This post will list a number of steps which, together, should minimize your risks of being successfully attacked by ransomware such as WannaCrypt, CryptoLocker, and a plethora of other variants that are ravaging businesses of all sizes around the world.
Note: There has been some advice specifically for WannaCrypt, such as disabling SMBv1, but this article focuses more on general practices for dealing with ransomware.
WannaCrypt made mainstream news headlines on Friday, May 12, but for at least 12 months before that, ransomware has been quietly squeezing money out of businesses around the world. Ransomware isn’t like traditional hacking, which normally focuses on government and large enterprises. Ransomware targets the vulnerable, those that have to pay up because they have no choice.
Note: MVP Troy Hunt, a known Microsoft security expert, has posted a good breakdown of WannaCrypt here. WannaCrypt uses SMB to spread, and Microsoft has been begging people to disable SMBv1 and dump products that require SMBv1.
Ransomware is the electronic version of a protection racket. Mostly run by organized crime, a ransomware attack enters a company, often by an email attachment that is crafted (with a specific target) or automated (from the contact list of a previous victim). An unwitting employee sees a reasonable-looking attachment, opens it, and some time later (it could be days), the malware spreads across the network and encrypts every document that it can find. Users are informed, either by ransom notes left in affected folders or an on-screen prompt, of what has happened and that the “service provider” will kindly decrypt the files if you pay their “service charge”, which is usually payable in BitCoins.
Some of these ransomware variants are very clever, evolving themselves to the point where anti-virus is useless. Some of them are very dumb, relying on bad IT practices and laziness. There are a number of steps, though, that you can take to minimize your vulnerability to this crime. Note that no one step will protect you; you need to employ all of these methods to raise a modern defensive barrier against modern threats — the days of malware on a floppy are long gone, and your anti-virus scanning, which was designed for such threats, is no longer sufficient, despite what your buddy in the bar says to you.
Backup & Disaster Recovery
If your data is protected, then it might be possible to restore from backups without paying a ransom. On the face of it, that sounds like a good plan, but it only works if the stars are aligned perfectly and if your data storage policies minimize the number of locations where users can store data.
The reality is that data is scattered everywhere, and the ransomware hits all of those points. Even if your backups work perfectly, restoring from backup will take time and be disruptive.
One might fail over to a disaster recovery site. There is some disruption in doing so, but if all data was stored on servers, then this will, in theory, get you back up and running. However, a lot of ransomware attacks are timed to hit after employees have gone home for the weekend. What if you don’t see the problem until the Monday morning? Does your DR system keep 3-4 days of retention for such a failover?
A cure is useful to have, but prevention is better.
PCs as Appliances
How many of your users use the desktop as a file server? It’s a common scenario! Every PC with company data on it is a valuable asset and that causes a problem. If our method of recovery is backup/DR, then PCs with data on them become an obstacle because our recovery method will not work for the data on that machine.
PCs should be treated as appliances. All data should be stored on servers or in the cloud. That doesn’t necessarily mean that work methods need to change; one can be clever. For example, folder redirection in Group Policy allows Desktop, My Documents, and a bunch of other folders to be redirected to a file server. Users won’t even notice! And you can enable offline files if they are mobile workers. One might argue that “I’ve already paid for 1TB of storage on the PC and that’s cheaper than server storage.” OK, that’s dumb, stuck in the 1990s with Vanilla Ice, and partly why you’re going to be searching for a way to buy BitCoins, but storage on a server doesn’t need to be expensive. Have a look at the new ways of rolling out a file server, such as StorSimple, which is now affordable for small-medium enterprises and branch offices.
Long-term, a migration of data on PCs to the cloud would be beneficial. Look at OneDrive for Business for personal storage, and Office 365 Groups for shared storage (I love this feature). If you hate the OneDrive sync client (many do) then there are many alternatives in the market.
WannaCrypt (or WannaCry), the ransomware worm that has made all of the news, was based on a leaked or stolen NSA hacking tool called EternalBlue. Microsoft released a patch on March 14 to close the zero-day vulnerability that this tool was targeting. So if you deployed the security patches from March to all of your machines, you were protected against WannaCrypt.
According to NetMarketShare, Windows XP is still used by 7 percent of users. I suspect that estimate is on the low side. Most PCs using XP are in the business world and might not be measured by services such as NetMarketShare.
The first big victim that I heard of being hit was the National Health Service (NHS) in the UK, which is still paying Microsoft millions of pounds per year for a special support contract for Windows XP — and it sounds like despite giving all that money to Microsoft, the NHS still failed to deploy the patch that would have prevented the outbreak. XP is out of support and anyone using it is a victim-in-waiting.
It’s time to get over yourself and your “Windows XP is faster, more reliable, and tested” alt-facts:
- Upgrade to Windows 10
- Start patching
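Two of the concrete actions above, disabling SMBv1 (from the notes at the top) and verifying that a security update is actually present, can be scripted. The following is an added example, not code from the original post: it audits and disables SMBv1 on a Windows 8.1 / Windows 10 / Server 2012 R2 or later host using the built-in SMB and DISM cmdlets, and checks for an installed update by KB number. The KB number shown is a placeholder; the post does not give one.

```powershell
# Added example, not code from the original post. Audits and disables SMBv1 on a
# Windows 8.1 / Windows 10 / Server 2012 R2 or later host and checks that a named
# security update is present. Run from an elevated PowerShell session.
# 'KB0000000' is a placeholder: substitute the update you are verifying.

function Get-Smb1Status {
    # Server side: is the SMBv1 listener enabled on this host?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Component side: is the SMB1 optional feature installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverEnabled
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'NotAvailable' }
    }
}

function Disable-Smb1 {
    # Turn the server-side listener off first; this takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Then remove the component so it cannot be re-enabled casually.
    # -NoRestart schedules the removal; a reboot is still needed to complete it.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Test-UpdateInstalled {
    param([Parameter(Mandatory)] [string] $KbId)
    # Get-HotFix reads the servicing stack's record of installed updates.
    # A missing entry means the host must be treated as unpatched.
    $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

# Usage: report, warn if the update is missing, harden, and report again.
Get-Smb1Status | Format-List
if (-not (Test-UpdateInstalled -KbId 'KB0000000')) {   # placeholder KB number
    Write-Warning "Required security update is not installed on $env:COMPUTERNAME"
}
Disable-Smb1
Get-Smb1Status | Format-List
```

One caveat when using `Get-HotFix` as the check: on Windows 10, cumulative updates supersede earlier ones, so an older cumulative KB disappears from the list once a newer one is installed. Check for the KB of the latest cumulative update for the build, not for the first one that contained the fix.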
By the way, anyone in Europe needs to pay special attention to the European Union General Data Protection Regulation, which places more emphasis than ever on businesses to take the correct steps to protect customer data.
The main entry point for these kinds of malware is an email attachment. Employees need to be educated to understand what these threats are and how they prey on ordinary human behaviour.
To be honest, this education by itself will not be enough. I’ve personally seen how these emails are becoming more professional, with none of the language errors that we IT pros often joke about. Language and logos look normal, the attachments are named to look like the sort of thing we expect in our email, and many emails are coming “from” suppliers or customers that we expect attachments from.
Advanced Threat Protection
Anti-virus scanning is useless against zero-day threats. So all that time you spend on keeping AV up-to-date will be useless against previously unknown ransomware, or ransomware variants that evolve faster than traditional file scanning can keep up with.
Advanced Threat Protection (ATP) is a form of solution that we can put in front of the entry points to the business, such as a firewall or email system. Instead of doing a traditional scan, ATP sends attachments to a cloud-based virtual machine and runs a series of tests:
- Opens the file
- Speeds up the virtual machine’s clock (so time-delayed behaviour shows up during analysis)
- Tries to execute the file
The ATP system monitors the file system and OS of the virtual machine to see if the file tries to do something that a data file should not, such as making file system changes, editing the registry, and so on. If it does, it’s malware and it’s isolated. If the file is clean, it is allowed into the company.
ATP might be slightly disruptive in how it allows files into the company, but it can offer the sorts of protection that traditional scanning just cannot. Make sure that you protect all of your entry points:
- Cloud-based email, such as Office 365 or Google
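For the cloud-based email entry point, the ATP behaviour described above is configured as a Safe Attachments policy plus a rule that binds it to recipients. The script below is an added example, not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module and an account holding the Security Administrator role; the domain, quarantine mailbox and policy names are placeholders.

```powershell
# Added example, not code from the original post or from Microsoft. Creates an
# Office 365 ATP "Safe Attachments" policy so every inbound attachment for the
# domain is detonated before delivery. Assumes the ExchangeOnlineManagement
# module and an account holding the Security Administrator role. The domain,
# mailbox and policy names are placeholders.

$Domain        = 'example.com'                   # placeholder accepted domain
$QuarantineBox = 'secops-quarantine@example.com' # placeholder mailbox for blocked copies
$PolicyName    = 'Block-Detonated-Attachments'
$RuleName      = "$PolicyName-Rule"

Connect-ExchangeOnline

# Policy settings: Block drops the whole message when the sandbox sees
# malicious behaviour; Redirect keeps a copy so the security team can examine it.
$settings = @{
    Enable          = $true
    Action          = 'Block'
    Redirect        = $true
    RedirectAddress = $QuarantineBox
}

# Create the policy once; update it on later runs so the script is idempotent.
if (Get-SafeAttachmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    Set-SafeAttachmentPolicy -Identity $PolicyName @settings
} else {
    New-SafeAttachmentPolicy -Name $PolicyName @settings
}

# A rule binds the policy to recipients; priority 0 puts it ahead of any other rule.
if (-not (Get-SafeAttachmentRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name $RuleName -SafeAttachmentPolicy $PolicyName `
        -RecipientDomainIs $Domain -Priority 0
}

# Verify what is now in force before trusting it.
Get-SafeAttachmentPolicy -Identity $PolicyName | Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule   -Identity $RuleName   | Format-List Name, SafeAttachmentPolicy, RecipientDomainIs, State

Disconnect-ExchangeOnline -Confirm:$false
```

The `Block` action is the one that matches the “it’s malware and it’s isolated” behaviour in the text; the redirect copy exists so that an analyst can confirm the verdict and tune the policy rather than silently losing legitimate mail that the sandbox mis-classified.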
Windows 10 Enterprise E3
By itself, Windows 10 is a more secure operating system than Windows 7, and it’s certainly more secure than the out-of-support Windows XP. But Windows 10 Enterprise, available without Software Assurance as a per-user monthly subscription via the Microsoft Partner-based Cloud Solution Provider (CSP) program, offers much more:
- Device Guard: Hardware-based protection of the OS by only allowing integrity-signed executables.
- AppLocker: Whitelisting of which executable programs are allowed.
- Credential Guard: Hardware-based protection of password hashes and secrets.
Note that the hardware requirements of these features require things like modern TPM chips and UEFI firmware on your devices.
In theory, with these features enabled, even if malware does get past human filtering and ATP scanning, it should not be able to execute.
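To see whether those hardware-backed features are actually running on a device, and to build the whitelist that AppLocker enforces, the following added example (not code from the original post) reads the virtualization-based security state that Device Guard and Credential Guard depend on, then generates an AppLocker policy from the executables already installed and applies it in audit-only mode. The directory list, output file and test path are assumptions for illustration.

```powershell
# Added example, not code from the original post. Part 1 reads the virtualization-
# based security state that Device Guard and Credential Guard depend on; part 2
# builds an AppLocker whitelist from what is installed and applies it in
# audit-only mode, so you see what would be blocked before enforcing.
# The directory list, test path and output file are assumptions for illustration.

function Get-VbsStatus {
    # Win32_DeviceGuard reports what the firmware/hypervisor allow and what is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (kernel code integrity)
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # AvailableSecurityProperties code 2 = Secure Boot (the UEFI requirement mentioned above)
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1
        HvciRunning            = $dg.SecurityServicesRunning -contains 2
        SecureBootAvailable    = $dg.AvailableSecurityProperties -contains 2
    }
}

function New-AppLockerAuditPolicy {
    param(
        [string[]] $TrustedDirectories = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'),
        [string]   $OutFile = 'C:\Temp\applocker-audit.xml'   # assumed output path
    )
    # Inventory executables in the trusted locations. Publisher rules are preferred
    # because they survive updates; hash rules cover unsigned binaries.
    $files = foreach ($d in $TrustedDirectories) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe -ErrorAction SilentlyContinue
    }
    $xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    # Generated collections default to NotConfigured; switch them to AuditOnly so the
    # "AppLocker/EXE and DLL" event log records what enforcement would have blocked.
    $xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    $OutFile
}

# Usage (elevated session):
Get-VbsStatus | Format-List

$policyFile = New-AppLockerAuditPolicy
# AppLocker only evaluates rules while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run: would an executable in a user-writable location (assumed path; point it at
# a real file) be allowed to run under this policy?
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Users\Public\Downloads\invoice.exe' -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# Apply locally; -Merge keeps any existing rules. Use Group Policy for fleet-wide rollout.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Run the audit policy for a few weeks and review the audit events before flipping `AuditOnly` to `Enabled`; the point of the whitelist is that an attachment dropped into a profile folder has no matching rule, so it is denied even when the user double-clicks it.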
Remove Admin Rights
The vast majority of malware runs as the currently logged-in user and requires that the user has admin rights on their PC. The easiest way to prevent this malware is to remove admin rights from the user. And now we get into “biblical” arguments.
In the USA, the fad of “bring your own device” (BYOD) has completely screwed corporate IT security. If I own it, I have admin rights over it. In the good ol’ days, a company would ban non-company devices from their network. In the BYOD world, employees are bringing in their own device, that their kids were torrenting on the night before, and plugging it into the LAN where the company assets and customer data are stored. Hmm, does that sound responsible or secure to you?
We also have the problem that businesses write/purchase rubbish business software that requires admin rights for the user. When I was last an admin, that software might be purchased, but it wasn’t going to run, no way, no how. Yes; I was a difficult person (I removed several swear words from my drafts) in the opinion of the business, but I kept us secure.
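Removing admin rights starts with knowing who has them. The script below is an added example, not code from the original post: it lists the local Administrators group on a Windows 10 / Server 2016 host, flags members that are not on an approved list, keeps an append-only CSV trail, and removes the unapproved members only when asked to, with `-WhatIf` support so the list can be reviewed first. The approved principal names and the report path are assumptions.

```powershell
# Added example, not code from the original post. Reports local Administrators
# group members that are not on an approved list and, when -Remove is given,
# strips them. Uses the Microsoft.PowerShell.LocalAccounts module that ships
# with Windows 10 / Server 2016. The approved names and report path are assumptions.

function Get-LocalAdminReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Principals allowed to keep admin rights (break-glass account, domain admin group). Placeholders.
        [string[]] $Approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins'),
        [switch]   $Remove,
        [string]   $ReportPath = "$env:ProgramData\local-admin-audit.csv"   # assumed path
    )
    $members = Get-LocalGroupMember -Group 'Administrators'
    $report = foreach ($m in $members) {
        $isApproved = $Approved -contains $m.Name
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Member       = $m.Name
            ObjectClass  = $m.ObjectClass        # User or Group
            Source       = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Approved     = $isApproved
            Checked      = (Get-Date).ToString('s')
        }
        if (-not $isApproved -and $Remove) {
            # ShouldProcess gives -WhatIf / -Confirm for free: review before you enforce.
            if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            }
        }
    }
    # Append-only trail so you can show what changed, where, and when.
    $report | Export-Csv -Path $ReportPath -NoTypeInformation -Append
    $report
}

# Usage: review first, then enforce.
Get-LocalAdminReport | Format-Table Member, ObjectClass, Source, Approved -AutoSize
Get-LocalAdminReport -Remove -WhatIf
# Get-LocalAdminReport -Remove        # enforce once the approved list is right
```

Keep the approved list short and made of groups rather than individual users where possible; a domain group gives you one place to grant temporary admin rights for the “rubbish business software” case and to take them away again afterwards.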
This Is a Business Issue
IT security is not an IT issue; it’s a business issue. Shareholders need to hold boards accountable, and the board needs to have IT security managed at the board level by an IT expert, not some sad sap accountant who drew the short straw, which is the typical choice. If the business understands at the board level that IT security is as important as anything else, then the data and processes, and profitability, of the business will be protected. Without this support, IT staff, who often want to do the necessary work, won’t have the support, financial backing, or push from the business to make this happen, and quite frankly will be fighting an unwinnable uphill battle … and yes … these attacks will happen and repeat — it’s known that the crime organizations sell lists of paying victims to each other so that those who pay the ransom but fail to protect themselves fall victim again and again.