Attacks/Breaches
3/1/2017
01:30 PM
Jeff Schilling
Jeff Schilling
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Best Practices for Lowering Ransomware Risk

The first step is to avoid falling prey in the first place. That means teaching your entire organization - from IT staff to executive management - how not to be a victim.

In recent months, ransomware campaign activity has increased exponentially. Over 27,000 incidents surged on the scene in early 2017 when a commonly misconfigured setting on open source database called MongoDB made hundreds of thousands of databases vulnerable to ransom. Threat actors logged on to victims' databases, backed up data offsite, deleted it, and offered to return it for .2 Bitcoins, which translates to $200. 

While this might seem like a minuscule amount, there is logic behind it. If too much is asked, the propensity to pay declines. Plus, the volume of the attack yields serious dividends. Regardless, for those afflicted, losing access to important information to operate a business is extremely disconcerting, creating desperation and making them prone to pay up.

The Mechanics
There are two primary vectors into a commercial IT environment. The first is to assume remote access to a user's computer and traverse the network until administrator credentials to databases and data stores are gained. This is accomplished by sending an employee a phishing email that entices them to open an attachment or visit a compromised website that loads malicious code on their computer terminal. Once the computer is compromised, threat actors scan the environment and try to find a computer terminal used to access network data. After a foothold on an administrator’s computer is established, they can remotely encrypt or wipe data and then issue ransom demands. 

The second method is more of a frontal assault on the database servers. Most companies have public-facing websites and, as a result, threat actors will find a server with a vulnerable application, then exploit it to get a foothold in the data center. If an IT staff has not properly separated public-facing websites from database servers and file shares -  a common mistake with small staffs -  a threat actor can use that access to pursue the database. While this vector requires more sophistication, ransomware actors are increasingly pivoting in this direction, implying that more skilled actors are getting into the game.

The Response
With all of these new techniques in play, what can security teams do to mitigate the threat? The good news is that your IT staff is probably already doing many of the things needed to protect your environment. Here are a few best practices to help lower the risk further:

User Vector:

  • Establish a third-party user education program on how to identify a phishing email.
  • Shut down the ability for user terminals to share resources peer-to-peer.
  • Implement a back-up strategy for personal data on external drives or virtual drives.
  • Install a reputable antivirus program that will block a majority of known ransomware attacks.

Website Vector:

  • Never host an external-facing server on the same hardware as a database or data store.
  • Ensure proper segmentation between web servers and database servers. 
  • Track vulnerability patch status of critical data servers and file shares.
  • Make sure IT staff has a data back-up strategy for databases and file shares,
  • Consider using secure third-party cloud or virtualized services for critical data storage and files shares offsite.

Advanced Planning & Outside Resources:

  • Have an incident response plan in place before an incident occurs. Having a plan in place allows for the immediate documentation all of the possible decisions and communication plans that need to be applied under the pressure of a real-life incident. 
  • Visit the NoMoreRansom.org website to seek assistance. This non-profit website is a partnership between antivirus vendors, international law enforcement, and cybersecurity threat researchers. This resource has helped thousands of victims decrypt data, complete with recommendations for what to do in the event of an attack. 
  • Pay or not pay? A final consideration that enters the mind of many is whether or not to pay the ransom. The majority experts’ view is consistent with those of the Federal Bureau of Investigation – do not pay. However, this is an easy decision for third-parties to make because it is someone else’s data being ransomed. 

At the end of the day, the decision will come down to the impact of the attack on your company's business. While ransomware actors in many cases return the data as promised, they may leave backdoors to return for more money, time and time again, or may not return data at all.

These present very unattractive options, so it is best to avoid falling prey in the first place. To be successful, advance preparation and applying proven best practices will be the most effective way to avoid a ransomware scenario completely. Having an entire organization aligned on how to avoid being a victim, from the IT staff to executive management, is essential to maintain the sanctity of data.

Related Content:

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of focus include cloud operations, client services, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shantaram
50%
50%
Shantaram,
User Rank: Strategist
3/8/2017 | 4:57:17 AM
Re: 192.168.l.l
Great article! It was nice to read this information. Thanks
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.