A
Execu(ve Brief
®
Making Recovery Part of your Ransomware Preparedness Strategy
TheCostPoten+alinRansomware
Today,ransomwareisabusiness–yes,business.Drivenmostlythroughransomware-as-a-servicepla<ormsrunbyorganizedcrimegangs,ransomwareisthefastestgrowingthreattoday.Andit’snosurprise,givenasingleransomwareaAackcampaigncannetthecriminalsmillionsofdollars,inreturnforveryliAlerisk,expenditureorchancesofbeingcaught.Thefollowingstatswillgiveyousomeideaofthecostofransomware:Revenue(annually): $1Billion+InfecIons: 4000+dailyAvg.Ransom: 3-5Bitcoins
(inUSD): $3500-6000Avg.Impact: 6worksta+ons
2serversAvg.DownIme: 12hoursAvg.RemediaIon: 12hours
Sources:FBI,KnowBe4Survey
Ransomware:Today’sThreatRealityRansomwarehasbecomethethreat-du-jourformostenterpriseorganizaIons,astheystruggletokeepupwiththerapidlychangingthreatlandscapeandbarrageofaAacksfrommoney-hungrycybercriminalsandhackers.ITteams,cyberandinfo-secdepartments,CISOsandCIOsareleOfeelinglikethey’restuckinagiantrevolvingdoorthatrotatesbetweenstatesofsecureandinsecureintheirenvironments.RansomwareisthelatestinalineofthreatstocomerollingdowntheirinternetconnecIoncausingthatdoortospinsofasteverythingbecomesasickeningblur.It’shardlysurprisingransomwarehasbecomesoubiquitousandsuccessfulbecauseofit’sfranklyimpressiveabilitytoevolve.ItsneakspastexisIngdefenseslikesecureemailgatewaysanddesktopanI-viruswithease,thentricksusersintorunningitsviralpayloadthemselvesforthataddedkillerpunch.Allofthis,ontopofourend-usersfacingotherthreatssuchasphishing,vishing,whaling(orbusinessemailcompromise),plainoldspam,malwareandinternet-villainy.Justwhenwethoughtwe’descapedthelatestinthatlonglistofthreats,alongcomesransomwaretotestoutdefensesandpreparednesstothemax.
Making Recovery Part of your Ransomware Preparedness Strategy 2
IfthissoundslikeyouoryourorganizaIon,thenyou’renotalone.RansomwareaAacksorganizaIonsofeverysize,geography,andindustryverIcal,althoughsomeindustriesarehitharder,givenanassumpIonthattheirdataismovevaluabletotheoperaIonalabilityofthebusiness.ThefrustraIonofthoseaffectedbytheseproblemsispalpable,andmostarenowlookingatabroadercrosssecIonoftechnologiestoprotectthemselvesandimportantlytorecoverpost-a:ack,ratherthanrelyonpure-playsecuritysoluIonsalone.MethodsofEntryRansomwareneedsameansofentry,somemethodofdelivery,andanabilitytoexecute.Likemostmalware,ransomwarefindsitswayintoanorganizaIonthrougheitheremailormaliciouslycodedwebsites.Thecodeusedatthispointismerelyatrojan–somekindofcodethatisacceptedbytheOSasavalidtypeofcodethatanemailmightcontain,orwebsitemightneedtorun.Oncethetrojanislaunched,itneedsawaytodownloadanddelivertheransomware.Atthispoint,trojansrelyonmacros(likethosefoundinWordandExcel),javascript,andevenvulnerabiliIesfoundinJava,Flash,webbrowsers,andbrowserplugins.LikesecuritysoOwarevendorswhostrivetoimprovetheirproductwitheachpassingrelease,cybercriminals
workIrelesslytoimprovetheir“product”aswell.UsingsophisIcatedandwhatcanonlybeconsidered“long-tail”methods–wheremulIplestepsaretakentobothavoiddetecIonandensureexecuIonoftheransomware–ransomwareauthorsareprovingthemselvestobeaformidableadversary.AndwithsocialengineeringandunsuspecIngemployeesontheirside,theredoesn’tappeartobeanyendinsightforransomwareinthenearfuture.PreparingforRansomwareAssumingit’sawhenandnotanifransomwarewillstrike,it’scriIcaltohaveyourITorganizaIonprepareineverywaypossible,toeitherthwartanaAack,ortominimizeitsimpactwithintheorganizaIon.Thereareafewcommonrecommendedsteps:1. Patcheverything,patcho3enAccordingtothe2016VerizonDataBreachInvesIgaIonsReport,theaverageImetodevelopanexploittoapublishedvulnerabilityisonly30days.AndwithaAackstodayleveragingvulnerabiliIesthathavebeenout,literally,since1998(1998!),it’sevidentthattheeverythingpartoftherecommendedstepsisnotbeingtakenseriously.
Making Recovery Part of your Ransomware Preparedness Strategy 3
2.Useamul:-layereddefensestrategyManyorganizaIonsputtheirtrustinanIvirussoluIons,whichrelyonsignaturesandbehaviorstoidenIfymaliciously-intenIonalcode.ButgivenmalwareauthorsnotonlyarefamiliarwithhowAVworks,butintenIonallystudyhowspecificAVvendorsdetectmalware,andwritecodethatavoidsdetecIonbyusingcurrentAVsoFwaretotestagainst.What’sneededisacombinaIonofanIvirus,emailprotecIon,endpointprotecIon(e.g.applicaIonwhite/blacklisIng),leastprivilege,usertraining,andphishingtesIng.PartofthelayeredapproachincludessomeabilitytoidenIfythepresenceofmalware/ransomwareandnoIfyITsothattheinstancecanbeisolatedanderadicated.3.PlanningtheroadtorecoveryYourransomwarepreparednessandprotecIonstrategiescan’tsimplycontainstepsthataredesignedtostopransomwarefromenteringtheorganizaIon;tobetrulyprepared,yourplanmustincludemeasuresthatallowyoutoputanymanipulateddataandsystemsbackintoaproducIve,pre-ransomwarestate.Youmightthinkitcheapertosimplypaytheransom,however,becausewe’retalkingaboutdatabeingtrulymodified,youdon’twantthesuccessofyourrecoveryresIngontrusIng
criminalsthatyourdatawillbedecryptedperfectly,withdataintegrityperfectlymaintained.Relyingondatarecoveryfromyourowntestedbackupsprovides100%confidenceinyourrecoverability.Also,there’ssIlltheissueofremovingtheransomwareandtrojansonyoursystems.AccordingtoarecentCitrixsurvey,36%oforganizaIonsarenotconfidenttheycancompletelyeradicatemalwarefromsystems.Sowhat’sneededforrecovery?• Recoverserverdata–Many
variantsofransomwareconnectfromtheinfecteduserdeviceouttoanyserversitcanreachviaexisIngorcachedSMBconnecIons,therebyallowittoencryptfilesonmulIpleservers.TobecertaindataisbackinaproducIonstate,recoveringanymanipulateddataisnecessary.Becauseyoucan’tknowtheextentofanaAackunIlitoccurs,ensuringallcriIcalfiles–bothuserandsystem–areincludedaspartofyourbackupandrecoverystrategy.
• Aplanforuserdevices–whetherlaptopsordesktopworkstaIons,thesedevicesneedtobecompletelyreimagedtoensureanymalwareremnantisremoved.DevicesusedbycriIcalusersmayneedimage-levelbackupsoftheirowntogetthoseusersbackupandworkingquickly.OtherusersmaysimplyberecoveredusingaredeployedstandardworkstaIonimage.
