A

Execu(ve Brief

®

Making Recovery Part of your Ransomware Preparedness Strategy

TheCostPoten+alinRansomware

Today,ransomwareisabusiness–yes,business.Drivenmostlythroughransomware-as-a-servicepla<ormsrunbyorganizedcrimegangs,ransomwareisthefastestgrowingthreattoday.Andit’snosurprise,givenasingleransomwareaAackcampaigncannetthecriminalsmillionsofdollars,inreturnforveryliAlerisk,expenditureorchancesofbeingcaught.Thefollowingstatswillgiveyousomeideaofthecostofransomware:Revenue(annually): $1Billion+InfecIons: 4000+dailyAvg.Ransom: 3-5Bitcoins

(inUSD): $3500-6000Avg.Impact: 6worksta+ons

2serversAvg.DownIme: 12hoursAvg.RemediaIon: 12hours

Sources:FBI,KnowBe4Survey

Ransomware:Today’sThreatRealityRansomwarehasbecomethethreat-du-jourformostenterpriseorganizaIons,astheystruggletokeepupwiththerapidlychangingthreatlandscapeandbarrageofaAacksfrommoney-hungrycybercriminalsandhackers.ITteams,cyberandinfo-secdepartments,CISOsandCIOsareleOfeelinglikethey’restuckinagiantrevolvingdoorthatrotatesbetweenstatesofsecureandinsecureintheirenvironments.RansomwareisthelatestinalineofthreatstocomerollingdowntheirinternetconnecIoncausingthatdoortospinsofasteverythingbecomesasickeningblur.It’shardlysurprisingransomwarehasbecomesoubiquitousandsuccessfulbecauseofit’sfranklyimpressiveabilitytoevolve.ItsneakspastexisIngdefenseslikesecureemailgatewaysanddesktopanI-viruswithease,thentricksusersintorunningitsviralpayloadthemselvesforthataddedkillerpunch.Allofthis,ontopofourend-usersfacingotherthreatssuchasphishing,vishing,whaling(orbusinessemailcompromise),plainoldspam,malwareandinternet-villainy.Justwhenwethoughtwe’descapedthelatestinthatlonglistofthreats,alongcomesransomwaretotestoutdefensesandpreparednesstothemax.

Making Recovery Part of your Ransomware Preparedness Strategy 2

IfthissoundslikeyouoryourorganizaIon,thenyou’renotalone.RansomwareaAacksorganizaIonsofeverysize,geography,andindustryverIcal,althoughsomeindustriesarehitharder,givenanassumpIonthattheirdataismovevaluabletotheoperaIonalabilityofthebusiness.ThefrustraIonofthoseaffectedbytheseproblemsispalpable,andmostarenowlookingatabroadercrosssecIonoftechnologiestoprotectthemselvesandimportantlytorecoverpost-a:ack,ratherthanrelyonpure-playsecuritysoluIonsalone.MethodsofEntryRansomwareneedsameansofentry,somemethodofdelivery,andanabilitytoexecute.Likemostmalware,ransomwarefindsitswayintoanorganizaIonthrougheitheremailormaliciouslycodedwebsites.Thecodeusedatthispointismerelyatrojan–somekindofcodethatisacceptedbytheOSasavalidtypeofcodethatanemailmightcontain,orwebsitemightneedtorun.Oncethetrojanislaunched,itneedsawaytodownloadanddelivertheransomware.Atthispoint,trojansrelyonmacros(likethosefoundinWordandExcel),javascript,andevenvulnerabiliIesfoundinJava,Flash,webbrowsers,andbrowserplugins.LikesecuritysoOwarevendorswhostrivetoimprovetheirproductwitheachpassingrelease,cybercriminals

workIrelesslytoimprovetheir“product”aswell.UsingsophisIcatedandwhatcanonlybeconsidered“long-tail”methods–wheremulIplestepsaretakentobothavoiddetecIonandensureexecuIonoftheransomware–ransomwareauthorsareprovingthemselvestobeaformidableadversary.AndwithsocialengineeringandunsuspecIngemployeesontheirside,theredoesn’tappeartobeanyendinsightforransomwareinthenearfuture.PreparingforRansomwareAssumingit’sawhenandnotanifransomwarewillstrike,it’scriIcaltohaveyourITorganizaIonprepareineverywaypossible,toeitherthwartanaAack,ortominimizeitsimpactwithintheorganizaIon.Thereareafewcommonrecommendedsteps:1.   Patcheverything,patcho3enAccordingtothe2016VerizonDataBreachInvesIgaIonsReport,theaverageImetodevelopanexploittoapublishedvulnerabilityisonly30days.AndwithaAackstodayleveragingvulnerabiliIesthathavebeenout,literally,since1998(1998!),it’sevidentthattheeverythingpartoftherecommendedstepsisnotbeingtakenseriously.

Making Recovery Part of your Ransomware Preparedness Strategy 3

2.Useamul:-layereddefensestrategyManyorganizaIonsputtheirtrustinanIvirussoluIons,whichrelyonsignaturesandbehaviorstoidenIfymaliciously-intenIonalcode.ButgivenmalwareauthorsnotonlyarefamiliarwithhowAVworks,butintenIonallystudyhowspecificAVvendorsdetectmalware,andwritecodethatavoidsdetecIonbyusingcurrentAVsoFwaretotestagainst.What’sneededisacombinaIonofanIvirus,emailprotecIon,endpointprotecIon(e.g.applicaIonwhite/blacklisIng),leastprivilege,usertraining,andphishingtesIng.PartofthelayeredapproachincludessomeabilitytoidenIfythepresenceofmalware/ransomwareandnoIfyITsothattheinstancecanbeisolatedanderadicated.3.PlanningtheroadtorecoveryYourransomwarepreparednessandprotecIonstrategiescan’tsimplycontainstepsthataredesignedtostopransomwarefromenteringtheorganizaIon;tobetrulyprepared,yourplanmustincludemeasuresthatallowyoutoputanymanipulateddataandsystemsbackintoaproducIve,pre-ransomwarestate.Youmightthinkitcheapertosimplypaytheransom,however,becausewe’retalkingaboutdatabeingtrulymodified,youdon’twantthesuccessofyourrecoveryresIngontrusIng

criminalsthatyourdatawillbedecryptedperfectly,withdataintegrityperfectlymaintained.Relyingondatarecoveryfromyourowntestedbackupsprovides100%confidenceinyourrecoverability.Also,there’ssIlltheissueofremovingtheransomwareandtrojansonyoursystems.AccordingtoarecentCitrixsurvey,36%oforganizaIonsarenotconfidenttheycancompletelyeradicatemalwarefromsystems.Sowhat’sneededforrecovery?•  Recoverserverdata–Many

variantsofransomwareconnectfromtheinfecteduserdeviceouttoanyserversitcanreachviaexisIngorcachedSMBconnecIons,therebyallowittoencryptfilesonmulIpleservers.TobecertaindataisbackinaproducIonstate,recoveringanymanipulateddataisnecessary.Becauseyoucan’tknowtheextentofanaAackunIlitoccurs,ensuringallcriIcalfiles–bothuserandsystem–areincludedaspartofyourbackupandrecoverystrategy.

•  Aplanforuserdevices–whetherlaptopsordesktopworkstaIons,thesedevicesneedtobecompletelyreimagedtoensureanymalwareremnantisremoved.DevicesusedbycriIcalusersmayneedimage-levelbackupsoftheirowntogetthoseusersbackupandworkingquickly.OtherusersmaysimplyberecoveredusingaredeployedstandardworkstaIonimage.