
Cybersecurity Part 4: Surviving Ransomware

By Tony DePrato | Follow Me on LinkedIn

The scope of all the following arguments is for equipment owned by the school, or equipment approved to use at school. This post is not promoting policies for personal devices used solely at home, nor is this post addressing devices that may be used for entertainment or non-academic purposes.

"Ransomware, in its most basic form, is self-explanatory. Data is captured, encrypted, and held for ransom until a fee is paid. The two most common forms of ransomware delivery are through email and websites." (Source: https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html)

Ransomware is scary. Ransomware, once it begins to propagate, becomes more about survival and mitigation and less about prevention.

I have thought about how to advise K12 schools around the world on preparing for ransomware. I have concluded that there are only two approaches everyone can follow: Reduce or Completely Remove Windows, and Create Very Inconvenient Backups of Data.

Reduce or Completely Remove Windows

I decided to compile known types of ransomware. I stopped at 106 identified types. Here is a graph, with a link to the sources, that shows which operating systems are targeted:

[Chart: operating systems targeted by the 106 identified ransomware types; the data link is in the original post]

If you want to do the math:

  • 106 Ransomware programs
  • 100 Target Windows Operating Systems
  • 93%-94% of Targets are Windows Operating Systems
  • Using Windows is Riskier than Using other Systems

“Riskier” is a little weak in this case. It is very likely that Windows users will be a target, and very unlikely that Apple and Chromebook users will be.

If the goal is to live in a relatively peaceful, ransomware-free environment, then the majority of end-users need to be using Apple or Chrome-based devices (Linux varieties are also an option for a subset of users).

There are tools for Windows that help defend and protect against ransomware. However, nothing is better than not being attacked at all.

Create Very Inconvenient Backups of Data

Every time I ask an IT director or IT manager about backups, they claim they are 100% compliant and 100% able to deal with any problems. I have never believed my planning was close to 100%, nor have I ever believed I could restore 100% of all data. I would say, at my best, I am 60%-70% certain that I can restore 80%-90% of data. 

Data. Not operating systems and settings. Data. Not the software that was installed. Just all the data, including but not limited to documents, databases, movies, music, pictures, special configuration files, scripts and code, and the complete content of all websites.

There is only one question a person needs to ask to confirm if backups are safe from ransomware: “Can the backup be accessed right now if we need it?”.

If the answer is ‘Yes’, then backups are going to be vulnerable. 

There should be at least two layers of backups. Layer one can be data that is backed up and accessible on the network, in the cloud, and/or from normal workstations. Meaning, someone can sit down and create or restore a laptop, database, etc. by following a workflow at their desk.

Layer two backups are inconvenient. These backups are stored outside of the normal network. These backups are scheduled and not even accessible by network administrators without taking extra steps. These backups require some level of multifactor authentication or even a physical lock and key.


Layer two backups also need to be tested at least monthly (monthly is the recommendation for K12 schools only; most businesses need to test more frequently, and school districts would need to test very often and on a predetermined schedule).

Tests need to include:

  1. Data restoration
  2. Data access and use
  3. A scan for malware, ransomware, etc.
  4. An iterative process to consistently reduce the size of backups
  5. An archival process to store data that will most likely never be needed, but is legally required to store
  6. Imagination. Because you never know where you will be and what the situation will be when you need to access these backups

A very low-tech approach to a layer two backup could include someone taking an external drive to the data source, moving the data manually, and then locking the drive in a safe. Do not overthink this; just start doing it and keep improving the process. If you can access these backups from your workstation, then those backups are vulnerable by definition.
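Test items 1 and 2 above (data restoration, data access and use) can be made repeatable with a checksum manifest written at backup time and stored with the offline copy. The following is an added example, not code from the original post: it builds a SHA-256 manifest of a source tree, then checks a restored tree against it and reports what was lost or altered (an altered file is what an encrypted-by-ransomware copy looks like). All file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large media backups do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under the source tree.
    Keep the manifest with the offline (layer two) copy, off the network."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    ok, missing, changed = [], [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            changed.append(rel)  # corrupted, or encrypted by ransomware
        else:
            ok.append(rel)
    total = len(manifest)
    return {"ok": ok, "missing": missing, "changed": changed,
            "coverage": len(ok) / total if total else 0.0}

def demo() -> dict:
    """Constructed sample: back up three files, then simulate a restore in
    which one file is lost and one is altered; returns the verification."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "grades").mkdir(parents=True)
        (dst / "grades").mkdir(parents=True)
        files = {"grades/term1.csv": b"alice,92\nbob,85\n",
                 "grades/term2.csv": b"alice,88\nbob,90\n",
                 "notes.txt": b"staff meeting 3pm\n"}
        for rel, data in files.items():
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)
        (dst / "grades/term1.csv").write_bytes(files["grades/term1.csv"])
        (dst / "notes.txt").write_bytes(b"\x00garbage\x00")  # altered in "restore"
        return verify_restore(manifest, dst)  # grades/term2.csv never restored
```

The "coverage" figure is the fraction of files that came back intact, which is the number to record after each monthly test rather than a verbal "100% compliant".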

If ransomware happens, and the data cannot be decrypted, this layer two data would be safe because it is offline. Layer one backups may stay secure, but layer two backups will be secure unless you are a victim of very bad timing.

The cybersecurity industry is rapidly developing better protocols for handling ransomware. Staying educated and studying cases is not only essential, but it should also be scheduled into the cycle of work at least once every 6-8 weeks.

The data above could change. An uptick in ransomware for Chrome or Apple of even 1% is enough to review internal processes and procedures. Until then though, get the number of Windows OS users down and make better backups. 


Start Your Research Here

Ransomware: Best Practices for Prevention and Response

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

Understanding Ransomware

By: Tony DePrato | Follow me on Twitter @tdeprato

On Friday, 12 May 2017, a large cyber-attack using the WannaCry ransomware was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomware.

The ransomware concept is fairly simple. Once the package infects a system, it begins to encrypt all the data. The data is still on the machine, but it is not accessible unless the user enters a decryption key. In order to obtain the key, money must be sent to the “owner” of the ransomware. Usually this money is requested in the form of cryptocurrency, to make it difficult (if not impossible) to trace the payment.

Ransomware Targets Everyone

Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on campus that technology needs to be friendly and open. Because of this cultural approach to planning technology, many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.

For example, it would be odd to find a school that did not have user-managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel set up multistep authentication that expires every thirty days, that recommendation is probably going to be rejected. Any multistep authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay for resetting their services is often considered unacceptable.

IT policies and procedures that would prevent a school from being a victim of ransomware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times, and restrict certain types of technology from being used on campus.

Managing network and data security is a discipline that must be followed regardless of an organization's mission or definition. Best practices need to be studied as universal best practices. Studying best practice scenarios for only a single type of organization (like a K-12 international school) limits exposure to case studies, creative ideas, and threat assessment.

Ransomware Prevention and Protection

Investing money and IT security planning have something in common. If a person makes a decision about the future strictly on past performance, they are very likely to be investing in a plan that is expensive with a lower future yield. IT security threats work because they are original, and because a purchasable defensive solution was not available at the time of the threat.

Many organizations make the mistake of preparing for the future by buying protection for a threat that is no longer unique. This is useful if the threat resurfaces, but it is useless against new threats.

If an organization truly wants to be well prepared for ransomware threats, everyone in the organization should be able to answer ‘Yes’ to this statement:

“I can take my laptop/desktop/primary device and throw it away right now without severely impacting my work or life.”

Answering ‘Yes’ to that statement means that a person understands the data is more important than the machine it resides on. Just like investing for retirement, only diversification will save someone during a new and aggressive IT security threat.

There are numerous ways to achieve a high level of data diversity and redundancy. Here are a few that can be implemented with policy and practice:

  • The standard for file storage should be in the cloud.
  • Do not use sync software such as Google Drive Sync or OneDrive sync.
  • Laptops given to staff and students should have very small hard drives to discourage hoarding data and storing old files.
  • Weekly or monthly archiving of data should not be in the same environment as data for daily work. For example, I use Google Drive every day for work, but once a month I back up the important data to Dropbox. The larger archives are for emergencies, and are held within a different environment.
  • Offline backups on external drives are good, but hardware can fail. Consider what data is critical and make sure the offline backup is not the primary copy.
  • Systems like Time Machine can actually corrupt data if they are backing up automatically. Consider manually initiating backups, only after you have scanned your machine/servers for malware.
  • Photos and media can be challenging to keep organized in the cloud. Services like Google Photos, Instagram, etc. are designed for media. Use media-centric services to manage media.
  • Email is not for data storage. If email is compromised, the communication threads should be all that is lost.
  • Schools using local network shared drives and NAS systems (Synology etc.) need to be restrictive and vigilant with permissions. If these services have been planned with “Ease of Use” as the driving force, they are at risk of being turned into an engine that will rapidly spread a threat.
  • Limit non-cloud-based data sharing to special groups or departments to reduce the need to constantly update and patch these systems.

A final note to those who are making and enforcing policy. A single human vector who introduces one of these threats onto a network can create a cascade of destruction. Allowing anyone to circumvent a policy because of their title or position is placing everyone at risk.

WannaCry Ransomware Impact
The ransomware campaign was unprecedented in scale according to Europol.[9] The attack affected many National Health Service hospitals in England and Scotland,[50] and up to 70,000 devices — including computers, MRI scanners, blood-storage refrigerators and theatre equipment — may have been affected.[51] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[12][52] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[46] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[10][12]
Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe's most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[53][54]
According to experts, the attack's impact could have been much worse if the malware's creators had not built in a kill switch.[55][56]
Cybersecurity expert Ori Eisen said that the attack appears to be “low-level” stuff, given the ransom demands of $300, and stated that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.[57]
List of affected organizations:

  • São Paulo Court of Justice (Brazil)[58]
  • Vivo (Telefônica Brasil) (Brazil)[58]
  • Lakeridge Health (Canada)[59]
  • PetroChina (China)[16]
  • Public Security Bureaus (China)[60]
  • Sun Yat-sen University (China)[61]
  • Instituto Nacional de Salud (Colombia)[62]
  • Renault (France)[63]
  • Deutsche Bahn (Germany)[64]
  • Telenor Hungary (Hungary)[65]
  • Andhra Pradesh Police (India)[66]
  • Dharmais Hospital (Indonesia)[61]
  • Harapan Kita Hospital (Indonesia)[61]
  • University of Milano-Bicocca (Italy)[67]
  • Q-Park (The Netherlands)[68]
  • Portugal Telecom (Portugal)[69]
  • Automobile Dacia (Romania)[70]
  • Ministry of Foreign Affairs (Romania)[71]
  • MegaFon (Russia)[72]
  • Ministry of Internal Affairs (Russia)[73]
  • Russian Railways (Russia)[74]
  • LATAM Airlines Group (Chile)[75]
  • Banco Bilbao Vizcaya Argentaria (Spain)[76]
  • Telefónica (Spain)[76]
  • Sandvik (Sweden)[61]
  • Garena Blade and Soul (Thailand)[77]
  • National Health Service (England) (United Kingdom)[78][12][10]
  • NHS Scotland (United Kingdom)[12][10]
  • Nissan UK (United Kingdom)[78]
  • FedEx (United States)[79]
  • Massachusetts Institute of Technology (United States)
  • Saudi Telecom (Saudi Arabia)[80]