DRJ Spring 2020

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 32, Issue 4

Full Contents Now Available!

Tuesday, 01 November 2016 00:00

The Best Defense for Ransomware is an Even Stronger Offense

Written by  DAVE LeCLAIR
Tips Every Organization Must Follow to Protect Business Continuity

LeClaire fbiRansomware is not new. In fact, forms of ransomware have been around for over a decade; however, these earlier forms were largely ineffective. They took on the form of "scare-ware" or "nag-ware" and simply popped up messages on the screen in an attempt to convince the user that the system was infected with viruses. Another approach was to show inappropriate images on the screen and then demand payment to remove them. These early forms did not permanently lock or encrypt files, and they were typically fairly easy to remove or avoid. Criminals also had difficulty collecting these fees anonymously. As a result, when those annoying infections popped up occasionally, they were not the scourge that modern ransomware has become.

Today, ransomware has rapidly become one of the most widespread and damaging causes of downtime and data loss for IT systems. It has captured the attention of the press and end-users with some pundits going so far as to call 2016 "the year of ransomware." Ransomware has become so prolific that it is no longer a question of if you are going to get hit with this type of malware, but simply a question of when. For users and organizations who are not prepared when ransomware attacks occur, there is little recourse. In fact, at a recent conference, Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI's Boston office said, "The ransomware is that good. To be honest, we often advise people just to pay the ransom [if you haven't backed up]."

Numerous variations, copycats and versions have quickly become established around the globe. The most popular variants include CrytoLocker, TorrentLocker, CrytoWall, CBT-Locker, TeslaCrypt, Locky, plus many others. They use a range of techniques for infection vectors and they employ an assortment of execution methods. Worse, they all use strong, unbreakable encryption, employ some form of online network communication, and require anonymous electronic payment via bitcoins.

Each is typically delivered through spam messages, exploit kits or malvertising. CBT-Locker and Torrent-Locker typically prefer spam email campaigns as a delivery vector, while CryptoWall and TelsaCrypt prefer to use exploit kits. Unfortunately, both approaches have been proven to be highly effective ways to get into both end user and server-based systems.

So how does each work? The spam delivery vector requires interaction from the user. However, it has the advantage of being able to affect fully patched and up-to-date systems. They simply require a user to drop their guard one time to click on the delivery package. Many ransomware variants have been localized and are very convincing in order to dupe victims into clicking on their payloads. Exploit kits rely on vulnerable software packages installed on the victim's system. They have the advantage of not requiring any interaction from the user in order to infect the system, and utilize known security holes in existing software for penetration. Criminal organizations are now so systematic in their hacking methods that lists of vulnerable systems are now sold through coordinated efforts between malware creators with profits being split among collaborators.

As ransomware has become more widespread, the advances in technology and techniques used have also evolved. The first ransomware variants mostly attacked Microsoft Windows based systems. However, in recent months we have seen a new version that is now going after Apple Macs as well. Other advances have included highly localized versions that only target specific systems and/or geographic areas. These variants are so specific to geography that the spam email message is often more effective because the messages are grammatically perfect and they employ the vernacular typically used in that region. Another feature of ransomware that has evolved since the early days has been the addition of a feature to prove to the end user that the ransomware provider does indeed hold the decryption keys. Most ransomware variants now offer the ability to get one file decrypted for free, which is used to verify that payment will result in the unlocking of files.

However, for organizations that take the necessary steps, the disruptions can be minimized and data loss can be avoided. In order to more completely understand the steps that should be taken, organizations need insight and guidance on protection, backup, and the types of recovery solutions that organizations should implement.

LeClaire proliferationOrganizations protecting themselves from ransomware is a little bit like putting together a sports team. A good team will be able to play both defense and offense. The best teams will also have deep benches filled with backup players who can step in at a moment's notice when needed. For a strong ransomware offense, companies want to take some proactive measures that will attempt to keep ransomware out of all user and server-based systems. To get a jump start on potentially damaging ransomware attacks, it is imperative that you and your organization:

• Keep all of your software and operating systems up-to date. Ensuring that systems are up-to-date minimizes the chances that an exploit kit will be able to find an opening to exploit and deliver a ransomware package.
• Use antivirus software for virus detection on all systems. This is just good common sense to protect against ransomware at runtime. However, many organizations claim that antivirus software was not sufficient to keep them safe from ransomware.
• Educate users on security protocols. Make sure that your users understand that they should avoid clicking on untrusted emails and attachments. Untrusted websites can also be a source for ransomware so users should be advised against running software, including macros embedded in Microsoft office applications, from locations that may not be trustworthy.

For an impenetrable ransomware defense, it is important that the organization deploy countermeasures that can block the execution of ransomware and prevent it from encrypting data. This can be done by adhering to the following guidelines:

• Disable ActiveX content in Microsoft Office applications as code embedded in macros is a common infection vector.
• Have firewalls block TOR, I2P and restrict ports. Many ransomware variants require contact with a command-and-control server in order to encrypt files. Restricting access for unused IP ports and specifically blocking TOR and I2P can prevent these versions from successfully completing the required tasks.
• Block binaries from running from popular ransomware installation paths. Many ransomware variants install themselves and run out of a temporary directory. Blocking binaries from being able to run from these paths can possibly thwart the execution of these versions.

Finally, and most importantly, it's imperative that the business implement a good backup and recovery strategy. This is the surest way of guaranteeing that you can always recover data regardless of whether data loss occurred because of a hardware failure, human error, natural disaster, or ransomware attack.

In general we want to follow the "rule of three" for backup and recovery. The rule of three simply states that we want three copies of data, across two different media types (e.g. disk and cloud or disk and tape), with at least one copy off-site. This is good, sound advice but with ransomware it is important to consider a few more steps due to the unique nature of this type of data loss. For instance, make sure to backup data on all systems, not just the mission-critical ones. Ransomware can attack both Windows and Mac-based user systems and servers so be sure to protect all of your data for users and for business processes. While multiple copies of data are necessary, it's important to have some physical isolation between at least one copy of that data as that will help make sure that ransomware cannot spread across all copies of your data. After all, in the event of an attack, you will want to be able to roll the clock back to a point before being infected in order to avoid having to pay the ransom.
A good solution for ransomware protection will include both local and cloud-based backups. A hybrid cloud implementation provides many benefits. Using local backups, organizations can quickly recover infected systems with backups stored on the local backup appliance. Cloud-based backups provide an easy way to move copies of backups off-site. Cloud, unlike tape, enables this process to be fully automated and still get the isolation needed for maximum protection. Ideally, the backup solution will provide the following capabilities:

• Flexible cloud deployment options. Each organization may have different preferences for deploying cloud resources. Some may prefer a private cloud they manage themselves. Others may want a hyperscale implementation that utilizes a popular public cloud or perhaps a purpose-built.
• Instant recovery capabilities that provide the ability to spin up workloads in minutes from backups using the computing capabilities of the backup appliance to run those workloads while the production system is cleaned. Instant recovery allows organizations to minimize downtime from a ransomware attack and keep the business running.
• Linux-based backup software – not Windows-based. Most backup software runs on Microsoft Windows; therefore, these solutions are vulnerable to ransomware attack. In fact, having a Windows-based backup solution attacked is a worst-case scenario for ransomware intrusion. Running your backup software on Linux avoids this potential problem, because ransomware is not frequently attacking Linux based systems.

LeClaire lockData is the lifeblood of most organizations in today's digital world, and it is growing both in volume and in importance for every company. This is why IDC predicts that by the end of 2017, two-thirds of the CEOs of the G2000 will have digital transformation at the center of their corporate strategy.

A company's data includes its intellectual property, key customer information, critical financial information and even the very ideas that differentiate each organization from its competitors. As a result, we see improving data backup and recovery and business continuity projects at the top of most IT organization priority lists.
Organizations in the digital world are particularly vulnerable and staying protected is more challenging than ever before with new threats like ransomware, and new IT architectures and design patterns that increase the complexity of the task. IT cannot rely on old methods of data protection in this new era. They need to ensure business continuity for physical, virtual, and cloud-based environments and shift their thinking for basic backup and recovery to focus on complete business continuity. Companies of all sizes should consider technology platforms that feature a comprehensive, integrated portfolio of continuity services and solutions to protect data, provide disaster recovery, and proactively test and assure complete recovery of multi-tier applications. Today, business continuity is paramount. When evaluating available technologies, be sure to examine solutions that include integrated backup and recovery capabilities, multiple cloud options, disaster recovery and recovery assurance capabilities and services in one platform.

LeClair DaveDave LeClair is the vice president of product marketing at Unitrends, a leader in cloud-empowered data protection, disaster recovery and business continuity solutions. Visit www.unitrends.com for more information or follow the company on Twitter @Unitrends.