Ransomware strikes a business every 10 seconds. If your business gets hit, knowing how to respond can minimize the costs and associated downtime. How should a company react when ransomware is first observed? What steps should be taken? This San Diego Computer Consulting
“Best Practices Outline” will cover the steps your business should consider when a ransomware infection occurs.
What is a Ransomware Attack?
At its most basic level, a ransomware attack uses encryption malware to render data, and the systems and applications that depend on it, unusable, and then extorts the owners of the encrypted assets for a payment. The attackers promise a decryption tool or key only after payment has been made, and even then delivery is not guaranteed.
The ability of ransomware to propagate across a company’s network can cause catastrophic downtime that cripples an organization and often leads to financial ruin. The cost of downtime is often 10-100 times the ransom amount demanded. In a typical attack, once a machine or network has been encrypted, ransom notes are dropped in prominent places (the desktop wallpaper, a text file in every encrypted folder) so that victims spot them easily.
Most ransom notes pressure the victim to pay quickly by stating that the amount will escalate if the victim waits too long. The typical ransom is around $5,000, but it can be smaller for individual consumers and far larger for enterprises. A victim who chooses to pay must procure cryptocurrency (usually Bitcoin). Procuring cryptocurrency is time consuming and laborious for the average victim, so much so that ransom notes often include instructions on how to acquire it quickly.
How Ransomware Spreads
Attackers primarily use the following vectors to infect a machine:
- Vulnerable, Internet-exposed services and ports
- Unpatched software
- Phishing emails
- Compromised websites
- Social media
- Advertising (malvertising) and free software downloads
Ransomware may encrypt only the files on a single computer, or it may be built to move through connected drives and devices without further instruction. When a network has been breached, the attacker typically uses other tooling to move laterally and plant ransomware across as much of the network as possible.
How to Stop Ransomware from Spreading
An infected machine should be physically disconnected from every network it is attached or mapped to, including any NAS devices, USB sticks, or external hard drives; wireless connectivity should be turned off as well. Once disconnected, leave the machine alone: do not power it off or reboot it, and do not run anti-virus scans. A reboot may resume encryption through a persistence mechanism and destroys volatile evidence (the running process and its memory), an anti-virus scan can quarantine the very executable and ransom notes needed to identify the strain, and any further writes to already encrypted files can make them unrecoverable later.
To Employees: If you see something, say something
Ransomware frequently spreads through a company’s network because employees are afraid to report it. An Intermedia report found that 59% of employees would choose to pay a ransom out of their own pocket in order to avoid having to tell their employer. An employee who does not immediately inform IT of a possible ransomware attack is putting the fate of the entire company at risk. One of the most important variables in recovering from ransomware is responding to it as soon as possible. Cultivating a culture where employees are not afraid to raise their hand when they notice a possible problem is key. Hiding a possible ransomware infection for too long could imperil the operability of the company and jeopardize its future. Encourage employees to notify IT the minute they see something suspicious.
Lock your network down – kick the hackers out and keep them out!
The vast majority of ransomware attacks begin with attackers forcing their way in through Internet-exposed remote services, above all RDP (Remote Desktop Protocol). That means they have a foothold on your network and have likely harvested administrative credentials, moved laterally, and staged ransomware executables as they went. They have probably also tried to encrypt or wipe your backups so that paying is your only option. All of this takes an attacker time, so an attack noticed early can still be thwarted. If you notice suspicious activity, your first priority is to block inbound RDP at the perimeter firewall, along with any other remote-access service. Network attached storage exposed to the Internet should be closed off immediately. Next, change all administrative credentials, including service accounts; if domain compromise is suspected, also reset the krbtgt account (twice, with a delay between resets), since changing admin passwords alone does not invalidate forged Kerberos tickets. If possible, reset all user passwords, in case the attacker elevated from a single compromised employee account. If your backups have not been compromised, put two-factor authentication in front of every account that can reach them so the attackers cannot get to your backups.
Being confident that the attackers no longer have access is important for peace of mind during recovery and forensics. Once you are confident the network is secure, review log activity (firewall, VPN, and Windows Security logon events) and user sessions to establish the time frame of the attack. SDCC will assist you in this process.
Inspect all machines and document the ransomware infection.
Every machine and data store on the network should be surveyed for signs of encryption, including all backups, and all cloud storage (AWS, DropBox, Google, Microsoft One…etc.) should be checked as well. Once inspected, infected devices should be cataloged by name, type, size and extent of encryption. Ransom notes, the unique extension appended to encrypted files, and any victim ID printed in the note should also be recorded so that the extent of the attack can be readily understood by IT, your management team, and your recovery firm. Written documentation, rather than an oral explanation, can shave hours off a recovery and streamlines engaging an external team to assist.
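A survey script of the kind this step calls for, added here as an example and not San Diego Computer Consulting’s own tooling. It walks a directory tree, flags likely ransom notes by name, flags files whose header has the near-random byte distribution of encrypted data (while ignoring formats that are compressed by nature), tallies the extension the ransomware appended, and writes the findings as CSV for the written incident record. The note-name tokens, the entropy threshold and the list of normally high-entropy formats are assumptions chosen for illustration; extend them per incident.

```python
"""Survey a directory tree for signs of ransomware encryption and catalog the results.

Added example (not SDCC tooling). Name patterns, entropy threshold and the
"normally high-entropy" format list are assumptions for illustration.
"""
import csv
import math
import os
import socket
import sys
from collections import Counter
from pathlib import Path

# Assumed heuristic: ransom notes are small text/HTML files whose names contain
# one of these tokens. Real note names vary by strain.
NOTE_TOKENS = ("DECRYPT", "RESTORE", "RECOVER", "README", "RANSOM", "HOW_TO", "HELP")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}

# Formats that are compressed or encrypted by design; high entropy alone is not
# suspicious for these.
HIGH_ENTROPY_NORMAL = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg", ".gif",
                       ".mp3", ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}

ENTROPY_THRESHOLD = 7.2   # bits per byte; encrypted data approaches 8.0
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(path: Path) -> bool:
    name = path.name.upper()
    return path.suffix.lower() in NOTE_SUFFIXES and any(tok in name for tok in NOTE_TOKENS)


def looks_encrypted(path: Path) -> bool:
    """High entropy in the file header where a structured/plaintext format was expected."""
    if path.suffix.lower() in HIGH_ENTROPY_NORMAL:
        return False
    try:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return False
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def survey(root) -> dict:
    """Walk `root`; return notes, suspect files, and counts of appended extensions."""
    root = Path(root)
    catalog = {"host": socket.gethostname(), "root": str(root),
               "notes": [], "suspect": [], "extensions": Counter(), "total": 0}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        catalog["total"] += 1
        if is_ransom_note(path):
            catalog["notes"].append(str(path))
        elif looks_encrypted(path):
            catalog["suspect"].append(str(path))
            # Ransomware usually appends a strain-specific extension (often carrying
            # a victim ID); tallying it fills the "unique extension / ID" field.
            catalog["extensions"][path.suffix.lower() or "<none>"] += 1
    return catalog


def write_catalog(catalog: dict, csv_path) -> None:
    """Write per-file findings as CSV rows for the written incident record."""
    with open(csv_path, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["host", "kind", "path", "size_bytes"])
        for kind, paths in (("ransom_note", catalog["notes"]),
                            ("suspect_encrypted", catalog["suspect"])):
            for p in paths:
                w.writerow([catalog["host"], kind, p, os.path.getsize(p)])


if __name__ == "__main__":
    result = survey(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{result['total']} files, {len(result['notes'])} ransom notes, "
          f"{len(result['suspect'])} suspect files; extensions: {dict(result['extensions'])}")
```

Run it read-only from a clean workstation against the mapped share or an image of the disk, not on the infected machine itself; the entropy check reads only the first 4 KB of each file, so it is safe on large shares, and the CSV is what you hand to management and the recovery firm.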
Catalog encrypted data vs available backups
SDCC’s standardized practice is to maintain encrypted, offsite backups mirrored every 24 hours. The list of encrypted machines should be reconciled against the daily backup reports, which should state each machine’s backup status (full or incremental, succeeded or failed) and identify any encrypted machine that has no backup at all. Complete this documentation as thoroughly and as quickly as possible.
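The reconciliation described above, as an added example rather than SDCC’s backup tooling. Given the time encryption was first observed on each host (from the survey) and a backup product’s daily report records, it finds the last successful backup that completed before encryption began, computes the data-loss window, and flags two cases a practitioner needs to see at once: hosts with no usable backup, and backups that completed after encryption started and may therefore contain encrypted data. The record layout and the sample hosts, times and statuses are constructed for the example.

```python
"""Reconcile encrypted hosts against daily backup reports.

Added example (not SDCC tooling). The report layout (host, completion time,
kind, status) is an assumption; map your backup product's export onto it.
"""
from datetime import datetime, timedelta

# Constructed sample: host -> time the first ransom note / encrypted file was seen.
ENCRYPTED_HOSTS = {
    "FS01": datetime(2019, 3, 9, 2, 15),
    "SQL01": datetime(2019, 3, 9, 2, 40),
    "WS-ACCT-7": datetime(2019, 3, 9, 3, 5),
    "NAS01": datetime(2019, 3, 9, 2, 0),
}

# Constructed sample report records: (host, completed, kind, status).
BACKUP_REPORTS = [
    ("FS01", datetime(2019, 3, 7, 23, 30), "full", "complete"),
    ("FS01", datetime(2019, 3, 8, 23, 30), "incremental", "complete"),
    ("SQL01", datetime(2019, 3, 7, 23, 45), "full", "complete"),
    ("SQL01", datetime(2019, 3, 8, 23, 45), "incremental", "failed"),
    ("NAS01", datetime(2019, 3, 5, 23, 0), "full", "complete"),
    # Ran after encryption began on NAS01: may have captured encrypted files.
    ("NAS01", datetime(2019, 3, 9, 2, 30), "full", "complete"),
]


def last_good_backup(host, encrypted_at, reports, stale_after=timedelta(hours=36)):
    """Return (record or None, verdict, tainted_count).

    Only backups that completed *before* encryption began count; anything that
    finished later is counted as tainted because it may hold encrypted data.
    """
    mine = [r for r in reports if r[0] == host]
    tainted = sum(1 for r in mine if r[1] >= encrypted_at)
    good = [r for r in mine if r[3] == "complete" and r[1] < encrypted_at]
    if not good:
        return None, "NO_BACKUP", tainted
    rec = max(good, key=lambda r: r[1])
    verdict = "RESTORABLE" if encrypted_at - rec[1] <= stale_after else "STALE"
    return rec, verdict, tainted


def reconcile(encrypted_hosts, reports):
    """One row per encrypted host, ordered by when encryption was first observed."""
    rows = []
    for host, enc_at in sorted(encrypted_hosts.items(), key=lambda kv: kv[1]):
        rec, verdict, tainted = last_good_backup(host, enc_at, reports)
        rows.append({
            "host": host,
            "encrypted_at": enc_at,
            "last_good": rec[1] if rec else None,
            "kind": rec[2] if rec else None,          # an incremental needs its full chain
            "data_loss_window": (enc_at - rec[1]) if rec else None,
            "tainted": tainted,
            "verdict": verdict,
        })
    return rows


if __name__ == "__main__":
    for row in reconcile(ENCRYPTED_HOSTS, BACKUP_REPORTS):
        print(f"{row['host']:<10} {row['verdict']:<10} last_good={row['last_good']} "
              f"loss={row['data_loss_window']} tainted={row['tainted']}")
```

A RESTORABLE verdict is a starting point, not a guarantee: an incremental is only restorable if its preceding full backup is intact, and a tainted count above zero means the backup system itself was reachable during the attack and its later copies must be quarantined rather than trusted.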
Take a time-out and assess your operability
Once a full inventory of the network is established, you should have a fairly complete picture of the operability of your IT infrastructure. Be sure to contact all persons and departments impacted by the infection and discuss their operability. The questions below should be asked and discussed internally with executive stakeholders to determine the relative urgency of your unique situation:
- Is each person or department able to conduct business?
- Can the company get through a payroll?
- Can customers receive orders and communicate with you?
- Can you invoice customers and interact with your supply chain?
- Are you in, or at risk of being in, violation of any service level agreements because of your impaired operations?
If the answers above point to a critical situation, be prepared for a significant time commitment from both staff and the organizations assisting with recovery. Keeping an even keel helps avoid impulsive decisions that can have permanent and catastrophic results; working with an experienced ransomware recovery partner such as SDCC (or its contract ransomware recovery groups) supports competent decision making and appropriate action.
Is there a chance the ransom will need to be paid?
If any critical data was encrypted by the ransomware, and backups are either unavailable or corrupted, then there is a chance engaging with the hacker and paying the ransom is necessary. Although a last resort, it is widely understood that if data loss is not an option, then negotiating for and paying a ransom may be a necessary path to recovery.
If this is the case, a common mistake is to delay engaging with the hacker. Contact should be made soon so that parallel efforts can be under way simultaneously. Searching for viable backups for encrypted data while establishing contact and negotiating with the hacker means you’ll be exploring all options in parallel. If working backups are uncovered down the line, then communications with the hacker can be dropped.
However, by waiting to make contact, you may risk making the worst-case scenario even more dire. The hacker may have abandoned their email, or you may be more desperate than you initially thought. If you do need to contact the hacker, don’t do it yourself, but utilize the expertise of an experienced data recovery team. When your business is held hostage and emotions are running high, a trained incident response professional such as SDCC (and its ransomware recovery groups) can streamline and improve your recovery.
Determine the ransomware strain you have
There are several free resources available that can assist in the identification of the ransomware you have, but there are also several bad resources that will take advantage of your situation monetarily and otherwise. SDCC and its ransomware recovery group will take the guesswork out of this process and adhere to your RIGHTS AS A RANSOMWARE VICTIM. These rights include:
Decryption Truth – A victim of ransomware deserves to know whether the strain observed can be decrypted without paying the attacker. Either the strain has been broken by the security community and a free decryptor exists, or the only way to decrypt is to buy the key from the attacker. Some data recovery firms claim to decrypt ransomware using ‘proprietary technology’ when they are quietly paying the attacker without the victim’s knowledge and charging restoration rates well beyond what was paid. This practice is unethical.
Right to Negotiate – Any victim of ransomware who is forced to pay deserves the opportunity to negotiate a price they can afford. Ransomware disproportionately impacts small businesses, and for them the ransom itself, regardless of the lost data, can be an existential risk. Victims deserve the opportunity to negotiate, or to have a service provider negotiate on their behalf. Help with negotiation can be crucial, as typical demands run to multiple thousands of dollars. No business deserves financial ruin because of ransomware or because it could not afford an attacker’s opening demand.
Right to Cost and Process Transparency – Any victim of ransomware has the right to understand how much a service provider will charge, how the process will work, and access documentation that supports and justifies both. Too often service providers take advantage of the high emotion that comes along with a ransomware attack and can deceive victims with predatory restoration pricing. Sometimes, the hackers themselves will (selfishly) warn victims about cost of third party recovery options.
Resources to leverage:
No More Ransom (nomoreransom.org) and ID Ransomware are publicly available resources that can help identify the strain. Have a copy of the ransom note and a sample encrypted file ready. Choose a sample that contains no cardholder (PCI) data or other confidential information, since the file is uploaded to a third party.
Submitting your information directly to San Diego Computer Consulting will entitle you to a quick assessment of your situation. This will start the process of identifying the ransomware and determining the best course(s) of action.
Use the ransomware identification to inform your strategy
At any given time there are dozens of ransomware variations in circulation. Ransomware variants have unique attributes that inform how the decryption process works. The cyber criminals that distribute ransomware also have their own unique attributes on how they target companies, how they negotiate (or don’t), how technologically astute they are, and most importantly – how economically rational they are. When combined with the desperation of a victim company, the permutations of these ransomware variants can be bewildering. However, when you understand the main attributes of your ransomware, and have identified the urgency of your situation, then San Diego Computer can help you to identify and develop a strategy.
As an example, if your company had no backups, a high budget, and high urgency after being attacked by a more well-known ransomware agent, the decision to pay the ransom would be relatively straightforward given the high likelihood of recovering data. Conversely, a company with low urgency, minimal budget that was attacked by an agent with a history of high cost and low data recovery rate, would likely opt not to engage with the hackers or bother paying.
The Ransomware recovery stage: Making copies, killing malware, and decrypting data
Generally, ransomware recovery consists of a combination of backup restore, ransom payment and data loss. The proportions in each bucket will determine how successful the recovery will be.
Restoring from a backup
Any company without backups dances on the edge of a black hole where a single ransomware attack can easily bankrupt a business. San Diego Computer uses SolarWinds™ cloud-based server backup systems with daily off-site mirroring to maintain the security of our clients.
If you do have complete or partial backups, the first step is to ascertain the condition of your backups. San Diego Computer’s cloud-based system backups are monitored daily and an individual report is generated for each server every 24 hours. Problems related to any individual server backup are reported to the client daily. The other variable in the restore process is time. Restoring huge volumes of data can take a great deal of time. Prioritizing which portions should be restored first can have a material impact on restoring operability to your company (hence the importance of cataloging your critical systems up front).
San Diego Computer does not use or recommend Volume Shadow Copies as a restore source, since the vast majority of ransomware deletes them (typically via vssadmin or WMI) as a standard step of the attack.
How to Remove the Ransomware Executable
Most ransomware deletes itself once the encryption process completes. This is by design: it keeps samples out of the hands of analysts and leaves less on disk for anti-virus to detect.
Occasionally the ransomware remains on a machine. If that machine is to be restored with a decryption tool, the malware must be removed first, or it may re-encrypt the restored files. Endpoint software can locate the executable, as can a manual review of the running processes in Task Manager.
Keep in mind that in the long term, any infected machine should be wiped and rebuilt, so don’t feel shy about killing any non-critical executable.
Make a copy of your encrypted data
Before we get into negotiating with cyber criminals and paying for decryption keys, the first step to take if you have decided you need to pay a ransom is to make a copy of all your encrypted data. Even if this seems unfeasible, it should be considered.
Even though paying for decryption keys has a relatively high success rate, there is always the risk of data loss or file corruption during the decryption process. It is worth having a copy of everything just in case. Also, free decryption tools may be available in the future, and you want to use them.
Paying the ransom and receiving decryption keys
In cases where backups don’t exist and data loss is not an option, your only course is to engage the hacker and try to safely negotiate the release of decryption keys. San Diego Computer can assist with this process as we do not recommend undertaking this option on your own. In an emergency situation, interacting with cyber criminals and fumbling with crypto currency is not a good strategy. The urgency of the situation is something that cyber criminals will take advantage of. San Diego Computer and their incident response team can save significant time and money through their security expertise and knowledge of your local business. Downtime is a business killer and our goal is to focus on recovery as soon as possible.
Procuring bitcoin in a hurry is extremely difficult. Most bitcoin exchanges take days or weeks to approve new accounts. Funding a new account can take time as well, as traditional banks can cause friction during the funding process. Additionally, most bitcoin exchanges take measures to prevent users from paying ransomware from their accounts. These measures include withdrawal speed bumps (you can buy, but can’t transfer), and blocking known hacker wallets. Meanwhile business downtime continues to accrue. San Diego Computer has established Bitcoin accounts to streamline this process if necessary.
How to decrypt files encrypted by ransomware
Every type of ransomware has unique quirks and nuances. San Diego Computer’s incident response team maintains updated documentation on most types of ransomware so you can expect the use of verified decryption tools. Despite their differences, SDCC has developed a few best practices. We help ensure that original external drives, shared or mapped drives, are remapped and reconnected in the way they were at the time of the original encryption. If any datastores are not reconnected, the decryption tool will neither locate them nor decrypt the underlying data.
After the Attack is Over, How to Protect Against Ransomware
Never let a crisis go to waste: treat it as a learning experience. San Diego Computer will help you better protect your business for the future. Below is a short list of security and continuity tools every organization should implement after a ransomware attack.
Backups: Investing in bomb proof, properly partitioned backups and off-site mirroring systems can save your company from bankruptcy. It is just that simple. San Diego Computer specializes in off-site backup services to meet the needs of all customers.
Endpoint and AV: Invest in high quality endpoint and Anti-Virus protection. Malware and ransomware WILL get in, endpoint and AV can limit the damage and maintain continuity. Ensure RDP ports are well secured.
Security Awareness Training: Your employees are the weakest link and always will be. Invest in security awareness training as you would in HR training. Create a culture that encourages employees to raise a red flag and report IT issues. It could save your company.
If you have further questions, or are experiencing a ransomware attack and need help, please contact us.
Don’t Become a Ransomware Target – Secure Your RDP Access Responsibly
Most businesses assume they are too small to be targeted by hackers. How would a hacker even find the digital footprint of a small company with only a few IP addresses? Since a vast majority of ransomware attacks exploit Remote Desktop Protocol (RDP), the answer is clear: It does not matter how large or small you are, if you are using RDP and not securing it properly, you are being actively targeted.
RDP is a common protocol used by businesses of all sizes, and if you are not employing a multi-layered approach to securing RDP access, then it is only a matter of time before the resilience of your backups is tested via a ransomware attack that encrypts your entire network. If you are not using two-factor authentication (2FA) and least privilege principles to access critical security systems, then you are truly playing roulette with ransomware. San Diego Computer can help review your security systems to meet the best criteria for blocking unwanted system access.
What Is RDP and Why Is It a Popular Attack Vector for Ransomware?
Remote IT access has been popular with service providers for decades because it lets them point and click through any system from their own location (via Remote Desktop Protocol) rather than being on site. RDP dramatically lowered the cost and complexity of troubleshooting support issues and helped the modern Managed Service Provider industry grow, evolve, and avoid costly on-site client visits.
Like most conveniences, RDP has a serious shortcoming: an RDP endpoint exposed to the Internet is a standing invitation to every attacker on it. A valid RDP logon looks like ordinary administration, so it rarely trips endpoint protection, and from an interactive session lateral movement between network segments (and into backup systems) is simple, which makes it the perfect access point for planting ransomware.
How Do Ransomware Hackers Breach a Company via RDP?
Attackers generally breach Remote Desktop Protocol by:
- Locating exposed RDP endpoints with port scans or Internet-wide scan search engines, then brute-forcing the credentials.
- Purchasing leaked credentials from online (typically foreign) crime forums and marketplaces.
- Phishing and other email trickery of an employee of a company to gain access and control of their machine. Then brute-forcing RDP access from inside the network via the compromised machine.
There are tens of thousands of corporate RDP credentials available for purchase for as little as $3 on dark web marketplaces. The wide availability of hacked RDP credentials is low-hanging fruit for cyber criminals looking to launch ransomware attacks. If ransomware like “Dharma” or “SamSam” strikes, it’s likely not the initial breach. The first breach likely led to the compromise of RDP access credentials that were subsequently sold to the ransomware hacker.
What Happens After a Hacker Gains Access via RDP?
Once in the network, the attacker uses credential-theft tools such as mimikatz to harvest administrative credentials and elevate privileges across the domain. Those privileges are then used to disable anti-virus and two-factor authentication, and to wipe or encrypt backups.
The attacker will typically take notes on the network so that they understand the topology of the environment they are about to cripple with ransomware. These notes help them anticipate how the company will respond, how to curtail that response most effectively, and how to maximize the odds of receiving a ransom payment.
Hacking is not a passive process. Once a foothold is established, the attacker waits for an optimal moment before pushing the ransomware executables into the most valuable parts of your network. Nights, weekends and holidays are common, as are periods critical to your business, such as tax season for an accounting firm. The executables encrypt PCs, servers, databases, applications and any backups the attacker has discovered and gained access to. Once complete, the ransomware executables generally delete themselves and leave nothing behind but encrypted files and ransom notes.
What Are Best Practices for Securing RDP from Ransomware?
In general, RDP should only be used when necessary. However, if RDP must be used, then it should be secured with the following measures:
- Limit RDP Access: Do not expose RDP directly to the Internet; require a VPN (or a remote desktop gateway) in front of it, enable Network Level Authentication, and restrict access to a whitelist of IP ranges. Changing the default port (3389) reduces noise from mass scanners but is not a security control on its own. Enforce account lockout so that brute-force attempts trigger lockout and admin alerts.
- Two-factor authentication (2FA): The vast majority of corporate ransomware attacks could be thwarted by enabling two-factor authentication on remote sessions and all remotely-accessible accounts.
- Endpoint & alternative solutions: Today’s endpoint solutions can detect anomalies in network usage (such as an in-office workstation attempting opening a RDP session) and stop them before damage is done. Additionally, several new products offer alternatives for remote access that are more secure than RDP.
- Least Privilege: Users who do not need access to important internal services should not have it. Double check your permissions and make sure employees have the minimum access required to do their job. Accounts that can reach critical systems, including backups, should have 2FA.
- Disaster Recovery: Should RDP configurations become compromised, it’s critical that a company’s BCDR plans be codified and up to date. Backup systems should have up-to-date, on-site and off-site versions of all critical data. San Diego Computer is here to assist with all of these processes and will be on standby in case the unthinkable ransomware infiltration happens.
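Both the lockout and anomaly items above and the earlier step of reviewing log activity to establish the attack time frame come down to the same analysis of Windows Security logon events, so one added example serves both. It is not SDCC’s tooling. The records are constructed to resemble exported event log entries: 4625 is a failed logon and 4624 with LogonType 10 is a successful RemoteInteractive (RDP) logon. The script flags source addresses that produced a burst of failures (the condition a lockout policy should trip on), lists RDP logons that deserve scrutiny (a success from a brute-forcing source, a session originating on a workstation, or a session from outside the admin network), and reports the resulting attack window. The subnet roles, hosts, accounts and addresses are assumptions made for the example.

```python
"""RDP brute-force detection and attack-window reconstruction from logon events.

Added example (not SDCC tooling). Event records are constructed; subnet roles are assumptions.
"""
from collections import namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed network roles for this example; adjust to the real address plan.
WORKSTATION_NETS = [ip_network("10.0.20.0/24")]
ADMIN_NETS = [ip_network("10.0.10.0/24")]   # e.g. the VPN pool admins land on

Event = namedtuple("Event", "time event_id logon_type host account src")


def T(hhmm):
    """Constructed timestamps, all on one day, for the sample below."""
    return datetime(2019, 3, 9, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample log: a password-spray against SRV-FS01 from an external
# address, a success as a different account, then RDP from a workstation to the
# SQL server; plus benign noise (two typos by jsmith, an admin over VPN).
EVENTS = [Event(T(f"01:{m:02d}"), 4625, 3, "SRV-FS01", "administrator", "203.0.113.45")
          for m in range(9)]
EVENTS += [Event(T("01:08"), 4625, 3, "SRV-FS01", "admin", "203.0.113.45")] * 3
EVENTS += [
    Event(T("01:09"), 4624, 10, "SRV-FS01", "backupadmin", "203.0.113.45"),
    Event(T("01:40"), 4624, 10, "SRV-SQL01", "backupadmin", "10.0.20.17"),
    Event(T("08:55"), 4625, 3, "SRV-FS01", "jsmith", "10.0.20.9"),
    Event(T("08:56"), 4625, 3, "SRV-FS01", "jsmith", "10.0.20.9"),
    Event(T("09:00"), 4624, 10, "SRV-FS01", "itadmin", "10.0.10.5"),
]


def brute_force_sources(events, threshold=10, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed logons inside any `window` span.

    Returns {src: (first_failure, last_failure_of_the_burst)}.
    """
    fails = {}
    for e in events:
        if e.event_id == 4625:
            fails.setdefault(e.src, []).append(e.time)
    flagged = {}
    for src, times in fails.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[src] = (times[lo], t)
                break
    return flagged


def in_nets(ip, nets):
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def suspicious_rdp_sessions(events, flagged):
    """Successful RDP logons (4624 / LogonType 10) worth investigating, with a reason."""
    out = []
    for e in events:
        if e.event_id != 4624 or e.logon_type != 10:
            continue
        if e.src in flagged:
            out.append((e, "success after brute force"))
        elif in_nets(e.src, WORKSTATION_NETS):
            out.append((e, "RDP from a workstation (lateral movement)"))
        elif not in_nets(e.src, ADMIN_NETS):
            out.append((e, "RDP from outside the admin network"))
    return out


def attack_window(events):
    """(earliest, latest) timestamp across flagged bursts and suspicious sessions."""
    flagged = brute_force_sources(events)
    sessions = suspicious_rdp_sessions(events, flagged)
    times = [t for span in flagged.values() for t in span] + [e.time for e, _ in sessions]
    return (min(times), max(times)) if times else None


if __name__ == "__main__":
    flagged = brute_force_sources(EVENTS)
    for src, (first, last) in flagged.items():
        print(f"brute force from {src}: {first:%H:%M} to {last:%H:%M}")
    for e, why in suspicious_rdp_sessions(EVENTS, flagged):
        print(f"{e.time:%H:%M} {e.src} -> {e.host} as {e.account}: {why}")
    print("attack window:", attack_window(EVENTS))
```

The window this produces is a lower bound: it starts at the first observed failure and ends at the last suspicious session in the export, so pull logs from every server and the VPN and firewall as well, and treat the earliest flagged time as the point before which backups can be trusted.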
What Will Happen If I Don’t Secure My RDP Access?
In short, you ARE being actively targeted if you continue to use RDP access without proper security protocols in place. How well your defense efforts will hold up to an RDP based attack is the only question.
In 2018, over 90% of ransomware attacks began with RDP compromise, making it the most common attack vector by an order of magnitude. It is typical for ransomware attacks to cause at least 4 days of downtime. Organizations like “No More Ransom” that educate the public about ransomware and provide free decryptors can be helpful, but they are not a recovery plan a company can rely on. Most current ransomware uses sound encryption that cannot be broken without the attacker’s key. Without functional backups, victims may have no choice but to consider paying the attacker as part of their recovery plan, or accept the data loss.
If you would like to bolster your disaster recovery and incident response plan, contact San Diego Computer for more ideas.