Ransomware

10th Aug 2021

Ransomware – it’s a term that is banded around a lot these days and the very nature of its words can strike fear into the heart of IT and strategic leaders… Someone is holding you to ransom.

This is a quick explainer (in light technical words and focused on mitigation and strategic planning) for those that don’t know about how it works and how to avoid it …or act against it

Ransomware, like malware is just software that is used to hold business and private users’ information to ransom, for what else but money and sometimes lot of it.

Ransomware can take many different forms but works very similarly in that it securely encrypts data files so that the original owner can’t access them, until they pay a ransom. Only when they pay the ransom are you (hopefully) given the keys to unlock the security.

Ransomware

 

Ransomware Lifecycle

Deployment, Evade, Reconnaissance, Elevation, Payload

Deployment - Can take many different forms, but generally use a number of standard ways.

The weakest link in most IT systems are the humans, as we are prone to making ill informed or even darn right stupid decisions if we are enticed in the right way. The most common way is via links in email, IMs, etc that make a person click on something they believe is of interest that is actually malicious software.

Evade – Once inside if the ransomware can evade IT systems designed to prevent intrusion, then it has passed the first hurdle…and let’s be clear no network is 100% secure from intrusion but applying layers of security can help reduce the attack surface….more on this later

Reconnaissance – The ransomware will spread across the network looking for a number of items like data file structure, log files, backups, etc so it can understand how/what it can encrypt and what it will need to delete to cover its tracks and make resolving the issue hard

Elevation - If possible, it will try and find ways to get better rights. This may be by trying to login as a higher privileged user or finding a weakness in a security system

Payload – Once ready the ransomware will deploy, encrypting files, deleting backups and causing as much havoc as a small explosion within your data files.

Ensign Divider

 

Resolving

Ransom - What the criminals want is for you to pay the ransom (obviously), usually in the form of Bitcoin and to a value of many thousands of pounds/dollars. Once this is done, they will (or may not) provide the decryption key and you can try and recover.

Restoring Backups – If (and it’s a big if) you have backups that haven’t also been corrupted, deleted or encrypted you may be able to restore your IT systems. However, the ransomware usually does its best to go after backups too to ensure this is not a valid option

Impact

  • It’s obvious but loss of money by paying the ransom
  • Probably more important - Loss of IT systems meaning staff can’t operate as normal, with potential knock on to the service you provide your customers
  • Reputational loss – If investors, customers, suppliers find out about the compromise they may change how they interact with you or may even stop working with you
  • Increase staff and 3rd party costs for time to recover – The time to recover, even with a decryption key can be vast, burning lots of time and expense
  • Potential regulatory fines (GDPR, PCI) – If personal data is lost the Information Commissioner will need to be involved and fines may be levied for breaking data privacy regulation
  • Ongoing issues - even after decrypting systems, they still may not be working as expecting. Data structures may be malformed, some systems may not be recoverable, all adding up to more time and cost

 

Ok, so you may be saying “this is all very interesting, but So What. Why should I care, how does it affect me?” etc

Having many conversations across different levels of seniority and roles, some common responses are:

“We are too small, why would someone hack us”

“We don’t have any useful info that people will want”

“We’ve never been hacked before”

“We’re secure”

“Our systems and processes can deal with this”

All of which are generally untrue to differing levels

  • No company is too small to not be worth extorting for free money
  • Your data may not be useful to others, but its useful to you and that is why you can be targeted
  • Unless you have military grade protection how do you know you haven’t been hacked before, as hackers will work under the radar, they don’t come in with a big crash. Many major hacks have lain undetected for months before they deploy.
  • Your systems and processes may be able to handle this, but do you want to put them to the test by being held to ransom

Ensign Divider

 

Preparing/Mitigating

So as with so much in life having a plan prior to an issue is always better than trying to deal with an issue once it’s happened.

  1. Having a robust and tested Disaster Recovery plan in place that outlines the processes to follow in the event of such an attack is crucial…..and test, test, test
  1. Applying multiple layers of security that can Protect, Detect and Intervene, preferably autonomously without the need for a human…. This is where we can help you, see below

Secure perimeter/secure edge

It’s getting harder to secure the network perimeter as its constantly moving and fuzzy as workers now don’t necessarily always work from a centralised location. Therefore, protecting your central perimeter, remote workers and cloud systems is vital.

More info:

 

Network segmentation

Defining different classes of user and access allows for defined segmentation of the network, so that security policies can be applied granularly between each sub-section, which will help control the spread of malware and protect the most sensitive areas of your network.

More info:

 

Network Admission Control (NAC)

Absolutely everyone and everything that touches your network should be authenticated, whether its users, laptops, guests, printers, CCTV, etc as only in this way can you ensure that only valid devices/users are gaining access.

By deploying NAC, granular policies can be created around Who, What, Where, When meaning that different classes of users and devices get different access/segmentation, protecting your network infrastructure.

More info:

 

We will be releasing another blog very soon focusing just on NAC….watch this space

 

Untitled design (28)

 

Anomaly Detection and Intervention

The final piece of the jigsaw and some would say the most important, is understanding how users and devices use the network infrastructure. Crunching this data and providing intelligent Machine Learning to look for patterns that are suspicious and taking fast and automated actions to shut down any potential issues.

We’re not talking network performance monitoring here, but full Deep Packet Inspection to identify traffic patterns and the users and devices connecting so that if anything out of the ordinary is detected (anomaly detection) positive action can be taken to block malicious data flows.

More info

 

In summary

Combining multiple technologies and strategies is key

  • With a secure perimeter/edge you can minimise ransomware gaining access to your network
  • With segmentation you can limit the spread of ransomware if it finds its way in
  • With NAC, you can ensure only the permitted users and devices can access your network and are segmented based on the Who, What, Where, When criteria
  • If Ransomware does still get into the network use Machine Learning to look for anomalous traffic and users and shut them down before they become a threat