02/25/2021

Ransomware is for Everybody

The Hacker News has an article out on Ransomware that is worth a read if you are involved in IT and want a primer to get up to speed on this kind of attack. Ransomware is a kind of malware that, by any of several means, locks you out of your data and then offers to unlock it if you pay the bad guys money. Historically there were different ways of locking you out, but these days it's almost exclusively cryptographically encrypting your data and then deleting the unencrypted files. Some bad guys will copy the data to some place outside of your organization before encrypting it. That gives them leverage over you in two ways: A) your data is encrypted and you can't access it; while B) they can access your data and do whatever they want with it, like release it to the public. I don't know about you, but that is nightmare fuel to me.

Too many small and medium sized companies believe that only large companies are hit with this type of attack, but in reality that isn't true; it's just the big ones that make the news. From the article, these are the criteria attackers use in picking ransomware targets:

  • Easy to evade defense. Universities, small companies that have small security teams are an easy target. File sharing and an extensive database make the penetration simple for attackers.
  • Possibility of a quick payment. Some organizations are forced to pay a ransom quickly. Government agencies or medical facilities often need immediate access to their data. Law firms and other organizations with sensitive data usually want to keep a compromise a secret.

So they're picking their targets, and you and I are within the target population. Next, let's look at how they get the malware into an organization to steal and encrypt the data. Again from the Hacker News article:

  • Email (spam)
  • Watering Hole attack
  • Malvertising
  • Exploit kits
  • USB and removable media
  • Ransomware as a service
  • Zero days

Email, exploit kits, USB and removable media, and zero day exploits could all be targeted to a specific organization. But are the rest? A "Watering Hole attack" is where attackers poison a website they know you go to so you'll get infected on your next visit. That is targeted; I just hope you don't go to that website too and get infected as an innocent bystander. "Malvertising" is malware published through advertising, which doesn't sound particularly "targeted" to me. And if the email is spam and not targeted phishing, then it can infect anyone as well.

Conclusion

My point here is that the attackers have criteria that can include your company, but even if you aren't specifically targeted, ransomware can still infect your system and block your access to your data and systems. Once on your network, most of the current generation of ransomware will look to expand to other computers by looking for known vulnerabilities and exploiting them. If the malware itself doesn't do it, then the attacker can use the foothold on your system to expand to others on your network. So what should you do about it?

Here is my 6 point plan for not getting infected with ransomware:

  • ....

Hold up. There is no plan for 100% not getting infected with ransomware or any other kind of malware. Anyone who tells you so is an unethical salesperson or very misinformed. So let's try this; here is my 6 point plan to limit the chances of getting infected and mitigate the loss when/if you do:

  • Realize there is no such thing as 100% safe and plan for the worst; and
  • Get training for everyone on recognizing all kinds of phishing (email, voice, in person); and
  • Keep firewalls updated and audit the rules to make sure you know what is allowed in/out; and
  • Run a virus scanner on your computers and keep it updated; and
  • Keep those computers updated with vendor patches; and
  • Backups: have backups of critical data, keep offline copies, and occasionally test those backups to make sure they actually restore; and
  • Have your security tested.

Obviously if you're in a larger company with a fully stacked IT department there is a lot more you can do. This is just the baseline. As for that last step, well...I know a guy.

Learn more about our internal or "assumed compromise" test today. Our certified pentesters will analyze your network to provide detailed analysis and reporting you can use to further secure your network.

Author

Kirby Angell is the CTO of Alertra, Inc. and a certified pentester. In addition he has written several articles on Python programming for magazines back when that was a thing. He contributed a chapter to the 1st edition of "The Quick Python Book" published by Manning. He was one of the first 10 Microsoft Certified Solution Developers. Ah the 90s...he probably still has a "Members Only" jacket. He is certified to teach firearms classes in Oklahoma and holds a black belt in mixed martial arts.

References

The Hacker News: Everything You Need to Know About Evolving Threat of Ransomware