Cry Me a River…Really?

Yep. That’s one headline I saw this weekend about the WannaCry attack. And I guess we can understand that sentiment, maybe. Our view at Global Data Vault is that our job is to be ready to help any of our customers hit by this outrageous attack. Our customers use our services to recover from ransomware attacks quite regularly, this one is far from over, and I suspect we’ll help our customers perform more than a handful of recoveries. We may all know this by now, but here is some background on the subject.

Ransomware is malware that encrypts and sometimes later deletes files from computers, smartphones, and other intelligent devices – now even including TVs. Ransomware is operated by organized crime gangs, many of whom are based in Russia. The proceeds of these attacks are being used to fund terrorism, human trafficking, drug operations and other nefarious activities.

The first known ransomware attack occurred at a World Health Organization AIDS conference in 1989. At the time, the intent was to extort small amounts of money. Another early implementation posed as antivirus software, which victims were encouraged to purchase in order to eradicate malware that had been planted by the same code.

Today, with attacks from so many sources, the advent of hard-to-trace virtual currencies like Bitcoin, and the availability of strong encryption algorithms, ransomware has become a billion-dollar industry.

There is even a market that supplies tools to build ransomware and tech support for running attacks. The encryption now routinely uses 256-bit keys and RSA public-key schemes, and cannot practically be broken even by large technical organizations. Citrix reports that many large companies are keeping Bitcoin available as a last resort.

Even more frightening are cases where remote access trojans have been used to monitor a potential victim, determine the scope of the organization and assess its ability to pay a given ransom.

History

CryptoLocker was the first widespread attack and first appeared in 2013. It was supported by a large network of malware bots (together called a botnet) which was used to distribute the actual attack. CryptoLocker extorted over $3 million before being shut down by the Department of Justice, which took control of the botnet and issued a warrant and a bounty for Russian hacker Evgeniy Bogachev for his involvement.

New threats exist: CryptoWall is believed to have extorted over $350 million; Locky operated in 30 languages; Petya encrypts entire hard drives. As bad as these are, Cerber is the most prevalent, accounting for 90% of Windows ransomware.

Attacks commonly arrive through email attachments. Word, Excel and PDF files containing dangerous macros are sent as bait, usually calling themselves invoices and the like. If the user opens the file and allows the macro to run, the attack will generally succeed. Your inbox has become your most vulnerable point.

Avoidance and Prevention

  1. Patch Everything – as often as possible – patch every application.
  2. Do not allow local admin rights on user desktops.
  3. Desktop antivirus is helpful but not enough, because the attackers continually recompile their code to escape detection. Secure email gateways help too, but are limited for the same reason.
  4. BACKUP – is the only real protection!
  5. Follow the 3-2-1 rule: Always have 3 backups, on 2 media types and 1 offsite. More on the 3-2-1 rule later.

Backup Strategy

As a service provider working in this area, we see attacks on a weekly basis. We have performed hundreds of recoveries. The following points are the lessons learned from our own experience and the well-organized thoughts on this subject from Rick Vanover, Director of Technical Product Marketing at Veeam Software.

  1. Use different credentials for backup jobs! An attack or attacker with credentials to access your system might also attack your backups.
  2. At some point commit data to offline media such as tape. If it’s offline, it cannot be attacked.
  3. Use Veeam Cloud Connect (we do). It uses a different method of authentication and a different backup API.
  4. Store backups in a different file system.
  5. Take SAN snapshots of your local backup repository.
  6. Expand and master the 3-2-1 rule – use the 3-2-1-1 rule: have 3 copies of your data, on 2 types of media, with at least 1 offsite and at least 1 offline.
  7. Test – have 0 errors after recovery is tested! Veeam’s SureBackup verification is one great way to test.

While this is a good start, there are many other technical strategies we implement for our customers. GDV employs as many as possible for each of our customers. We’re always happy to discuss how you can leverage these ideas.

We hope this is helpful. Good luck and stay ready.
