Weird Security Term of the Week: "Ransomware"

The Problem: In the digital age, protecting information is vital, and one of the primary tools for doing so is encryption. Encryption seals information behind a key (itself usually unlocked by a password, passphrase, PIN or other secret) so that it is kept from prying eyes and available only to the authorized user.

“Ransomware” turns that tool against its owner: the authorized user is denied access to their own data, through what appears to be encryption set up by an unauthorized party, who then charges a not-insignificant amount of money to restore access. Not every variant actually encrypts anything; some only claim to, which is why finding out what you are really dealing with matters so much later on. This malware can look extremely legitimate, using NSA, FBI and DHS logos and very official-looking threats. Looking that authentic, it is sometimes taken so seriously that the outcome is tragic, as in the recent case of a 17-year-old boy who took his own life. At the other extreme, a variant can look exactly like a magazine cut-out ransom note; it all depends on the style of the malware author. There are several ways of resolving the problem, although not all are feasible in every case.

Solution the First: Lock down the endpoint

The “endpoint” is where most IT security first starts; the problem with this approach is that the endpoint keeps changing. 30 years ago it was the modem going into the server room. 20 years ago it was the firewall on a T1 line. 10 years ago it was the individual workstations. 5 years ago it was mobile devices. Today it is the user directly. What will it be tomorrow? Embedded devices and wearables seem to be the consensus, with their on-board sensors and the difficulty of tracking them as they get smaller and smaller. Since the endpoint now is the user, having users on your side is absolutely critical: they can make or break any security measure simply by declining to cooperate with it, so their perspective determines how effective your defenses will be. Do your users feel like they are in a fortress, protected against forces trying to take down their work? Or do they feel like they are in a prison, watched every second of every day for one slip-up? If users feel that what they do makes a difference, understand what is at stake and realize that they are a major part of the front-line defenses, they will behave accordingly and report when things go weird or something has happened on their system.

Solution the Second: Know what you are up against, and know your environment

“If you know others and know yourself, you will not be imperiled in a hundred battles; if you do not know others but know yourself, you win one and lose one; if you do not know others and do not know yourself, you will be imperiled in every single battle.” Sun Tzu may not have predicted the web, but he still knows conflict. Knowing what you are up against in a ransomware situation is critical, because that determines which method you will use to resolve it. If your files are not encrypted at all (the lock screen is bluffing), then cleaning off the infection and restoring access to the files is enough. If the encryption in use is weak or badly implemented (for example, the key is left on the machine), then breaking it may be possible. If it is strong and done correctly, your only feasible option will likely be restoration from known-good data, which means knowing before the incident that those backups exist, are current and were not reachable from the infected machine. Knowing what you have at your disposal and what is attacking you lets you make accurate, informed judgements about which solutions are viable for you.
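The first question in that triage, whether the files are actually encrypted or merely renamed behind a scary lock screen, can be answered from the file bytes themselves. The script below is an added example, not code from the original post or from LIFARS. It assumes a small hand-picked table of file signatures, a constructed set of sample "files" embedded in `SAMPLES` (standing in for files on disk), and uses per-chunk Shannon entropy as the heuristic; the names `triage`, `high_entropy_fraction` and the thresholds `CHUNK` and `HIGH_ENTROPY` are choices made for this example.

```python
"""Ransomware triage: are these files really encrypted, partially encrypted, or untouched?

Added example; not code from the original post. SAMPLES below are constructed
stand-ins for files on disk, and MAGIC is a deliberately small signature table.
"""
import hashlib
import math
from collections import Counter

# Magic bytes for a few common formats (constructed subset, not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office-openxml",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

CHUNK = 1024         # entropy is measured per chunk so partial encryption shows up
HIGH_ENTROPY = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_magic(data: bytes):
    """Return the format name if the file header still matches a known signature."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def high_entropy_fraction(data: bytes) -> float:
    """Fraction of CHUNK-sized pieces whose entropy looks like ciphertext."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if not chunks:
        return 0.0
    return sum(shannon_entropy(c) >= HIGH_ENTROPY for c in chunks) / len(chunks)


def triage(data: bytes) -> str:
    """Classify one file body.

    'intact'              header still parses: renamed or locker-only, clean and restore access
    'likely-encrypted'    no header and nearly every chunk looks random: break it or restore
    'partially-encrypted' no header but only some chunks look random: only the head was hit
    'unknown'             no header and low entropy: inspect by hand (plain text, odd format)
    """
    if detect_magic(data) is not None:
        return "intact"
    frac = high_entropy_fraction(data)
    if frac >= 0.9:
        return "likely-encrypted"
    if frac > 0.0:
        return "partially-encrypted"
    return "unknown"


def _random_like(n: int) -> bytes:
    """Deterministic ciphertext stand-in built from SHA-256 outputs (constructed data)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed sample "files"; the names mimic typical ransomware renames.
SAMPLES = {
    "invoice.pdf.locked": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
    "photo.jpg.crypt": _random_like(4096),
    "notes.txt.crypt": _random_like(CHUNK) + b"Meeting notes, quarterly review.\n" * 96,
    "readme.txt": b"Plain text that simply has no magic header.\n" * 50,
}


def triage_all(samples=SAMPLES) -> dict:
    """Verdict per sample name."""
    return {name: triage(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:24s} {verdict}")
```

The header check runs before the entropy check because compressed formats (zip, jpeg, png) are nearly as random as ciphertext, so an intact header is the stronger signal that nothing was touched. A "likely-encrypted" verdict only says the bytes look random; whether the cipher is weak enough to break is a separate analysis of the malware sample itself.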

Solution the Third: Have your staff prepared for an outbreak

Training, simulations, spot checks, audits, Condor Crest, whatever you call it: it is preparation. Your users and admins need to know what is possible, what is at their disposal, and how to act in a situation. Because if they don't, you will inevitably have somebody causing fear and panic, and any remaining hope of containment will go down the tubes. The users will be panicked and spooked. Your admins will be panicked and spooked. You yourself will likely be panicked and spooked, but everyone needs to be held together. The minute you start hearing somebody say “This company is headed for a disaster of biblical proportions. Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Human sacrifice, dogs and cats living together… mass hysteria!” it's all over. Plan ahead. Run exercises to find your weak points and improve on those aspects. Get your people to the point where they know what to do without even thinking about it: muscle memory for the mind.

Defenses have to work well every time. Attacks only have to work well once. Knowing this, you want to be aware of what is in your network and facilities. Having people work with you instead of against you is vital to getting on top of a situation and resolving it quickly while it's still small instead of catastrophic. Then, when something does happen, use it to your advantage: apply what you learned from that situation to become stronger and improve your defenses, so that either you won't run into it again, or if it does happen a second time you are better prepared than before.

Kurt Ellzey has been involved in Information Security and Technology for the better part of the past 15 years. During that time, he has been published as part of the compilation Security 3.0, was the writer for the Ramp with 5 Levels, and is a contributor at LIFARS with the Weird Security Term of the Week series. More information about Kurt can be found on LinkedIn or on Twitter.