Paying your way out of a ransomware attack can be a viable option, but this route is not only expensive, it’s dangerous. A better strategy is to build a successful defence and response plan. Here’s how.
We all know ransomware is one of the most destructive malware variants out there. You’re talking about clicking on the wrong link and having your organisation’s data disappear into a swamp of encrypted gibberish, or even its server operating systems (OSes) and other critical files simply vanishing one day. You can pay the ransom, but that is not only expensive but also offers no guarantee that the bad guys will give you back your data.
When you’re hit, your choices are bleak: either hope that you can restore your systems to operation by using cloud-based backups or pay the ransom and hope that the decryption key works. But that’s only if you’re hit. The better choice is to keep from having your files encrypted in the first place or, if some files are hit, to keep the attack from spreading. The key is to up your company’s security game to keep from being attacked.
How to Avoid a Ransomware Attack
The first step is what Israel Barak, Chief Information Security Officer (CISO) of endpoint detection and response software developer Cybereason calls “IT and security hygiene.” This means avoiding vulnerabilities and filtering email and web traffic. It also means providing user training, and making sure that patches for your OS, applications, and security products are completely up to date.
The second step is having a business continuity and recovery strategy. This means actually making a plan for when things go bad instead of just hoping they won’t. Barak said this includes having backups in place and tested, knowing how you’ll recover impacted services, knowing where you’ll get computing resources for recovery, and knowing that your full recovery plan will work because you’ve actually tested it.
The third step is to have anti-malware protection in place. Barak said this includes having protections against malware entering your network and protections against malware executing while on your systems. Fortunately, most malware is fairly easy to spot because malware authors frequently share successful routines.
Why Ransomware Is Different
Unfortunately, ransomware isn’t like other malware. Barak said that, because ransomware is only resident on a computer briefly, it isn’t hard for it to avoid detection until it has completed its encryption and displayed the ransom message. In addition, unlike other types of malware, the malware that actually performs the file encryption may arrive on the victim’s computers only moments before the encryption begins.
Two relatively recent types of malware—Ryuk and SamSam—enter your systems under the guidance of a human operator. In the case of Ryuk, that operator is probably located in North Korea, and with SamSam, in Iran. In each case, the attack starts with finding credentials that allow entry into the system. Once there, the operator examines the content of the system, decides what files to encrypt, elevates privileges, looks for and deactivates anti-malware software and links to backups to also be encrypted, or in some cases, deactivates backups. Then, after perhaps months of preparation, the encryption malware is loaded and launched; it may finish its job in minutes—far too quickly for a human operator to intervene.
“In SamSam, they didn’t use conventional phishing,” explained Carlos Solari, Vice President of cybersecurity solutions developer Comodo Cybersecurity and former White House CIO. “They used websites and stolen credentials of people and used brute force to get the passwords.”
Solari said these intrusions frequently aren’t detected because there’s no malware involved until the very end. But he said that, done properly, there are ways to stop the attack at this point. Usually, he said, the criminals will go after the directory services for the network and attack those so they can gain the administrative-level privileges required to stage the attack. At this point, an intrusion detection system (IDS) may detect the changes and, if the network operators know what to look for, they can lock the system down and kick out the intruders.
“If they are paying attention, then they’ll realize that someone is on the inside,” Solari said. “It’s important to find internal and external threat intelligence. You’re looking for anomalies in the system.”
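The staging pattern Solari describes (stolen or brute-forced credentials, then an attack on directory services to gain admin rights) leaves traces in authentication logs before any encryption malware appears. The following is an added example, not code from Cybereason, Comodo or the article, of detection logic a defender could run over Windows Security events. The event IDs are the standard ones (4625 failed logon, 4728 and 4732 member added to a security-enabled group); the pipe-delimited log format, the sample lines, the account names and the thresholds are all constructed assumptions for illustration.

```python
"""Constructed example: spot the staging that precedes a human-operated
ransomware attack (credential brute force followed by privilege escalation via
a directory-service group change) in Windows Security event logs.

Added illustration, not vendor code. The log lines below are constructed samples
in a simplified 'timestamp|event_id|user|source_ip|detail' format, not real
exported events, and the thresholds are assumptions a SOC would tune."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known Windows Security event IDs (not page-specific values).
FAILED_LOGON = 4625
ADDED_TO_GLOBAL_GROUP = 4728   # member added to security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732    # member added to security-enabled local group

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
BRUTE_FORCE_THRESHOLD = 5                  # assumption: 5 failures ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)  # ... within two minutes

# Constructed sample events: a service account is brute-forced, logs in, and is
# later added to Domain Admins; an unrelated user mistypes a password once.
SAMPLE_LOG = """\
2019-03-01T02:00:01|4625|svc_backup|10.0.5.21|Logon failure
2019-03-01T02:00:09|4625|svc_backup|10.0.5.21|Logon failure
2019-03-01T02:00:15|4625|svc_backup|10.0.5.21|Logon failure
2019-03-01T02:00:22|4625|svc_backup|10.0.5.21|Logon failure
2019-03-01T02:00:30|4625|svc_backup|10.0.5.21|Logon failure
2019-03-01T02:00:41|4624|svc_backup|10.0.5.21|Logon success
2019-03-01T02:14:03|4728|svc_backup|10.0.5.21|Member added to group: Domain Admins
2019-03-01T09:12:00|4625|jsmith|10.0.7.44|Logon failure
2019-03-01T09:12:30|4624|jsmith|10.0.7.44|Logon success
"""


def parse(log_text):
    """Turn the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, src, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "src": src, "detail": detail})
    return events


def detect_brute_force(events):
    """Flag (user, source) pairs with >= THRESHOLD failed logons inside WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        for i in range(len(times)):
            # sliding window: count failures starting at times[i]
            j = i
            while j < len(times) and times[j] - times[i] <= BRUTE_FORCE_WINDOW:
                j += 1
            if j - i >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force", user, src, times[i]))
                break
    return alerts


def detect_privileged_group_change(events):
    """Flag any addition to a privileged directory group."""
    alerts = []
    for e in events:
        if e["id"] in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP):
            group = e["detail"].split("group:", 1)[-1].strip()
            if group in PRIVILEGED_GROUPS:
                alerts.append(("priv_group_change", e["user"], group, e["ts"]))
    return alerts


def correlate(events):
    """Raise severity when an account that was brute-forced is then granted
    admin rights: the staging sequence the article describes."""
    bf = detect_brute_force(events)
    pg = detect_privileged_group_change(events)
    brute_forced_users = {a[1] for a in bf}
    staging = [a for a in pg if a[1] in brute_forced_users]
    return {"brute_force": bf, "priv_group_change": pg, "staging_suspected": staging}


if __name__ == "__main__":
    for kind, alerts in correlate(parse(SAMPLE_LOG)).items():
        for alert in alerts:
            print(kind, alert)
```

Either signal alone is worth a ticket; the correlation is what turns two routine alerts into the "someone is on the inside" finding Solari refers to, and it fires well before any encryption starts.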
How To Protect Yourself
For smaller companies, Solari suggests finding a Managed Detection and Response (MDR) Security Operations Center (SOC) as a service. He added that larger companies may want to find a Managed Security Services Provider (MSSP). Either solution will make it possible to keep an eye on security events, including the staging before a major ransomware attack.
In addition to monitoring your network, it’s also important to make your network as inhospitable to criminals as possible. According to Adam Kujawa, Director of Malwarebytes Labs, one critical step is to segment your network so that an intruder can’t simply move across your network and have access to everything. “You shouldn’t keep all of your data in the same place,” Kujawa said. “You need a deeper level of security.”
But, if it turns out that you didn’t detect the intrusion stages ahead of the ransomware attack, then there’s another layer of response, which is behavior detection of the malware when it starts encrypting files.
“What we’ve added is a behavioral mechanism that relies on behavior that is typical to ransomware,” explained Barak. He said such software watches for what ransomware might be doing, such as encrypting files or erasing backups, and then takes action to kill the process before it can do any damage. “It’s more effective against never before seen strains of ransomware.”
Early Warnings and Protections
To provide a form of early warning, Barak said Cybereason takes another step. “What we’ve done is use an exception mechanism,” he said. “When Cybereason software goes on an endpoint, it creates a series of base files that are positioned in folders on the hard drive that would make ransomware try to encrypt them first.” He said changes to those files are detected immediately.
Then, Cybereason’s software or similar software from Malwarebytes will terminate the process and, in many cases, containerize the malware so that it can’t do any further damage.
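The two mechanisms just described, decoy files planted where an encryptor is likely to reach them first and a behavioral check on what is being written, can be combined in a small monitor. The code below is an added example written for this article, not Cybereason’s or Malwarebytes’ product code; the decoy names, the “sorts-first” placement assumption, the entropy threshold and the temp-directory walk-through are all assumptions. It only detects and reports; the termination and containment step the vendors perform is left to the endpoint product.

```python
"""Constructed example: decoy ('canary') files plus an entropy check that tells a
ransomware-style overwrite apart from an ordinary edit. Added illustration, not
vendor code; folder layout, file names, contents and thresholds are assumptions."""
import hashlib
import math
import secrets
import tempfile
from pathlib import Path

# Assumption: names that sort first in a listing are reached first by an
# encryptor that walks directories alphabetically.
DECOY_NAMES = ["!00_accounts.xlsx", "!00_contracts.docx", "!00_passwords.txt"]
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption: encrypted output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text is low, ciphertext or random bytes near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path) -> dict:
    """Write decoys into root and every subfolder; return path -> SHA-256 baseline."""
    baseline = {}
    folders = [root] + [p for p in root.rglob("*") if p.is_dir()]
    for folder in folders:
        for name in DECOY_NAMES:
            path = folder / name
            # Low-entropy, plausible-looking filler so the decoy blends in.
            content = (f"Constructed decoy file {name}\n" * 40).encode()
            path.write_bytes(content)
            baseline[str(path)] = hashlib.sha256(content).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """One finding per decoy that is missing, rewritten with encrypted-looking
    (high-entropy) content, or otherwise modified."""
    findings = []
    for path_str, digest in baseline.items():
        path = Path(path_str)
        if not path.exists():
            findings.append((path_str, "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            kind = "encrypted_like" if shannon_entropy(data) > ENTROPY_THRESHOLD else "modified"
            findings.append((path_str, kind))
    return findings


def demo() -> dict:
    """Stand-alone walk-through in a temp directory: plant, verify clean, then
    simulate an encrypting overwrite (random bytes), a deletion and a plain edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        baseline = plant_decoys(root)
        clean = check_decoys(baseline)
        target = root / "finance" / DECOY_NAMES[0]
        target.write_bytes(secrets.token_bytes(4096))   # stand-in for an encrypted overwrite
        (root / DECOY_NAMES[2]).unlink()                  # stand-in for a wiped file
        (root / DECOY_NAMES[1]).write_bytes(b"ordinary edit\n")
        after = dict(check_decoys(baseline))
    return {"decoys": len(baseline), "clean": clean,
            "encrypted": after.get(str(target)),
            "missing": after.get(str(root / DECOY_NAMES[2])),
            "modified": after.get(str(root / DECOY_NAMES[1]))}


if __name__ == "__main__":
    print(demo())
```

In practice the check would run on a file-change notification rather than on a polling loop, and a single “encrypted_like” or “missing” finding on a decoy is enough to act on, because no legitimate process has a reason to touch those files.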
So, there are several layers of defense that can prevent a ransomware attack and, if you have all of them functional and in place, then a successful attack would have to follow a series of failures in order to happen. And you can stop those attacks anywhere along the chain.
Should You Pay the Ransom?
But suppose you decide you want to pay the ransom and restore operations immediately? “For some organizations, it’s a viable option,” Barak said.
You would have to evaluate the cost of the business interruption to determine if the cost of getting back into operation is better than the cost of restoration, all things considered. Barak said that, for business ransomware attacks, “in most cases, you do get the files back.”
But Barak said that, if paying the ransom is a possibility, then you have other considerations. “How do we prepare in advance to have the mechanism to negotiate the cost of getting the services back? How do we pay them? How do we form the mechanism to broker that type of payment?”
According to Barak, nearly every ransomware attack includes a means of communicating with the attacker, and most enterprises try to negotiate a deal, to which ransomware attackers are usually open. For example, you may decide that you only need some of the machines that were encrypted and negotiate for the return of just those.
“The plan has to be put in place ahead of time. How will you respond, who will communicate, how you will pay the ransom?” Barak said.
While paying is a viable option, for most organizations it remains a last-ditch option, not a go-to response. There are many variables you can’t control in that scenario, plus, having paid once, you can never guarantee you won’t be attacked for more cash in the future. A better plan is a solid defense that is strong enough to deflect most malware attacks and defeat the few that get through. But whatever you decide, remember that virtually every solution requires that you back up religiously. Do it now, do it often, and test often, too, to make sure things will work smoothly in a pinch.