How to survive a WannaCry
Wednesday May 17, 2017,
6 min Read
Ransomeware is in the news like never before. Everyone's talking about how important it is to keep up to date with Microsoft's security updates to avoid a recurrence. While that is undoubtedly important, is that all organisations can do to protect themselves? Here is a viewpoint on what businesses can do, even if ransomware does breach their security defences.
Most people reading this have, by now, heard of WannaCry, the ransomware attack that is all over the news. As a cyberattack, its scale is massive, with some calling it the biggest of its kind. As I write this, it has infected over 2,00,000 devices in 150 countries, with possibly several more to come as the new week starts.
On the flip side, an attack of this scale has the positive impact of raising awareness worldwide. Ransomware, despite having been around for several years, was largely unknown outside the security or tech community. It is a form of malware that has existed over the last 10 years or so, but really taken on a visibly destructive form in the past couple of years. It operates by encrypting ﬁles on the infected computer and then demanding a bitcoin ransom in return for the decryption key. Attacks can exploit a broad spectrum of vulnerabilities—although phishing is possibly the most common—basically enticing a user to click on an innocent-looking email attachment, which then drops a deadly payload on the computer.
Here are a few chilling facts:
- Despite its rise to become a top threat to businesses in 2016, until recently, one out of three SMBs had no idea what ransomware is.
- There is a ransomware attack somewhere in the world roughly every 40 seconds.
- Roughly 32 percent or so of those attacked end up paying the ransom. Even so, around 20 percent of those who pay still don’t end up getting their data back!
- Healthcare and manufacturing companies generally seem to be hot targets, primarily due to their reliance on legacy systems combined with weak security, although nobody is really immune.
The attackers in these cases are always faceless and nameless— there is no opportunity to reason or negotiate with them. The rise of bitcoin for transactions has also aided ransomware attackers by increasing their ability to remain anonymous.
Ransomware attacks can potentially be more damaging than classic breaches which result in stolen bank accounts or credit card information—many such losses are recoverable soon after the breach has been discovered, but lost business plans and product designs, which are a company’s crown jewels, can be irreplaceable.
While ransomware can attack any type of computer, in most cases, the infected computer is an end user’s laptop or workstation. Therefore, any data stored on local disks, file shares, and mapped network drives is vulnerable. Most popular cloud storage solutions also become vulnerable due to the replicative nature of their working. Since ransomware deletes the original files and replaces them with their encrypted versions, most cloud storage solutions faithfully replicate these changes in their repositories as well. While some of these solutions have file-versioning capabilities, they don’t usually have an option to perform a bulk restore of large amounts of data.
Sadly, existing anti-malware solutions cannot be relied upon to detect and stop all ransomware. The quick-moving malware underground ensures that anti-malware vendors are always playing catch-up.
Educating users on how to identify possible payloads and avoid them would seem to be the best approach against ransomware—after all, prevention is better than cure. While this can be effective, the reality is that the ransomware authors have to bypass a defence just once to do their dirty deed, and they constantly change tactics in order to do so. Even the best prepared amongst us can be outwitted at some point or another.
Much of the writing that has been done around WannaCry has focused on the Microsoft vulnerability and the importance of keeping systems updated. While this is certainly important, it cannot be a 100 percent defence against new ransomware variants that take advantage of zero-day vulnerabilities that are yet unprotected.
So what can one do beyond keeping up to date with latest OS updates and security patches? Experience tells us that the best defence against ransomware is a data backup. A clean backup of an organisation’s data can protect them from being held hostage by an attacker, even if their other ransomware defences fail.
How to use backups to defend against ransomware:
- Invest in reliable backup software that can back up all your endpoints. Look for something that can handle both Windows and Mac computers.
- To make the solution more bulletproof, consider putting your backups on the cloud. This builds in more separation between the potential ransomware attack and your data copy. Make sure the solution can utilise cloud storage as a backup target.
- Look for software that is cloud-agnostic and doesn’t tie you down to its own cloud. You should be able to shop around for the best cloud storage prices and have the software work with the cloud of your choice.
- Make sure the backup payload being sent to the cloud is encrypted—using encryption keys you control. After all, this is valuable data that you’re spending good money protecting. Make sure it is safe from prying eyes.
- If you’re managing many endpoints, you’ll want to be sure to look for a solution that:Can be centrally managed via policies.
- Can scale over tens of thousands of endpoints.
- Allows users to do their own restores.
- You’ll also want to look for some type of integration with the user namespace you’ve implemented, like Active Directory.
- Since your outbound network bandwidth can be at a premium, look for software that can minimally do the following:Perform incremental backups, i.e. identify files that have been modified and move only those to the cloud. Even better, maybe move only portions of the files that have changed. This could be especially useful for very large files like PSTs that change very little every day.
- Resume a failed backup from the point of failure.
- Be resource-sensitive and use techniques like compression and de-duplication to save network bandwidth and storage space.
- Allow you to manage data retentions by file versions so you can get back data from a previous day or even a previous week.
While educating users on the damaging impact of ransomware and keeping up to date on OS patches are both important things organisations should do, having a solid endpoint backup strategy is a critical step in readying yourself for a ransomware attack.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)