Varonis Introduction to Ransomware – My Thoughts
Troy Hunt of HaveIBeenPwned.com recently did a free course on ransomware with Varonis. I sat down, watched it, and took notes, so I wanted to write up some of those notes and my thoughts on what he covered. For those who don’t know, HaveIBeenPwned is a site that checks whether a user’s account has been exposed in a data breach; among other services it also alerts the user if an account turns up in a new breach and shows which services and sites are most commonly breached. As Hunt puts it on his site, it is a resource for anyone to quickly assess whether they have been put at risk by compromised, or “pwned”, data.
The reason I am doing this is its relevance to healthcare today, simple as that. A while back, for the people who pop onto this blog every once in a while, I did a mini tirade about the healthcare and hospital ransomware attacks, discussing the medical and IT drawbacks and a call to action. I still had a ton I wanted to write about, but I thought I should give it a break for a bit, collect some more information, and save my energy for another tirade, so here is the start of one! Hunt mentions that ransomware was a malicious attack (see what I did there, eh?) and was devastating to Hollywood Presbyterian in the attack a few months ago; however, as I wrote then, the biggest impact came from the lack of incident recovery and disaster planning. In my Cyber Security Management class those points were POUNDED into our heads, and when I was researching these ransomware attacks I came across several infographics indicating that MANY companies did not have a fully fleshed-out plan, despite how simple and common-sense that thought process should be. I truly believe that if post-attack policies and training had been more strongly enforced and implemented, the impact would not have been nearly as severe; the same goes for preventative education, training, and awareness. Although Hollywood Presbyterian ended up paying the ransom after 10 days, the loss of services, efficiency, and money proved far more damaging than the 40 bitcoin ransom. Hunt also has a short segment on the impact on individuals and organizations, and he brought up a story about a relative of his who was hit by ransomware; because of a strong backup policy, they got through it without much of a problem, despite the initial panic and irate behavior.
Kevin Beaumont says, “I am seeing around 4,000 new infections per hour, or approximately 100,000 new infections per day”.
Ransomware is nothing new; what has changed is how it is delivered to end users and clients. Most of it is served through exploit kits and social engineering: phishing emails, phone calls, and tricking the user into allowing a “genuine” download of some anti-virus or granting permissions to Java and Flash. The difference is in how the embedded scripts have changed and how much more selective they can be than before, which keeps the detection rate much lower and the campaigns less visible. Some filter on the search engine the victim arrived from, on country of origin, and on a variety of other criteria. These exploits are not only served through vulnerabilities, primarily in Adobe Flash or Java, but are also delivered through malicious ads. Halfway through the Varonis course, I thought this was a really important area of conversation, because it is important to understand the delivery methods and how they have become so prominent lately.
Joseph Bonavolonta, FBI Counterintelligence Program: “To be honest, we often advise people just to pay the ransom”
One ransomware variant, Locky, has proven to be among the most effective because of how efficiently it encrypts files. Once on the target machine, it loads itself into memory and then deletes its own file, so it is no longer on the file system but keeps running. It then turns to the file system, starting with the local disk, and begins encrypting the files that matter, such as documents, music, and PDFs. It encrypts only the valuable information, not the working files that keep the machine running. One of the nastiest features of Locky, and of ransomware in general, is that it also propagates through network storage and shares and encrypts those as well. I mentioned before that one of the best preventative measures is to keep backups in case of corruption or situations like this, but I also mentioned that it is vital that those backups be kept off the network, or with a third-party vendor the network cannot normally reach, because Locky ended up travelling through the network and deleting those backup files and shares too, which prevented rollbacks and restores for recovery. Furthermore, it sets the desktop wallpaper to an image with instructions and drops a text file with instructions for payment. So with ransomware, it is not just about encrypting files but also about removing the avenues for backup and data restoration.
Allen Stefanek, Hollywood Presbyterian Medical Center, COO: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key”.
- Backup versions and rotational backups. How do you ensure they are not overwritten? If the backups themselves get encrypted, do they negate the actual backup and recovery process?
- Prevention and PATCH! Plugins are vulnerable. Plugins are exploitable.
- Principle of least privilege. If they don’t need the privilege, don’t give them the access. Prevent people from having access they do not need. Do not allow untrusted software, or any software not on a whitelist. Which parts of the network should be segmented? Where in the network can people be allowed to go? Least privilege is all about reducing and containing risk.
- Security education, training, and awareness. Humans are the softest and weakest link in any network and organization.
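The versioning question in the first bullet, and the Locky behaviour described earlier (backups reachable from the network get encrypted or deleted along with everything else), as an added Python sketch that is not part of the course or this post: a backup store that only ever adds new versions, refuses to take a snapshot when the source files already look like ciphertext, and can re-verify a stored version against its SHA-256 manifest. The entropy cutoff, the suspect ratio, and the `demo()` fixture are assumptions.

```python
# Added example (not from the Varonis course or this post); cutoffs are assumptions.
import hashlib, json, math, os, shutil, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_CUTOFF = 7.5     # bits/byte; ciphertext sits near 8.0 (assumed cutoff)
MAX_SUSPECT_RATIO = 0.5  # refuse a snapshot if over half the files look encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain documents score well below ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def looks_encrypted(path: Path) -> bool:
    # Caveat: already-compressed formats (zip, jpeg) also score high on entropy.
    return shannon_entropy(path.read_bytes()) > ENTROPY_CUTOFF

def snapshot(src: Path, store: Path, keep: int = 7):
    """Copy src into a brand-new vNNNN directory under store; never overwrite.
    Old versions rotate out only after a clean new one lands, so an encrypted
    source cannot push the last good copy out of the retention window."""
    files = [p for p in src.rglob("*") if p.is_file()]
    if files and sum(looks_encrypted(p) for p in files) / len(files) > MAX_SUSPECT_RATIO:
        return None                       # leave the existing good versions untouched
    store.mkdir(parents=True, exist_ok=True)
    versions = sorted(store.glob("v*"), key=lambda p: int(p.name[1:]))
    dest = store / f"v{(int(versions[-1].name[1:]) + 1 if versions else 1):04d}"
    shutil.copytree(src, dest / "data")
    manifest = {str(p.relative_to(src)): hashlib.sha256(p.read_bytes()).hexdigest()
                for p in files}
    (dest / "manifest.json").write_text(json.dumps(manifest))
    for old in versions[:max(len(versions) + 1 - keep, 0)]:
        shutil.rmtree(old)
    return dest

def verify(version: Path) -> bool:
    """Re-hash a stored version against its manifest to detect later tampering."""
    manifest = json.loads((version / "manifest.json").read_text())
    return all(hashlib.sha256((version / "data" / rel).read_bytes()).hexdigest() == h
               for rel, h in manifest.items())
def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    src, store = root / "docs", root / "backups"
    src.mkdir()
    for i in range(3):                    # constructed sample documents
        (src / f"report{i}.txt").write_text("Quarterly figures and census notes.\n" * 40)
    first = snapshot(src, store, keep=2)
    for p in src.iterdir():               # stand-in for the files having been encrypted
        p.write_bytes(os.urandom(4096))
    second = snapshot(src, store, keep=2)
    return {"first_taken": first is not None, "second_taken": second is not None,
            "versions": len(list(store.glob("v*"))), "first_intact": verify(first)}
```

Because the gate refuses the second run, the clean `v0001` is still there and still verifies; with a plain overwrite-in-place backup it would already have been replaced by ciphertext.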
Kevin Beaumont, “Many organizations are simply paying for the decrypter, which is basically paying your hostage takers for freedom”