The notorious Maze ransomware gang announced Wednesday that it will not attack any healthcare organizations during the COVID-19 pandemic.
The pandemic has put a strain on hospitals and public health agencies in recent weeks as governments across the globe struggle to contain the spread of COVID-19, also known as the new coronavirus. Some security vendors have expressed concern that coronavirus-related threats could soon include ransomware attacks, which would have a crippling effect on healthcare and government organizations working on treatment and containment of the virus.
But at least one cybercrime outfit is pledging to refrain from such attacks, at least on healthcare organizations. The Maze ransomware gang, which last year began “shaming” victims by exfiltrating and publishing organizations’ sensitive data, promised to “stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” according to an announcement on its website.
BleepingComputer, which first reported the announcement, also contacted other ransomware operators about stopping attacks on healthcare and medical organizations during the pandemic. The DoppelPaymer gang also pledged to stop such attacks, though other ransomware groups such as Ryuk and Sodinokibi/REvil did not respond to BleepingComputer’s queries.
The Maze gang’s pledge, however, says nothing about attacks on city, state or local governments or public health agencies. The Maze gang also said it will “help commercial organizations as much as possible” during the pandemic by offering “exclusive discounts” on ransoms to both current and future ransomware victims; the cybercriminals said they will provide decryptors and delete any data published on their website.
Despite the promises of the DoppelPaymer and Maze ransomware gangs, it’s unclear how much control they have over which organizations are attacked. Many outfits use a ransomware-as-a-service model where they develop the malicious code and then sell it to other cybercriminals, who are often called affiliates.
These affiliates then conduct the actual intrusions, data exfiltration and ransomware deployment and pay the authors. Many ransomware incidents are initiated through phishing emails and brute-force attacks on remote desktop protocol instances; threat researchers have said it’s likely that ransomware actors aren’t specifically targeting organizations by name or industry and are merely capitalizing on the most vulnerable networks.
Ransomware payments to cybercriminals could soon become the rule rather than the exception, according to new research from Proofpoint.
Proofpoint’s sixth annual “State of the Phish” report, released Thursday, surveyed 600 working infosec professionals across seven countries: the U.S., Australia, France, Japan, the U.K., Spain and Germany. The report showed that 33% of global organizations infected with ransomware in 2019 opted to pay the ransom. In the U.S. alone, 51% of organizations that experienced a ransomware attack decided to pay the ransom, which was the highest percentage among the seven countries surveyed.
Gretel Egan, security awareness and training strategist at Proofpoint, said she wasn’t surprised that a third of survey respondents had made ransomware payments after being attacked. While law enforcement agencies and infosec vendors have consistently urged victims not to pay ransoms, she said she understood “the lure” such payments represent, especially for healthcare or critical infrastructure organizations.
“Often you see a hospital or a medical center having to completely shut down and turn patients away because life-saving services are not available,” she said. “Those organizations, in that moment, can look at a $20,000 ransom [demand] and say ‘I can be completely back online and running my business again very quickly’ as opposed to going through a relatively lengthy process even if they’re restoring from backups, which can take weeks to be fully operational again.”
Egan said that even when organizations do make ransomware payments, there are no guarantees. According to the 2020 State of the Phish report, among the organizations that opted to pay the ransom, 22% never got access to their data and 9% were hit with additional ransomware attacks. Because this was the first time Proofpoint asked survey respondents about ransomware payments, the vendor couldn’t say whether the numbers represented an increase or decrease from 2018.
However, Egan said Proofpoint observed another concerning trend with ransomware attacks where threat actors exfiltrate organizations’ data before encrypting and then threaten to shame victims by making sensitive data public. “They’ll say ‘I’m going to share your information because you’re not going to pay me.’ It’s almost like doubling down on the blackmail,” Egan said. “I tell people there is no low that’s too low for [cybercriminals].”
Refusal to pay ransoms did not deter threat actors, as 2019 saw a resurgence of ransomware attacks, according to Proofpoint’s report. Last year’s State of the Phish report showed just 10% of organizations experienced a ransomware attack in 2018, as opposed to a whopping 65% in 2019.
“2018 was such a down year for ransomware in general, but it came storming back in 2019,” Egan said.
In addition to the survey, Proofpoint also analyzed more than 9 million suspicious emails reported by customers and an additional 50 million simulated phishing attacks sent by the vendor. Egan said the data showed phishing emails aren’t as big of a threat vector for ransomware attacks as in the past, which indicates cybercriminals are changing their strategies.
“We’re not seeing as many ransomware payloads delivered via e-mail,” she said. “From a threat level side, infections are coming in as secondary infections. There’s a system already compromised with malware and then threat actors take advantage of first level infiltration to then launch ransomware within the system.”
BEC on the rise
The report also found a significant rise in cybercriminals utilizing business email compromise (BEC) as a preferred attack. An alarming 86% of organizations surveyed by Proofpoint faced BEC attempts in 2019. Like ransomware payments, BEC attacks can result in millions of dollars in losses for organizations; 34% of respondents said they experienced financial losses or wire transfer fraud.
“There are many ways for attackers to benefit financially from initiating a BEC attack,” Egan said. “For example, the FBI has flagged cases of people going after W2 employee forms and using that to commit tax fraud. In many cases, BEC attacks are underreported because of the embarrassment and issue with having to admit you’ve been fooled.”
Egan said BEC attacks are typically successful because threat actors take their time and do their research, forging emails that appear innocuous to both the human eye and some email security products designed to detect such threats.
“Attacks like BEC are favorable for attackers because they don’t have malware or payload attachments. There are no dangerous links embedded in them so it’s difficult for technical safeguards to stop and block them, particularly if you’re dealing with an account that’s been compromised,” she said. “Many of the emails are coming from a known and trusted account, or within an organization, or person-to-person from an account that’s been compromised. Attackers are switching to a more people-centric approach.”
The trend of more people-centric attacks led to 55% of organizations dealing with at least one successful phishing attack in 2019.
“Business email compromise is a longer-term kind of con,” Egan said. “Threat actors don’t launch out of the gate asking for bank routing information. They establish a relationship over time to lull someone into believing they’re a trusted email account, so the user isn’t questioning it.”
Proofpoint said security awareness training is a method that saw success in combating such threats, with 78% of organizations reporting that training resulted in measurably lower phishing susceptibility. The report emphasized the importance of understanding who is being targeted, and more importantly, the types of attacks organizations are facing and will face, to reduce social engineering threats such as BEC and spear phishing emails.
If your defenses and backups fail despite your best efforts, your ransomware recovery effort can take one of several paths to restore normalcy to your organization.
Ransomware is bad enough. Don’t rush to bring systems and workloads back online and cause additional problems. The first item on your agenda is to take inventory of what still functions and what needs repairs. This has to be done quickly, but without mistakes. Management will want to know what needs to be done, but you can’t give a report until you have a full understanding. While you don’t need to break down every single server, you will need to have everything categorized. Think Active Directory, file servers, backups, networking infrastructure, email and communication, and production servers to start.
Take stock of the situation
The list of affected systems and VMs won’t be comprehensive. You have to start with the machines that are a priority, and production servers are not the priority in this case. If Active Directory is down, then it’s a safe bet most of your production servers — and the IT infrastructure — won’t be running correctly even if they weren’t directly affected.
To start with a ransomware recovery effort, check your backups first before anywhere else. Too many folks have deleted encrypted VMs only to find the malware wiped out their backup systems and end up going from bad to worse. Mistakes happen when you rush.
A somewhat easy path of restoring servers does exist if your backups are intact, current and operational. The restoration process needs to be tested before you delete any VMs. Rather than removing affected machines, try relocating them to lower-tier storage, external storage or even local storage on a host. Your goal is to get the encrypted VMs out of the way to give yourself space to work, then try the restores and get the VMs running before you remove their encrypted counterpart.
It might be time to make difficult choices
If the attack corrupted your backup system or the ransomware recovery effort failed, then someone above your pay grade will have to make some decisions. You will have to have a few difficult conversations, partly because the responsibility of the backups — and their reliability — rested on you. It’s possible it’s not entirely your fault for different reasons, such as not getting proper funding. This will have to be a conversation for a later time. At the moment, it’s time to make a decision: Pay the ransom, rebuild the systems or file a report.
Reporting requires the involvement of senior management and the company legal team. If you work for a government entity or public company, then you might have very specific guidelines that you must follow for legal reasons. If you work for a private company, then you still have possible legal issues with your customers about what you can and cannot disclose. No matter what you say, it will not be taken well. You want to be honest with your customers, but you also need to be mindful and limit how much data you share publicly.
The other aspect to reporting involves the authorities. Your organization might not even have been the intended target if you were hit by an older ransomware variant. If that’s the case, it’s possible a decryption tool exists. It’s a long shot, but something worth checking before you rebuild from scratch.
While distasteful, paying the ransom is also an option. You need to consider how much it will cost to rebuild and recover versus handing over the ransom. It’s not an easy call to make because a payment does not come with any guarantees.
Most companies that pay the ransom typically don’t disclose that they paid or that they were even attacked. I suspect most organizations get their data unlocked, otherwise the ransomware business model would collapse.
The challenge with rebuilding is the effort involved. There are relatively few companies that have people who fully understand how every aspect of their environments work. Many IT infrastructures are the combined result of in-house experts and outside consultants. People install systems and take that knowledge with them when they leave. Their replacements learn how to keep these systems online, but that is very different from installing or building them from scratch. Repairing Active Directory is a challenge, but to rebuild an Active Directory with thousands of users and groups with permissions from documentation — with any luck — is next to impossible unless you have a lot of time and expertise.
Recovering from a ransomware attack is not an easy task, because not every situation is identical. If your defenses and backup recovery fail, the reconstruction effort will not be easy or cheap. You will either have to pay the ransom or spend money in overtime and consultants to rebuild mission-critical systems. Chances are your customers will find out what is happening during this recovery process, so you’ll have to have a communication plan and a single point of contact for the sake of consistency.
Ransomware isn’t something just for the IT department to handle; the decisions and the road to recovery will involve several stakeholders and real costs. Plan ahead and map out your steps to avoid rushing into bad choices that can’t be reversed.
Two attacks found on the Maze ransomware list have been confirmed.
The original list of alleged Maze ransomware victims, posted earlier this month, included seven possible victims, as well as sample files the group claimed were stolen during the attacks and a full 3 GB dump from one company. SearchSecurity discovered two more companies were added to the Maze ransomware victims list, one of which had previously confirmed a ransomware attack.
On Dec. 13, Busch’s Fresh Food Markets, an independently owned supermarket chain based in Michigan, disclosed that it was the victim of a ransomware attack on Dec. 9. Busch’s asserted there was no evidence that payment card data was compromised and that it believed “this ransomware was only designed to lockdown our internal systems and interrupt our business, not to steal data.” Busch’s also detailed the reasons it didn’t pay the ransom.
“First, even if we had paid the ransom, there was no guarantee that we would ever actually get access to our systems again. Second, if we had paid them it was more likely that they would try and extort us again,” Busch’s wrote in a blog post. “Finally, we chose not to pay because doing so would perpetuate this type of behavior and give them funds to go after other companies.”
Busch’s spokesperson had not responded to SearchSecurity’s request for comment at the time of this post, so the validity of the documents leaked by Maze could not be confirmed.
On Wednesday, Canadian insurance firm Andrew Agencies Ltd., one of the original companies listed on the Maze ransomware site, admitted to being hit with ransomware.
Dave Schioler, executive vice president and general counsel for Andrew Agencies, confirmed in an email to CTV News that the company was the victim of a ransomware attack and said the company did not pay the ransom. Schioler did not mention the Maze gang, but the threat group contacted Lawrence Abrams, CEO of BleepingComputer, to provide more proof it was behind that attack.
The stated goal of the victims list published by Maze was to pressure companies to pay the ransom, but it is unclear how successful the group has been with that goal. The two new names bring the list to nine possible victims that have not paid, but only two of those companies have even admitted to being attacked. There is no information on how many organizations were hit with Maze ransomware and did pay the ransom.
A recent ransomware attack has affected roughly 110 nursing homes and acute care facilities in 45 states, cutting caretakers off from patient records.
Virtual Care Provider Inc. (VCPI), a Milwaukee-based IT consulting, security and management service company, first became aware of the attack Nov. 17. In a letter to clients, VCPI said the business was attacked with Ryuk encryption ransomware, which is used to target large software systems, and that it was spread by the TrickBot virus, a malicious program that targets Windows machines.
The company estimated 20% of its servers have been affected by the attack, and that roughly 100 physical servers will need to be rebuilt. VCPI said it is using a virus-specific software application to scan individual Microsoft Windows servers to verify they aren’t infected. If the server is infected, the business plans to restore it. The company maintains roughly 80,000 computers and servers for the affected facilities, according to KrebsOnSecurity, which broke the story.
Attackers are demanding $14 million in Bitcoin as ransom for a digital key that VCPI could use to unlock access to its files, a price the company doesn’t want to pay, according to KrebsOnSecurity. VCPI CEO and owner Karen Christianson said in an interview with the security news site that the attack affected nearly all of its offerings, including email and internet service, client billing and phone systems, and access to patient records. She said the ongoing attack is keeping care facilities from accessing patient records.
Experts said the incident shows even the best organizations with the best procedures and controls can fall victim to attack, providing a stark warning to healthcare CIOs to educate employees on best cybersecurity practices.
Ransomware’s impact on healthcare
Larry Ponemon, founder of data protection research company Ponemon Institute in Traverse City, Mich., described the recent ransomware attack as especially devastating.
“It’s very serious because it’s not just about losing some data or preventing people from accessing their data,” he said. “It’s about the ability to provide services that can be life and death.”
If a ransom isn’t paid to retrieve a digital key to unlock the files, Ponemon said it can take months, or even years, for an affected healthcare organization or business to rebuild its systems after a ransomware attack.
In the letter sent by VCPI, the company said its plan is to rebuild servers and install them into newly created network segments. It is prioritizing servers that provide access to email and EHR applications. The company acknowledged it doesn’t know when clients will have access to VCPI systems again and noted that it intends to investigate if the recent ransomware attack has resulted in the acquisition of client data.
“We are working diligently, nonstop, without resource constraint, according to our documented plan, and with experienced expert leadership,” the letter stated. “We need to ensure the integrity of the new environment. We are prioritizing critical VCPI infrastructure, including Microsoft Exchange email system, and electronic health record software.”
David Chou, vice president and principal analyst for Constellation Research in Cupertino, Calif., said he was struck not by the ransomware attack but by the fact that the victim is a technology company that provides technology services to healthcare organizations.
Chou said the incident highlights the importance of properly educating employees to be aware of the ways attackers will try to infiltrate an organization’s systems and to ask questions before opening external emails with potentially malicious attachments. “If you don’t, you’re going to pay the price,” he said.
Ransomware is changing the threat landscape yet again, though this time it isn’t with malicious code.
A spike in ransomware attacks against municipal governments and healthcare organizations, coupled with advancements in the back-end operations of specific campaigns, has concerned security researchers and analysts alike. The trends are so alarming that Jeff Pollard, vice president and a principal analyst at Forrester Research, said he expects local, state and city governments will be forced to seek disaster relief funds from the federal government to recover from ransomware attacks.
“There’s definitely been an uptick in overall attacks, but we’re seeing municipality after municipality get hit with ransomware now,” Pollard said. “When those vital government services are disrupted, then it’s a disaster.”
In fact, Forrester’s report “Predictions 2020: Cybersecurity” anticipates that at least one local government will ask for disaster relief funding from their national government in order to recover from a ransomware attack that cripples municipal services, whether they’re electrical utilities or public healthcare facilities.
Many U.S. state, local and city governments have already been disrupted by ransomware this year, including a massive attack on Atlanta in March that paralyzed much of the city’s non-emergency services. A number of healthcare organizations have also shut down from ransomware attacks, including a network of hospitals in Alabama.
The increase in attacks on municipal governments and healthcare organizations has been accompanied by another trend this year, according to several security researchers: Threat actors are upping their ransomware games.
Today’s infamous ransomware campaigns share some aspects with the notable cyberattacks of 20 years ago. For example, the ILOVEYOU worm used a simple VBScript to spread through email systems and even overwrote random files on infected devices, which forced several enterprises and government agencies to shut down their email servers.
But today’s ransomware threats aren’t just using more sophisticated techniques to infect organizations — they’ve also built thriving financial models that resemble the businesses of their cybersecurity counterparts. And they’re going after targets that will deliver the biggest return on investment.
The McAfee Labs Threats Report for August showed a 118% increase in ransomware detections for the first quarter of this year, driven largely by the infamous Ryuk and GandCrab families. But more importantly, the vendor noted how many ransomware operations had embraced “innovative” attack techniques to target businesses; instead of using mass phishing campaigns (as Ryuk and GandCrab have), “an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP [remote desktop protocol] and virtual network computing,” the report stated.
“The concept of ransomware is no longer the concept that we’ve historically known it as,” Raj Samani, chief scientist at McAfee, told SearchSecurity.
Sophos Labs’ 2020 Threat Report, which was published earlier this month, presented similar findings. The endpoint security vendor noted that since the SamSam ransomware attacks in 2018, more threat actors have “jumped on the RDP bandwagon” to gain access to corporate networks, not just endpoint devices. In addition, Sophos researchers found more attacks using remote monitoring and management software from vendors such as ConnectWise and Kaseya (ConnectWise’s Automate software was recently used in a series of attacks).
John Shier, senior security advisor at Sophos, said certain ransomware operations are demonstrating more sophistication and moving away from relying on “spray and pray” phishing emails. “The majority of the ransomware landscape was just opportunistic attacks,” he said.
That’s no longer the case, he said. In addition to searching for devices with exposed RDP or weak passwords that can be discovered by brute-force attacks, threat actors are also using that access to routinely locate and destroy backups. “The thoroughness of the attacks in those cases is devastating, and therefore they can command higher ransoms and get a higher percentage of payments,” Shier said.
Jeremiah Dewey, senior director of managed services and head of incident response at Rapid7, said his company began getting more calls about ransomware attacks with higher ransom demands. “This year, especially earlier in the year, we saw ransomware authors determine that they could ask for more,” he said.
With the volume of ransomware attacks this year, experts expect that trend to continue.
The ransomware economy
Samani said the new strategies and approaches used by many threat groups show a “professionalization” of the ransomware economy. But there are also operational aspects, particularly with the ransomware-as-a-service (RaaS) model, that are exhibiting increased sophistication. With RaaS campaigns such as GandCrab, ransomware authors make their code available to “affiliates” who are then tasked with infecting victims; the authors take a percentage of the ransoms earned by the affiliates.
In the past, Samani said, affiliates were usually less-skilled cybercriminals who relied on traditional phishing or social engineering tactics to spread ransomware. But that has changed, he said. In a series of research posts on Sodinokibi, a RaaS operation that experts believe was developed by GandCrab authors, McAfee observed the emergence of “all-star” affiliates who have gone above and beyond what typical affiliates do.
“Now you’re seeing affiliates beginning to recruit individuals that are specialists in RDP stressing or RDP brute-forcing,” Samani said. “Threat actors are now hiring specific individuals based on their specialties to go out and perform the first phase of the attack, which may well be the initial entry vector into an organization.”
And once they achieve access to a target environment, Samani said, the all-stars generally lie low until they achieve an understanding of the network, move laterally and locate and compromise backups in order to maximize the damage.
Sophos Labs’ 2020 Threat Report also noted that many ransomware actors are prioritizing which drives, files and documents get encrypted first, based on the type of data they hold. Shier said it’s not surprising to see ransomware campaigns increasingly use tactics that rely on human interaction. “What we’ve seen starting with SamSam is more of a hybrid model — there is some automation, but there’s also some humans,” he said.
These tactics and strategies have transformed the ransomware business, Samani said, shifting it away from the economies-of-scale approach of old. “All-star” affiliates who can not only infect the most victims but also command the biggest ransoms are now reaping the biggest rewards. And the cybercriminals behind these RaaS operations are paying close attention, too.
“The bad guys are actively monitoring, tracking and managing the efficiency of specific affiliates and rewarding them if they are as good as they claim to be,” Samani said. “It’s absolutely fascinating.”
Silver linings, dark portents
There is some good news for enterprises amid the latest ransomware research. For one, Samani said, the more professional ransomware operations were likely forced to adapt because the return on investment for ransomware was decreasing. Efforts from cybersecurity vendors and projects like No More Ransom contributed to victims refusing to pay, either because their data had been decrypted or because they were advised against it.
As a result, ransomware campaigns were forced to improve their strategies and operations in order to catch bigger fish and earn bigger rewards. “Return on investment is the key motivator to the re-evolution or rebirth of ransomware,” Samani said.
Another positive, according to Shier, is that not every ransomware campaign or its affiliates have the necessary skills to emulate a SamSam operation, for example. “In terms of other campaigns implementing similar models and techniques, it’s grown in the past 18 months,” he said. “But there are some limitations there.”
On the downside, Shier said, cybercriminals often don’t even need that level of sophistication to achieve some level of success. “Not everyone has the technical expertise to exploit BlueKeep for an RDP attack,” he said. “But there’s enough exposed RDP [systems] out there with weak passwords that you don’t need things like BlueKeep.”
In addition, Samani said the ransomware operations that earn large payments will be in a position to improve even further. “If you’ve got enough money, then you can hire whoever you want,” Samani said. “Money gives you the ability to improve research and development and innovate and move your code forward.”
In order to make the most money, threat actors will look for the organizations that are not only most vulnerable but also the most likely to pay large ransoms. That, Samani said, could lead to even more attacks on government and healthcare targets in 2020.
Shier said most ransomware attacks on healthcare companies and municipal governments still appear to be opportunistic infections, but he wouldn’t be surprised if more sophisticated ransomware operations begin to purposefully target those organizations in order to maximize their earnings.
“[Threat actors] know there are organizations that simply can’t experience downtime,” Shier said. “They don’t care who they are impacting. They want to make money.”
Ransomware. Just the word quickens the pulse of every Windows administrator who might have lingering doubts about the effectiveness of their security approach.
Many IT folks lose sleep over the effectiveness of their ransomware protection setup, and for good reason. Your vital Windows systems keep most companies running, and thoughts of them going offline will have many IT pros staring at the clock at 3 a.m.
Unfortunately, ransomware will hit you in some capacity, despite any measures you take, but it’s not a futile effort to shore up your defenses. The key is to fortify your systems with layers of security and then to follow best practices for both Windows and your backup products to minimize the damage.
Give a closer look at your backup setup
Backups are something companies make with the hope that they are never needed. Oftentimes, backups are a secondary task that is shuttled to an ops group to be done as a daily task that is a checkbox on some form somewhere. This is how trouble starts.
You need to make backups, but another part of the job is to secure those backups. A backup server or appliance is a very tempting target for attackers who want to plant ransomware. These servers or appliances have network access to pretty much everything in your data center. It’s your company’s safety net. If this massive repository of data got encrypted, it’s likely the company would pay a significant amount to free up those files.
Most backup products are commercially available and publicly documented, which means ransomware authors know how they work, including how the agents operate and which file paths they use. With all that information, an attacker can write software tailored to your vendor’s backup product.
Now, most backup offerings have some level of ransomware protection, but you have to enable it. Most people find the setting or steps to protect their data after the backups have been wiped. Don’t wait to verify your backup product is secured against ransomware; do it today.
An old security standby comes to the fore
This also brings up a secondary practice: air-gapping.
This methodology was popular in the days of tape backup but fell out of favor with the introduction of replication.
Some would argue that data that is several weeks or several months old has little value, but is the alternative — no data — any better? Anyone with IT experience who has seen organizations wiped out after a ransomware attack might change your mind if you feel old data is not worth having in an emergency.
(Embedded video: Windows Server 2019 ransomware protection settings.)
A small network-attached storage device that receives a full data dump every six months and is then powered off and locked away suddenly doesn't sound like such a bad idea when the alternative is zero data. It is a relatively inexpensive addition to the data center that serves as an extra repository of your data, and because it is offline between copies, the malware cannot reach it.
Think of it this way: Would you rather get hit with ransomware and lose a few months' worth of data, or all 15 years? Neither is a great situation, but one is much preferred over the other. These cold backups won't replace your backup strategy; they supplement it as a relatively economical air gap. When it comes to ransomware, more layers of safeguards should be the rule.
Air-gapping is less common now because of the pervasiveness of online deduplication backup products. For organizations that can afford them, these offerings replicate to backup appliances in remote locations so the data stays accessible, which also means the replica is reachable over the network by anything that compromises the primary.
Don’t overlook built-in ransomware protection
There are more than a few ways to mitigate the ransomware threat, but using a layered approach is recommended.
These malicious applications move east-west quickly across flat networks, typically over the same file-sharing and remote-administration ports (SMB, RDP, WinRM) that admins leave open everywhere. Internal firewalls, whether physical or virtual, can do a lot to stop that lateral movement.
An often-overlooked option is the Windows firewall. It had a few stumbles when it first came out, but Microsoft has kept developing it into a solid host firewall. It costs nothing beyond some administration work. The Windows firewall is not going to stop all ransomware, but very few products can.
Looking at the big picture, the Windows firewall gives an additional layer of protection against ransomware. It’s already there and should have little performance impact.
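As an added example, not code from the article or from Microsoft, the PowerShell below shows one way to put the built-in firewall to work against east-west movement: it sets every profile to default-deny inbound with dropped-packet logging, disables any existing allow rule that opens SMB (TCP 445), RDP (TCP 3389) or WinRM (TCP 5985) to all sources, and re-opens those ports only to a management subnet. The subnet 10.0.100.0/24 and the "LM-Guard" rule names are assumed values. One design point matters: in Windows Firewall a Block rule always wins over an Allow rule, so stacking a broad block on top of the defaults would also cut off the management subnet; the workable pattern is default-deny plus narrowly scoped allows. Run it on a lab host first, from a console session, because an admin connected over RDP from outside the management subnet will be disconnected by step 2.

```powershell
#Requires -RunAsAdministrator
# Added example: restrict lateral-movement ports with the built-in Windows firewall.
# Assumptions (not from the article): the management subnet is 10.0.100.0/24 and
# rule names are prefixed "LM-Guard". A host that must accept SMB from peers
# (file server, domain controller) needs a wider -RemoteAddress than this.

$MgmtSubnet = '10.0.100.0/24'
$Ports      = @{ 'SMB' = 445; 'RDP' = 3389; 'WinRM' = 5985 }

# 1. Default-deny inbound on every profile and log what gets dropped. The log is
#    plain text; shipping it to a SIEM shows scanning from infected peers early.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Disable any enabled inbound Allow rule that exposes one of these TCP ports.
#    Block beats Allow in Windows Firewall, so we do not add a block rule on top;
#    we remove the broad allow and replace it with a narrow one in step 3.
foreach ($name in $Ports.Keys) {
    $port = [string]$Ports[$name]
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -notlike 'LM-Guard*' } |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            ($filter.Protocol -eq 'TCP') -and ($filter.LocalPort -contains $port)
        } |
        Disable-NetFirewallRule
}

# 3. Re-open each port only to the management subnet (idempotent: skip if present).
foreach ($name in $Ports.Keys) {
    $ruleName = "LM-Guard $name from management"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $Ports[$name] -RemoteAddress $MgmtSubnet `
            -Profile Domain,Private -Enabled True | Out-Null
    }
}

# 4. Show the result so the operator can confirm what is now allowed.
Get-NetFirewallRule -DisplayName 'LM-Guard*' |
    Format-Table DisplayName, Enabled, Profile, Action -AutoSize
```

Push the same rules out with Group Policy rather than per host once they are proven, and review pfirewall.log after a week: a workstation that suddenly tries TCP 445 against dozens of peers is exactly the signal this layer is meant to surface.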
The rise of ransomware has had a significant effect on modern disaster recovery, shaping the way we protect data and plan a recovery. It does not bring the same physical destruction of a natural disaster, but the effects within an organization — and on its reputation — can be lasting.
It’s no wonder that recovering from ransomware has become such a priority in recent years.
It's hard to imagine a time when ransomware wasn't a threat, but while cyberattacks date back as far as the late 1980s, ransomware in particular has had a relatively recent rise in prominence. Ransomware is a type of malware attack that can be carried out in a number of ways, but the "ransom" part of the name comes from how attackers hope to profit from it. The victim's data is locked, usually by encryption, and held for ransom until the attacker is paid. Assuming the attacker is telling the truth, the data will then be decrypted and returned. Again, this assumes that the anonymous person or group that just locked up your data is being honest.
“Just pay the ransom” is rarely the first piece of advice an expert will offer. Not only do you not know if payment will actually result in your computer being unlocked, but developments in backup and recovery have made recovering from ransomware without paying the attacker possible. While this method of cyberattack seems specially designed to make victims panic and pay up, doing so does not guarantee you’ll get your data back or won’t be asked for more money.
Disaster recovery has changed significantly in the 20 years TechTarget has been covering technology news, but the rapid rise of ransomware to the top of the potential disaster pyramid is one of the more remarkable changes to occur. According to a U.S. government report, by 2016, 4,000 ransomware attacks were occurring daily, a 300% increase over the previous year. Ransomware recovery has changed the disaster recovery model, and it won't be going away any time soon. In this brief retrospective, take a look back at the major attacks that made headlines, evolving advice and warnings regarding ransomware, and how organizations are fighting back.
In the news
The appropriately named WannaCry ransomware attack began spreading in May 2017, using an exploit leaked from the National Security Agency targeting Windows computers. WannaCry is a worm, which means that it can spread without participation from the victims, unlike phishing attacks, which require action from the recipient to spread widely.
How big was the WannaCry attack? Affecting computers in as many as 150 countries, WannaCry is estimated to have caused hundreds of millions of dollars in damages. According to cyber risk modeling company Cyence, the total costs associated with the attack could be as high as $4 billion.
Rather than the price of the ransom itself, the biggest cost companies face is being down. Because so many organizations were infected with WannaCry, word spread quickly that those who paid were not receiving decryption keys, so most victims did not pay. Many still took a financial hit from the downtime the attack caused. Another major attack in 2017, NotPetya, cost Danish shipping giant A.P. Moller-Maersk hundreds of millions of dollars. And that's just one victim.
In 2018, the city of Atlanta’s recovery from ransomware ended up costing more than $5 million, and shut down several city departments for five days. In the Matanuska-Susitna borough of Alaska in 2018, 120 of 150 servers were affected by ransomware, and the government workers resorted to using typewriters to stay operational. Whether it is on a global or local scale, the consequences of ransomware are clear.
Taking center stage
Looking back, the massive increase in ransomware attacks between 2015 and 2016 signaled when ransomware really began to take its place at the head of the data threat pack. Experts not only began emphasizing the importance of backup and data protection against attacks, but planning for future potential recoveries. Depending on your DR strategy, recovering from ransomware could fit into your current plan, or you might have to start considering an overhaul.
By 2017, the ransomware threat was impossible to ignore. According to a 2018 Verizon Data Breach Report, 39% of malware attacks carried out in 2017 were ransomware, and ransomware had soared from being the fifth most common type of malware to number one.
Ransomware was not only becoming more prominent, but more sophisticated as well. Best practices for DR highlighted preparation for ransomware, and an emphasis on IT resiliency entered backup and recovery discussions. Protecting against ransomware became less about wondering what would happen if your organization was attacked, and more about what you would do when your organization was attacked. Ransomware recovery planning wasn’t just a good idea, it was a priority.
As a result of the ransomware epidemic, more organizations appear to be considering disaster recovery planning in general. As unthinkable as it may seem, many organizations have been reluctant to invest in disaster recovery, viewing it as something they might need eventually. This mindset is dangerous, and it leaves many companies without a recovery plan until it's too late.
While ransomware attacks may feel like an inevitability — which is how companies should prepare — that doesn’t mean the end is nigh. Recovering from ransomware is possible, and with the right amount of preparation and help, it can be done.
The modern backup market is evolving in such a way that downtime is considered practically unacceptable, which bodes well for ransomware recovery. Having frequent backups available is a major element of recovering, and taking advantage of vendor offerings can give you a boost when it comes to frequent, secure backups.
Vendors such as Reduxio, Nasuni and Carbonite have developed tools aimed at ransomware recovery, and can have you back up and running without significant data loss within hours. Whether the trick is backdating, snapshots, cloud-based backup and recovery, or server-level restores, numerous tools out there can help with recovery efforts. Other vendors working in this space include Acronis, Asigra, Barracuda, Commvault, Datto, Infrascale, Quorum, Unitrends and Zerto.
Along with a wider array of tech options, more information about ransomware is available than in the past. This is particularly helpful with ransomware attacks, because the attacks in part rely on the victims unwittingly participating. Whether you’re looking for tips on protecting against attacks or recovering after the fact, a wealth of information is available.
The widespread nature of ransomware is alarming, but also provides first-hand accounts of what happened and what was done to recover after the attack. You may not know when ransomware is going to strike, but recovery is no longer a mystery.
Why does the SamSam ransomware work so well? Why does the threat actor behind the campaign take a more manual approach to targeting and infecting victims? Will other cybercriminals take a page from SamSam’s increasingly sophisticated and effective playbook? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.
With version 4, GandCrab ransomware has undergone a major overhaul, adding an NSA exploit to help spread and targeting a larger set of systems.
The updated GandCrab ransomware was first discovered earlier this month, but researchers are just now learning the extent of the changes. The code structure of the GandCrab ransomware was completely rewritten. And, according to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.
“It no longer needs a C2 server (it can operate in airgapped environments, for example) and it now spreads via an SMB exploit – including on XP and Windows Server 2003 (along with modern operating systems),” Beaumont wrote in a blog post. “As far as I’m aware, this is the first ransomware true worm which spreads to XP and 2003 – you may remember much press coverage and speculation about WannaCry and XP, but the reality was the NSA SMB exploit (EternalBlue.exe) never worked against XP targets out of the box.”
Joie Salvio, senior threat researcher at Fortinet, based in Sunnyvale, Calif., found the GandCrab ransomware was being spread to targets via spam email and malicious WordPress sites and noted another major change to the code.
“The biggest change, however, is the switch from using RSA-2048 to the much faster Salsa20 stream cipher to encrypt data, which had also been used by the Petya ransomware in the past,” Salvio wrote in the analysis. “Furthermore, it has done away with connecting to its C2 server before it can encrypt its victims’ file, which means it is now able to encrypt users that are not connected to the Internet.”
However, the GandCrab ransomware appears to specifically target users in Russian-speaking regions. Fortinet found the malware checks the system for use of the Russian keyboard layout before it continues with the infection.
Despite the overhaul of the GandCrab ransomware and the expanded set of systems being targeted, Beaumont and Salvio both said basic cyber hygiene should be enough to protect users from attack. That means installing Microsoft's EternalBlue patch (the March 2017 MS17-010 update), keeping antivirus up to date and disabling SMB version 1 altogether, advice that has been repeated by various outlets, including US-CERT, since the initial WannaCry attacks began.
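The three hygiene items above are easy to state and easy to let drift, so here is an added example (not code from the article, from Fortinet or from Microsoft) of a PowerShell check that reports on them for a single Windows host and, with a script-specific -Remediate switch, turns SMBv1 off. It assumes it runs locally as an administrator with Microsoft Defender as the antivirus; on a host with third-party AV the Defender section reports that it cannot tell. KB numbers for MS17-010 differ per OS build, so instead of hard-coding them the script reports the newest installed update and flags anything with no update since the 14 March 2017 release, which is a coarse test that still catches the hosts that matter.

```powershell
#Requires -RunAsAdministrator
# Added example: verify SMBv1 state, antivirus freshness and patch recency on a
# Windows host. Assumptions (not from the article): local admin session, Microsoft
# Defender, and a -Remediate switch that belongs to this script only.
[CmdletBinding()]
param(
    [switch]$Remediate   # disable SMBv1 instead of only reporting it
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. SMBv1 on the server side. Both WannaCry and the GandCrab variant discussed
#    above spread over an SMB exploit; SMBv1 should be off unless an inventoried
#    legacy device still needs it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled')
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# On Windows 10 / Server 2016 and later SMB1 is also an optional feature that
# ships the client and server binaries; removing it requires a reboot. Older
# servers return nothing here, which is why errors are silenced.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol optional feature is installed')
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 2. Antivirus freshness (Microsoft Defender). Signatures more than a few days
#    old usually mean the update channel is broken, not that nothing was released.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings.Add('Microsoft Defender status unavailable (third-party AV or service stopped)')
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt 3)    { $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old") }
}

# 3. Patch recency. The EternalBlue fix shipped in Microsoft's 14 March 2017
#    update (MS17-010). Report the newest installed update and flag hosts that
#    have received nothing since that date.
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt [datetime]'2017-03-14') {
    $findings.Add('No update installed since the March 2017 MS17-010 release; check patch status')
} else {
    Write-Verbose "Newest installed update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())"
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 off, Defender current, updates installed after MS17-010'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if (-not $Remediate) { Write-Output 'Re-run with -Remediate to disable SMBv1 on this host' }
}
```

Run it as `.\Check-RansomwareHygiene.ps1` to report, or with `-Remediate` to switch SMBv1 off; a reboot finishes the optional-feature removal. The patch test is deliberately coarse: a host that has installed something since March 2017 is not proven patched for MS17-010, so treat the output as triage and confirm with your vulnerability scanner or the vendor's patch inventory.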