TechCentury - Spring 2022


Ransomware: What To Do If You're Hit
By FBI Special Agent Tim Lauster

After enjoying a pleasant holiday or weekend with your friends and family, you return to work on Monday recharged and focused on completing your latest engineering research project. When you log into your workstation, you struggle to access your files and discover a file named "RyukReadMe.html" in your research folder. Curious, you open the file:

    Your network has been penetrated.
    All files on each host in the network have been encrypted with a strong algorithm.
    Backups were either encrypted or deleted or backup disks were formatted.
    Shadow copies were also removed.
    We exclusively have decryption software for your situation.
    No decryption software is available in the public.
    To get info (decrypt your files) contact us at: example@badguyemail.com
    Ryuk
    No system is safe

While the above scenario focused on the Ryuk ransomware, the many different ransomware variants generally follow the same attack pattern. Typically, a spam or spear phishing email entices a user to open a file attachment, which, unbeknownst to the user, installs a dropper program. This dropper is the initial point of compromise the bad actors leverage to further exploit the network. The bad actors then move laterally across the victim's network to identify intellectual property, backup servers, executives' email, and accounting information, all of which are used to calculate an appropriate ransom demand. More recently, the bad actors may attempt to discreetly exfiltrate intellectual property data and threaten to release it to the public if their ransom demand is not met. Once the intellectual property data has been exfiltrated and the backup servers compromised, the bad actors launch the ransomware program to encrypt data as it moves across the victim's network. This final step is typically executed late on a Friday or over a holiday weekend to increase the likelihood that the activity will not be immediately detected. The bad actors are generally willing to negotiate the ransom amount, but ransom demands over $1 million USD are not unusual for larger organizations.

Unfortunately, the "No system is safe" tagline from the Ryuk ransomware note is accurate, but there are meaningful steps you and your organization can take to reduce your likelihood of being victimized and to reduce the damage if an attack does occur.

Spam email or spear phishing is a common infection vector for malicious software ultimately leading to a ransomware attack. End users should receive regular training on tips for identifying phishing emails and how to handle suspicious email messages. As a best practice, this training should be accompanied by unannounced simulated phishing emails drafted by your organization and sent to the end users. If a user clicks on the simulated phishing email, they should be directed to a refresher course. Finally, email system administrators should strongly consider adding a visual flag to denote email messages originating from outside of the company's network. This practice would help to reduce the threat from spear phishing emails originating from similar-sounding domain names.

Strong passwords can also reduce your threat profile for ransomware attacks. Passwords should consist of a combination of at least 12 letters, numbers, and special characters and should not be reused across different accounts. One solution for generating a complex password is to use the first letter or character from each word of an easy-to-remember sentence. For example, the sentence "Bob, John & I grew up in 1 small red house outside of Memphis, TN" would create the passphrase "BJ&Igui1srhooMTN".

Literally overnight, the COVID pandemic prompted a significant increase in the use of Remote Desktop Protocol (RDP) and other remote access solutions. Unfortunately, these remote access technologies also create a new attack vector for bad actors to penetrate your network. Appropriate technical resources and manpower should be dedicated to monitoring these remote access portals and ensuring they are patched promptly.
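A defender's counterpart to the scenario above, added here as an example and not part of the original article: a small Python scan that walks a file share looking for the ransom note named in the scenario and for files whose leading bytes have near-maximal entropy, a rough sign that they have been encrypted. The note-name patterns other than "RyukReadMe.html", the 7.5-bit threshold, and the sample directory tree are all constructed assumptions for illustration.

```python
import math
import os
import re
import tempfile
from pathlib import Path

# Ransom note file names to flag. "RyukReadMe.html" is the name from the
# scenario above; the second, generic pattern is an assumption for illustration.
NOTE_PATTERNS = [
    re.compile(r"^ryukreadme\.html$", re.IGNORECASE),
    re.compile(r"(readme|decrypt|restore|recover).*(files|data)", re.IGNORECASE),
]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_ransom_note(name: str) -> bool:
    return any(p.search(name) for p in NOTE_PATTERNS)

def scan_tree(root: str, sample_bytes: int = 4096, threshold: float = 7.5) -> dict:
    """Walk a share or home directory and return ransom notes found plus files
    whose first bytes look encrypted. The threshold is an assumption; compressed
    archives and media also score high, so treat hits as leads to triage."""
    notes, high_entropy = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = Path(dirpath) / fn
            if is_ransom_note(fn):
                notes.append(str(path))
                continue
            try:
                head = path.open("rb").read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if len(head) >= 256 and shannon_entropy(head) >= threshold:
                high_entropy.append(str(path))
    return {"notes": notes, "high_entropy": high_entropy}

def demo_scan() -> dict:
    """Constructed sample tree (not real data): the ransom note, a plain-text
    file, and a block of 8-bit-entropy bytes standing in for an encrypted file."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "RyukReadMe.html").write_text("Your network has been penetrated.\n")
        Path(tmp, "notes.txt").write_text("plain engineering notes\n" * 40)
        Path(tmp, "report.docx").write_bytes(bytes(range(256)) * 16)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo_scan())
```

Run against a mapped share in read-only fashion; a note hit on any host is the trigger to isolate that host and preserve it for forensics rather than to start cleaning up.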
