
Ransomware: What to Do If You’re Hit
BY FBI SPECIAL AGENT TIM LAUSTER
After enjoying a pleasant holiday or weekend with your friends and family, you return to work on Monday recharged and focused on completing your latest engineering research project. When you log into your workstation, you struggle to access your files and discover a file named “RyukReadMe.html” in your research folder. Curious, you open the file:
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies were also removed. We exclusively have decryption software for your situation. No decryption software is available in the public. To get info (decrypt your files) contact us at: example@badguyemail.com Ryuk No system is safe
While the above scenario focused on the Ryuk ransomware, the many different ransomware variants generally follow the same attack pattern. Typically, a spam or spear phishing email entices a user to open a file attachment, which, unbeknownst to the user, installs a dropper program. This dropper is the initial point of compromise the bad actors leverage to further exploit the network. The bad actors then move laterally across the victim’s network to identify intellectual property, backup servers, executives’ email, and accounting information, all of which are used to calculate an appropriate ransom demand. More recently, the bad actors may attempt to discreetly exfiltrate intellectual property data and threaten to release it to the public if their ransom demand is not met.
Once the intellectual property data has been exfiltrated and the backup servers compromised, the bad actors launch the ransomware program to encrypt data as it moves across the victim’s network. This final step is typically executed late on a Friday or over a holiday weekend to increase the likelihood the activity will not be immediately detected. The bad actors are generally willing to negotiate the ransom amount, but ransom demands over $1 million USD are not unusual for larger organizations.
Unfortunately, the “No system is safe” tagline from the Ryuk ransomware note is accurate, but there are meaningful steps you and your organization can take to reduce your likelihood of being victimized and reduce the damage if an attack does occur.
Spam email or spear phishing is a common infection vector for malicious software that ultimately leads to a ransomware attack. End users should receive regular training on how to identify phishing emails and how to handle suspicious email messages. As a best practice, this training should be accompanied by unannounced simulated phishing emails drafted by your organization and sent to the end users. If a user clicks on the simulated phishing email, they should be directed to a refresher course. Finally, email system administrators should strongly consider adding a visual flag to denote email messages originating from outside of the company’s network. This practice helps reduce the threat from spear phishing emails sent from similar-sounding domain names.
Strong passwords can also reduce your threat profile for ransomware attacks. Passwords should consist of a combination of at least 12 letters, numbers, and special characters and should not be reused across different accounts. One solution for generating a complex password is to use the first letter or character from an easy to remember sentence. For example, the sentence “Bob, John & I grew up in 1 small red house outside of Memphis, TN” would create the passphrase, “BJ&Igui1srhooMTN”.
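The derivation above, together with the article’s length and character-mix criteria, written out as an added example (not the author’s code). The rule for all-capital abbreviations such as “TN” is an assumption made so that the article’s own sentence reproduces its stated passphrase; the set of previously used passwords is constructed.

```python
import string

def passphrase_from_sentence(sentence: str) -> str:
    """Build a passphrase from the first character of each word.

    Assumed rule so the article's example reproduces: an all-capital
    abbreviation such as "TN" is kept whole; punctuation attached to a
    word is ignored unless the whole token is punctuation (like "&").
    """
    parts = []
    for token in sentence.split():
        core = token.strip(string.punctuation) or token
        if len(core) > 1 and core.isupper():
            parts.append(core)
        else:
            parts.append(core[0])
    return "".join(parts)

def policy_violations(password: str, previously_used=frozenset()) -> list:
    """Check the article's criteria: at least 12 characters, a mix of
    letters, numbers and special characters, and no reuse across accounts."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if password in previously_used:
        problems.append("reused from another account")
    return problems

# The sentence from the article; the already-used passwords are a constructed sample.
SENTENCE = "Bob, John & I grew up in 1 small red house outside of Memphis, TN"
PREVIOUSLY_USED = frozenset({"Summer2020!", "Memphis1!"})

if __name__ == "__main__":
    candidate = passphrase_from_sentence(SENTENCE)
    print(candidate, policy_violations(candidate, PREVIOUSLY_USED) or "meets policy")
    print("Memphis1!", policy_violations("Memphis1!", PREVIOUSLY_USED))
```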
Literally overnight, the COVID pandemic prompted a significant increase in the use of Remote Desktop Protocol (RDP) and other remote access solutions. Unfortunately, these remote access technologies also create a new attack vector for bad actors to penetrate your network. Appropriate technical resources and manpower should be dedicated to monitoring these remote access portals and ensuring they are patched. In addition, all remote access portals should be secured with dual-factor authentication, which typically entails entering a password along with a randomly generated number from a soft-token device or application.
Alongside defending against phishing and RDP exploitation, timely patch management is critical to securing your network. Particular emphasis should be placed on any unpatched software reachable from an external IP address. In addition, your organization should consider hiring an outside party to conduct penetration testing to identify vulnerable systems and other avenues of attack.
A comprehensive and well executed data backup strategy can be invaluable in mitigating an attack. The first step is to identify your critical data, which will be the primary focus of your backup strategy. This data should be backed up on a regular basis to both a network share and offline media. Ideally, the offline media would be stored in an off-site location to also avoid physical threats (e.g., floods or fires). Equally important is to regularly test the backup by randomly restoring files. The scope of the backup should also be regularly monitored to account for any changes to network or server infrastructure.
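The restore test described above, as an added example that is not part of the original article: it picks files at random from the live data, restores their backup copies into a scratch directory (never over the originals) and compares SHA-256 hashes, flagging stale and missing copies. The research and backup folders are a constructed sample built in a temporary directory.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def restore_test(source_dir, backup_dir, sample_size: int, seed=None) -> dict:
    """Randomly pick files from the live data, restore their backup copies into
    a scratch directory and compare hashes. Returns {relative path: verdict}."""
    source, backup = Path(source_dir), Path(backup_dir)
    candidates = sorted(p.relative_to(source) for p in source.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(candidates, min(sample_size, len(candidates)))
    verdicts = {}
    with tempfile.TemporaryDirectory() as scratch:
        for rel in sample:
            backup_copy = backup / rel
            if not backup_copy.is_file():
                verdicts[rel.as_posix()] = "missing from backup"
                continue
            restored = Path(scratch) / rel          # restore here, never over the source
            restored.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup_copy, restored)
            same = sha256_of(restored) == sha256_of(source / rel)
            verdicts[rel.as_posix()] = "ok" if same else "hash mismatch"
    return verdicts

def demo() -> dict:
    """Constructed sample: a research folder and a backup in which one file
    is out of date and one was never included in the backup scope."""
    root = Path(tempfile.mkdtemp())
    try:
        src, bak = root / "research", root / "backup"
        files = {"notes.txt": "lab notes", "data/run1.csv": "1,2,3", "report.docx": "draft v3"}
        for rel, text in files.items():
            for base in (src, bak):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(text)
        (bak / "report.docx").write_text("draft v1")   # backup copy is stale
        (bak / "data/run1.csv").unlink()               # backup scope missed this file
        return restore_test(src, bak, sample_size=3, seed=1)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:20} {path}")
```

In production the sample would be drawn from the critical-data inventory and the verdicts logged, so a growing list of "missing from backup" entries flags a backup scope that has drifted from the server inventory.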
Despite all your best efforts, it is certainly possible to fall victim to a ransomware attack. The key to mitigating the damage is to have a response plan in place before the attack occurs. This plan should encompass all facets of your organization, including executive management, information technology, legal, accounting and operations personnel. If your organization does not have sufficient resources to respond to such an attack, it should consider preselecting a third-party incident response firm to assist with your threat mitigation efforts. Finally, please report the intrusion to law enforcement, as we may be able to provide you with valuable intelligence regarding your ransomware variant, and your organization may have important evidence to advance our criminal investigation.
A complaint may be submitted to the FBI Detroit Division at (313) 965-2323 or https://www.ic3.gov/Home/Ransomware.
For more information, please see the following:
- Federal Bureau of Investigation: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware
- Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/stopransomware
Special Agent Timothy F. Lauster, Jr., has investigated computer intrusion, internet fraud, intellectual property rights, crimes against children and terrorism matters. He has a bachelor’s degree in computer science and a Master of Business Administration. He serves as adjunct faculty at the FBI Academy providing instruction on cybercrime investigations.