By Mitchell R. Sowards
What is Ransomware?
“Ransomware” is malicious software that infects your systems and, instead of trying to steal or destroy any of your data, simply “takes your data hostage” by encrypting it and then demanding that you pay a ransom to be given the decryption key. Ransomware can be introduced into your systems in three general ways:
- Through email with infected attachments or web links to infected web pages.
- Through web browsing on infected websites.
- Through hackers breaking into your network from the internet.
The worst example ENTRUST has heard of was a local firm (not an ENTRUST client) that was stricken by ransomware through an email. Their entire server became infected and was held hostage. They belatedly discovered that their backups had been failing for over 8 months. (They fired their former IT company upon this revelation and hired ENTRUST, and this is how we learned of the event.) Finally, because they had no backups, they agreed to pay the ransom, but the decryption process failed. So they paid the ransom and still lost 8 months of data. This is a worst-case situation.
ENTRUST’s standard response to any successful ransomware attack is as follows:
- Isolate and eliminate the point of infection.
- Delete all of the infected (encrypted) files.
- Restore all of the infected (encrypted) files from backup.
For customers with the best backup systems (known as Business Continuity services) this usually means no more than a few hours of lost work and some hours spent waiting for data to be restored from backup. But it can easily be a whole lost day of productivity in typical cases. Downtime can easily cost hundreds or thousands of dollars per hour to a company. (To get an idea of how much a single day of downtime would cost your organization, please check out the Cost of Downtime Calculator on our website.) So, prevention is better than even the best recovery plan. But in the past, most clients did not deem the risk to be high enough to invest in better protections or to accept the inconveniences of better security.
The Tipping Point
Prior to 2016 ENTRUST encountered ransomware only rarely, perhaps once or twice per year. Starting in 2016 we began to see increasing occurrences, mostly through email attacks. By the end of 2016 we were seeing it about monthly. Now, in 2017, we are seeing it almost weekly! And more of these attacks are coming through hackers breaching systems from the internet.
How Hackers Get Lucky
The hacker attack we have been observing is a “brute force” method of trying to guess a valid username and password which will give them access to your systems. Most of our clients’ systems are safely protected behind firewalls. But of necessity some servers must face the public internet to allow access by remote workers. Breaking in by guessing may seem far-fetched. But if not required otherwise, most of your employees will choose simple passwords. And the hackers have lists of, for example, the 100,000 most common passwords along with lists of common account names. Many companies may still have long-departed employees defined on their system, or even “temporary” accounts that were created years and years ago for vendors, or “service accounts” created for copiers and scanners with equally weak passwords. Those old accounts represent additional weaknesses waiting to be exploited. And, if proper protections are not in place, hackers can simply keep trying common names with common passwords until they get lucky. And the moment they get lucky, they immediately install ransomware on the breached computer.
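The pattern described above is easy to spot in authentication logs if someone is looking. The following is an added example written for this page, not ENTRUST’s own tooling: it parses a constructed set of login-log lines (the line format and the addresses, taken from the RFC 5737 documentation ranges, are assumptions) and raises an alert when one source accumulates ten failures within a minute, plus a second, higher-priority alert when that same source then logs in successfully, which is the “got lucky” moment the text describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Addresses are from the
# RFC 5737 documentation ranges; the usernames are the kinds of accounts the
# article warns about (old vendor, copier and service accounts).
SAMPLE_LOG = """\
2017-05-03T02:14:07Z LOGIN FAIL user=administrator src=203.0.113.9
2017-05-03T02:14:07Z LOGIN FAIL user=admin src=203.0.113.9
2017-05-03T02:14:08Z LOGIN FAIL user=scanner src=203.0.113.9
2017-05-03T02:14:08Z LOGIN FAIL user=jsmith src=203.0.113.9
2017-05-03T02:14:09Z LOGIN FAIL user=vendor src=203.0.113.9
2017-05-03T02:14:09Z LOGIN FAIL user=copier src=203.0.113.9
2017-05-03T02:14:10Z LOGIN FAIL user=test src=203.0.113.9
2017-05-03T02:14:10Z LOGIN FAIL user=guest src=203.0.113.9
2017-05-03T02:14:11Z LOGIN FAIL user=backup src=203.0.113.9
2017-05-03T02:14:11Z LOGIN FAIL user=sales src=203.0.113.9
2017-05-03T02:14:12Z LOGIN OK   user=copier src=203.0.113.9
2017-05-03T09:02:15Z LOGIN FAIL user=mjones src=198.51.100.4
2017-05-03T09:02:31Z LOGIN OK   user=mjones src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) LOGIN (FAIL|OK)\s+user=(\S+) src=(\S+)$")
WINDOW = timedelta(seconds=60)
THRESHOLD = 10   # same count as the article's lockout rule


def parse_line(line):
    """Return (timestamp, outcome, user, src), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Flag a source that fails `threshold` logins within `window`, and flag a
    successful login from that source soon afterwards."""
    recent_failures = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    flagged_at = {}                        # src -> time of the last brute-force alert
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, outcome, user, src = event
        q = recent_failures[src]
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if outcome == "FAIL":
            q.append((ts, user))
            already_flagged = src in flagged_at and ts - flagged_at[src] <= window
            if len(q) >= threshold and not already_flagged:
                alerts.append({
                    "type": "brute_force",
                    "src": src,
                    "failures": len(q),
                    "distinct_users": len({u for _, u in q}),
                    "at": ts.isoformat(),
                })
                flagged_at[src] = ts
        elif src in flagged_at and ts - flagged_at[src] <= window:
            # A success right after a burst of failures is the case that matters most.
            alerts.append({
                "type": "success_after_brute_force",
                "src": src,
                "user": user,
                "at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `distinct_users` count separates the two shapes of guessing the article mentions: a high count means many account names tried with a few passwords (the common-name list), a count of one means one account being hammered with a password list. The single failure from `198.51.100.4` followed by a success is an ordinary user mistyping and is not flagged.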
Surely there is something you can do to protect yourself, right? Yes there is.
What You Must Do To Protect Yourself
Here is the high level list of things you must do to protect yourself from these intense and ongoing attacks:
- Make certain you have a fast and reliable backup mechanism so that should a breach occur we can at least get you back up and running quickly without too much lost data or productivity.
- Implement enhanced email protection. ENTRUST has long provided spam/malware filtering for our clients. But we can now offer higher levels of “Targeted Threat Protection” to protect users from ransomware that comes by email.
- Implement web filtering to protect users from accidentally clicking on links to malware infested websites.
- Implement strengthened security policies by doing, at a minimum, the following:
  - Strengthen your password policies:
    - Set account lockout of 1 hour after 10 failed attempts. (This prevents the hackers’ robots from making any progress with their brute-force approach: every time they make 10 attempts, in a second or two, they are completely blocked for the next hour.)
    - Require users to change passwords at least twice per year.
    - Require password strength: complexity (3 of 4 criteria: capital letters, lowercase letters, numbers and special characters) OR a 12-character minimum.
  - Implement a full password reset on all user accounts now to ensure compliance with the new policy above.
- Restrict firewall access to authorized networks only and implement VPN access for remote/travelling workers.
- Review and clean-up all privileged groups of users on your network to make sure that only authorized users can access systems remotely.
- Review all shared folders on your systems to make sure only authorized users have access to those folders.
- Verify no “extra” accounts exist on any servers (such as departed employees, unrecognized old service accounts or vendor accounts, etc.).
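As an added illustration of the two password-policy settings above (not an ENTRUST script or any product’s code), here is a small Python model: a check that a proposed password satisfies the 3-of-4 or 12-character rule, and a lockout counter that locks an account for an hour after ten failures. The simulation at the end runs the same constructed guess list against an account with and without the lockout; the guesser needs 25 guesses either way to hit the password, but with the lockout those 25 guesses take about two hours instead of 24 seconds. The username, guess list and password are constructed values.

```python
import re
from dataclasses import dataclass

# Policy values taken from the article: lock the account for 1 hour after
# 10 failed attempts; require 3 of 4 character classes OR 12+ characters.
LOCKOUT_THRESHOLD = 10
LOCKOUT_SECONDS = 3600
MIN_LENGTH_ALTERNATIVE = 12

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_meets_policy(password: str) -> bool:
    """True if the password has at least 3 of the 4 character classes,
    or is at least 12 characters long."""
    if len(password) >= MIN_LENGTH_ALTERNATIVE:
        return True
    present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    return present >= 3


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Counts failed logins per account and rejects every attempt, right or
    wrong, while the lockout window is open."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lock_seconds=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.accounts = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        return state is not None and now < state.locked_until

    def record_attempt(self, user: str, password_correct: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'."""
        state = self.accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            return "locked"            # not evaluated at all during lockout
        if password_correct:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.threshold:
            state.locked_until = now + self.lock_seconds
            state.failures = 0
            return "locked"
        return "failed"


# Constructed guess list (not a real wordlist): a few common passwords padded
# with filler guesses, with the account's real password placed 25th.
GUESS_LIST = ["123456", "password", "qwerty", "letmein", "welcome"] + [
    f"guess{i:03d}" for i in range(95)
]
REAL_PASSWORD = "Welcome1"   # constructed value; satisfies the 3-of-4 rule
GUESS_LIST.insert(24, REAL_PASSWORD)


def simulate_guessing(candidates, real_password, policy, user="jsmith"):
    """Make one guess per second against `policy`; during a lockout the guesser
    can only wait. Returns (found, guesses_made, seconds_elapsed)."""
    t = 0
    guesses = 0
    for guess in candidates:
        while policy.is_locked(user, t):
            t += 1
        guesses += 1
        if policy.record_attempt(user, guess == real_password, t) == "ok":
            return True, guesses, t
        t += 1
    return False, guesses, t


def run_demo(lockout_enabled: bool):
    """Same guess list and account, with or without the 10-attempt lockout."""
    threshold = LOCKOUT_THRESHOLD if lockout_enabled else 10**9
    return simulate_guessing(GUESS_LIST, REAL_PASSWORD, LockoutPolicy(threshold=threshold))


if __name__ == "__main__":
    print("no lockout  :", run_demo(False))   # (True, 25, 24): 25 guesses in 24 s
    print("with lockout:", run_demo(True))    # (True, 25, 7222): same 25 guesses, about 2 hours
```

In a real directory the lockout is enforced by the authentication server rather than by application code; the model only shows why the setting works: after the tenth failure, nothing the guesser sends for the next hour is evaluated at all, so a list of 100,000 passwords that would take minutes to run unthrottled instead takes years.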
ENTRUST has recommended many of these best practices for a long time. But you will agree that many of them come with some inconvenience to users.
- Everyone hates using long or complicated passwords.
- Everyone hates having to change their password.
- No one wants to wade through folders and user lists.
- No one likes being slowed down from remote work by accessing a VPN first.
But we have reached the Ransomware Tipping Point – the risk is so high and the costs of lost data and lost productivity are so great – and it is imperative that you heed this advice.
ONE MORE THING:
All of the above recommendations are considered the “minimum” you should do. ENTRUST also strongly recommends that you implement two-factor authentication for all remote access users. This requires each user to not only have a strong password but, at every login, to provide a 2nd authentication such as a special “code” sent to them via text message. Two-factor authentication completely defeats hacker brute force attacks because they will never have the special code! Think about it.
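As an added example, not the article’s or ENTRUST’s code, here is what the server side of a second factor looks like. It uses an authenticator-style time-based code (TOTP, RFC 6238) in place of the text-message code the article describes; the shared secret is the RFC 6238 test-vector value, used only so the output can be checked against the RFC, and the user names are constructed. The verifier tolerates one time step of clock drift, compares codes in constant time, and refuses a code that has already been accepted.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactorVerifier:
    """Server-side check of a submitted code. Accepts the current time step and
    one step either side (clock drift), compares in constant time, and never
    accepts the same time step twice for a user (replay guard)."""

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1):
        self.step, self.digits, self.skew = step, digits, skew
        self.last_counter = {}   # user -> last accepted counter

    def verify(self, user: str, secret: bytes, submitted: str, at_time: float) -> bool:
        base = int(at_time) // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                if counter <= self.last_counter.get(user, -1):
                    return False           # code already used: replay
                self.last_counter[user] = counter
                return True
        return False


# Secret from the RFC 6238 test vectors: a demo value, not a real credential.
# In practice each user gets a randomly generated secret stored with the account.
DEMO_SECRET = b"12345678901234567890"


def login(user: str, password_ok: bool, code: str, at_time: float,
          verifier: SecondFactorVerifier) -> bool:
    """Both factors must pass. The password check is out of scope here and is
    passed in as a boolean; a guessed password alone never gets in."""
    if not password_ok:
        return False
    return verifier.verify(user, DEMO_SECRET, code, at_time)


if __name__ == "__main__":
    v = SecondFactorVerifier()
    print(totp(DEMO_SECRET, 59, digits=8))                     # 94287082 (RFC 6238 vector)
    print(login("alice", True, totp(DEMO_SECRET, 59), 59, v))  # True
    print(login("alice", True, totp(DEMO_SECRET, 59), 61, v))  # False: same code replayed
```

Because a six-digit code can itself be guessed, the same lockout counter that protects the password should also cover second-factor attempts, so that the code check does not become a brute-force target of its own.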