Recently it was reported that in April 2016 an employee at Michigan-based utility company BWL opened an email and clicked on a malicious attachment laden with ransomware. The result? It shut down accounting and email systems as well as phone lines, which led to a costly and laborious week of recovery.
The cost? $2.4 million.
Let That Sink in for a Second.
In a separate case, the $800K ransom heaped upon the City of Detroit by hackers in 2014 served as an anecdotal warning of the potential for this class of malware. But in the BWL case, only $25K was actually paid to the attackers, with 99 percent of the costs related to technology upgrades and people responding to the attack. To save you the mental math, the actual ransom was about 1 percent of the total costs. This could be the setting for a modern proverb based on For Want of a Nail. The silver lining is the improvement of the utility’s security and the overhaul of its IT communication policy.
What Does This Teach Us?
For all the talk of the cost of the ransoms levied upon victims, the real impact is much greater. In this example, it cost the organization in lost business, damage to the customer experience, and even more on the human resources side. It also serves as a poster child for ineffective spam management and phishing prevention. Ultimately this problem is happening around the world, and despite the best intentions at stopping ransomware, it still persists.
What Do You Do If You Are Hit?
First of all, don’t panic. Your default position should be not to pay the ransom, and instead to find a way to restore systems and data without giving in. Otherwise, it’s like feeding a feral cat; the hackers will be found on your doorstep the next day. Simultaneously, you need to restore systems, discover the point of origin, and stop follow-on attacks. This is where the backup and security stories combine.
In the case of BWL, it took a lot of human resources and two weeks’ worth of time, most likely because the utility was not prepared for this type of attack. In your case, find the point of origin and restore a backup from before that event.
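As an added illustration of that last step (this is not code from the original post or from SonicWall), the Python below estimates the point of origin from the timestamps of encrypted files and then picks the newest backup snapshot taken before it, with a safety margin. All file names, timestamps, snapshot ids and the ".locked" extension are constructed placeholders.

```python
# Added example (not from the original post): estimate the point of origin
# from encrypted-file timestamps and pick the last snapshot taken before it.
# All file names, timestamps, snapshot ids and the ".locked" extension are constructed.
from datetime import datetime, timedelta

RANSOM_EXT = ".locked"  # placeholder extension the hypothetical ransomware appends

# Constructed listing of the affected accounting share: (path, last modified)
FILES = [
    ("invoices/2016-03.xlsx", datetime(2016, 4, 25, 9, 12)),       # untouched
    ("invoices/2016-04.xlsx.locked", datetime(2016, 4, 25, 10, 47)),
    ("payroll/april.csv.locked", datetime(2016, 4, 25, 10, 49)),
    ("README_DECRYPT.txt", datetime(2016, 4, 25, 10, 51)),         # ransom note
    ("ap/vendor_list.docx.locked", datetime(2016, 4, 25, 11, 3)),
]

# Constructed snapshot catalogue: (snapshot id, time taken)
SNAPSHOTS = [
    ("snap-2016-04-24-0200", datetime(2016, 4, 24, 2, 0)),
    ("snap-2016-04-25-0200", datetime(2016, 4, 25, 2, 0)),
    ("snap-2016-04-25-1400", datetime(2016, 4, 25, 14, 0)),  # taken after encryption began
]


def point_of_origin(files, ext=RANSOM_EXT):
    """Earliest mtime among encrypted files approximates when encryption started.
    Returns None if nothing carries the ransomware extension."""
    hits = [mtime for path, mtime in files if path.endswith(ext)]
    return min(hits) if hits else None


def last_clean_snapshot(snapshots, origin, margin=timedelta(hours=1)):
    """Newest snapshot taken before origin minus a safety margin. The margin
    covers clock skew and a dropper that sat idle before it started encrypting."""
    cutoff = origin - margin
    clean = [(name, taken) for name, taken in snapshots if taken < cutoff]
    return max(clean, key=lambda s: s[1])[0] if clean else None


def restore_plan(files=FILES, snapshots=SNAPSHOTS):
    """Return the estimated origin and the snapshot to restore, or None for each."""
    origin = point_of_origin(files)
    snap = last_clean_snapshot(snapshots, origin) if origin else None
    return {"origin": origin, "snapshot": snap}


if __name__ == "__main__":
    print(restore_plan())
```

The snapshot taken at 14:00 is rejected even though it is the newest, because anything captured after encryption began would only restore the encrypted files.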
But What About Stopping Follow-on Attacks?
Before the Firewall
I would like to say that there is a single solution out there that will solve this, but that isn’t completely true. In short, the answer is education, security and backup. The first thing to do is to build the human firewall: teach your employees not to click on attachments or links in suspicious emails, especially if you deal with payments. This is just the first step; a recent Barkly study stated that in their data set, 33 percent of ransomware victims had already undergone security awareness training.
Additionally, think long and hard before hanging “blamable” employees out to dry. It may be shortsighted to fire or reprimand an employee for unleashing malware unless they were clearly going outside the boundaries of ethical/lawful internet usage (e.g. browsing adult sites, downloading pirated material, etc.). In many cases, ransomware comes through a cleverly crafted phishing email, and given the fact that BWL’s accounting and email systems were taken offline, I’m assuming an accounts payable person opened an attachment from a hacker with an “unpaid invoice.”
When it comes to technology, you need to have a multi-layered approach to eliminate malware as it approaches your environment. Look at the image below and you can see how SonicWall stops ransomware via web and device traffic. In the case of watering hole attacks (e.g., downloading malware from a website), SonicWall Content Filtering Service (CFS) blocks millions of known malicious sites to help remove major sources of pulled malware from the equation. After this, deploy SSL/TLS decryption to help you see all traffic. Four years ago, the percentage of traffic being encrypted was very low compared with today. Forget the advertised malware catch rate of a vendor’s firewall and sandbox; if they can’t inspect 50 percent of traffic, it’s like locking and guarding the front door while leaving the back door open.
The Firewall and Capture ATP
If you are using SSL decryption, now all of the traffic coming into your organization can be viewed by your firewall. Hopefully, this is a modern device that can inspect every byte of every packet to look for threats and approve files quickly. In the case of device traffic, it hits the firewall and should be directed to your mobile access or VPN appliance to decrypt data and control access to only approved device IDs. This traffic should be sent back to the firewall to begin its journey along with web traffic, through a gauntlet of rapid security measures.
The firewall and VPN appliances are the hardware portion of the equation, with the firewall being the keystone of it all. Firewalls are defined by their services because they do a lot of the work at removing malware from your internet traffic. Traditionally, gateway security and anti-virus follow the firewall, looking for malware based on a set of signatures; this is how you eliminate known malware. Case in point: SonicWall eliminated nearly 90 million ransomware attempts in the month of May 2016 using this same technology. Malware is used over and over again and may be seen thousands of times within an hour of its release. Leveraging a cloud-based signature engine will enable you to have better protection against newer threats.
After going through gateway security, many networks leverage a network sandbox, which is an isolated environment to run suspicious code to see what it does. This is where a lot of unknown malware is discovered and stopped. Network sandboxes have been around for a few years now, but hackers have found ways to design malicious code to evade their detection, which is why some analysts recommend leveraging multiple sandboxes from multiple vendors to see as much as you can. I recommend using the SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox, which combines virtualized sandboxing, hypervisor-level analysis and full-system emulation to help see what potential malware wants to do from the application, to the OS, to the software running on the hardware. Since ransomware variants are redeveloped throughout their lifecycle, it is important for sandboxes to create cloud-based sharable hashes for every version possible to block follow-on attacks and shorten the lifespan of ransomware. Through this process a lot of malware is scrubbed out between the point of origin and the server.
Endpoints and Backup
Although this setup is highly effective, you will need to maintain a healthy endpoint protection strategy. Anti-virus for endpoints is still important, but today it is easier to manage than before. Leverage an enforced anti-virus technology that doesn’t allow employees to access the internet through a web browser without up-to-date endpoint protection. In these cases, employees are directed to a download page to update their anti-virus software before they can go and click on that suspicious link in email.
Lastly: back up, back up, and back up some more. Ransomware exists because organizations keep paying the attackers for their data. If a ransomware attack evades the common sense of people and the fortifications of your security infrastructure, you can simply wipe the device or server clean and refresh from your backup.
Download our solution brief: How to protect against ransomware.