Defending against Ransomware Attacks

Kalizi <Andrea>, published in Geek Culture, 5 min read, Nov 22, 2021

Photo by benjamin lehman on Unsplash

Some time ago, I got a call from a friend. He had a job for me: a company he knew the CEO of had been hacked. It was an accounting company. The spreadsheets of all their customers were encrypted. Ransomware had struck again.

It was a Thursday when an employee, ‘Alex’, opened a phishing email while backing up the system onto the office's only disk. It was particularly bad because it was literally the only backup disk they had. The ransomware spread across the whole network, encrypting all the computers, which had no antivirus and no firewall, and had not been updated for more than a year. One shot, and it got them all.

My friend wanted me to go there, decrypt the files without reporting it to the authorities, get paid some cash, and stay cool. The most absurd part of the story was that the friend who called me was upset because her child’s photos were on the encrypted computers and she didn’t have a backup. I love my work and I know how things should be done, so I rejected the work. But I learnt an important lesson: get a defence line and prepare yourself for this.

The Defence Line

Once you get your environment set up and start using it, every action you take can expose you to ransomware. This can sound alarming, but ransomware attacks are constantly evolving and they are not going to stop. Statistics say that during the last few years, ransomware attacks increased by 300%, with more than 4,000 attacks taking place per day on average. If you think about it, that’s a huge number! And the only way to avoid becoming a victim is to be prepared!

A good starting point is updating literally everything on your system. Updates can be very annoying, especially when they take more than 10 minutes. That’s when they make your connection slow or break your system dependencies and you have to figure out how to make everything work again.

Some time ago I was hired as a consultant to check the security of a company and log it. I didn’t have to perform an attack. They got me to their office, showed me everything they had, and let me do my stuff with my laptop. The first thing that screamed insecure network at me was an old computer still attached to the network with Windows XP.

For the company, that computer was still worth it because they had a licence for commercial software designed for them that only ran on Windows XP. But that software wasn’t updated and was totally dead because the software house that had to maintain it had shut down. And even if the software was insecure, the cost of new software wasn’t worth it for that company.

I didn’t analyse that software in detail, but what I noticed was that it had some “hook” on the network for some CSV files coming and going through it. Doesn’t it sound secure?

Once your setup is updated and ready to use, you should have an antivirus and/or a firewall for your daily usage. At the very least, you should do periodic scans on your system to check whether you’re good to go. You can get a “complete kit”, the so-called one-for-all solutions, like Kaspersky Security. These solutions are always a good starting point if you don’t want to overthink anything.

You get your solution installed and then just use your system. They’ll provide literally everything — from firewall to continuous monitoring — and they usually offer some cool stuff like browser sandboxing for secure payments.

If you’re a more advanced user you can pick different software for different tasks and combine them. If you’re on a Linux distro you can use other software combinations like Maldet for malware detection, rkhunter for rootkit detection, and fail2ban to spot suspicious incoming activity. For example, you can set up a cron job to perform a scan for you every day.

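As an added example of the daily cron scan mentioned above (my own script, not the author's), here is a nightly wrapper that runs Maldet over recently changed files and an rkhunter check, logs both, and exits non-zero so cron mails you when something is found. It assumes the file is saved as daily_scan.sh, that maldet and rkhunter are on PATH, and that Maldet's summary line reads "malware hits N"; adjust the pattern if your version prints something else.

```shell
#!/bin/sh
# daily_scan.sh (hypothetical name): nightly Maldet + rkhunter run for cron.
# Assumes maldet and rkhunter are installed and on PATH, and that cron mails
# any output to root. Example crontab line (runs at 03:00, scans two trees):
#   0 3 * * * /usr/local/sbin/daily_scan.sh /home /var/www
LOG="${DAILY_SCAN_LOG:-/var/log/daily_scan.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG"; }

# 0 if the named tool is on PATH, 1 otherwise.
tool_available() { command -v "$1" >/dev/null 2>&1; }

# Print only the arguments that are existing directories, one per line.
valid_dirs() {
    for d in "$@"; do [ -d "$d" ] && printf '%s\n' "$d"; done
    return 0
}

# 0 if a maldet report contains a non-zero "malware hits" count, 1 otherwise.
# Assumed summary line format, e.g.:
#   "{scan} scan completed on /home: files 120, malware hits 2, cleaned hits 0"
report_has_hits() { grep -Eq 'malware hits [1-9][0-9]*' "$1"; }

run_daily_scan() {
    rc=0
    report="$(mktemp)"
    if tool_available maldet; then
        maldet --update-sigs >>"$LOG" 2>&1
        for d in $(valid_dirs "$@"); do   # paths without spaces assumed
            # --scan-recent: only files changed in the last 1 day, cheap nightly
            maldet --scan-recent "$d" 1 >"$report" 2>&1
            cat "$report" >>"$LOG"
            report_has_hits "$report" && { log "MALWARE HITS under $d"; rc=1; }
        done
    else
        log "maldet not installed"; rc=1
    fi
    if tool_available rkhunter; then
        # Prints only warnings; a non-zero exit means something to look at.
        rkhunter --check --skip-keypress --report-warnings-only >>"$LOG" 2>&1 \
            || { log "rkhunter reported warnings"; rc=1; }
    else
        log "rkhunter not installed"; rc=1
    fi
    rm -f "$report"
    # Anything on stdout is mailed by cron, so only speak when there is a problem.
    [ "$rc" -ne 0 ] && echo "daily_scan: problems found, see $LOG"
    return "$rc"
}

# Run only when executed as the script itself, so it can also be sourced.
case "$0" in *daily_scan.sh) run_daily_scan "$@" ;; esac
```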

When combining software, remember that configuration is key. If you’re running more than one product, you can run into conflicts between them.

Next, when your whole architecture is set up, you need a testing framework to perform analysis and check if you’re ready for the internet. For example, lots of ransomware comes via phishing emails. I recently got an email where the sender seemed to be a former client company. The subject was “Test” and it had an encrypted attachment whose password was sent as plaintext in the body of the message.

I knew the company, so it was possible that the email was a real email from the company. But as an IT professional, I had to check the source of the email first. I started reading it and so many alarm bells started ringing around me. But curiosity doesn’t ever stop. So, I got a sandbox, extracted the zip, and there was a doc file. A doc file in an email screams insecure email!

For your reference, here is the file scan from VirusTotal:

VirusTotal Scan

And so I was happy not to have opened the attachment. Some companies may use this kind of email as a test. But not every company has the capacity to prepare emails with fake attachments to test its staff.

If you feel you are prepared to handle an attack, you can use a tool like Cymulate to test yourself against a ransomware attack. Cymulate can be installed as a daemon on the target computers of your company, and you can simulate attacks from your dashboard against those devices to check their security.

Its best feature is you can automate your attacks and perform tests on multiple layers of the whole architecture, targeting firewalls or single computers. This way you can check how vulnerable your system is.

The fact of the matter is that your system is only as strong as its weakest point. If your firewall is vulnerable, it can be exploited to open a backdoor to your network. Then the attacker can simply try different attack vectors until the final target is reached.

With Cymulate you can test your whole architecture very easily, planning one attack after another. Moreover, the test results are provided in a detailed report that tells you how your devices responded to the attacks. And once you know where you’re vulnerable, you can fix everything and test again until you’re confident about what’s running on your network.

Always Be Smart 💀

Ransomware can come from anywhere: friendly-looking emails, good-looking websites, or even files copied from a friend’s USB drive. As pointed out before, remember to update your system, actively monitor your platform, test against possible attack vectors, and keep a backup of your data. And remember, if you think smart and are a little more sceptical about what is going on around you, you can dodge some big bullets!
