Today another panic wave struck in the afternoon, central European time. I was on the bus on my way home, and scanning my Twitter feed, I find this tweet from my favorite Finnish security nerd:
What followed pretty much resembled the WannaCry media panic messages: things will be encrypted, there is nowhere to hide and society is going to crash hard… Of course, if somebody encrypts your files, and this spreads throughout your network, it is pretty close to an ocean of pain. At least if you are unprepared. So, instead of an analysis of the Petya virus, or some derivative of it, let’s get down to what we can do to prepare and survive a ransomware attack. Because it really isn’t that hard. Really.
A security baseline means the security controls you apply irrespective of risk level. The things that everybody should do, and that will actually stop almost every cyberattack. Yes, almost every attack, say like 90% of them. And it doesn’t even require you to buy a lot of expensive consulting services or other snakeoil to fix it. Here we go, this should be the minimum baseline for everyone:
- Patch your software as fast as you can whenever a new security patch comes out. Operating systems normally do this automatically if you do not configure your system otherwise. Sometimes organizations need to check compatibility for critical systems, and such, but the main rule is: patch everything as fast as you can.
- Do not allow users to perform regular work using an account with administrator rights. Most users don’t even need admin rights at all, but if they do, give them two accounts. Perform work using a standard account with limited privileges.
- Run a firewall that is configured to block all incoming traffic (unless you need it).
- If you run an organization: use application whitelisting. Do not allow execution of unauthorized code, or at least code running from unauthorized locations (like USB media or downloaded email attatchments).
- Backup everything. See below for details. This doesn’t stop any attacks but it saves the day when you are under siege. It is like a secret superweapon that more or less guarantees criminals won’t get their payday.
None of these will require you to buy any new software, or new services. So just do it – it will reduce the chance of having a very bad day by 90%.
Most cyber-attacks spread through some form of social engineering, and in most cases this is an email with a malicious link or attachment. Train your people to spot the danger, and get it into your organization’s culture that file sharing is not done via email attachments. Provide them with real collaboration tools instead. This would further reduce the chance of a very bad day by another 90%.
If you want to be sure, you can scrub attachments and disable links in emails – but people may feel that is a little extreme and start using private email accounts instead, which is completely outside of the organization’s control, so only do this if you really have a compliance culture in place. Most organizations don’t.
Backups and restore testing
Ok, so you can reduce the likelihood of getting hit, but that only goes that far. Sooner or later, you will reach a day when you end up having to recover systems and remove a virus infection. Ransomware is icky because they encrypt and make your files useless, so in most of these cases your AV program cannot save you. So how can you avoid paying criminals and help fund money laundering, human trafficking, terrorism and drugs trade? Here’s how.
Backup your data, with reasonable frequency and retention. And verify the backups. If you run a backup of your files every few hours, and you do an offline/offsite every night, and you keep the rolling backup (online) for 30 days, and the offline backups for 180 days, it will be very hard to put you in a hard spot. If you generate important data very fast, increase the backup frequency.
Make sure you also verify backup integrity. An easy way to make sure you are safe is to do binary image disk backups as offline backup, and to do a hash of the image that is stored separately in a different offline secure location. This way you can make sure your offline backups really stay the way they were when you copied them by checking the hash. Do the same for the rolling backup – this way you can check if the cryptovirus has changed something on your backup.
Many companies back up their data but they never test if they are able to restore their data. So to be sure that everything works the day the shit hits the fan, do regular restore testing. Try to restore your system from scratch using various backups to make sure everything works as it should. If it doesn’t, review your backup practice and find you what you need to change to make it work.
Response: security monitoring, escalation and crisis intervention teams
In addition to these technical things you need a response team. The team should be ready to respond in a well-prepared and structured way. Typically, you would go through a series of steps:
- Identify the threat and classify it as incident or not.
- Contain the problem. Make sure it does not spread (disconnect from network if feasible)
- Collect evidence. Create multiple binary images of the infected system, and store hashes of them. Some you will use for forensic analysis, some are collected as evidence and are not to be touched.
- Eradicate the attacker form your system. Normally this means to format everything and to restore from a safe backup.
- Test your restored system. Any signs of reinfection or problems? If not, bring it online step by step. One server or computer at the time. Monitor closely for strange behavior.
- Lessons learned: what did you do well, what should you have done differently? Collect experiences and share with your peers. This is the way we learn. This is what we should be better at than the bad guys. I’m not entirely sure we are better than them at shared learning, though.
Would it have helped in the cases of the Petya mutant and WannaCry?
You bet! First of all, WannaCry only worked on computers that were either beyond end-of-life versions of Windows, or unpatched versions of newer operating systems. Patching would have kept everyone safe.
What about Petya? The attack is still ongoing. It spreads using the Eternalblue exploit (that the NSA wrote and lost), which Microsoft issued a patch for in March: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. In other words, if people had followed good baseline security practice, they wouldn’t have a problem now, most likely (you can never really be sure if there is another zeroday, but probably not).
So, who’s been affected? Just small and unknown companies? Nope. Here are a few examples:
- Rosneft (a Russian oil giant)
- Ukraine: Government, power companies, airports, supermarkets, and also the Chernobyl nuclear power plant. That one, yes.
- Maersk: one of the largest shipping companies in the world
To remember what to do: please keep this miniposter handy.