How to prepare for and survive a computer virus epidemic

Today another panic wave struck in the afternoon, central European time. I was on the bus on my way home, scanning my Twitter feed, when I found this tweet from my favorite Finnish security nerd:

What followed pretty much resembled the WannaCry media panic messages: things will be encrypted, there is nowhere to hide and society is going to crash hard… Of course, if somebody encrypts your files, and it spreads throughout your network, it is pretty close to an ocean of pain. At least if you are unprepared. So, instead of an analysis of the Petya virus, or whichever derivative of it this is, let’s get down to what we can do to prepare for and survive a ransomware attack. Because it really isn’t that hard. Really.

Baseline Security

A security baseline means the security controls you apply irrespective of risk level: the things that everybody should do, and that will actually stop almost every cyberattack. Yes, almost every attack, say 90% of them. And it doesn’t even require you to buy a lot of expensive consulting services or other snake oil. Here we go, this should be the minimum baseline for everyone:

  1. Patch your software as fast as you can whenever a new security patch comes out. Operating systems normally do this automatically if you do not configure your system otherwise. Sometimes organizations need to check compatibility for critical systems, and such, but the main rule is: patch everything as fast as you can.
  2. Do not allow users to perform regular work using an account with administrator rights. Most users don’t even need admin rights at all, but if they do, give them two accounts. Perform work using a standard account with limited privileges.
  3. Run a firewall that is configured to block all incoming traffic (unless you need it).
  4. If you run an organization: use application whitelisting. Do not allow execution of unauthorized code, or at least of code running from unauthorized locations (like USB media or downloaded email attachments).
  5. Backup everything. See below for details. This doesn’t stop any attacks but it saves the day when you are under siege. It is like a secret superweapon that more or less guarantees criminals won’t get their payday.

None of these will require you to buy any new software, or new services. So just do it – it will reduce the chance of having a very bad day by 90%.

Awareness Training

Most cyber-attacks spread through some form of social engineering, and in most cases this is an email with a malicious link or attachment. Train your people to spot the danger, and get it into your organization’s culture that file sharing is not done via email attachments. Provide them with real collaboration tools instead. This would further reduce the chance of a very bad day by another 90%.

If you want to be sure, you can scrub attachments and disable links in emails – but people may feel that is a little extreme and start using private email accounts instead, which is completely outside of the organization’s control, so only do this if you really have a compliance culture in place. Most organizations don’t.

Backups and restore testing

Ok, so you can reduce the likelihood of getting hit, but that only goes so far. Sooner or later you will reach a day when you end up having to recover systems and remove a virus infection. Ransomware is icky because it encrypts your files and makes them useless, so in most of these cases your AV program cannot save you. So how can you avoid paying criminals and thereby funding money laundering, human trafficking, terrorism and the drugs trade? Here’s how.

Backup your data, with reasonable frequency and retention. And verify the backups. If you run a backup of your files every few hours, do an offline/offsite copy every night, keep the rolling (online) backup for 30 days and the offline backups for 180 days, it will be very hard for an attacker to put you in a tight spot. If you generate important data very fast, increase the backup frequency. Offline means exactly that: a backup share that stays mounted on the network is just another directory for the ransomware to encrypt.

Make sure you also verify backup integrity. An easy way to make sure you are safe is to take binary disk image backups as your offline backup, and to compute a hash of each image that is stored separately, in a different offline secure location. This way you can check that your offline backups really stay the way they were when you copied them by recomputing the hash. Do the same for the rolling backup; this way you can check whether the cryptovirus has changed something on your backup.

Many companies back up their data but never test whether they are able to restore it. So to be sure that everything works the day the shit hits the fan, do regular restore testing. Try to restore your system from scratch using various backups to make sure everything works as it should. If it doesn’t, review your backup practice and find out what you need to change to make it work.

Response: security monitoring, escalation and crisis intervention teams

In addition to these technical things you need a response team. The team should be ready to respond in a well-prepared and structured way. Typically, you would go through a series of steps:

  1. Identify the threat and classify it as incident or not.
  2. Contain the problem. Make sure it does not spread (disconnect from network if feasible)
  3. Collect evidence. Create multiple binary images of the infected system, and store hashes of them. Some you will use for forensic analysis, some are collected as evidence and are not to be touched.
  4. Eradicate the attacker from your system. Normally this means formatting everything and restoring from a safe backup.
  5. Test your restored system. Any signs of reinfection or problems? If not, bring it online step by step, one server or computer at a time. Monitor closely for strange behavior.
  6. Lessons learned: what did you do well, what should you have done differently? Collect experiences and share with your peers. This is the way we learn. This is what we should be better at than the bad guys. I’m not entirely sure we are better than them at shared learning, though.
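The hash-and-store-separately advice in the backup section above, and the "image it and hash it" evidence step (3) in the response list, need the same small tool: seal a set of image files with SHA-256, keep the manifest somewhere else, and later report exactly which images are unchanged, altered, missing or unexpected. The block below is an added example written for this post, not the author’s own tooling; the directory layout, file names and the `.img` naming are assumptions made for the demo.

```python
"""Hash manifest for offline backup images and forensic evidence images.
Added example, not the post's own code: build_manifest() seals a set of image
files with SHA-256, verify_manifest() later reports what has changed."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so multi-GB images never have to fit in memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(image_dir: Path, pattern: str = "*.img") -> dict:
    """Hash every image in image_dir. The caller stores the result somewhere the
    backup/imaging host cannot write to (the separate offline location)."""
    return {p.name: sha256_file(p)
            for p in sorted(image_dir.glob(pattern)) if p.is_file()}


def verify_manifest(image_dir: Path, manifest: dict, pattern: str = "*.img") -> dict:
    """Compare what is on disk now with the sealed manifest.
    Returns {'ok': [...], 'changed': [...], 'missing': [...], 'unexpected': [...]}."""
    result = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    for name, digest in manifest.items():
        path = image_dir / name
        if not path.is_file():
            result["missing"].append(name)
        elif sha256_file(path) != digest:
            result["changed"].append(name)
        else:
            result["ok"].append(name)
    on_disk = {p.name for p in image_dir.glob(pattern) if p.is_file()}
    result["unexpected"] = sorted(on_disk - manifest.keys())
    return result


def demo(workdir=None) -> dict:
    """Constructed scenario (not real data): three images are sealed, then one
    is rewritten as a cryptovirus would, one is deleted, and a stray file appears."""
    root = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    images = root / "offline_images"
    images.mkdir(parents=True, exist_ok=True)
    for name, payload in [("srv01.img", b"\x00" * 4096 + b"MBR"),
                          ("srv02.img", b"\xff" * 8192),
                          ("srv03.img", b"ntfs" * 1024)]:
        (images / name).write_bytes(payload)
    manifest = build_manifest(images)
    # The manifest lives outside the image directory; here that stands in for
    # the separate offline location the post recommends.
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))

    (images / "srv01.img").write_bytes(b"ENCRYPTED" * 512)  # silently altered
    (images / "srv02.img").unlink()                          # gone
    (images / "srv99.img").write_bytes(b"not ours")          # not in the manifest

    stored = json.loads((root / "manifest.json").read_text())
    return verify_manifest(images, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For evidence images the manifest is the thing you sign, print and lock away; for backups it is what your restore test checks first, before you spend hours restoring an image that was quietly rewritten weeks ago.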

Would it have helped in the cases of the Petya mutant and WannaCry?

You bet! First of all, WannaCry only worked on computers running either end-of-life versions of Windows or newer versions that had not been patched. Patching would have kept everyone safe.

What about Petya? The attack is still ongoing. It spreads using the EternalBlue exploit (that the NSA wrote and lost), which Microsoft issued a patch for in March: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. It also moves from machine to machine with ordinary administration tools once it has harvested credentials on a compromised host, which is exactly where the rule about not doing regular work with admin rights pays off. In other words, if people had followed good baseline security practice, they most likely wouldn’t have a problem now (you can never really be sure there isn’t another zero-day, but probably not).

So, who’s been affected? Just small and unknown companies? Nope. Here are a few examples:

  • Rosneft (a Russian oil giant)
  • Ukraine: Government, power companies, airports, supermarkets, and also the Chernobyl nuclear power plant. That one, yes.
  • Maersk: one of the largest shipping companies in the world

To remember what to do: please keep this miniposter handy.


Here’s a picture telling you how to prepare for and survive almost any type of cyberattack. First you make it difficult for the bad guys by keeping your systems patched, not giving regular users admin rights, denying execution of applications that are not approved, and giving people the training they need to spot and avoid social engineering attacks. Then you start reducing the impact for the day when the inevitable happens: segregate your networks and control traffic in and out of each subnet/VLAN using firewalls (with logging). Take backups, rolling and offsite/offline, use strict firewall rules, and test that you can actually restore when you need to. Then you can sleep well, reasonably sure that you will not have to dance to the hacker’s tune.


5 key success factors for dealing with ransomware – free whitepaper

Ransomware is by far the fastest growing threat online. Losing your files can feel like such a great loss that paying criminals to give your files back can seem like a reasonable thing to do. The problem with that is that there is no guarantee they will give them back and end the blackmail against you, and you would be helping organized crime with the money you are forking over.


Dealing with ransomware requires preparation. Although there is no way to be 100% sure of avoiding problems, there are certain things you can do to reduce the risk of losing to the scammers. These include:

  • Keeping your software up to date
  • Denying unwanted network traffic by using a firewall
  • Knowing how to detect social engineering attempts
  • Avoiding the use of admin accounts for regular users
  • A solid backup policy using offsite and offline storage

Register as a Safecontrols Insider today and download the free whitepaper that can help you set up the necessary defenses, and also to prepare for the actions you need to take if cybercriminals are able to get past those defenses and lock down your files anyway.

Rita the Designer’s Ransomware Litigation Nightmare

As you are likely aware, ransomware is the fastest growing breed of malware, and it is very profitable for the criminals who run these attacks. Rita the Designer, our fictional web designer and UX expert from the filesilo story, is running into ransomware trouble. But not of the obvious kind.

She’d been working long hours to finish a project for a demanding client. Still a bit shaky from the filesilo incident, she was determined not to fall into any security traps. She was a great designer but not so great with contracts and liability, and she knew this. It hadn’t been much on her mind previously, but she was feeling more anxious lately.

Law firms can point fingers at you for things you never thought about. Rita the Designer was suddenly facing claims from the insurance company of her client. What the h*ll was going on?

Monday morning a messenger was at her door with a personal delivery; she was being accused of failing to secure the app she’d made for the client, causing his users to become victims to ransomware scammers. 

She contacted the client and asked what this was about. They met to discuss things and she learned that the infections had happened via malicious ad banners. She’d never placed any ad banners on the site. The client claimed she must have, because he’d not touched the code.

Rita thought to herself: – what if something was fishy with the filesilo templates she downloaded? They closed the meeting and she promised to respond to the claims within the week. 

As she stepped out she texted Johnny the Hunter to ask him out for coffee. Johnny met with her right away – after all he was single and she was attractive enough – and heard her out. He promised to help her look into it. 

Impact of security issues can be hard to estimate. Here a developer is being sued after a client’s end users got infected with malware. We don’t know the end of the story but we can think of some practices she could have changed to better protect her business. 

  • Never trust downloads. Particularly not from insecure sites like filesilo, with insecure authentication and no integrity checks
  • Include liability clauses in contracts, to define and limit your business’ risk exposure
  • Always run security tests before deployment. Don’t allow injection vulnerabilities to live
  • Prioritize client relationship management; don’t let the first contact about trouble be a letter from your client’s lawyer delivered with your breakfast. 

Hackers try to trick you into paying a ransom using simple JavaScript hijacking

When people talk about ransomware they typically think about malware that encrypts all of your files using strong encryption, forcing you to fork over money to unlock your files again. Some of these species are quite elaborate, with reinfection routines and integrated botnets. But perhaps hackers can get a higher return on investment (ROI) by using some simple browser hijacking scripts?


One of the most common and profitable scams in 2015-2016 was the FakeBsod.A malware. According to the Microsoft info page on this ransomware it accounted for 15% of ransomware infections in the period from Dec 2015 to May 2016. The way the malware works is that it hijacks your browser and displays a message saying you have encountered “BLUE SCREEN ERROR 0x000000000CE” in your browser. Your browser becomes unusable, the address bar does not work and you cannot close it unless you kill the application. The error message gives a phone number to “Microsoft” for help. If you call them, you are asked to pay a certain amount by credit card to “fix the problem”. Of course, forcing the browser to close and then removing the FakeBsod.A js file from your system is a better course of action. Most users don’t know this, and the js browser hijacking technique has earned cyber criminals enormous sums of money from users who see no other way to get their browser back. Note that no files are harmed by the malware; this is an effective scareware tactic that has worked very well for the criminals, with very little upfront investment.
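When a user reports “my browser is stuck on a blue screen”, the first question for the helpdesk is whether the saved page or script is this kind of browser-lock scareware or just a site with an overzealous unsaved-changes prompt. The block below is an added example written for this post, not Microsoft’s detection or the author’s code: it scores a page or .js file against a handful of indicators taken from the description above (the fake crash text and stop code, a “call this number” line, a close trap, a navigation lock). The exact regexes and the two sample snippets are constructed for the demo and are assumptions about how such pages typically behave, not a vendor signature.

```python
"""Heuristic triage of a saved web page or .js file for browser-locking
scareware. Added example; the indicators are assumptions derived from the
description in the post, not a vendor signature for FakeBsod.A."""
import re

# Each indicator is a regex over the page or script text. Scoring is kept
# deliberately simple: the goal is fast triage, not a malware classifier.
INDICATORS = {
    # the fake crash text and a bogus stop code such as 0x000000000CE
    "fake_bsod": re.compile(r"blue\s*screen\s*error|\b0x0{5,}[0-9A-F]{1,3}\b", re.I),
    # a "call Microsoft" style support line (North American number pattern, assumed)
    "support_phone": re.compile(
        r"(?:call|contact|phone)[^\n]{0,80}?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}", re.I),
    # keeps the tab from closing: an unload handler or an endless dialog loop
    "close_trap": re.compile(
        r"beforeunload|onunload|(?:while|for)\s*\([^)]*\)\s*\{?\s*(?:alert|confirm|prompt)\s*\(",
        re.I),
    # navigation lock-in: forced fullscreen or history stuffing so Back does nothing
    "nav_lock": re.compile(r"requestFullscreen|history\.pushState", re.I),
}


def scan(text: str) -> dict:
    """Return which indicators fire on the given page/script text."""
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


def is_browlock(text: str) -> bool:
    """Verdict: the fake crash text plus at least one locking trick.
    A lone close_trap hit is normal (real sites warn about unsaved forms)."""
    hits = scan(text)
    return hits["fake_bsod"] and sum(hits.values()) >= 2


# Constructed samples, not captured malware.
SCAREWARE = """<script>
window.onbeforeunload = function(){ return "Do not close this window"; };
for (;;) { alert("BLUE SCREEN ERROR 0x000000000CE - Call Microsoft support 1-800-555-0199"); }
</script>"""

BENIGN = """<script>
window.addEventListener("beforeunload", function(e){ if (dirty) e.preventDefault(); });
</script>"""


if __name__ == "__main__":
    for label, sample in (("scareware", SCAREWARE), ("benign", BENIGN)):
        print(label, scan(sample), "->", "BROWLOCK" if is_browlock(sample) else "ok")
```

The useful part for a helpdesk is the per-indicator breakdown rather than the verdict: a phone number next to a fake stop code is enough to tell the user to kill the browser process and never call the number, while a page that only registers a beforeunload handler is doing something every web app does.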

This particular ransomware is not dangerous, in contrast to cryptoviruses, which can in practice be impossible to recover from without a good backup. It is like a robbery using a water pistol. Still, the criminals manage to steal a lot of money using this malware. It works like other phone scams, but instead of scammers claiming to be from Microsoft calling you, they use the scareware page as an inbound marketing tool, making you call their call center.

A nice and somewhat more technical post on this type of “phonescamware” can be found here, by Xavier Mertens: https://isc.sans.edu/diary.html?date=2015-10-13.