Euro Security Watch with Mathew J. Schwartz

Business Continuity/Disaster Recovery , Governance , Ransomware

Ransomware: Your Money or Your Life 9 Ransomware Defenses Thwart Cybercrime Scoundrels
Ransomware: Your Money or Your Life
Brian Honan talks ransomware at the AppSec Europe 2017 conference May 11 in Belfast, Northern Ireland. (Photo: Mathew J. Schwartz)

Criminals have been separating people from their possessions since possessions were first invented.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

So for anyone who follows ransomware, the emergence of the WannaCry outbreak - aka WCry, WannaCrypt - Friday won't come as a shock.

"We go into numerous companies that have put in security technologies, but failed to configure them properly." 

True, the attack's efficacy has been enhanced by attackers marrying their crypto-locking code with a worm, allowing it to spread more easily. But these small innovations are designed with a clear purpose: to allow them to more easily steal more money from victims.

In other words, what's old is new again, now in cyber-enabled form.

The advice for blocking these attacks is simple: Spend time and money on proper prevention, or else you may be forced into considering whether it makes business sense to pay a ransom when attempting to recover from a ransomware infection. Even then, however, there's no guarantee that the criminals that have infected your systems will bother giving you a decryption key.

Jeremiah Grossman highlights some of the many different faces of ransomware May 12 in a presentation at the AppSec Europe 2017 conference.

Brian Honan, a Dublin-based information security consultant who founded Ireland's first computer emergency response team - IRISSCERT - warns that there's no silver bullet for fixing ransomware. In an interview at last week's AppSec Europe 2017 conference in Belfast, Northern Ireland, he told me that too often, organizations' poor information security practices are partially to blame for their failure to prevent security incidents, including ransomware outbreaks, notwithstanding whatever tools they may have purchased.

"We go into numerous companies that have put in security technologies, but failed to configure them properly," Honan told me. "Why? 'Oh, we ran out of time,' they say."

9 Essential Ransomware Defenses

The basics of battling crypto-locking ransomware haven't changed of late. In the case of WannaCry, the ransomware can be spread via a worm that targets an SMB flaw in Windows, which all organizations should have fixed now regardless (see 5 Emergency Mitigation Strategies to Combat WannaCry Outbreak).

Following the WannaCry outbreak, the U.S. Computer Emergency Response Team - part of the Department of Homeland Security - has reiterated its advice for combating ransomware, as have multiple security experts.

Here's my summary of the experts' recommendations:

  • Maintain backups: Back up everything, do it frequently and ensure backups are stored on an isolated network. Also, test these backups frequently to ensure that they can be successfully restored.
  • Whitelist applications: Prevent malicious software and unapproved programs from executing. Mac OS X systems, for example, can be set to only allow Apple-reviewed applications to execute.
  • Update and patch: Known operating system and application flaws are often targeted by attackers to infect systems with malware. That's why patching remains the best and fastest way to help stay secure.
  • Use anti-virus: Keep anti-malware software up to date, and use it to scan all downloaded software before allowing anything to run.
  • Think 'least privilege': Administrators must restrict users' ability to install or run their own software applications. Likewise, individuals should ensure they don't regularly use an account with admin-level access.
  • Kill email-borne macros: Attackers continue to use macros to spread malware. "Macros are a leading way to get ransomware," Jeremiah Grossman, chief of security strategy for endpoint security firm SentinelOne, said at AppSec Europe 2017. In particular, he noted, attackers code the macro to download the virus, often routing around anti-virus defenses.
  • Don't click: "Do not follow unsolicited web links in emails," US-CERT says. In other words, watch what you click - not least because WannaCry victim Telefonica was apparently first infected via a phishing email.
  • Virtualize: Consider creating systems that use fast system recovery, via virtualization, to better respond to any malware outbreak. For example, Grossman says he knows of a New York bank that uses thin-client desktops running virtual machines. "Anytime they think there's an infection, they just reset" the virtual image running on all clients, he said.
  • Work with law enforcement: "We're going to need help from law enforcement to investigate and arrest ransomware gangs," Grossman said (see FBI to Ransomware Victims: Please Come Forward).

Scant Honor Among Thieves

Reminder: there's no guarantee that any individual or organization that does pay a ransom will ever receive the promised decryption key.

Security experts, including the researcher known as "Hacker Fantastic," say that's especially true for WannaCry. Many ransomware campaigns now use automated tools to receive bitcoin payments and send decryption keys to victims. But WannaCry's operators only have a manual process in place. As a result, computer science professor Alan Woodward at the University of Surrey tells me, it's likely that the attackers have no intention to trade decryption keys for ransom payments.

That's why the best, simplest and most effective advice remains: Prepare to battle ransomware outbreaks, or else prepare to pay the consequences.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network