How to survive a WannaCry

Most anybody reading this has, by now, heard of WannaCry – the ransomware attack that is all over the news. As a cyberattack, its scale is massive – with some calling it the biggest of its kind ever. As I write this, it has infected 200,000+ devices in 150 countries, with possibly several more to come as the new week starts.

On the flip side, an attack of this scale has the positive impact of raising awareness worldwide.  Ransomware, despite being around for several years, was largely unknown outside the security or tech community.  It is a form of malware that has existed over the last 10 years or so, but really taken on a visibly destructive form over couple of years.  It operates by encrypting files on the infected computer and then demanding a bitcoin ransom in return for the decryption key.  Attacks can exploit a broad spectrum of vulnerabilities – although phishing is possibly the most common – basically enticing a user to click on an innocent looking email attachment, which then drops a deadly payload on the computer.

Here are a few chilling facts:

  • Despite its rise to become a top threat to businesses in 2016, one out of 3 SMBs until recently, had no idea what ransomware is.
  • There is a ransomware attack somewhere in the world roughly every 40 seconds
  • Roughly 32% or so of those attacked end up paying the ransom. Even so, around 20% of those who pay still don’t end up getting back their data!
  • Healthcare and Manufacturing companies generally seem to be the hot targets primarily due to their reliance on legacy systems combined with weak security – although nobody is really immune.

The attackers in these cases are always faceless and nameless – there is no opportunity to reason or negotiate with them.  The rise of bitcoin for transactions has also aided ransomware attackers by increasing their ability to remain anonymous.

Ransomware attacks can potentially be more damaging than classic breaches which result in stolen bank accounts or credit card information.  Many such losses are recoverable soon after the breach has been discovered, but lost business plans and product designs which are a company’s crown jewels can be irreplaceable.

While ransomware can attack any type of computer, in most cases, the infected computer is an end user’s laptop or workstation.  Therefore, any data stored on local disks, file shares and mapped network drives are vulnerable.  Most popular cloud storage solutions also become vulnerable due to the replicative nature of their working.  Since ransomware deletes the original files and replaces them with their encrypted versions, most cloud storage solutions faithfully replicate these changes in their repositories as well.  While some of these solutions have file versioning capabilities, they don’t usually have an option to perform a bulk restore of large amounts of data.

Sadly, existing anti-malware solutions cannot be relied upon to detect and stop all ransomware.  The rapid and quick moving malware underground ensures that anti-malware vendors are always playing catch-up.

Educating users on how to identify possible payloads and avoid them, would seem to be the best approach against ransomware – after all, prevention is better than a cure.  While this can be effective, the reality is that the ransomware authors have to bypass a defense just once to do their dirty deed, and they constantly change tactics in order to do so.   Even the best prepared amongst us can get outwitted at some point or another.

Much of the writing that has been done around WannaCry has mostly focused on the Microsoft vulnerability and the importance of keeping systems updated.  While this is certainly important, it cannot be a 100% defense against new ransomware variants that take advantage of zero day vulnerabilities that are yet, unprotected.

So, what can one do beyond keeping up to date with latest OS updates and security patches?  Experience tells us that the best defense against ransomware, is a data backup.  A clean backup of an organization’s data can prevent them from being held hostage by an attacker, even if their other ransomware defenses fail.

How to use Backups to defend against Ransomware:

  1. Invest in reliable backup software that can back up all your endpoints. Look for something that can handle both Windows and Mac computers.
  2. To make the solution more bullet proof, consider putting your backups on the cloud. This builds in more separation between the potential ransomware attack and your data copy.  Make sure the solution can utilize cloud storage as a backup target.
  3. Look for software that is cloud agnostic and doesn’t tie you down to their own cloud. You should be able to shop around for the best cloud storage prices and have the software work with the cloud of your choice.
  4. Make sure that the backup payload that is being sent to the cloud is encrypted – using encryption keys you control. After all, this is valuable data that you’re spending good money protecting.  Make sure it is safe from prying eyes.
  5. If you’re managing many endpoints, you’ll want to be sure to look for a solution that:
    1. Can be centrally managed via policies
    2. Can scale over tens of thousands of endpoints.
    3. Allows users to do their own restores.
    4. You’ll also want to look for some type of integration with the user namespace you’ve implemented – like Active Directory.
  6. Since your outbound network bandwidth can be at a premium, look for software that can minimally do the following:
    1. Perform incremental backups – i.e. identify files that have been modified and move only those to the cloud. Or even better, maybe even move only portions of the files that have changed – this could be especially useful for very large files like PSTs that change very little every day.
    2. Can resume a failed backup from the point of failure.
    3. Be resource sensitive and use techniques like compression and de-duplication to save network bandwidth and storage space.
    4. Allows you to manage data retentions by file versions – so you can get back data from a previous day or even a previous week.

While educating users on the damaging impact of ransomware, and keeping up to date on OS patches are both important things organizations should do, having a solid endpoint backup strategy is a critical step in readying yourself for a ransomware attack.