Ransomware is not a fatality
In recent weeks, enterprises have been hit by a wave of serious malware attacks. Most of them were ransomware, malicious software that encrypts data and demands a ransom to recover it. Last October, over 200 ransomware attacks took place worldwide. All kinds of enterprises are targeted, from Small Office Home Office (SOHO) to the biggest, which are the preferred targets since they can afford to pay huge ransoms. This is called “big game hunting”.
Guillaume Poupard, head of the French government IT security agency, finds this trend worrisome and predicts that it will continue to increase in the coming months. In France alone, 128 attacks were recorded between the beginning of the year and last September. Some attacks directly target very critical and sensitive organizations such as hospitals, government agencies or industrial companies.
An old attack that has evolved to become very efficient
Ransomware is not new. The first attack of this kind was a virus that infected computers from a floppy disk at the end of the eighties. After 90 reboots, the virus encrypted the data. The ransom was $189, to be sent to a post office box in Panama. Since this first attack, ransomware has become much more efficient and virulent. The threat reached a critical level with the WannaCry attack in 2017: in a few hours, thousands of desktops were encrypted around the world. There are now plenty of ransomware variants, all different, but the goal is always the same: to make a lot of money as quickly as possible.
During the latest attacks, the operating mode was quite similar to an APT (Advanced Persistent Threat). The attack begins with social engineering, by email or via a link to a compromised website. This social engineering phase can be very sophisticated: after deep profiling of the victim, the attacker makes sure to send a document or a link relevant to the victim’s situation.
Once the victim has clicked on the document or link, the attacker installs a malicious program on the victim’s system. From there the program finds its way into the enterprise network and replicates to new machines. The attacker then launches a first wave of attacks to encrypt the backup data, to make sure that the enterprise cannot recover its data. The second wave encrypts desktops or critical servers and databases to block the enterprise’s activity. Finally, the attacker sends a message asking for the ransom and begins negotiating. Clearly, paying the ransom is the worst solution.
First, it increases the cost of the attack by adding the ransom to the recovery costs. Second, it does not guarantee that you will recover the data. Third, you are just enriching the cybercrime ecosystem and, most of all, you are signalling that you are a “good customer” for them!
Good practices remove most of the risk
Becoming a ransomware victim is not a fatality. Good practices can drastically limit the risk. Recently the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), the French agency for IT systems security, released a practical guide compiling a series of good practices to protect you from ransomware attacks.
The document recommends keeping systems and applications up to date, and quickly applying all patches and upgrades. Installing an antivirus and keeping it up to date will protect you against all known viruses. Another good practice is to segment the network, using micro-segmentation, to prevent the attacker’s lateral movement and to create safe areas, for example administration domains for applications, servers and so on. Another measure is inspired by the Zero Trust concept, which is based on the idea that the network cannot be trusted and that the enterprise is already infected. As a result, you must keep rights and access to an application to a minimum. For instance, users do not need to be administrators of their desktop or laptop. Monitoring internet access is also a good way to limit data leaks, and installing a secured gateway is a good option to block unauthorized data flows. Logging events on all resources in the IT system is also an important measure: it provides a quick and relevant view of what is happening in the IT system and lets you react quickly after an alert.
One of the good practices described in this guide has been around for a long time: backup! Backups must be performed on a regular basis and follow the 3-2-1 rule: 3 copies of the data, on 2 different media, with 1 copy off site. It is better if the off-site copy is not connected to the network, to make sure that ransomware cannot encrypt it.
The guide also says not to rely solely on snapshots, as they are not equivalent to a comprehensive backup solution. Snapshots are good in case of hardware failure but are not relevant in ransomware cases, unless you are able to store an immutable snapshot taken before the infection.
All these elements will help prevent and limit ransomware attacks, but as ransomware evolves quickly, you could still fall victim to it even with the best prevention steps. Preparing for the crisis is important in order to adopt the right behavior in case of an attack. Write down all the facts around the attack: the time, the server on which it was detected, who alerted you, and so on.
Creating a war room to manage the crisis is also important, as communication during the crisis must be at the right level to avoid damaging the company’s image. To increase pressure on victims, attackers now disclose the list of their victims on their underground websites, detailing which kind of data was stolen, even before asking for a ransom.
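The 3-2-1 rule and the snapshot caveat above are easy to state but easy to get wrong in practice, so here is a small audit script, added as an example here and not taken from the ANSSI guide or from any Atempo.Wooxo product. It walks a constructed inventory of data copies, checks the three counts (copies, media, off-site), checks separately that at least one backup copy is disconnected from the network, and, for snapshots, only counts those that are immutable and were taken before the infection time. The inventory entries, media labels and dates are all made-up values; the DataCopy fields are an assumption about what an inventory would record, not a real tool's schema.

```python
"""Audit a backup inventory against the 3-2-1 rule and the
'snapshots alone are not a backup' advice (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DataCopy:
    name: str
    kind: str                # "primary", "backup" or "snapshot"
    media: str               # storage type label (constructed values below)
    offsite: bool            # kept away from the production site
    network_connected: bool  # reachable from the production network
    immutable: bool          # locked against modification and deletion
    created: datetime


def counted_copies(copies):
    """Snapshots sit on the same storage as the data they protect, so the
    3-2-1 count only includes the primary copy and real backups."""
    return [c for c in copies if c.kind in ("primary", "backup")]


def audit_3_2_1(copies):
    """Return one True/False finding per part of the rule, plus the
    'one copy offline' recommendation from the text."""
    counted = counted_copies(copies)
    backups = [c for c in counted if c.kind == "backup"]
    return {
        "three_copies": len(counted) >= 3,
        "two_media": len({c.media for c in counted}) >= 2,
        "one_offsite": any(c.offsite for c in backups),
        "one_offline": any(not c.network_connected for c in backups),
    }


def recoverable_snapshots(copies, infection_time):
    """Snapshots that can still be trusted after a ransomware infection:
    immutable, and taken before the malware ran."""
    return [c.name for c in copies
            if c.kind == "snapshot" and c.immutable and c.created < infection_time]


def day(d):
    """Constructed timestamp helper: a day in November 2020, UTC."""
    return datetime(2020, 11, d, tzinfo=timezone.utc)


# Constructed inventory: one production copy, two snapshots (only one locked),
# a NAS backup on the LAN and an off-site tape that is not on the network.
INVENTORY = [
    DataCopy("prod-db", "primary", "san-disk", False, True, False, day(1)),
    DataCopy("nightly-snap", "snapshot", "san-disk", False, True, False, day(9)),
    DataCopy("locked-snap", "snapshot", "san-disk", False, True, True, day(5)),
    DataCopy("backup-nas", "backup", "nas-disk", False, True, False, day(9)),
    DataCopy("backup-tape", "backup", "tape", True, False, True, day(8)),
]
INFECTION = day(7)  # constructed: when the malware is assumed to have run


def report(copies=INVENTORY, infection_time=INFECTION):
    findings = audit_3_2_1(copies)
    return {
        "rule_3_2_1_met": all(findings.values()),
        "findings": findings,
        "snapshots_usable_after_infection": recoverable_snapshots(copies, infection_time),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Removing the tape entry from the inventory makes the audit fail on three findings at once (copy count, off-site copy, offline copy), which is the point of the text: a single on-site, network-attached backup is exactly what the first wave of the attack encrypts. The "nightly-snap" entry is deliberately rejected even though it is recent, because it is not immutable.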
With its complete product portfolio dedicated to data protection, Atempo.Wooxo Group will help protect your business against ransomware attacks by providing sound backups for your data. No need to pay the ransom and, most of all, no data loss.
Your data, which is the fuel of your business, is safe with Atempo.Wooxo Group. Ransomware is not a fatality, and enterprises have plenty of ways to limit or avoid this kind of attack. It is just a matter of day-to-day good practices in IT operations.
ANSSI: An Authority and an advisor to French enterprises
Created in 2009, the ANSSI is responsible for the security of French government agencies and sensitive industries such as telecommunications, energy, healthcare, defense and others. Its mission is to protect sovereignty and autonomous decision-making in the political, diplomatic and military spheres. At the end of 2018, the agency employed 600 people with a budget of 100 M€. The number of employees should reach 675 by 2022. The agency has resources to intervene in critical attacks and to perform forensics on them. Its role is also to advise enterprises and to spread good security practices. The agency maintains tight links with European partners and with ENISA, the European agency for systems security.