Ransomware has hurt more businesses than anyone expected only a year ago. This real threat to your organization could steal a great deal of productivity while systems are “locked” or directly cost the cryptocurrency demanded as ransom. For any organization that's ill prepared, it could cost you in both of these ways and there's no criminal customer service line if the purchased decryptor fails [though I'm excited to finally have a use for a balaclava-related stock photo].
Given their creativity and desire to make money from the susceptibility of others, we should have anticipated that organized criminals would take the destruction of the Sony breach, the anonymity of cryptocurrency, and add a little entrepreneurial innovation to yield ransomware. Now, with its many “successes” for these unlawful organizations, ransomware isn't going away any time soon, so you should prepare your organization against it.
As is common for him, Rapid7's own Tod Beardsley responded to this trend with a helpful FAQ earlier this year. Since that time, a lot of vendors have seized this opportunity to add niche prevention and detection as a third guaranteed ransomware cost to your organization. This soliciting at disaster sites is spun to sound better than the boring truth: the best way to protect your organization from this threat is the very disaster recovery process you should have in place before any security program is even budgeted.
There are a lot of people with their hands out, so here's what to avoid
Just in the past week, I've received some fearmongering emails and tripped over a few “ransomware solutions” on LinkedIn, so in the interest of breaking down the fourth wall [like Deadpool!], here are some of the buzz-iest promises I've seen:
“Detect ransomware as it enters corporate networks” – There are a lot of vendors offering to help you detect ransomware for an additional fee. Since the majority of ransomware today isn't trying to hide its existence [because then, how would you know where to send the check?], your money is best spent elsewhere.
“Machine learning for detection of zero-day ransomware” – This is like a perfect storm of buzzwords. Machine learning is probably best applied to finding hidden issues, and much stealthier malware, you'd otherwise struggle to identify. In addition, the vast majority of ransomware is using old exploits in the most targeted applications, so “zero-day” here is likely being used to add buzz to malware with unknown hashes (and the 2016 Verizon DBIR found that 99% of malware is only known for 58 seconds or less).
"Think you are safe from ransomware with Office 365? Think again.” – I didn't even read this email and neither should you. Just make sure you include your cloud infrastructure in your disaster recovery plan.
Preventing and detecting malware needs to be part of any security team's goals, but just as you probably didn't change your entire information security plan to combat the Zeus Trojan in 2007, you cannot afford to forget your broader security and business continuity goals because you've happened upon some snake oil or machine learning.
Backing up your systems [and testing the restore] should be a high priority investment, anyway
The healthiest way to think about your ransomware-locked systems is the way you'd think about laptops your employees dropped on business trips. Sure, you might recover the data on them if you keep at it, but it would save everyone a lot of time and effort if you just restore the backup images from last night to the impacted systems (or replacement laptops). I am not advocating for any one backup solution, but this blogger says it well: “Prevention is good, but backups are your insurance when ransomware strikes.” The beauty of thinking about ransomware in this manner is that you can be better prepared for natural disasters (like floods), building disasters (like broken water pipes), and even an office full of people getting suddenly brainwashed and throwing their laptops off the roof [I have strange dreams, yes].
My dad, an IT consultant for 20 years, would take away my TV privileges if I didn't also insist that you test the restore process regularly. It turns out that's the buggiest feature in the backup solutions out there and you don't want to find out that you have thousands of useless backup images once you really need them. There really isn't a downside to solidifying and regularly testing your disaster recovery plan because it's probably required by your insurance provider and it can help you with a lot more than just ransomware.
Focusing too much on ransomware exposes you to other less headline-grabbing attacks
For those with a tested disaster recovery plan and desire to still do more, beware the common mistake the human mind makes called the focusing illusion, or convincing oneself that a current event or problem in focus is the most important one. This frequently leads to losing sight of the bigger picture and improperly planning for the future. If you are going to focus your defensive efforts solely on ransomware, it will make you more susceptible to the many other security threats to your business. A lot of these point solutions are emerging to charge more money while the truth is, as some security professionals are blogging, a few of the fundamental security controls you should already own today are the most effective defense:
- Security awareness training – your users should understand the importance of security, know not to install unknown software, and what to do when they believe they're being phished.
- Malware prevention – antivirus or similar solutions should be installed and up-to-date with browser plug-ins for website reputation scoring against drive-by malware that doesn't require a click to install.
- Exploit mitigation – for scenarios in which users aren't knowingly installing anything, Microsoft offers the Exploit Mitigation Experience Toolkit (EMET) free of charge and it is very effective at preventing malware from using wide array of its tricks. Your organization should absolutely install it across all Windows systems. I'll say it again: it's free.
- Patching – in tandem with exploit mitigation, you should always install the latest version of all operating systems and applications in your organization. The most affordable centralized tool for doing this is Microsoft System Center Configuration Manager (SCCM).
These security and IT measures should be in place for any organization to defend from a great deal more than just ransomware. Unfortunately, there is no magic snake oil for all that ails you. There never has been.
Whether you need a partner to help with the security fundamentals, a second set of eyes for your disaster recovery plan, or somewhere in between, Rapid7's Global Services can help. Sorry, but my dad's just retired or I'd send him.