Ransomware


Not a pretty sight: every file encrypted and only two options left. Pay or restore.

You can take a lot of steps to get ahead of this. If you know someone who has been a victim, chances are high they will tell you it could have been avoided with just one of the points I mention here.

Ransomware takes encryption, a tool built to protect data, and turns it against the data's owner; the current wave of file-encrypting malware took off around 2012. As defenses improved against other kinds of attack, ransomware became the popular choice because the author only has to release it and wait for a victim to pay.

Check out this chart from GRC. Notice that the number of ransomware families skyrocketed in 2016. Forget about 2018 onward, as it would just bury this list.

[Image: ransomware timeline chart]

I’m not saying there is a perfect set of rules, as it depends on the business’s needs and the level of risk you are willing to accept. But here are a few things that should always be considered.

Keeping Administrative rights away from employees

You may have read my other post about admin rights at home, but it is even more important at the workplace: lock users out of admin access. Admin rights on the machine are the fastest way to let something malicious happen, because whatever the user runs gets to modify the whole system. When you have a support team, have them assist with an admin logon to complete the installation process. That way, experienced eyes are doing the install and are aware of each piece of supplemental software that rides along with it and modifies the system. Downloading and installing something to “check it out” is one of the quickest ways for a user to bring things they did not even understand into your company environment. Control this.
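The first thing to check is who actually holds admin rights on each machine today. The script below is an added example, not code from the original post: it compares the local Administrators group against an allowlist and reports (or, with -Remove, strips) everyone else. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or later (the LocalAccounts module); the CONTOSO group names are hypothetical placeholders.

```powershell
# Added example (not from the original post): audit the local Administrators
# group against an allowlist and report, or optionally remove, everyone else.
# Assumes PowerShell 5.1+ on Windows 10 / Server 2016+ (LocalAccounts module).
# The CONTOSO group names are placeholders; adjust them for your domain.
param(
    [string[]]$Allowed = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin (rename/disable where possible)
        "CONTOSO\Domain Admins",             # hypothetical domain admin group
        "CONTOSO\Workstation Admins"         # hypothetical support-team group
    ),
    [switch]$Remove                          # default is report-only
)

$members    = Get-LocalGroupMember -Group "Administrators"
$unexpected = $members | Where-Object { $Allowed -notcontains $_.Name }

"Local Administrators on $env:COMPUTERNAME:"
$members | ForEach-Object {
    "  {0,-40} {1,-8} {2}" -f $_.Name, $_.ObjectClass, $_.PrincipalSource
}

if (-not $unexpected) {
    "OK: only allowlisted principals have admin rights."
    exit 0
}

"WARNING: principals with admin rights that are not on the allowlist:"
$unexpected | ForEach-Object { "  $($_.Name) ($($_.ObjectClass))" }

if ($Remove) {
    foreach ($m in $unexpected) {
        # -WhatIf makes this a dry run; drop it once the list has been reviewed.
        Remove-LocalGroupMember -Group "Administrators" -Member $m.Name -WhatIf
    }
}
exit 1
```

Run it elevated on each workstation (or push it through your RMM / a scheduled task) and treat a non-zero exit as a ticket. Pay particular attention to entries whose ObjectClass is Group: a domain group nested into local Administrators grants admin rights to every member of that group, which is how “everyone in Sales is an admin” happens without anyone deciding it.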

Making sure you are not allowing public facing access to ports

Having someone who knows networking is a must in any tech support team. Your firewall should be capable of intrusion prevention, but more importantly you should know when to allow a port to be open and when not to. If someone simply asks you to open a port on the firewall for something, ask a lot of qualifying questions. Not to invade privacy, but to ensure security. An open port is a direct path from the internet into something. There needs to be a good reason for that access and, more importantly, a good plan for protecting the destination, which in some cases means isolating it from the rest of the network precisely because it is publicly reachable.
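Before you can answer “why is this port open?” you need to know which ports are open and what is behind them. The script below is an added example and not code from the original post: it inventories every TCP port a Windows host listens on, the process behind it, and whether an enabled inbound firewall rule lets any source address reach it on the Public profile. It assumes Windows 8.1 / Server 2012 R2 or later (the NetTCPIP and NetSecurity modules) and is run elevated.

```powershell
# Added example (not from the original post): list listening TCP ports, the
# owning process, and whether an enabled inbound allow rule with RemoteAddress
# 'Any' on the Public (or Any) profile makes that port reachable from anywhere.
# Assumes Windows 8.1 / Server 2012 R2+; run elevated.

# 1. Sockets listening on all interfaces (0.0.0.0 / ::), one entry per port.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
    Sort-Object LocalPort -Unique

# 2. Enabled inbound allow rules with their port and address filters resolved.
$openRules = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name       = $rule.DisplayName
        Profile    = "$($rule.Profile)"            # e.g. 'Any', 'Public', 'Domain, Private'
        Protocol   = $port.Protocol
        LocalPort  = @("$($port.LocalPort)" -split ',\s*')   # 'Any', '3389', ... (ranges not expanded)
        RemoteAddr = @($addr.RemoteAddress)                # 'Any' = no source restriction
    }
}

# 3. Join: listening port + Any-source rule on a public-facing profile = exposed.
$report = foreach ($l in $listeners) {
    $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $exposing = $openRules | Where-Object {
        $_.Protocol -eq 'TCP' -and
        ($_.LocalPort -contains 'Any' -or $_.LocalPort -contains "$($l.LocalPort)") -and
        $_.RemoteAddr -contains 'Any' -and
        $_.Profile -match 'Public|Any'
    }
    [pscustomobject]@{
        Port    = $l.LocalPort
        Process = "$proc ($($l.OwningProcess))"
        Exposed = [bool]$exposing
        Rules   = ($exposing.Name | Sort-Object -Unique) -join '; '
    }
}

$report | Sort-Object Port | Format-Table -AutoSize

# Every 'Exposed = True' line needs a written justification or a scoped rule.
$exposedCount = @($report | Where-Object Exposed).Count
"Ports reachable from any address on a public-facing profile: $exposedCount"
exit ([int]($exposedCount -gt 0))
```

This is the host-side view; the perimeter firewall is a separate inventory, and the only check that really counts is an outside-in one, for example Test-NetConnection against your public IP and the port in question from a host that is not on your network. Each line that comes back exposed should map to a documented reason and a plan for isolating that host, or to a rule scoped to the specific source addresses that need it.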

Avoid Remote Desktop from the outside!!!

One of the easiest ways to take control of another workstation or server is Remote Desktop. Just like me, you might use it every day. All it requires is a username and password to remotely access a machine or shared server, which also makes it a prime target for password guessing. This should absolutely not be reachable from a public IP. Remote Desktop Gateway was introduced over a decade ago and is a must for anyone still using Remote Desktop from the outside. It tunnels RDP over HTTPS with a TLS certificate, and the attacker must also know the name of the gateway server and the destination machine in addition to the username and password. The best choice, however, is a VPN to the office. That provides a secure connection to the office network, and you then remote into workstations and servers over it.
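The host-level counterpart of “never expose RDP to the internet” is to scope the RDP firewall rules to the VPN client pool and require Network Level Authentication, so an attacker must present valid credentials before even seeing a logon screen. The script below is an added example, not code from the original post; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, and the VPN subnet 10.8.0.0/24 is a placeholder.

```powershell
# Added example (not from the original post): restrict this host's RDP rules to
# the office VPN pool and enforce Network Level Authentication, then verify.
# Run elevated. 10.8.0.0/24 is an assumed VPN client subnet; replace it.
param([string[]]$VpnSubnets = @('10.8.0.0/24'))

# The built-in RDP rules (TCP/UDP 3389 and shadowing) share the "Remote Desktop" group.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound

# Before: what source addresses does each rule accept today?
"Current RDP rule scope:"
foreach ($r in $rdpRules) {
    $addr = $r | Get-NetFirewallAddressFilter
    "  {0,-45} Enabled={1,-5} RemoteAddress={2}" -f $r.DisplayName, $r.Enabled,
        (@($addr.RemoteAddress) -join ',')
}

# After: scope every RDP rule to the VPN pool. A RemoteAddress of 'Any' is the
# setting that turns TCP 3389 into a front door from the whole internet.
$rdpRules | Set-NetFirewallRule -RemoteAddress $VpnSubnets

# Require NLA on the RDP-Tcp listener (UserAuthentication = 1).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# Verify both changes and fail loudly if anything is still wide open.
$stillOpen = @($rdpRules | Where-Object {
    @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any'
})
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($stillOpen.Count -gt 0 -or $nla -ne 1) {
    Write-Error "RDP hardening incomplete: rules still open to Any = $($stillOpen.Count), NLA = $nla"
    exit 1
}
"RDP on $env:COMPUTERNAME is limited to $($VpnSubnets -join ', ') and NLA is enforced."
```

This is defense in depth, not a substitute for the perimeter: any NAT rule on the edge firewall that forwards 3389 to this host still has to go, and remote staff connect through the VPN (or RD Gateway) instead. Keep the -WhatIf habit from the previous example when you first run Set-NetFirewallRule, because scoping the rules to the wrong subnet locks you out of your own servers.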

Backup

Having a good backup is one of the best proactive measures you can take to minimize risk. Hourly incremental backups keep the amount you can lose to about an hour of work. I have worked with many backup systems, up through current appliances that perform very fast recovery and give almost immediate access to virtual machine images in the event of a server failure. To reduce the risk further, keep offsite copies in the cloud so your data is always recoverable. One caveat: ransomware encrypts any backup it can reach, so a backup that sits on a share writable from the workstations is not a backup. At least one copy must be offline, immutable, or otherwise not writable from the network it protects.

Audit them and make sure they are actually running.  Complete Disaster Recovery tests to prove they will work if needed.
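“Make sure they are actually running” is something you can script rather than assume. The script below is an added example, not code from the original post: it checks that the backup job ran and succeeded, that the newest backup set is within the age threshold, that a random sample of live files can be spot-restored with matching hashes, and that the backup root is not writable by the general user population. The paths, the scheduled-task name and the layout (a timestamped folder per backup set mirroring the source tree) are assumptions.

```powershell
# Added example (not from the original post): prove a backup is recent and
# restorable. Paths, task name and layout are placeholders; the layout assumed
# is <BackupRoot>\<timestamped set folder>\<same relative path as under Source>.
param(
    [string]$Source     = 'D:\Shares\Finance',          # hypothetical live data
    [string]$BackupRoot = '\\backup01\Finance',         # hypothetical backup target
    [string]$TaskName   = 'Hourly Finance Backup',      # hypothetical scheduled task
    [int]$MaxAgeHours   = 1,
    [int]$SampleSize    = 20
)
$problems = @()
$now = Get-Date

# 1. Did the job run recently, and did it succeed? (LastTaskResult 0 = success)
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) { $problems += "Scheduled task '$TaskName' not found" }
else {
    $info = $task | Get-ScheduledTaskInfo
    if ($info.LastTaskResult -ne 0) { $problems += "Last run returned $($info.LastTaskResult)" }
    if ($info.LastRunTime -lt $now.AddHours(-$MaxAgeHours)) {
        $problems += "Last run at $($info.LastRunTime) is older than $MaxAgeHours h"
    }
}

# 2. Is there a backup set newer than the threshold?
$latest = Get-ChildItem -Path $BackupRoot -Directory -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { $problems += "No backup sets found under $BackupRoot" }
elseif ($latest.LastWriteTime -lt $now.AddHours(-$MaxAgeHours)) {
    $problems += "Newest set $($latest.Name) is from $($latest.LastWriteTime)"
}

# 3. Spot-restore: random live files must exist in the set with identical content.
#    Only files unchanged since the set was written are compared, so a user
#    editing a spreadsheet five minutes ago does not count as corruption.
$sample = @()
if ($latest) {
    $sample = Get-ChildItem -Path $Source -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $latest.LastWriteTime } |
        Get-Random -Count $SampleSize
    foreach ($f in $sample) {
        $rel  = $f.FullName.Substring($Source.TrimEnd('\').Length + 1)
        $copy = Join-Path $latest.FullName $rel
        if (-not (Test-Path $copy)) { $problems += "Missing in backup: $rel"; continue }
        $a = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
        if ($a -ne $b) { $problems += "Content differs: $rel" }
    }
}

# 4. Ransomware encrypts any backup it can write to: the backup root must not be
#    writable by the everyday user population.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
foreach ($ace in (Get-Acl -Path $BackupRoot).Access) {
    $id = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        ($id -in $broad -or $id -like '*\Domain Users') -and
        "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles|AppendData') {
        $problems += "Backup root writable by $id ($($ace.FileSystemRights))"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"Backup of $Source verified: set $($latest.Name), $($sample.Count) files spot-restored, no broad write access."
```

Schedule this to run shortly after each backup window and alert on a non-zero exit. It covers the “is it running and restorable” question; the full disaster-recovery test the post asks for, restoring a whole server or VM image onto spare hardware and logging on to it, still has to be done by hand, and on a calendar.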

Closing

I’m generally addressing this from my friends and family POV. If you are an actual tech, none of these points should be surprising, and in fact it is unacceptable if you are not already taking a proactive approach against attacks.

I read that the WannaCry ransomware caused havoc across the world in May of 2017 and only ended up with a small amount of money (ransom) paid, about $100,000 from all infected. Now there is even a business out there called GandCrab that creates ransomware for others to deploy. Basically, for a percentage of the ransom, they do all the hard work of creating current malicious software that works against today’s vulnerabilities. Someone buys that software, gets it into a company network, and reaps the majority of the ransom paid, making them all very wealthy. They claim to the tune of BILLIONS. Even if that is exaggerated, they are retiring very rich, and from anywhere in the world.

You have to keep thinking about the ways someone could have, or gain, access to your network and infrastructure.

If you are not the tech, or the Managed Service Provider, get one that is proactively protecting you! Not just saying so, but showing you that protections, backups, and auditing are actually in place.

Hope this helps!
