Ransomware – What It Is And How To Stop Yourself Becoming A Victim
Bob Sampson
CCISO CISSP CISM CGEIT Cyber security specialist, helping businesses achieve a more secure future. Talks about threats, risks, vulnerabilities and protective measures.
I recently hosted a series of open door events where clients on any of our serviced office sites could come and discuss IT security concerns with me. One thing that I was quite surprised about was how few people had ever heard of ransomware. I suspect that word is all too familiar throughout the population following last week’s NHS cyber-attack. However, regardless of its publicity, there is still a lot of uncertainty as to what happened, how it happened, and how it could be prevented.
Firstly, it should be pointed out that whilst the NHS is the most prominent victim in the UK, it is by no means the only one, and globally many other minor and major corporations have been affected. So is it true that no one is safe? Not really, which I hope will become apparent as we look at what actually happened.
It's probably best to understand what ransomware is before we look at how the attack took place. Ransomware is part of a family of viruses known as cryptoware. These are viruses whose malicious payload (i.e. the nasty programming that screws up your PC) specifically targets key files on your machine and encrypts them. These files are often Word documents, Excel spreadsheets, photos or Sage financial databases, amongst others. What the virus actually does is index your hard drive, and any files with the right extension (.doc, .xls, .jpg, etc.) get encrypted.
Think of a ransomware virus being like a burglar in your home who, upon having gained entrance to your house, finds nothing of worth to him or that he can sell on, but items of worth to you. So, instead of stealing your photos and egg-cups made by the kids, he locks them all in a box with a huge, complex lock on and a nice note asking for some money and he’ll give you the key.
Because viruses are becoming more and more sophisticated, along with the programming base moving from the classic disaffected geeky teenager to complex criminal organisations, their own complexity is also evolving. It is not unusual for a virus to infect early on, but stay dormant, just logging key bits of data and sending them out to an external source (data such as passwords, account details, sensitive company documents etc.) whilst simultaneously replicating itself in the background to other devices on the network. Then, after a pre-set fuse length, all PCs (hosts) infected with the virus begin to rapidly, and in synchronisation, encrypt all identified targeted files whilst now displaying a message to send an amount of money in the form of Bitcoins (web-based virtual currency) to an address and in return you’ll receive the code to unlock your files.
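The defender's view of the burst described above, as an added illustration rather than code from the article: a behaviour-based check (the kind of "looks for encrypting files" product mentioned later in the piece) that watches file-write events for many targeted document types being rewritten with near-random, ciphertext-looking content in a short span. The event format, host names, paths and sample data are all constructed for the example.

```python
import math
import ntpath
from collections import Counter, defaultdict
# Extensions the article names as typical ransomware targets.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".jpg"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events, window=60, threshold=5, min_entropy=7.0):
    """events: (timestamp_seconds, host, path, bytes_written). Returns {host: (first_ts,
    last_ts, count)} where >= threshold targeted files became high-entropy within window."""
    hits = defaultdict(list)
    for ts, host, path, data in events:
        ext = ntpath.splitext(path)[1].lower()      # handles Windows paths on any OS
        if ext in TARGET_EXTS and shannon_entropy(data) >= min_entropy:
            hits[host].append(ts)
    alerts = {}
    for host, times in hits.items():
        times.sort()
        start, best = 0, None
        for end in range(len(times)):               # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (times[start], times[end], count)
        if best:
            alerts[host] = best
    return alerts

# Constructed samples: a stand-in for ciphertext (every byte value equally often,
# entropy exactly 8.0) and some ordinary English text.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAIN_TEXT = b"Minutes of the Monday meeting: sales up, costs flat, actions below. " * 20
SAMPLE_EVENTS = [
    (100, "PC-07", r"C:\Users\bob\Documents\accounts.xlsx", CIPHERTEXT_LIKE),
    (104, "PC-07", r"C:\Users\bob\Documents\letter.docx", CIPHERTEXT_LIKE),
    (108, "PC-07", r"C:\Users\bob\Pictures\holiday.jpg", CIPHERTEXT_LIKE),
    (112, "PC-07", r"C:\Users\bob\Documents\minutes.doc", CIPHERTEXT_LIKE),
    (116, "PC-07", r"C:\Users\bob\Documents\budget.xls", CIPHERTEXT_LIKE),
    (120, "PC-07", r"C:\Users\bob\Documents\plan.docx", CIPHERTEXT_LIKE),
    (105, "PC-12", r"C:\Users\sue\Documents\report.docx", PLAIN_TEXT),
    # A genuine JPEG is compressed, hence high-entropy too: one write alone must not fire.
    (130, "PC-12", r"C:\Users\sue\Pictures\cat.jpg", CIPHERTEXT_LIKE),
]
```

Only PC-07 is reported: six targeted files turned into random-looking bytes within 20 seconds, whereas PC-12's single high-entropy photo write stays below the burst threshold.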
The cost of an attack like this comes from two sources. Either a) you get some money converted to Bitcoin to pay the ransom, to get the decryption key, which not only costs you, but probably puts you on a list as a potential future target as you’re known to pay up; or b) you shrug your shoulders, turn off your network, recover core data from backups and rebuild the network, machine by machine, cleansing it of the virus as you go. Either way, the financial cost to an organisation often runs to many thousands, be it from the ransom or the impact to the business. Look at your own organisation. If you turned off all PCs for just 1 day, what would the impact be? How many users would be unable to work and sent home? What about damage to your reputation with your clients?
So that is the ransomware virus type itself. Honestly, it is my single biggest nightmare to happen to any of my systems. We have backups, but I know first-hand how disruptive an attack like that can be, and that was when I had complete backups and managed to recover our entire platform in 5 hours whilst having a workable alternate system available in the meantime. I know of companies that have lost months of data, or employed people for weeks at a time to re-key lost information into databases. But how did it get in? This is more easily understood. The attack made use of a known vulnerability in Windows. That is important: it was a known vulnerability. Software manufacturers, after they release new software, tend to update it regularly as bugs or security holes come to light. Microsoft release many patches a month for many different programs, as their software is so widely used that new problems come to their attention all the time.
In the case of the NHS, and others that have been affected recently, the problem most likely comes down to not updating servers and PCs with these patches once they've been released. Actually, this highlighted an underlying problem for the NHS, one I'm sure they were very much aware of but were probably hoping would never rear its head. A large portion of their machines (and any portion bigger than 0% was too high) were still running Windows XP, an operating system that went end-of-life over 3 years ago. This meant that, for 3 years, those devices got no security updates, no vulnerabilities patched, no bugs in the program fixed. It was a disaster waiting to happen, mostly because once a virus is inside your network it spreads that much more easily: the hard work of getting in is done. With Windows XP machines still in use, that's a lot of security holes to get in through.
So, on to the most important bit: what can be done to stop this happening to you? Firstly, understand that there is no guarantee, no magic bullet that will stop you from an infection like that. You put in place measures to identify viruses, isolate unusual processes, and mitigate threats with decent network policies. These are the quick and easy steps to make things more difficult for viruses like this to take hold:
· The first rule of malware is... we talk about malware. Educate your users. They are the biggest threat to your network if left unchecked, but can also be your biggest ally if you get them on board with network security. Make them understand the ramifications of an attack (lost revenue to the company, possible redundancies as a result). It needs to be a team effort and I work hard with my users to keep the messages front and centre.
· Patches are cool. On geography teachers' elbows, maybe not, but definitely on your servers and PCs. The manufacturers release patches and updates for a reason, so put them on. Bigger organisations often need to vet these patches and see if they impact any existing systems, but if they test OK, get them on the machines. If they are patching a security flaw, all the time you're not patched, you're more open to attack.
· Invest in security. Too many companies still see IT as a cost, rather than as an asset. You'd train your staff and invest in them, as they are invested in the company? Well, the same applies to IT and your security. Get a good firewall. If your firewall cost £20 from PC World and was part of the router they sold you, it won't be as good as a £200 dedicated firewall device, which in turn will be less configurable and less capable than a £2000 device. Boundary security: stop the burglar even getting into your house in the first place. The same goes for anti-virus. It's a small price to pay given the costs if you get hit. There are also systems that don't just look for known viruses, but also look for suspicious behaviour, including encrypting files. Sound useful?
· Invest in email scanning and filtering. I've put this separately from security above because email is such a massive threat vector and one of the most common routes into a company for malicious software. Scan for viruses, scan for junk email, scan for dodgy attachments, scan for links in an email that go somewhere other than where they say they do. If you let an infected email, or one with links to viral sites, land on someone's computer, you're relying purely upon their recognition of the threat. At 4pm on a Friday afternoon, would you trust that person to notice, and to not open a viral attachment?
· If you use Remote Desktop/RDP/Citrix (or anything else that gives you a window on a machine inside your office), force your users to connect over a VPN. If you expose a Windows login to the outside world, this is like having your card in the ATM with anyone able to try as many attempts at your PIN as they like. Sooner or later, they’ll guess the right password. Make users connect over a VPN, a secure link into the office, then run Remote Desktop or whatever over the VPN. It’s a much more secure way of doing it.
· Use complex passwords. It's not rocket science. It's not even R0ck3t Sc!enc3. It can be complex but still memorable. 'correct horse battery staple' is a famous example of a password that is much harder to guess but easy to remember, although dictionary word attacks would get it sooner than if the words were each slightly misspelt (crorect hosre batteyr elpats would be harder to crack).
· Have an IT usage policy. Emailing pornography around the office, regardless of its inappropriateness, is asking for trouble. Porn sites, warez sites, pirate film sites: all are the natural home of viruses. Accessing these sites is the IT equivalent of unprotected sex and you'll eventually get the digital clap. A good, comprehensive policy sets the guidelines for what company equipment can be used for and so restricts this potential threat. This can also include not using USB drives that are not owned by the organisation. Found one in the car park? This is a known ploy, to leave an infected USB drive in an area outside an office. Drive over it!
· If you’ve not got in-house expertise, get a good external IT company in. And don’t go with a director’s teenage son because he’s doing IT at college (seen this with a 100-user £15m site!). Also, the one-man band on the high street might be fine to swap the broken keyboard on your laptop, but is unlikely to have much experience with corporate networks.
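The "as many PIN attempts as they like" problem from the Remote Desktop point above, seen from the logging side, as an added example that is not part of the article: a check over a few constructed, simplified Windows Security log lines that flags any remote address repeatedly failing RDP logons. Event ID 4625 is a failed logon and logon type 10 is a remote-interactive (RDP) session; the compact one-line format, timestamps and addresses are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-line rendering of Windows Security events (real 4625 events carry
# Logon Type, Account Name and Source Network Address in a multi-line message).
LOG_LINES = """\
2017-05-12T23:41:02 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2017-05-12T23:41:03 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2017-05-12T23:41:05 EventID=4625 LogonType=10 Account=admin Source=203.0.113.45
2017-05-12T23:41:06 EventID=4625 LogonType=10 Account=bob Source=203.0.113.45
2017-05-12T23:41:08 EventID=4625 LogonType=10 Account=sue Source=203.0.113.45
2017-05-12T23:52:10 EventID=4625 LogonType=10 Account=bob Source=198.51.100.7
2017-05-12T23:52:40 EventID=4624 LogonType=10 Account=bob Source=198.51.100.7
2017-05-13T08:15:00 EventID=4625 LogonType=2 Account=sue Source=-
""".splitlines()

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) Account=(\S+) Source=(\S+)$")

def parse(line):
    """Return (timestamp, event_id, logon_type, account, source) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, logon_type, account, source = m.groups()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, source

def rdp_guessing_sources(lines, window=timedelta(minutes=5), min_failures=5):
    """Return {source: (failures, distinct_accounts)} for each remote address with at
    least min_failures failed RDP logons inside any window-long span."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, event_id, logon_type, account, source = rec
        if event_id == 4625 and logon_type == 10:   # failed RemoteInteractive (RDP) logon
            failures[source].append((ts, account))
    flagged = {}
    for source, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            if len(burst) >= min_failures:
                flagged[source] = (len(burst), len({a for _, a in burst}))
    return flagged
```

The distinct-account count separates a single account being hammered from password spraying across many accounts; successful logons (4624) and console logons (type 2) are deliberately left out of the count.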
For a lot of companies, a lot of the above might seem beyond the reach of their financial resources. However, balance it against the impact of an hour, or a day, or a week without the IT. I've seen a company send 40 people home for a few days when their server, which had gone out of warranty, blew its motherboard. 40 workers, no data, no work (they were completely reliant on the IT) for 3 days. I think that probably paid the extended warranty cost a few times over. Another reason to invest is herd immunity. If enough people get the flu vaccination, the virus struggles to spread easily. By making it hard for network viruses to spread, you're not only protecting yourself, but you're protecting companies you might do business with, maybe your clients.
The prospect of a ransomware attack is one that terrifies most IT professionals, if not the corporate board. But understanding what the threat is, like many things, is better than ignorance, and, once understood, it’s easier to justify a budget for protection for the users, for the network, and, therefore, for the company itself. If there is a good thing to come out of the recent attacks, it’s highlighting the vulnerabilities of so many companies and making employees at all levels give thought to their actions on the web and their potential consequences.
Head of Business Development
7 years ago: Great piece Bob Sampson, and fantastic that you are willing to help businesses protect themselves against what is obviously becoming a growing threat
★★★★★Clients save money + get more sales using Modern Telecoms ★★★★★ |excellentcustomersupport |telecoms |newbusiness |businessphones |localbusiness
7 years ago: Thanks Bob for this very informative work. I got attacked last year via an email. Late at night to a new account with something that looked genuine. At the time the paid-for, professional anti-virus and malware products had no answer. They say they do now but an offline backup is a must for us all.
Group Estates Manager at Wrest Park Ltd
7 years ago: Thought provoking and straight talking - ALL companies, large, small or micro should be able to find the right balance between budget and protection. Thanks.
Europe Correspondent at Voice of America
7 years ago: Very informative and clear, thanks Bob