July 19, 2017

Protecting against ransomware attacks

Posted in Cybersecurity by Gene Killian

A while back, I saw a pretty good article on cybersecurity in an on-line tech magazine. I e-mailed the link to a friend who’s the General Counsel of a major corporation. He responded, in essence: “Let me get this straight. You’re trying to protect me from cyber-crime by asking me to click on a link in an e-mail?” (Yes, folks, I am an idiot. At least my heart was in the right place though.)

Now, I should preface what I’m going to say in the rest of this post by confessing that I’m a bona fide Baby Boomer who, like most Boomers, has at best an uneasy truce with technology. I do, however, have computers in my blood.  After getting out of the Army in the 1950s, my dad went to work for Western Electric, where he learned to program giant Univac computers with BASIC and COBOL, now the Latin of the computer world.  (I wonder how he’d feel to know that I have more computer power in my iPhone than he had in his entire company.  But I digress.) 

The recent massive “NotPetya” cyberattack got my attention, as it probably did yours, if you’re in the business world.   When a massive corporation like Maersk has its computer systems shut down, despite having an army of IT technicians on the payroll, you have to wonder whether there’s any hope for mere mortals.  But, of course, the size of an organization can be part of the problem.  The larger the organization, the more numerous the potential points of failure.

To recap:  Petya is a kind of ransomware that first appeared in 2016.  Basically, Petya targets Windows-based systems, encrypting the hard drive and preventing Windows from booting.  Then it demands a payment in Bitcoin to allow re-access to the system.  Last month’s attack was originally identified as Petya, but it now appears to be a Petya offshoot, with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it hit over 2,000 targets and caused a lot of problems.

Here’s an interesting point about NotPetya, though: If the malware designers were looking for ransom, they were pretty incompetent about it. The payment mechanism was too amateurish to have been carried out by serious criminals. The ransom note included the same Bitcoin payment address for every victim, for example; most sophisticated ransomware creates a custom address for every victim. Also, the malware asked victims to communicate with the attackers via a single e-mail address, which was promptly suspended by the e-mail provider once the provider discovered what it was being used for. So, even if someone paid the ransom, there was no way to communicate with the attacker to request the decryption key. That leads to suspicion that the purpose of NotPetya was something other than money. Some sort of international intrigue involving a foreign government? The “joy” of vandalism and getting attention? Who knows. (By the way, the FBI suggests that you never pay a computer ransom, and instead report the situation through the FBI’s Internet Crime Complaint Center.)

So what are you supposed to do to keep your company safe?  Here are a few random thoughts:

First and most obvious, make sure your employees are trained in how to recognize “phishing” e-mails, since they’re often the initial point of attack.  If an e-mail is addressed to “undisclosed recipients,” for example, or if the “from” e-mail address doesn’t seem to match the name of the sender in the body of the e-mail, look out.  Also, fraudsters often change one or two letters in the address to make it look like it belongs to someone you know. Never click on links or attachments unless you’re 100% sure they’re legit (by calling the sender to confirm).  If the e-mail contains poor grammar or spelling mistakes…red flag.  If you’re being asked to transmit account numbers or personal information…red flag.  The bottom line is what Las Vegas security teams call “JDLR” – “Just Doesn’t Look Right.”
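The “JDLR” checks above can be written down as rules. Here is an added example (my own illustration, not code from the post or any product) that scores a message against them: “undisclosed recipients,” a display name that doesn’t match the sender’s domain, a domain that differs from a known one by only one or two letters, link text that shows one site while the real target is another, and requests for account details. The list of known domains and contacts, and both sample messages, are constructed for the demonstration.

```python
import re

# Constructed sample data (not from the post): domains this business
# legitimately corresponds with, and known contacts with their expected domain.
KNOWN_DOMAINS = {"example-bank.com", "acme-partners.com"}
KNOWN_CONTACTS = {"Pat Jones": "acme-partners.com"}

# Phrases that ask for account or personal details (partial, constructed list).
SENSITIVE_REQUESTS = ("account number", "password", "social security",
                      "wire transfer", "routing number")


def levenshtein(a, b):
    """Edit distance between two strings; one or two changed letters give 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def parse_from(header):
    """Split 'Display Name <user@domain>' into (display name, lowercase address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def host_of(url_or_text):
    """Host part of a URL, or of link text that is written like a URL."""
    stripped = re.sub(r"^https?://", "", url_or_text.strip(), flags=re.I)
    return stripped.split("/")[0].lower()


def lookalike_domain(domain):
    """Return the known domain this one imitates (edit distance 1 or 2), else None."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        if 0 < levenshtein(domain, known) <= 2:
            return known
    return None


def red_flags(msg):
    """Return the list of red flags found in a message given as a dict of headers/body."""
    flags = []
    display, address = parse_from(msg.get("from", ""))
    domain = address.rsplit("@", 1)[-1]

    if "undisclosed" in msg.get("to", "").lower():
        flags.append("addressed to undisclosed recipients")

    expected = KNOWN_CONTACTS.get(display)
    if expected and domain != expected:
        flags.append(f"display name '{display}' but sender domain '{domain}' (expected {expected})")

    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"sender domain '{domain}' looks like '{imitated}'")

    body = msg.get("body", "")
    # Link text shows one host while the real target points somewhere else.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        if "." in host_of(text) and host_of(text) != host_of(href):
            flags.append(f"link text '{host_of(text)}' but target '{host_of(href)}'")

    lowered = body.lower()
    asked = [p for p in SENSITIVE_REQUESTS if p in lowered]
    if asked:
        flags.append(f"asks for {', '.join(asked)}")
    return flags


# Constructed sample messages (not real e-mails).
SAMPLE_PHISH = {
    "from": "Pat Jones <pat.jones@acme-partnres.com>",   # two letters transposed
    "to": "undisclosed recipients:;",
    "body": ('Please log in at <a href="http://acme-partnres.com/login">'
             'https://acme-partners.com/portal</a> and confirm your account number.'),
}
SAMPLE_LEGIT = {
    "from": "Pat Jones <pat.jones@acme-partners.com>",
    "to": "you@yourcompany.example",
    "body": "Agenda for Thursday attached. See you then.",
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, red_flags(msg))
```

The sample phishing message trips all five rules; the legitimate one trips none. None of these rules is proof on its own, which is exactly why the advice is to pick up the phone when anything looks off.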

Second, talk to your IT people now, before trouble happens, and begin to formulate a defense plan. Make sure your systems are set up for maximum protection. The question to ask is: Who can (and should) be able to access what, and why? The use of privileged accounts should be carefully restricted; only use administrator accounts when necessary. Configure access controls, including file, directory and network share permissions, appropriately. Your IT people can also disable macro scripts in office files transmitted over e-mail. Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., the temporary folders used by popular internet browsers and by compression/decompression programs).
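Before your IT people turn on a restriction policy, it helps to see what it would have blocked. Here is an added example (my illustration, not the post’s or any vendor’s code) that reviews process-creation records of the kind Windows writes to the Security log: it flags programs launched from the staging folders mentioned above and flags privileged accounts running software from outside the normal program directories. The folder patterns are typical locations I assume for this demonstration, and the five events are constructed, not real logs.

```python
import fnmatch

# Typical staging locations (assumed for this example, not from the post).
# Archive extractors such as 7-Zip and WinRAR unpack into the user temp folder,
# so the first pattern covers them too.
STAGING_PATTERNS = [
    r"C:\Users\*\AppData\Local\Temp\*",
    r"C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\*",
    r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cache\*",
    r"C:\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\cache2\*",
    r"C:\Windows\Temp\*",
]

# Directories from which ordinary software is expected to run.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Accounts that should only be used for administration (constructed sample).
PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup"}


def normalize(path):
    """Lower-case and use backslashes so comparisons ignore case and slash style."""
    return path.replace("/", "\\").lower()


def staging_match(image):
    """Return the first staging pattern the executable path falls under, else None."""
    img = normalize(image)
    for pattern in STAGING_PATTERNS:
        if fnmatch.fnmatchcase(img, pattern.lower()):
            return pattern
    return None


def review_process_events(events):
    """Flag records that a software restriction policy or privilege review would catch."""
    findings = []
    for ev in events:
        image, user = ev["NewProcessName"], ev["SubjectUserName"]
        pattern = staging_match(image)
        if pattern:
            findings.append((ev["EventRecordID"], "run from staging location", pattern))
        if user.lower() in PRIVILEGED_ACCOUNTS and not normalize(image).startswith(TRUSTED_PREFIXES):
            findings.append((ev["EventRecordID"], "privileged account ran untrusted binary", image))
    return findings


# Constructed process-creation records (field names follow event 4688; values are made up).
SAMPLE_EVENTS = [
    {"EventRecordID": 1001, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\Rar$EXa0.123\invoice.exe"},
    {"EventRecordID": 1002, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventRecordID": 1003, "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Users\Administrator\Downloads\setup.exe"},
    {"EventRecordID": 1004, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000a3.exe"},
    {"EventRecordID": 1005, "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for finding in review_process_events(SAMPLE_EVENTS):
        print(*finding)
```

Run against a few weeks of real logs, the “run from staging location” hits show which legitimate installers and updaters would break under a path-based block, so exceptions can be written before the policy is enforced rather than after the help desk lights up.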

Third, if you think you’ve been hit, don’t wait and hope the problem gets better…get your IT people involved immediately. In NotPetya’s case, the ransomware infects the computer and then waits for about an hour before rebooting the machine. If you catch it while the machine is rebooting, you can power it off to prevent the files from being encrypted, and then try to rescue the files. Your IT people may instruct you to disconnect your PC from the Internet, reformat the hard drive and restore your files from backup. (If the system reboots with the ransom note, don’t pay the ransom – as I said, with NotPetya at least, there’s no way to get the decryption key to unlock your files anyway.)

Fourth, make sure you’re backing up your data properly, and make sure that your IT people frequently test the systems for integrity and physical security.  (If you can restore the bulk of your data from the cloud, the fraudsters lose a lot of their leverage.)  Keep operating systems, software and firmware up-to-date and patched. (I know it’s a pain in the neck, but do it anyway.) Make sure that antivirus and anti-malware solutions are also updated, and are regularly scanning network resources looking for invaders.
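“Test the backups for integrity” is easy to say and easy to skip. Here is an added example (mine, not from the post) of the simplest version of that test: record a SHA-256 fingerprint of every file when the backup is made, then compare the backup against that record later and report what went missing, what changed, and what appeared. The tiny backup tree, the simulated damage and the placeholder note file name are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Fingerprint one file without reading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree on disk against the manifest taken when it was made."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
    }


def backup_is_sound(report):
    return not any(report.values())


def demo():
    """Build a constructed backup, record its manifest, then simulate a ransomware hit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2017-07-01,100\n")
        (root / "readme.txt").write_text("quarterly books\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulated damage: one file encrypted in place, one deleted, one note dropped.
        (root / "finance" / "ledger.csv").write_bytes(b"\x00\x17\xa9 not the ledger any more")
        (root / "readme.txt").unlink()
        (root / "HOW_TO_RECOVER.txt").write_text("constructed placeholder for a ransom note\n")
        damaged = verify_backup(root, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh backup sound:", backup_is_sound(clean))
    print("after simulated attack:", damaged)
```

The manifest only protects you if the attacker can’t rewrite it along with the files, so keep it on a medium the backup server cannot modify (an offline copy, or storage set to write-once). Run the comparison on the cloud or off-site copy, not just the local one, since that is the copy you’ll be restoring from.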

Finally, call your broker and review your cyberinsurance (or lack of it). If you don’t have the coverage, think about getting it, and at least go through the exercise of completing the application even if you don’t bind.  The application tends to be fairly detailed and may alert you to gaps in your company’s procedures, which could save you from trouble later. Make sure the policy provides coverage for ransomware-related costs. Despite the dramatic rise in ransomware, insurance coverage for this particular threat isn’t always included.  (There’s no standard-form policy, so you have to review the specific wording.)  Since ransomware incidents often don’t result in the destruction or actual “theft” of any data, policies that limit coverage — like business interruption coverage — to situations where data is altered or destroyed may prove useless in a ransom situation.  Remember, also, that policies may require the insurance company’s consent before paying any ransom.  Better figure all this out now, before it’s too late.