Recovering From a Ransomware Attack: The Do's and the Don'ts
Ransomware. Just that one word can strike fear into the hearts of the most hardened security professionals. The word itself has become scary but because of what Ransomware can mean to livelihoods should a company be successfully attacked by a bad actor and machines are compromised or encrypted. What’s the big deal though, it’s just some computers and some files, we can remove it and move on with our lives…. right? Maybe.
Maybe? With the risks involved, you can’t settle for “maybe”. There are many factors that go into the potential recovery after a successful ransomware attack, many of which most corporations are woefully unprepared. The quickest and easiest way to recover from ransomware was by restoring from backups which allows you to carry on your day like nothing happened. More importantly, restoring from a backup meant nobody external to the company would need to know of the successful attack. While quick and easy is great, it also comes with hidden costs which can quickly inflate! What are the costs to recover from a ransomware attack, both upfront and hidden on the back end? For the sake of this article, I am going to use the Maersk incident as it’s very well-publicized and had a staggering price-point associated with recovery.
June of 2017 is the timeframe we are looking at, and Maersk was hit with NotPetya, at the time, a particularly nasty piece of ransomware. The scope of impact was ~4000 servers and 45,000 PCs along with ~2500 applications over a period of just under 2 weeks in time. I am going to focus on the cost of 49,000 machines (server and workstation) and break down the total cost (~$300 million) over the duration of the 10 days that they were out of order. At $300 million and just over 240 hours, it cost Maersk approximately $1.25 million per day in both recovery and business interruption. To give some perspective of a smaller scale, small businesses spend ~$80k on recovering from a ransomware incident.
For the sake of being thorough, I am going to take you through the typical lifecycle of an attack and the effectiveness of ransomware attack, in the hope this will help you identify the signs to look for in an affected environment. Please note, the names of the steps are not “industry standard”, but I believe they more adequately explain the lifecycle and make it more understandable.
Step 1 – Probing. For a successful ransomware attack to be pulled off you need to know about the company and their defense capabilities. Are you running a next-gen solution? How are your perimeter defenses configured? Are you using anything which would give them “easy access” to your environment with preferably elevated credentials or permissions? (An example of this would be an open RDP to the outside world with weak security). A common practice will be dropping several different tools or programs on machines to see what is prevented and what isn’t, then using one of the undetected programs (mostly dual-use tools) after being weaponized to bypass the local security of the machine. You can generally see this in the management console of any security solution, but this requires manpower and time to continuously monitor. An option to try and augment this would be the implementation of a zero-trust model, but that will only protect from internal sources (such as employees) and does not include the requisite zero-time model.
Step 2 – The Attack. Once the bad actors have the lay of the land being your environment and its shortcomings, they will start to launch their attacks. If they have access to an RMM tool with weak security, that will make for a prime entry point. The permission set usually granted to the RMM tool is more than enough to run anything. Alternatively, the bad actors could use a standard e-mail campaign with a “document” attached which is password protected in an archive (prevents the removal by endpoint solutions as they cannot scan inside protected archives). Yet there are still other options that could be utilized, such as weaponizing dual-use tools that are already in the environment. Part of the attack is the payload which includes the encryption subroutines, which depending on how they are coded, could attack one machine and any mapped network drives. This is where the discomfort sets in, as almost every ransomware instance I have seen uses at least AES-256 encryption to encrypt the files.
Step 3 – The Ransom. By this point, all your files are encrypted on the machine with AES-256 encryption and you have a lovely ransom note on your machine from the bad actors stating how much money they want (or how much bitcoin, which is common). They explain to you via the note how to upload the money to an anonymous wallet and in return, you will be provided a utility that will decrypt all your files and allow your return back to functionality. This has been the modus operandi of most bad actors looking for a payday and in my experience, those who paid the ransom had their files decrypted, albeit I still wonder if the “entity” you were working with kept any of our files on their side.
The most common statement I have heard in the security realm pertaining to this specific situation was “Don’t pay it! Restore from backup and go on with your day!”. Honestly, not a bad idea in theory, but what if your company was woefully understaffed and did not have a regular backup process? What if one of your file servers was hit due to a mapped drive and there’s no backup available to recover? Even if you have the backups, you are looking at days, sometimes weeks, of being down while going through the recovery process on those machines. How is that impacting your business? If that wasn’t enough to worry about, we now have a new curveball thrown into the mix. I call it “The Chaos”.
Step 4 – The Chaos. While the above is enough to strain any company to its limits, “the chaos” adds a whole new level of worry to the process. It’s all about naming and shaming to try and add further leverage towards getting their payday. This means that even those organizations that do have stellar backups now have something altogether less enjoyable to worry about. You see, the bad actors have finally learned that encrypting environments is not enough to ensure a payday, especially as more and more companies started beefing up their backup plans after the first hints of ransomware came out years ago. They have learned that something exists which is more valuable than the data on the machines, and that is the reputation of the company.
Companies pride themselves on being able to say they keep their customer data private and their internal IP private as that’s often what makes the company unique. The chaos aspect of this started back in late 2019 and has greatly picked up momentum in the first month of 2020 with five law firms being hit. They were all threatened with public exposure of the data which was encrypted in order to enforce payment. The basis of the data exfiltration is to show how the said company was breached, as part of the process some data is shown to the customer to indicate they are extremely serious.
If you fail to pay the ransom the data becomes available on the dark web. They also reach out to the companies you were dealing with, to offer the data in the event they enter litigation against you for breach of data protection. Many people think the best way out should be to just pay the ransom and move on, but there is a major part of the recovery process which people often don’t take into consideration.
Some ransomware use persistence methods which mean that stopping the ransomware process won’t be enough, since after a period or reboot the ransomware will still be active. The only way to combat persistence is by knowing and being familiar with all the places or methods that malware, not just ransomware, gain its persistence capabilities. Persistence within malware is not uncommon at all, some common versions would be keys used by Winlogon, BootExecute keys, Shortcut hijacking, even the Windows Scheduler has been known to be manipulated. Without knowing if or how the malware you were infected with utilizes persistence mechanisms, the act of paying the ransom is futile if the machine would still be able to re-infect either itself and other machines (if there is a network component) upon the next run of the software.
Step 5 – The Fallout. Bad actors (correctly) assume that admitting you were compromised is the last thing a company wants to do publicly. The damage to a corporate image due to an encryption incident can be catastrophic, and if your business happens to be cybersecurity, it could be game over if word gets out. As a result of these additional “endeavors” by bad actors to ensure they are paid, we have a new security layer being introduced by businesses to proactively cover this kind of incident, ransomware insurance.
Many articles have been published about companies using ransomware insurance to pay off the bad actors to get data back. As the company is only liable for the deductible, roughly $10,000 when it comes to a ransom of over $400,000, the cost-benefit becomes self-evident. While the insurance will help keep the company humming along, it doesn’t close all vulnerabilities. It can be easily found out a deductible was paid to remediate a ransomware-based event and that your security was compromised. Not only is that a signal to other bad actors that you are a guaranteed payday, but an unwilling admission that your security posture was less than stellar. Adding salt to the wound, insurance companies have been known to find any way to state the issue is not covered due to the circumstances of the attack. This leaves many companies on the hook for the total amount of the ransom, which often they don’t have the liquid cash available to resolve.
Step 6 – The Best Way Out and the Future. Your company name and reputation are important, and these bad actors absolutely know this. They are counting on a lax security posture and a desire to keep things hushed to guarantee a payday. This is not helped with the knowledge that companies hit with ransomware have almost a 50% chance of a repeat attack occurring in the very near future. In fact, in one story from the trenches, a security officer recalled how once after paying a ransom and data was decrypted as promised, at the end of the decryption an unknown icon was left on the screen of the impacted user (where the whole infection started). Being curious the user double-clicked on the icon, triggering a second encryption subroutine on the machine and data was once again encrypted!
So what do you do? How do you prevent the decryption of your data, the threat of exposure of your data to enforce payment and the possibility of a repeat offense?
A strong security posture would be the best start. Working with a next-gen solution is the best option you could leverage in your environment. Zero-trust combined with zero-time is the perfect intersection of security, and that’s where Deep Instinct steps in. We thrive in the realm of the unknown threat to keep your environment safe from bad actors and their terrifying ransomware.
Deep Instinct, we prevent what others can't find