Understanding & Surviving Ransomware
By Professor John Walker
Professor John Walker PGCert FRSA CFIP
Expert Witness, Digital Forensics & Training
What is ransomware?
Ransomware may be defined as:
‘An adverse logical condition with the inbuilt technological objective of compromising a targeted asset(s) to deny the legitimate user(s)/owner(s) access to the contents stored thereon’
There are broadly two types of Ransomware Agent:
- File Ransomware: This type of agent will encrypt the files but leave access to the host computer.
- System Level Ransomware: System Level Ransomware will lock the entire system and deny the authorised user access to the host.
How is ransomware delivered?
Email: The most effective delivery method is, of course, sending the malicious object by email, which offers a high potential hit rate; all that then remains is to socially engineer the recipient into supplying the last element of the Attack Chain, the ‘Click’.
USB Based Delivery: Where the organisation allows USB keys to be introduced to an endpoint asset, there will always be the potential for a malicious component to be introduced, in this case Ransomware. As an example of the dangers posed to the integrity of Digital Assets, consider the following real-life event, which impacted the entire operations of an Outer-London based SME.
The Event: As users arrived at their place of work early one morning, some individuals noticed a USB key lying in the car park. Unbeknown to them, however, they were not the only ones to make such a discovery. Each USB key carried various labels on the outside to act as a Social Engineering Component, marked as, but not limited to:
- Pay Grades
- Julie – Pictures from Holiday
- Executive Salary Increases
- Sensitive Business Files
- New Year Promotions
Spam: There are occasions when it is necessary to look back in order to understand where we have arrived. For many years Spam (unsolicited email) was tolerated as a nuisance; in fact, just over ten years ago I presented a paper to the House of Lords Technology Committee on the potential threats such communications carried. However, at that time one senior member of the committee stressed with force that Spam carried no threats and could be ignored as presenting zero danger. Again, my counter-argument was that it was a dangerous conduit into the enterprise. Here we are in 2021, now realising that the toleration was a mistake and that Spam was more dangerous than was thought!
Network: At the Network level we face many challenges where Ransomware is concerned, such as the existing dangers of the combination of PowerShell and Windows Domain Controllers.
Proactive Defence:
The best-practice method of applying defence in any circumstance of adversity is to be in a position of preparedness, so:
Be Proactive [Before the Fact]
- Ensure that all important files are backed up [not forgetting Home/Mobile Users] at agreed intervals
- Conduct periodic tests of backups to ensure they are working as expected, and may be recovered
- Consider using a write-protected, secure, encrypted FIPS 140-2 drive; an example is the iStorage NCSC Certified Drive range
- Ensure that all system Updates and Patches are in place
- Maintain Anti Malware/Virus applications in a current state
- Self-Training – ‘if I don’t know it, don’t click it’ [NLP Strapline]
- Ignore those unexpected, unsolicited calls about your ‘detected errors’
- Where possible – deploy USB Controls
- Educate Users – Build that Human Firewall [again, not forgetting Home/Mobile Workers]
- Maintain Data Asset Registers – know your Critical and Sensitive Data Assets
- Deploy Infrastructure based Robust Backup Systems
- Where practical, create a SOC (Security Operations Centre)
- Evolve a CSIRT (Computer Incident Response Team, i.e. a First Responder Team)
- Ensure that the teams who are expected to respond to such incidents are fully trained, and equipped with an adequate, up-to-date toolset
- Have up-to-date Policies deployed
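The two backup points above (back up at agreed intervals, and periodically test that the backups can actually be recovered) are easy to state and easy to get wrong: a backup job that reports success says nothing about whether the restored files are intact. The following is an added worked example, not code from the original article: it records a SHA-256 manifest of the live files at backup time and later checks a restored tree against that manifest, reporting files that are missing, altered or unexpectedly present. All file names, contents and function names are my own constructions inside a temporary directory; nothing here touches a real backup system.

```python
"""Added example: manifest-based verification of a restored backup.
The demo builds its own files in a temporary directory; no real backup
system is involved."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB blocks so large backup sets are not read into memory at once


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed block by block."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Diff the manifest taken at backup time against one taken after restore.
    missing: backed up but not restored
    changed: restored with a different digest (corruption, or encryption by a ransomware agent)
    extra:   present after restore but never backed up (e.g. dropped note files)"""
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    changed = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not (missing or changed)}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Hash the restored tree and compare it with the stored manifest."""
    return compare_manifests(manifest, build_manifest(restored))


def demo() -> dict:
    """Constructed scenario: three files are 'backed up', then a restore is
    simulated in which one file comes back corrupted and one is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "hr").mkdir(parents=True)
        (live / "accounts.xlsx").write_bytes(b"quarterly figures")
        (live / "hr" / "pay_grades.docx").write_bytes(b"grade table")
        (live / "readme.txt").write_bytes(b"hello")
        # The manifest would be stored with the backup, ideally on write-protected media.
        manifest_json = json.dumps(build_manifest(live), indent=1)

        restored = Path(tmp) / "restored"
        (restored / "hr").mkdir(parents=True)
        (restored / "accounts.xlsx").write_bytes(b"quarterly figures")         # intact
        (restored / "hr" / "pay_grades.docx").write_bytes(b"\x8f\x12garbage")  # corrupted
        # readme.txt is deliberately not restored
        return verify_restore(json.loads(manifest_json), restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the demo reports `readme.txt` as missing and `hr/pay_grades.docx` as changed, so the restore test fails even though every file the job touched was written. Keeping the manifest on the write-protected media the article recommends means an agent that encrypts the backup volume cannot also rewrite the record of what the files should hash to.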
Response (Reactive):
In the Reactive Mode, consider the following steps:
First Response reaction [After the Fact]
- Stop and think – do not be driven to an uncalculated response
- Do not turn the computer off
- If you must terminate the Network Connection, pull the cable – not forgetting WiFi
- Record the displayed screen – [camera, phone etc] – this is a key Artifact
- Do not respond to, or pay any demands
- Report the Incident to your IT Team, Service Desk, and CSIRT [await advice]
- Whilst waiting, assess the Data Impact – e.g., potential PCI-DSS or GDPR exposure
- Confirm the last backup status – and assess the potential for recovery from the held images/files
- If you have no Service Support, use another off-network system [e.g., PC] to investigate the implications
- Home User – Report this as an incident to the Police; they may not always be interested, but this incident is a CRIME
- Business Users – Record this as a Security Incident, and Educate Users; feed it into the extended SOC for the purpose of Situational Awareness Alerting
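Two of the reactive steps above, assessing the Data Impact and investigating from a separate off-network system, both depend on a quick answer to the question "which files has the agent actually touched?". The following is an added worked example, not code from the original article, of a triage pass over a copied file tree on an off-network machine. It combines two signals per file: Shannon entropy, and whether the file still begins with the header bytes its extension promises. The second signal matters because compressed formats such as docx, xlsx, zip and jpg are high-entropy by nature, so entropy alone over-counts them; an intact header is what distinguishes "compressed" from "encrypted". The magic-byte table, thresholds, sample files and function names are my own constructions.

```python
"""Added example: offline impact triage of a copied file tree.
Sample files are constructed in a temporary directory."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Header bytes each extension should begin with (a small, constructed table).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, name: str) -> str:
    """Verdict for one file's bytes and name:
    intact                     known type, expected header present
    header-mismatch            known type, header gone (likely encrypted in place)
    unknown-type-high-entropy  unrecognised extension, near-random content (e.g. renamed)
    low-entropy                unrecognised extension, plainly structured content"""
    ext = Path(name).suffix.lower()
    if ext in MAGIC:
        return "intact" if data.startswith(MAGIC[ext]) else "header-mismatch"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "unknown-type-high-entropy"
    return "low-entropy"


def triage(root: Path) -> dict:
    """Walk root and bucket relative paths by verdict. The union of
    header-mismatch and unknown-type-high-entropy is the likely-encrypted
    set to cross-check against the Data Asset Register when scoping impact."""
    buckets = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict = classify(p.read_bytes(), p.name)
            buckets.setdefault(verdict, []).append(p.relative_to(root).as_posix())
    return buckets


def demo() -> dict:
    """Constructed tree: two intact documents, one document whose header has been
    overwritten, one renamed '.locked' file of random bytes, and one plain text note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"PK\x03\x04" + os.urandom(4096))
        (root / "invoice.pdf").write_bytes(b"%PDF-1.7\n" + b"1 0 obj <<>> endobj\n" * 50)
        (root / "minutes.docx").write_bytes(os.urandom(4096))         # header gone
        (root / "payroll.xlsx.locked").write_bytes(os.urandom(4096))  # renamed, random
        (root / "notes.txt").write_bytes(b"Meeting moved to Tuesday.\n" * 20)
        return triage(root)


if __name__ == "__main__":
    for verdict, files in demo().items():
        print(f"{verdict}: {files}")
```

The demo places `report.docx` and `invoice.pdf` in the intact bucket despite the docx being high-entropy, flags `minutes.docx` because its zip header is gone, and flags `payroll.xlsx.locked` because its extension is unknown and its content is near-random. The result is a heuristic, not proof: a legitimately compressed file with an extension outside the table will also land in the high-entropy bucket, which is why the verdicts should be read against the Data Asset Register rather than acted on blindly.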
Conclusion
To conclude, it may be an accepted opinion that the threats posed by Ransomware are significant and regular, and, it would seem, able to overcome even the most stringent of supposed Cyber Security Postures. It may further be concluded that, such is the success and financial gain for the practising criminal actors, this is not a digital threat that will disappear any time soon.
The time has come in which all individuals, SMEs, Corporates, Government Agencies, and any other member of the Digital Generation who seeks Electronic Survival will have to start practising a posture of pragmatic and meaningful Defence in Depth to achieve the desired level of protection. We have arrived at a digital juncture that embraces Digital Transformation and Zero-Trust in an age that is anything but digitally secure. It is time to take Cyber Security and the Ransomware Pandemic seriously at the pragmatic level, and to move into a mindset that is focused on security rather than on buzzwords that imply a state of total zero-trust is achievable.