Ransomware: Beware the Users, & Other Things As Well

By Christopher Folk (LAW ’17)

Various media outlets have reported a dramatic rise in ransomware attacks, and The New York Times reported that the most recent attacks impacted more than 200,000 machines running the Windows operating systems (OS) across 150 countries.  The Times article posits that hospitals, academic institutions, and technology companies were targeted during this cyberattack. The article goes on to state that it is likely that exercising caution while online may have prevented the malware from infiltrating and infecting the networks from the outset. 

“One would think that the concept of security updates and remaining current with patches would be a no-brainer—clearly that is not the case.”

While the malware has been identified as a “WannaCry” variant, it seems a security update was made available by Microsoft nearly two months ago, according to the article.  Thus, here we see a double-whammy: 1) administrators were not timely in rolling out updates; and 2) users clicked on or opened e-mails which facilitated the spread (this second point is contentious because some security vendors dispute whether or not the payload was delivered using a typical phishing scheme).

What Now?

Ultimately these ransomware attacks typically seem to come down to user behavior.  While IT professionals can implement policies and procedures to ensure that patches and security updates are applied regularly, it is the user who can make or break nearly any policy or procedure. Until artificial intelligence takes over and heuristics rule the day, we will continue to see successful (and yet rudimentary) attacks. AI and heuristics may help in the future, but they won’t help in the here and now. However, the following might: there are procedures that companies and individuals can implement to limit the damage that ransomware can inflict and hopefully avoid paying a ransom for the return of their un-encrypted data.

One would think that the concept of security updates and remaining current with patches would be a no-brainer—clearly that is not the case.  Therefore, “step zero” is to stay on top of this and ensure that all of your computing devices are using the latest supported versions with the latest patches and security updates applied. A standard user then should then practice good “cyber hygiene”: do not click on or open emails from unknown senders and do not click links in e-mails unless they are from a trusted source or do not exhibit any of the tell-tale signs of questionable emails: misspellings, poor grammar usage, a odd-looking link that points to an unknown domain, etc. 

It is equally important that users maintain backups of data that are in traditional backup format and ideally streamed to the backup device so that the backups themselves stay beyond the reach of ransomware. However, as I found in my previous career, a backup is only as good as the restore, and all too often restores are not fully (if at all) tested—and this creates a terrible scenario.  Ideally, a user would have a full-scale disaster recovery (DR) plan; however, these are largely beyond the expertise of the typical user and even some businesses. Without a DR plan both created and tested, companies will continue to find themselves victims of ransomware. To mitigate risk, they will often decide to pay rather than test their restore capabilities for the very first time.

The Takeaways

  • Know thy sender: if you aren’t certain an email is from a trusted source, delete it rather than opening. 
  • The same goes for any links you are sent: type the address to the domain yourself rather than clicking a link you aren’t sure of.
  • Updates and patches: turn on automatic updates, download and install the latest security updates, and check manually on a regular basis to ensure those “automatic” features are working.
  • Backup: if it is worth saving, it is worth backing up.  Don’t forget that with the technological advances of handheld devices, you should ensure that those are backed up as well.
  • Restore: test your restores, make sure you can restore a file, a folder, and an entire device.  Sometimes a “bare-metal restore” is the only option to make sure you can bring your data back online with an entirely new device.

http://blog.cybersecuritylaw.us/2017/05/16/ransomware-beware-the-users-and-other-things-as-well/

Christopher Folk earned his J.D. from Syracuse Law and his CAS in National Security and Counterterrorism Law from INSCT in 2017.