Recently, a number of Rapid7's customers have been evaluating the risks posed by the swift rise of ransomware as an attack vector. Today, I'd like to address some of the more common concerns.
What is Ransomware?
Cryptowall and Cryptolocker are among the best-known criminal ransomware packages today. In most cases, users are afflicted by ransomware by clicking on a phishing link or visiting a website that is either compromised or is hosting a compromised advertising network. While ransomware is usually associated with Windows PCs and laptops, there have been recent reports of new ransomware on Apple OS X called KeRanger.
Ransomware works by encrypting files that the user has access to, which is usually their local documents. However, some ransomware variants can target and encrypt files on mapped SMB drives as well. Once encrypted, the user is alerted with instructions on how to obtain the recovery key, typically for the price of $300-$500 equivalent in Bitcoin. Some attacks, however, are enterprise-centric and demand much more; the Hollywood Presbyterian Medical Center reportedly paid over $17,000 to a criminal enterprise to recover its encrypted data.
How Can I Avoid Ransomware?
Ransomware attacks happen similarly to other malware-based attacks. User education is the first line of defense -- people should not click suspicious links or visit websites that are known carriers of malvertising networks. In the event the user encounters a live link to a ransomware download, web-based threat prevention, email-based threat prevention, and application sandboxing can all help avoid infection.
In addition, enterprises can harden their user-based infrastructure preemptively by following some baseline cyber hygiene as described in Jason Beatty's blog post. Of special interest is the enforcement of role-based access control; all too often, organizations accrue "access cruft," where users inherit permission sets that are far too broad for their normal job functions as temporary access grants accidentally become permanent access grants. By limiting user access across network resources, the damage incurred by the compromise of a single user can be effectively contained.
I've Been Hit! How Can I Recover?
In the event a user or enterprise falls victim to a ransomware attack, the best solution is to treat the event as any other disaster: restore the lost data from backups, conduct an investigation into how the disaster occurred, and educate the users involved on how to avoid this disaster in the future. As of today, there is no known method for recovering lost data without cooperating with the criminals responsible for the ransomware.
Of course, backing up valuable data before an attack is critical in order to recover from this kind of attack. Backup schedules can vary widely between people and enterprises, many backup plans are implemented but remain untested, and the appearance of ransomware seems to have dramatically increased the chances of a data loss disaster. IT administrators who are concerned about ransomware affecting their users should investigate the relevance and reliability of their existing backup solutions, and weigh the costs of a sudden loss of data against the cost of more robust and frequent backup plans.
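One way to test a backup plan for the relevance and reliability discussed above, as an added example that is not part of the original post: record a hash manifest when the backup is taken, then run a trial restore and check it for stale, missing, and altered files. The function names, the 24-hour age limit, and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's relative path to its SHA-256, recorded at backup time."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def check_backup(manifest, backup_time, restore_root, max_age_hours, now):
    """Return findings; an empty list means the restore test passed."""
    findings = []
    age_hours = (now - backup_time) / 3600
    if age_hours > max_age_hours:
        findings.append(f"stale: backup is {age_hours:.0f}h old, limit {max_age_hours}h")
    for rel, expected in sorted(manifest.items()):
        restored = os.path.join(restore_root, rel)
        if not os.path.isfile(restored):
            findings.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            findings.append(f"altered: {rel}")
    return findings

def demo():
    """Constructed sample: three files backed up; the restore loses one and alters one."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in (("a.docx", b"report"), ("b.xlsx", b"budget"), ("c.txt", b"notes")):
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        for name, data in (("a.docx", b"report"), ("b.xlsx", b"\x8f\x02garbage")):
            with open(os.path.join(dst, name), "wb") as f:
                f.write(data)
        now = time.time()
        return check_backup(manifest, now - 72 * 3600, dst, 24, now)
```

An "altered" finding on a trial restore is worth investigating before an incident, since it means the backup no longer matches what was recorded when it was taken.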
That Didn't Work. Should I Pay?
In most areas of crime, paying blackmail or ransom demands is counterproductive. It funds criminal enterprise directly and encourages more blackmail and ransom activity for both the original victim and future victims.
However, even the United States FBI seems to be advising people that, given no other disaster recovery alternative, victims may want to consider paying for recovery. In October of 2015, Joseph Bonavolonta of the FBI admitted, "To be honest, we often advise people just to pay the ransom." This position was later clarified: victims should only consider paying when there is no other recourse, such as recovering from backups.
The criminal enterprises running ransomware campaigns today are remarkably organized, and can even be considered helpful when it comes to getting their victims in a position to pay the ransom, nearly always via Bitcoin transactions. There is significant "victim support" built into these campaigns that walks users through the process of acquiring Bitcoin and ensuring that recovery is actually possible once they are paid. That said, these organizations are criminal, after all, and operate across international borders. It would appear that they are making good on their offers to decrypt the data held hostage, but there is absolutely no guarantee that they will continue to do so.
While ransomware represents the latest trend in drive-by, opportunistic malware, it is avoidable and containable by following fundamental security and disaster recovery best practices. Encouraging secure habits in an enterprise's user base is the cornerstone of avoiding the problem in the first place. Enterprises struck by ransomware are urged to treat the event as they would any local disk disaster: restore from backups, conduct a post-mortem investigation into how the disaster happened, and take the lessons learned to become more resilient in the event of future disasters.