Ransomware is a celebrated term today, and the nightmare of any IT department; a position it earned through the devastating nature of the damage it causes. In reality it is the big brother of the traditional computer virus: it sneaks in, spreads and hides itself on your computers in the same way, but the destruction it leaves behind is far greater. Let us revisit some of the ransomware incidents we came across in the past few years: the events that led to the outbreak, the impact, the steps taken to recover and, more importantly, the lessons learned about preventive measures that secure the IT infrastructure or at least minimize the impact. And this happens to be our first blog post!

As we all know, ransomware is a kind of malware that sneaks into your computer through email, downloads, USB flash drives etc., encrypts the data on your computer and demands money (a ransom) for decrypting it. Data on servers and shared folders that the user has access to may also get encrypted, which multiplies the impact. The attackers display a threatening message on the infected computer demanding the ransom in bitcoin in exchange for the data. Properly implemented encryption cannot be reversed without the key, so in most cases even the best data recovery companies in the world cannot help you once the data has been scrambled. Many victims succumb to the threat and pay the ransom, with no guarantee of getting their data back; this is not recommended at all.

With time, ransomware also evolved, gaining the capability to scan the network, plant itself on more computers silently and stay under the antivirus radar. The latest sensation, named 'WannaCry', spreads by exploiting a vulnerability in the Windows SMB service (patched by Microsoft as MS17-010). If one computer on your network is infected with this flavor of ransomware and the vulnerability on your computer is not patched, the chances of your computer getting infected are very high, with no user action required. This peculiarity differentiates WannaCry from its peers and gave it the biggest footprint in the history of ransomware attacks.

What does this look like in practice? Below are case studies of real attacks that our clients came across. Scroll down for a close look at the monster and the painful lessons on IT security.

 

  1. ORGANIZATION #1

A user reported that he was not able to open some files on his computer. On quick inspection, the files on the computer were found to be encrypted. On restart, the computer showed a message asking for ransom, confirming a ransomware attack. Two days earlier, the user had received an email with a malicious attachment with a .scr extension (a Windows screen saver, which is an ordinary executable under a different name). The user opened the file thinking it was related to his work. By the time the computer was isolated from the network, the ransomware had encrypted the files on that computer and many folders on the file server.

The files on the server were restored from the previous day's backup and the user's computer was formatted. Preventive measures such as securing the email gateway and implementing user/application/file restrictions were carried out to prevent similar attacks in the future. All users were immediately notified of the attack, with instructions for identifying and staying away from similar malicious mails.

Analysis: The attack succeeded because it passed each of the checkpoints below:

  1. The email gateway did not detect the malicious attachment.
  2. Antivirus software on the user’s computer did not detect the file or the unusual behavior that followed.
  3. The user permissions on the operating system / domain policy allowed the user to run the malicious program.
  4. The user decided that the mail was legitimate.

 

  2. ORGANIZATION #2

The IT department suspected virus activity when a message appeared on all the computers and the network services stopped working properly. On investigation, the company was found to be in the clutches of a ransomware, with the malware spread to all its servers and many computers. Further investigation showed that the incident was triggered from an external contractor's computer, whose account had administrative privileges on the domain. The malware got in through the contractor's VPN connection to the servers, and before long all the servers were infected. More alarmingly, it was not only the data on the servers that was hit; a lot of operating system files were hit as well, which made recovery impossible without wiping and reinstalling the whole system. Even the backup server had critical system files hit, which killed the restore jobs well before they finished.

In the end, the only solution was to restore the virtual machines from earlier storage snapshots and rebuild the physical machines from scratch. Preventive measures such as limiting VPN access, controlling administrative access and segregating the network were carried out to prevent similar attacks in the future.

Analysis: If we trace the malware's journey into the organization, it passed through the following flaws in the company network:

  1. A VPN connection was allowed from a contractor's computer that was not managed or trusted by the company.
  2. The contractor's credentials had no restrictions. It was a plain administrative account with full access to the company's servers from the VPN network, which was essentially the production network.
  3. The servers had no mechanism (such as application allowlisting) to block unknown or untrusted programs.
  4. The antivirus program on the servers did not detect the threat.
  5. There was no proper network segregation that could have stopped the incident from spreading to all computers.

 

  3. ORGANIZATION #3

One server used for application testing got infected by ransomware, which encrypted most of the files on the server, including some operating system files, and displayed a message asking for ransom. The server was isolated from the network and rebuilt from scratch. Since the server was neither on the production network nor in the domain, the damage was minimal. Later it was found that the server was reachable from the guest WiFi network and had been compromised through a brute-force attack on its login.

Preventive measures such as blocking access from the guest network to the internal network, hardening the servers and re-evaluating the security policies of all internal networks were carried out to prevent similar attacks in the future.

Analysis: The following flaws resulted in the attack:

  1. The guest network (created for important guests, but later opened to a broader user base) had access to servers and printers, mainly for printing. That access was the flaw that led to the problem.
  2. The brute-force attack was neither detected nor blocked on the server: there was no account lockout, rate limiting or alerting on repeated failed logins.
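The detection that was missing in this case can be done from the server's own logon audit trail. The example below is added here and is not code or tooling from the original post or the affected organization: it runs a sliding-window brute-force detector over a handful of constructed Windows-style logon records (event ID 4625 for a failed logon, 4624 for a successful one, the same IDs Windows uses), flags a source address that fails repeatedly, notes whether a successful logon followed the burst, and checks whether the source sits in the guest WiFi range. The log format, the 10.50.0.0/16 guest range, the thresholds and the addresses are all assumptions made up for the example.

```python
"""Sliding-window brute-force detection over logon audit lines.

Added example, not the original organization's tooling. The log lines, the
field layout and the guest network range below are constructed for the
example; real Windows events would be read from the Security log instead.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"   # Windows event ID: an account failed to log on
SUCCESS_LOGON = "4624"  # Windows event ID: an account was successfully logged on

# Assumed guest WiFi range (constructed for the example).
GUEST_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed sample: six failures from a guest address followed by a success,
# then a single typo from a workstation on the office LAN.
SAMPLE_LOG = """\
2017-05-20 10:15:01 EventID=4625 Account=administrator Source=10.50.0.23 Status=0xC000006D
2017-05-20 10:15:03 EventID=4625 Account=administrator Source=10.50.0.23 Status=0xC000006D
2017-05-20 10:15:04 EventID=4625 Account=admin Source=10.50.0.23 Status=0xC0000064
2017-05-20 10:15:06 EventID=4625 Account=administrator Source=10.50.0.23 Status=0xC000006D
2017-05-20 10:15:07 EventID=4625 Account=administrator Source=10.50.0.23 Status=0xC000006D
2017-05-20 10:15:09 EventID=4625 Account=administrator Source=10.50.0.23 Status=0xC000006D
2017-05-20 10:15:12 EventID=4624 Account=administrator Source=10.50.0.23 Status=0x0
2017-05-20 10:20:00 EventID=4625 Account=jsmith Source=192.168.1.10 Status=0xC000006D
2017-05-20 10:20:30 EventID=4624 Account=jsmith Source=192.168.1.10 Status=0x0
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "eid": m["eid"],
        "acct": m["acct"],
        "src": m["src"],
    }


def from_guest_network(src):
    """True if the source address falls inside one of the guest ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in GUEST_NETWORKS)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source that reaches `threshold` failures within `window`.

    Each alert records the failure count, the account names tried (a spread of
    names indicates guessing), whether a successful logon from the same source
    followed the burst, and whether the source is on the guest network.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, account) failures
    active = {}                  # src -> alert dict once the threshold is hit
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["eid"] == FAILED_LOGON:
            q = recent[src]
            q.append((ev["ts"], ev["acct"]))
            while q and ev["ts"] - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if src in active:
                active[src]["failures"] += 1
            elif len(q) >= threshold:
                alert = {
                    "source": src,
                    "failures": len(q),
                    "accounts": sorted({acct for _, acct in q}),
                    "window_start": q[0][0],
                    "success_after": False,
                    "from_guest": from_guest_network(src),
                }
                active[src] = alert
                alerts.append(alert)
        elif ev["eid"] == SUCCESS_LOGON and src in active:
            # A success right after a burst of failures usually means a guess landed.
            active[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

The threshold and window are the two knobs to tune: too low and every user who forgets a password page gets an alert, too high and a slow attacker stays under it. In the case above the useful signal is not only the burst but the successful logon that follows it from a guest address, which is the point at which the server should have been taken off the network.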

 

Now, the key question: how do I keep this uninvited guest outside my gates?

The short answer is that there is no single-point solution that will protect your network from such attacks; there is no 'silver bullet'. Security measures must be implemented at different levels of the IT infrastructure and work in unison to secure the network. Each organization is different, and the measures to be implemented will differ accordingly.

Generally, an organization should evaluate the channels through which attacks can happen, with the help of its IT department or a consultant, and implement security measures for each of those channels.

  1. E-mail attachments

Ransomware and similar malware attacks originate mainly through email. These attacks can be prevented using an email gateway security device that strips or quarantines executable attachments, securing user computers with antivirus/anti-malware solutions, implementing domain-level security policies that stop users from running programs from their mail and temporary folders, and, most importantly, educating users to identify tricky emails.
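What "securing the email gateway" amounts to for the attachment that hit Organization #1 is shown below. This is an added example, not the gateway product used by that organization or any code from the original post: it parses a message with Python's standard `email` module, and for every attachment checks the extension Windows would actually execute (the last one, so `Invoice.pdf.scr` is caught), then checks the first bytes of the content so that an executable renamed to `photo.jpg` is still caught, and quarantines archives for inspection. The sample message, the sender and recipient addresses and the fake `MZ` bytes used as the attachment are constructed here; the list of blocked extensions is a starting point, not a complete one.

```python
"""Attachment screening of the kind an e-mail gateway performs.

Added example, not the original post's gateway. The message below is
constructed for the example and its attachment is a few fake bytes that
start with the PE magic number, not a real executable.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly when double-clicked. .scr (screen
# saver) is a plain PE executable under another name. Starting point only.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "hta", "msi", "cpl", "lnk", "jar",
}

PE_MAGIC = b"MZ"           # first two bytes of every Windows executable
ZIP_MAGIC = b"PK\x03\x04"  # first bytes of a zip archive


def attachment_verdict(filename, data):
    """Return (verdict, reason) for one attachment: 'block', 'quarantine' or 'allow'."""
    name = (filename or "").strip().lower()
    parts = name.split(".")
    exts = parts[1:] if len(parts) > 1 else []
    # Windows runs the file according to its *last* extension, so
    # 'Invoice.pdf.scr' is a screen saver, whatever the icon suggests.
    if exts and exts[-1].strip() in BLOCKED_EXTENSIONS:
        return "block", f"executable extension .{exts[-1].strip()}"
    # Content check: a renamed executable still starts with 'MZ'.
    if data.startswith(PE_MAGIC):
        return "block", "PE executable content (MZ header) regardless of file name"
    if data.startswith(ZIP_MAGIC):
        return "quarantine", "archive; contents must be inspected before delivery"
    return "allow", "no executable indicators"


def scan_message(raw_bytes):
    """Return [(filename, verdict, reason)] for every attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        verdict, reason = attachment_verdict(part.get_filename(), data)
        findings.append((part.get_filename(), verdict, reason))
    return findings


def gateway_decision(raw_bytes):
    """Collapse per-attachment verdicts into one action for the whole message."""
    verdicts = {verdict for _, verdict, _ in scan_message(raw_bytes)}
    if "block" in verdicts:
        return "block"
    if "quarantine" in verdicts:
        return "quarantine"
    return "deliver"


def build_sample_message():
    """Constructed lure: an 'invoice' whose attachment is a fake PE named .pdf.scr."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"         # constructed recipient
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # not a real executable
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Invoice_2017.pdf.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for finding in scan_message(raw):
        print(finding)
    print("decision:", gateway_decision(raw))
```

Both checks are needed: the extension check catches the common lure before the file is even opened, and the content check catches the attacker who renames the executable. Neither replaces the user-education step, since a document with a malicious macro passes both.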

  2. Internet downloads

Attacks can originate from applications downloaded from untrusted websites that lure users with free applications or services (such as VPN clients). In many cases such applications are bundled with malware. These attacks can be prevented to a large extent by a good firewall that provides content filtering, and by proper user permissions (no local administrator rights, no execution from user-writable folders) that prevent the malware from running even if it is downloaded.

  3. Removable media

Removable storage media like USB flash drives are very convenient for moving data between computers. However, they are also the easiest way to spread viruses and malware. These attacks can be prevented to a large extent by controlling the use of removable storage media through policies (disabling autorun, allowing only approved devices) and user education. A good antivirus/anti-malware solution should also be installed on the computers.

  4. Internal network attack

Attacks can come from guest users/visitors connecting to the internal network through wired or wireless media. Typical examples include guests who want to connect to your network for printing, and contractors who want to access your servers or computers. These attacks can be prevented by separating production and guest networks, segregating the production network, controlling access between VLANs, implementing port security, restricting the use of external/personal devices on the corporate network, updating operating systems and antivirus software regularly through a centralized platform, enforcing device posture checks for BYOD, and using per-user authentication for the corporate wireless network (for example 802.1X with individual credentials or certificates) instead of a single secret password known to all.

  5. External access to company network

VPN and remote desktop access are two other major sources of attack. Unless it is absolutely necessary, do not expose remote desktop access to corporate devices on the internet. Use a VPN instead, with properly defined security configurations and access permissions. VPN access should be provided to a limited set of users, with well-defined access restrictions and, ideally, multi-factor authentication. VPN users should also be educated about securing the computer they use to connect to the corporate network, since that computer becomes part of your network for the duration of the connection.

CONCLUSION

As described above, securing a corporate network from ransomware/malware attacks is a multi-step process that varies with the structure and workflow of each organization. Every organization should assess the channels through which it may face an attack, with the help of its internal IT department or a consultant, and take preventive measures to secure those channels, protecting itself from these threats and the resulting financial and reputational losses.