Since 1999

 

9 minutes estimated reading time.

Paying Ransomware is Harmful: Invest in proactive defense instead.

The headline of the day is Ransomware Hackers Demand $70 Million In Bitcoin, Claim Massive U.S. Attack As Biden Investigates Possible Russian Involvement (forbes.com). This is only the latest in a string of increasing attacks both in number of victims and the size of ransom demands. It shows the weakness in the software and services supply chain used for IT management and more. The lessons will come to light as more details emerge. However, in many ways we do not need the details from how this exact attack happened. We need to look at motivations and preparedness.

My view of the best way to handle the ransomware threat are most succinctly stated in the words of Robert Goodloe Harper:

| Millions for defense, but not one cent for tribute.

He was referring to the diplomatic situation known in history as the XYZ Affair during the term of President John Adams. The gist of the situation was the demand for a bribe for an outcome that the fledgling United States wanted. President Adams worked to expand the military power instead of paying as a form of national defense. Not many years later the mantle was taken up by President Thomas Jefferson to deal with the growing threat faced at the hands of the Barbary Pirates who demanded tribute from the United States in order to keep them from attacking American shipping. Instead, the United States built and deployed the Navy to take the fight to them rather than provide financial incentives to the bad actors.

How should we think about this as members of the private sector however. What is reasonable for a private organization to do to defend ourselves with the understanding that we are not sending our own private navies overseas to get the bad guys. The answer is simple but not easy. Don’t pay the ransom under any circumstances!

I can already hear the naysayers chime in with BUT! BUT! Frank!

  • private non-software companies don’t know how to do security!!!
  • Service providers prioritize cutting costs over security!
  • If [BIG TECH COMPANY] can’t get this right then what chance do we have?
  • But we are down now and we have to restore service and to do so is the most cost effective solution.
  • etc, etc

Maybe in the extremely short term but in the long term this is the path to an extremely negative environment where no one is safe and quite frankly this is the path to heavy regulation if the private sector doesn’t get its act together.

I get it, maybe you have to pay the ransom. It means you were not prepared to defend against a threat that is known ahead of time and has a finite set of countermeasures that can drastically reduce your risks. If you do so that should be the most shameful decision your organization ever has to make and you should know that you have made yourself, your customers, and every other organization that could become a victim less safe in the future. It is better to be prepared with an effective defense.

Ransomware is not a new phenomenon. It has existed in theory as long as computer viruses could employ public key cryptography to encrypt a lot of data with a key that only the bad guy has. However, what has changed is the financial incentives when the victims pay instead of wiping their systems and rebuilding and an increasingly networked infrastructure.

Primary Vectors for Ransomware Infiltration

In my recent article Top 5 Cyber Security Self-Defense Tips for Businesses with Custom Applications , I noted that most ransomware attacks are not all that sophisticated in theory. Software gets executed as a user with permissions to overwrite files.

What the malicious ransomware does with your files is limited by the laws of physics the capabilities given to the user credential that the code is executing as. This means that the ability of the ransomware to read, overwrite, and delete data is limited by the credential’s permission to do so.

Let’s think briefly about infiltration, data disposition (including if it can be stolen), and countermeasures.

Infiltration Vectors

The three main methods that code seems to get executed are:

# Name Description
1 Internal An person with authenticated access to your system responds downloads and runs malicious code
2 Credential Theft A malicious person obtains the credentials of a user of your system and uses those credentials to access and run code
3 Software Supply Chain A software dependency of your software is compromised and you pull that code down as an update and it can then execute or be deployed within your org or distributed to your customers

Data Disposition

Once the ransomware executes, depending on the capabilities granted to the user context under which it is run, it may do any of these activities:

# Name Description
1 Encrypt & Overwrite Read a file, encrypt it with public key cryptography, and overwrite that file
2 Destroy Backups Search for and delete/encrypt backups
3 Exfiltrating Transmit the data over the network to an external location in the malicious actor’s control

Most ransomware uses a public/private key encryption technique that allows the software to encrypt large amounts of data that can only be decrypted with a key that never had to be present on the victim computer. This is the same technology that we use every day to protect good people with TLS security and more, but it is being leveraged by the malicious actors in this case. An observation though is that the data doesn’t have to actually be transmitted anywhere for this to work.

Please note that I specifically said any of these. The ransomware need not do all of these activities. In fact, many might simply do Encrypt and Overwrite. Some might do Encrypt, Overwrite, and Destroy Accessible Backups. This means means that it is entirely possibly that the malicious party does not have your data themselves. However, you wont know this unless you have a very mature logging system in place that can catalog how much and what data was transferred. For all practical purposes you may have to assume that your data was exfiltrated but my point is it may not be the case in your situation.

Countermeasures via the Lense of Threat Actor / Capability Threat Modeling

Now that we have talked about reasonable counter measures.

Infiltration Data Disposition Counter Measures
Internal Encrypt & Overwrite
  • Limited permission to read, write, and overwrite
  • Versioned file system that keeps copies of data after overwrite
  • Automated 3-2-1 backups
  • Additional countermeasures left as an exercise for the reader.

Please note that antivirus is generally not effective at stopping these threats.

Internal Backup Destruction Same as above!
Internal Exfiltration
  • Logging and monitoring of file read and data transmit rates
Credential Theft Encrypt & Overwrite
  • Multi-factor authentication for authentication
  • Cryptographic-based authentication for remote access, such as key-only SSH access instead fo username and password auth.
  • Anomaly detection, new session with an unrecognized device, and other detection tools
  • Limited permission to read, write, and overwrite
  • Versioned file system that keeps copies of data after overwrite
  • Automated 3-2-1 backups
  • Additional countermeasures left as an exercise for the reader.
Credential Theft Backup Destruction Same as for Internal user!
Credential Theft Exfiltration Same as for Internal user!
Supply Chain Encrypt & Overwrite
  • Software dependency management and upgrade processes
  • Monitoring for known CVES
  • Strong automated test coverage to exercise software
  • Additional countermeasures left as an exercise for the reader.
Supply Chain Backup Destruction Left as an exercise for the reader.
Supply Chain Exfiltration Left as an exercise for the reader.

What I’ve done in this section is a quick and dirty threat actor / capability threat modeling exercise. It is not meant to be absolutely comprehensive but instead to show you a pattern to follow. Notice however that upon a little reflection that the countermeasures to face the insider threat are substantially similar to what is needed to stop the outsider threat.

Most ransomware attacks need little more than to have the malicious actor log in remotely with a username and password that was stolen with credential theft and then they have unfettered access to the victim’s network.

An astute reader / threat modeler will quickly notice that protecting against many of these scenarios drive to the exact same counter measures:

  1. Control/monitor remote access
    • Keys NOT just usernames and passwords
    • Network level limitations acceptable as a defense in depth, but not replacement for keys
    • Monitor network traffic to detect if data actually left the network in any volume if possible
  2. Limit permissions following the principle of least privilege
    • Can users be restricted from deleting?
    • At least have different permissions on different systems on the network so that a user on one system cannot overwrite network shares not belonging to them
  3. Effective, redundancy in storage and backups
    • Local copy on different system from the data being backed up
    • Offsite copy for restoration in case of disaster
    • Immutable versioning that lives for a sufficient amount of time

Conclusion

My hope is that you and your organizations will start thinking holistically about the ransomware threat from the standpoint of your preparedness. Defense is not easy and it is not cheap. But it is worth it. Set your mind that you will not pay the ransom and go about ensuring that you systematically have defenses in place.

Control access to your network by turning on security features even if your users protest. It is far better to require a cryptographic smart card for the remote access to work than to depend upon username and passwords alone. Smart cards cannot be phished and they cannot be remotely stolen by the bad guys! Search for “certificate authentication [your vpn software]” and follow the instructions to lock it down so that only computers with a valid certificate can connect remotely.

Then you need backups and you need to test them regularly, at least annually. I recommend looking at CrashPlan Pro for most small businesses and BackBlaze for families. Both of them have articles on setting up a 3-2-1 backup strategy:

For your cloud-based servers and resources, ensure that backups are enabled when available and that you have a sensible retention period long enough to be able to restore in the event of attack.

Practice restoring your data periodically, at least annually.