How to Stop Ransomware Attacks like Petya and WannaCry
On Friday, May 19th the world woke up to one of the biggest cyberattacks in history. The WannaCry ransomware attack spread like wildfire through vulnerable Windows machines across the globe late last week, infecting over 230,000 machines in 150 countries and blocking users from their data unless they agreed to pay approximately $300 in Bitcoin.
The attack’s spread finally slowed when security researcher MalwareTech accidentally discovered a killswitch for the malware by registering a domain for a DNS sinkhole found in the virus’s code, but by then the damage was already done.
Now, another attack is ripping through the world’s unsecured and unpatched systems using the same exploit as WannaCry. This new malware, known as “Petya”, has quickly spread throughout the globe, infecting multiple large companies including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk. These attacks, among others, have made one thing abundantly clear: ransomware is the number one cyber threat to businesses in 2017 and for the foreseeable future.
The situation is serious: hackers have been known to request ransoms of up to $73,000 per attack. With numbers like that, it’s unsurprising that ransomware payments totaled over $1 billion in 2016, skyrocketing from just $34M paid in 2015.
And Bitcoin payoffs aren’t the only cost of an attack. The cost of disinfecting machines, stabilizing systems and restoring data often dwarfs the initial ransom. What’s worse, it could be days or even weeks after an attack before your network is fully operational. That makes prevention and preparation for ransomware attacks a worthwhile investment.
So what’s the best way to make sure your organization is prepared to fend off ransomware stick-ups?
In a pertinent blog post from April, Identity Automation’s Scott Kortright laid out a few best practices for preventing ransomware infections, and limiting the damage it can do once inside:
- Have a plan. Ransomware is a system of shock and awe. Your attackers are relying on you to panic and give them what they want. For that reason, it’s important to have a plan in place detailing the actions your organization will take in the event of a ransomware attack.
- Back up your data. Your data should be backed up on a daily basis. The 3-2-1 principle is a good rule of thumb here: keep at least three copies of your data, store them on at least two different storage types (cloud and on-premise, for example), and keep at least one copy offsite. You don’t have to pay them to get access to what you still have.
- Educate your users. Phishing emails are the most common method of ransomware distribution, so it’s important to teach your users how to identify suspicious emails and links. You can even go the extra mile and send your users simulated phishing emails, which will help you identify your most at-risk users.
- Maintain strong perimeter defenses. Anti-malware and anti-virus (AV) are your first line of defense against ransomware, and good ones will be able to detect and stop many ransomware variants. However, it’s unwise to rely solely on AV defenses, as they can easily be subverted by the newest malware variants.
- Block ads. Malvertisements are a standard method of distributing ransomware, and let hackers target based on location, demographics, browsing habits, and more. You can lower your risk of infection by using adblockers to keep ads from being served to your users.
- Patch, patch, patch. When it comes to ransomware, every day is patch Tuesday. Out-of-date applications and operating systems are a favorite target of ransomware attacks—there are several variants of ransomware targeting outdated versions of Flash and Silverlight—so keep your apps up to date.
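The 3-2-1 rule above is easy to state and easy to drift away from, so it is worth checking mechanically against whatever inventory your backup tooling exports. The following is an added example (not code from the article or from Identity Automation): a small checker that evaluates each data set against the three-copies, two-storage-types, one-offsite rule and the daily-backup requirement. The inventory, data set names and storage types are constructed for the example; the live production copy is listed as one of the copies, which is how the rule is usually counted.

```python
"""Check a backup inventory against the 3-2-1 rule and a daily-backup window.

Added example with a constructed inventory; the dataclass fields stand in for
whatever your backup system actually exports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    dataset: str            # which data set this copy belongs to
    storage_type: str       # "disk", "tape", "cloud", ...
    offsite: bool           # held at a different physical site?
    completed_at: datetime  # when this copy was last completed


def check_321(copies, now, max_age=timedelta(days=1)):
    """Return {dataset: [problem, ...]}; an empty list means the rule is met.

    Rule: at least 3 copies, at least 2 distinct storage types, at least 1
    offsite copy, and the newest copy no older than max_age (daily backups).
    """
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for name, cs in by_dataset.items():
        problems = []
        if len(cs) < 3:
            problems.append(f"only {len(cs)} copies (need at least 3)")
        storage_types = {c.storage_type for c in cs}
        if len(storage_types) < 2:
            problems.append(f"only one storage type ({', '.join(storage_types)})")
        if not any(c.offsite for c in cs):
            problems.append("no offsite copy")
        age = now - max(c.completed_at for c in cs)
        if age > max_age:
            problems.append(f"newest copy is {age.days} days old (limit {max_age.days})")
        report[name] = problems
    return report


# Constructed sample inventory: one compliant data set, one that fails every check.
NOW = datetime(2017, 6, 28, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    BackupCopy("finance-db", "disk", False, NOW - timedelta(hours=6)),   # live copy
    BackupCopy("finance-db", "tape", False, NOW - timedelta(hours=6)),
    BackupCopy("finance-db", "cloud", True, NOW - timedelta(hours=5)),
    BackupCopy("hr-share", "disk", False, NOW - timedelta(days=3)),      # live copy
    BackupCopy("hr-share", "disk", False, NOW - timedelta(days=3)),
]


def sample_report():
    """Run the checker over the constructed inventory."""
    return check_321(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    for name, problems in sample_report().items():
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{name}: {status}")
```

The offsite check matters more than it looks: a copy that sits on a share the infected machine can write to is encrypted along with everything else, so the one copy that is offsite (or otherwise unreachable from the network) is the one that actually lets you decline to pay.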
The principle of least privilege access
The tips above will get you on the right path, says Kortright, but it’s important not to overlook the ways that modern Identity and Access Management (IAM) tools can help prevent and minimize the success of ransomware attacks.
One way to see the benefit of IAM is to think about the principle of least privilege access, says Kortright. That principle recommends that organizations limit access to applications and data to those who need it, when they need it.
However, for organizations still manually provisioning access requests, that’s easier said than done. In most IT environments, users have more access than they should—especially administrative accounts.
“When manually provisioning access, human error is a fact of life,” Kortright explains.
“Accidental over-assignment of permissions, access granted to improper data—these things happen, and they make hackers’ jobs easier. A robust IAM solution will prevent this kind of access creep by ensuring the consistent application of rules and policies across your organization.”
Privileged Access Management (PAM) capabilities, such as time and location-based access controls, will help implement least privilege and minimize your ransomware attack surface. After all, hackers can’t demand ransom if they can’t get access to your critical systems.
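Both points above (the access creep Kortright describes, and the time- and location-based controls PAM adds on top of least privilege) come down to the same thing: permissions are derived from policy rather than hand-assigned, and privileged ones carry conditions. The following is an added example, not code from the article or from any Identity Automation product. It models role-based entitlements with default deny, flags directly assigned permissions that no role entitles (the over-assignments a policy-driven system would revoke), and evaluates a privileged request against a working-hours window and an allowed network zone. All role, permission and zone names are constructed.

```python
"""Least-privilege policy evaluation with access-creep detection.

Added example; roles, permissions and network zones are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Role -> permissions the policy grants. Anything not listed is denied
# (default deny), so a permission a user holds outside this map is creep.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing:read", "ticketing:write"},
    "dba": {"db-prod:read", "db-prod:admin"},
}


@dataclass(frozen=True)
class Constraint:
    """Extra conditions a privileged permission must satisfy (PAM-style)."""
    start_hour: int      # inclusive, local time
    end_hour: int        # exclusive
    networks: frozenset  # zones the request may originate from


# Only privileged permissions carry constraints; ordinary ones need entitlement only.
CONSTRAINTS = {
    "db-prod:admin": Constraint(8, 18, frozenset({"corp-lan"})),
}


def entitled_permissions(roles):
    """Union of everything the user's roles grant."""
    perms = set()
    for role in roles:
        perms |= ROLE_ENTITLEMENTS.get(role, set())
    return perms


def find_access_creep(roles, assigned):
    """Permissions a user actually holds that no current role entitles."""
    return set(assigned) - entitled_permissions(roles)


def authorize(roles, permission, when, network):
    """Decide one access request; returns (allowed, reason)."""
    if permission not in entitled_permissions(roles):
        return False, "not entitled by any role"
    constraint = CONSTRAINTS.get(permission)
    if constraint is None:
        return True, "entitled; no extra constraints"
    if not (constraint.start_hour <= when.hour < constraint.end_hour):
        return False, f"outside allowed hours {constraint.start_hour}-{constraint.end_hour}"
    if network not in constraint.networks:
        return False, f"network {network!r} not allowed for this permission"
    return True, "entitled; time and location constraints satisfied"


def demo_decisions():
    """A few constructed requests, returned so they can be inspected."""
    office_hours = datetime(2017, 6, 28, 10, 0)
    night = datetime(2017, 6, 28, 2, 0)
    return {
        "dba_daytime_lan": authorize({"dba"}, "db-prod:admin", office_hours, "corp-lan"),
        "dba_night_lan": authorize({"dba"}, "db-prod:admin", night, "corp-lan"),
        "dba_daytime_vpn": authorize({"dba"}, "db-prod:admin", office_hours, "vpn"),
        "helpdesk_db_admin": authorize({"helpdesk"}, "db-prod:admin", office_hours, "corp-lan"),
        "helpdesk_ticketing": authorize({"helpdesk"}, "ticketing:read", night, "vpn"),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in demo_decisions().items():
        print(f"{label:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
    # A helpdesk user who was hand-assigned a production DB admin right:
    print("creep:", find_access_creep({"helpdesk"}, {"ticketing:read", "db-prod:admin"}))
```

The creep check is the piece worth running on a schedule: reconciling every account's effective permissions against its roles is what turns "least privilege" from a principle into something you can audit, and each permission it flags is one fewer path a ransomware operator can use to reach a critical system with an account they have already phished.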
In the end, there’s no silver bullet for stopping ransomware attacks, says Kortright, but by following the best practices above and implementing advanced identity and access management solutions, you can put yourself in a much less vulnerable position. It’s your decision, says Kortright: “Invest in security today, or invest in Bitcoin tomorrow.”
Check out this link for related tips on backup and disaster recovery.