Last week saw another large-scale ransomware attack on computers worldwide. KeyPass (a variant of the STOP ransomware) started infecting PCs on 8th August 2018 and had spread to over 20 countries at the time of writing this blog.
KeyPass is a fairly typical ransomware attack: it infects a machine, uses the on-board security tools to encrypt and lock up the user's data, and then instructs the user to pay a $300 ransom for the files to be released.
One worrying aspect is that forensic examination of the code shows this ransomware has some new components that could potentially give the attacker control over an infected system after the user data has been encrypted; at this point, though, it is not entirely clear how this might be used or what further impact it might have on the user.
This time around, it doesn't seem to have had the same impact that WannaCry did last year. However, this is more likely down to the composition of the ransomware itself and its delivery network than a sign of improved defences across the global IT estate. It's still early days too: WannaCry was first spotted in the wild in February 2017, but it didn't really hit the headlines until 12th May 2017, when it had reached enough machines to start infecting thousands per hour.
If we use that timeline as a guide, we probably have about 30 days before KeyPass reaches epidemic proportions, so there is time to make some practical changes in your enterprise to protect your users and data from attack, as far as is possible.
Change your data storage policy
One standard piece of cybersecurity advice that we give to all customers, all of the time, can save you from some ransomware attacks altogether.
Don’t store any data locally on your device.
In today’s world of connected computing, there are very few occasions when you are so isolated that you could only access data stored locally on your device.
For customers using Office 365, you already have a significant storage solution in OneDrive for Business, which hosts all of your data in a fully patched, secured and encrypted data vault with redundant backups. You can access this data anywhere you have an internet connection. Using OneDrive for Business, or a similar secure cloud storage solution, as your primary user data drive is the best recommendation.
The same principle applies to solutions where data is stored in your enterprise's private infrastructure, e.g. SharePoint on-premises, provided you have kept it up to date in terms of version and patching.
Don't trust anything that is local to the device, i.e. any USB or network-attached storage, as these could potentially be controlled and encrypted by the ransomware.
The current crop of ransomware attacks is really only effective on PCs and can only encrypt data stored on the device. If there is no data stored on the device (or if you have backups elsewhere), you have no data loss, no business impact and no reason to pay the ransom.
Make sure you have a good backup strategy
In addition to the above, or in place of it, having a good backup strategy in operation is the next best step you can take to protect yourself against ransomware.
Our recommendation for all customers is to do this using a cloud-based solution such as Microsoft Azure, where we can run a storage solution encrypted using the customer's own keys, on a platform that is completely up to date with patches and has great physical and data security. Typically, we would stand up a geo-replicated data store for a customer so that we are doubling down on security and providing additional redundancy, just in case of any evolving threat.
We would recommend this approach for customers that are on-premises and for those using Office 365.
There are no currently known threats that can penetrate Office 365 and interfere with the data stored in a tenancy, BUT this is the logical next step for ransomware as more and more customers adopt cloud-based productivity platforms.
So, under the banner of 'future proofing', we recommend that all customers stand up a backup solution for Office 365 as well. There are a number of great solutions on the marketplace and, again, they are very low cost, much less than building your own DR or backup solution on-premises.
This way, a cyberattack may compromise one platform, but you have an up-to-date duplicate of your data on a separate platform that you can use to stand up a new platform with minimal delay.
Office 365 does some distributed data backups within the platform natively, but restoring the data in the event of an incident is not quick, and there are no SLAs around either the backup or the restoration. A dedicated solution will give you those SLAs and a defined return-to-operations time.
Office 365 Advanced Threat Protection
For customers that are in Office 365, leveraging Advanced Threat Protection is a great way of tackling a range of cyber threats, including ransomware attacks, that are delivered over email.
Advanced Threat Protection, or ATP, uses the cumulative data that Microsoft collects in its Security Graph from the billions of data transactions it manages globally to help identify and quarantine threats. Known threats are siphoned off before they get to the user, with a notification sent to the organisation's admin to advise that a cyber threat has been identified and diverted.
But ATP also has great protection for new, unknown threats. ATP includes an email attachment scanning solution which will explore anything that looks suspicious in email traffic, quarantining it and executing the code in a secure detonation chamber before deciding whether it is safe to send to the user. This way it can be effective against zero-day threats as well as known issues.
Finally, ATP also includes a solution called 'Safe Links', which completes similar pre-checks on web links to make sure you aren't being directed to any websites that might contain threats. All hyperlinks in emails are replaced with a Microsoft-based link to a staging ground on their infrastructure, where users will be able to get the full website content from the original hyperlink if it is safe and allowable.
These features together provide a layer of protection for the organisation and its users, and in practice they are very effective at shielding against the majority of email-based threats.
Updates and patches
Ransomware attacks typically exploit known vulnerabilities in PC operating systems. WannaCry exploited a weakness in a protocol in older versions of Windows, for which Microsoft had actually issued a patch (for all SUPPORTED platforms) in February 2017, just after WannaCrypt had been spotted in the wild.
People who were compromised by WannaCrypt were almost exclusively either not up to date with patching, or using an older, unsupported version of Windows that didn't get a patch issued for it (Windows 8 and XP predominantly).
There are two learnings to take on board here:
- Make sure that you are on a supported version of Windows, which for enterprise would currently be either Windows 7 (SP1), Windows 8.1 or Windows 10 (build 1703 or later). If you aren’t on one of these platforms, you won’t be getting any general security patches and there are likely to be a number of vulnerabilities on your devices that could be exploited by a cyber-criminal.
- Make sure that you are up-to-date with all current patches on these platforms. Microsoft launch patches for these platforms every other Tuesday, so make sure you are getting them and deploying them in a fast and consistent manner.
Security patching is a little like immunisation: it is most effective when the whole herd is immunised. Any devices in the estate that aren't up to date with patches represent an open door into your environment, and gaining access via a single compromised device could give a threat actor access to everything across your estate.
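As an added example (not part of the original post), a PowerShell check that reports whether a device meets the two points above: it compares the running build against the supported versions listed and flags stale patching. The supported builds are the ones the post names; the 30-day staleness threshold is an assumption chosen for illustration.

```powershell
# Added example: check supported-platform and patch-currency status of this device.
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$version = [version]$os.Version
$build   = [int]$os.BuildNumber

# Minimum builds from the post: Windows 7 SP1 (6.1.7601), Windows 8.1 (6.3.9600),
# Windows 10 version 1703 (10.0.15063). Anything below these gets no general patches.
$supported = switch ($version.Major) {
    6  { ($version.Minor -eq 1 -and $build -ge 7601) -or ($version.Minor -eq 3 -and $build -ge 9600) }
    10 { $build -ge 15063 }
    default { $false }
}

Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.Version)
if ($supported) {
    Write-Host "Supported platform: yes"
} else {
    Write-Warning "Unsupported or pre-1703 platform: no general security patches will arrive"
}

# Patch currency: newest installed hotfix. Entries without an InstalledOn date are ignored.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($null -eq $latest) {
    Write-Warning "No dated hotfixes found; verify update deployment for this device"
} else {
    $age = (Get-Date) - $latest.InstalledOn
    Write-Host ("Latest hotfix: {0} installed {1:yyyy-MM-dd} ({2} days ago)" -f `
        $latest.HotFixID, $latest.InstalledOn, [int]$age.TotalDays)
    # Assumed threshold: anything older than 30 days is treated as stale.
    if ($age.TotalDays -gt 30) {
        Write-Warning "Patching appears stale (assumed threshold: 30 days)"
    }
}
```

Run it in an elevated PowerShell session on each device, or via your management tooling, to get a quick view of which machines are the open doors described above.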
Teach your users about cyber threats
One other massive step forward is to make sure your users understand the potential for cyber threats, how to spot them and what to do if they are infected.
This is a reality of modern life, so it makes sense to support people in protecting your organisation's data, and also to help them protect the machines and data they use in their private lives. So many of us now use a PC for family communications, paying bills, storing photos and so on, to the point where a ransomware attack at home is likely to have a profound effect on an employee's wellbeing.
Preparing and running some simple cyber security training courses and reminder campaigns is a great way of helping to combat potential cyber threats, although it should be noted that a lot of these attacks are getting very clever in how they present themselves to users. Also, remember that your users are not all IT experts and are busy doing whatever role you employed them for, so they might not be 100% focused on looking for cyber threats every minute of the day.
Giving them training is better than doing nothing, but this is the least effective way of protecting your business in this list.
The true cost of ransomware
All of the potential mitigations for ransomware have a cost associated with them, so it's worth focusing on what the true cost of a ransomware attack is to your organisation. In the broadest financial terms, if the cost of remediation is higher than the cost impact of the issue, it's probably not worth remediating.
However, the cost of a ransomware attack is not limited to the ransom itself.
The ransom
$300 is the per-user cost of releasing the data encrypted on a device, so if you have 100 users that's $30,000 to get your data released. If you have 1,000 users, you are looking at $300,000. These threat actors are compromising millions of machines, so they are unlikely to negotiate a bulk discount.
User downtime
Probably the largest actual cost factor of ransomware is user downtime. As a rough calculation, if the average salary in your organisation is £30,000 per annum, that equates to an hourly cost of £14.42 per employee based on a 40-hour working week.
WannaCrypt locked thousands of users out of their data for over a week, which is circa £577 per employee in downtime. If you have 1,000 employees, that's over £0.5m.
Even if you pay the ransom, I am willing to bet that there is at least a 24-hour lead time before files are released. For 1,000 employees, that’s £100,000.
The risk of non-release or re-ransom
Let's not forget that the people who issue the ransomware are criminals, so there is no guarantee that they will release your files after you have paid, or that they won't re-encrypt your data again next week and ask you for more money. This doesn't have a fixed price per se, but it does lead on to the next point…
Device remediation
Once you have had the infected device unlocked, you are going to want to remediate it to make sure you aren't re-infected. As a minimum, this should be a complete wipe and rebuild, which will probably cost you £50 in resources per machine. It would be advisable to replace the HDD and the RAM of the device just to be sure that there are no remnants of the infection left on it, which would drive the cost up to about £150 per machine on average. For your 1,000-employee organisation, that's £150,000.
My personal approach would be to destroy the equipment and start with a new machine just to be sure, and I know a lot of security specialists who would only support this as a way forward, where you are probably looking at £600 per machine on average.
Then, Core recommends you look at updating the operating system to a fully patched version to protect yourself from future attacks.
For a 1,000-employee company, the cost of not proactively remediating is likely to be at least £500,000, which is more expensive for your business than protecting yourself in advance.
That's without calculating the lost revenue and goodwill that your business may have suffered because of the downtime caused by the platform-wide outage.
Taking proactive steps makes sense on every level.
Core can help your enterprise protect itself from ransomware attacks. We can help you upgrade your desktops to the latest version of Windows 10, migrate you into Office 365 and configure all of the right security features. We can also set up a backup and recovery solution for your data, and we can help you train your users.
If you would like to discuss how Core can help your organisation take any of these steps, please contact us and we will put you in touch with your industry specialist.