How to protect your firm from being infected by the ransomware epidemic
Tuesday, April 10, 2018
By Sharon D. Nelson and John W. Simek
Remember the good old days of ransomware? You would get an email saying you owed the IRS money and could pay it via a helpfully included link. Lots of people did this because it was only a couple hundred dollars, and who wants to duke it out with the IRS? The same folks fell for the email claiming that someone at your home had downloaded music or movies illegally (much more likely true than the first scenario) and that you needed to pay a fine so no one would come after you (or your spouse/child) for a much greater sum. Again, the price was relatively small and many people paid. Note that nothing was actually encrypted in these early schemes; they were pure scare tactics, and the victim simply paid to make a fake threat go away.
The likelihood that a lawyer would fall for these primitive versions of ransomware was small. Fast forward to Cryptolocker, which first appeared in 2013. This ransomware Trojan attacked computers running Microsoft Windows and arrived mostly as an attachment or a link in an email; it did not spread on its own, it needed someone to click. Click, and “Winner, Winner, Chicken Dinner”: the malware quietly downloaded and began encrypting your files. Because it ran with the rights of the logged-in user, it encrypted every file that user could write to, whether stored locally, on mapped network drives (the files on your server), on connected flash drives or on other external USB disks. That is the single most important fact about this whole class of malware: anything reachable through a drive letter and writable by the user is fair game.
You then got a message on your screen offering the decryption key to unlock your data for a reasonable sum of $300 to $500. No checks or credit cards, though; the payment of choice was, and still usually is, Bitcoin. Curiously enough, there has been considerable honor among this brand of criminal, who normally provide the decryption key once the ransom is paid. Not 100 percent, but most victims report that they did get the key, though decrypting all their data took as much as a week. Do not count on it, though; a key that never arrives is a real possibility, which is one more reason the backup matters. The bad news is that the ransoms have gone up. It is not uncommon to see ransoms in the $1,000-plus range now.
Before we understood Cryptolocker well, many backups (especially in solo and small firms) were engineered so that the backup drive was permanently connected and mapped to a drive letter, which meant the ransomware could reach it exactly as it reached the C: drive and encrypt the backup along with everything else. That immediately caused IT folks to re-engineer backups so that they were out of the malware’s reach, meaning you could restore the encrypted files from backup and not pay the ransom. But we still regularly see backups that have not been re-engineered, thereby endangering all of the law firm’s files. The simple solution for most solo/small firm lawyers? Unplug the external USB hard disk after the backup job completes. Just make sure you have at least two USB hard disks and rotate them, in case you are attacked while one disk is connected. Another solution is an agent-based backup: a small program on each machine pushes the data to a backup server or cloud repository that is never mounted as a drive letter, so malware running as the user has no path to it. This is our customary solution. Whichever you choose, test a restore occasionally; a backup you have never restored from is a hope, not a plan.
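The rotate-and-unplug routine described above, as an added example that is not part of the original article: a PowerShell script that backs up to whichever of two rotating USB disks is attached, verifies the copy, and then takes that disk offline so no drive letter exists for ransomware to reach. The volume labels BACKUP-A and BACKUP-B, the C:\FirmData source path and the use of robocopy are assumptions made for this example; the Storage cmdlets (Get-Volume, Set-Disk) need Windows 8 / Server 2012 or later and an elevated PowerShell.

```powershell
# Added example (not from the article): back up to whichever of two rotating
# USB disks is plugged in, verify the copy, then take that disk offline so a
# ransomware infection on the workstation has no drive letter through which
# to reach it. Assumptions (all mine, not the authors'): the two disks carry
# the volume labels BACKUP-A and BACKUP-B, the firm's data lives under
# C:\FirmData, Windows 8 / Server 2012 or later (Storage cmdlets), and the
# script runs from an elevated PowerShell because Set-Disk needs it.

param(
    [string]$Source = 'C:\FirmData',
    [string[]]$Labels = @('BACKUP-A', 'BACKUP-B')
)

# Require exactly one backup disk. If both are attached, both would be
# encrypted by an infection during the job, which defeats the rotation.
$volumes = @(Get-Volume | Where-Object { $Labels -contains $_.FileSystemLabel })
if ($volumes.Count -ne 1) {
    throw "Expected exactly one backup disk attached, found $($volumes.Count). Plug in one of: $($Labels -join ', ')"
}
$vol    = $volumes[0]
$letter = [string]$vol.DriveLetter
if ($letter -notmatch '^[A-Z]$') { throw "Backup volume $($vol.FileSystemLabel) has no drive letter" }
$dest = "${letter}:\FirmData"
$log  = "${letter}:\backup-$(Get-Date -Format yyyyMMdd-HHmmss).log"

# Mirror the source. /MIR propagates deletions and changed files, so a run
# after an undetected infection would mirror encrypted files onto this disk;
# the other disk, sitting unplugged in a drawer, is the real recovery point.
robocopy $Source $dest /MIR /R:1 /W:1 /NP "/LOG:$log" | Out-Null
$rc = $LASTEXITCODE
# robocopy exit codes 0-7 are success variants; 8 and above mean files failed to copy.
if ($rc -ge 8) { throw "robocopy reported errors (exit code $rc); see $log" }

# Spot-check: hash a random handful of files on both sides.
$sample = Get-ChildItem $Source -Recurse -File | Get-Random -Count 5
foreach ($f in $sample) {
    $rel = $f.FullName.Substring($Source.Length)
    $a = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
    $b = (Get-FileHash (Join-Path $dest $rel) -Algorithm SHA256).Hash
    if ($a -ne $b) { throw "Verification failed for $rel" }
}

# Take the disk offline: no drive letter, so malware running as the
# logged-in user has nothing to encrypt. Then unplug it and swap in the
# other disk. If the disk does not get its letter back when re-attached,
# run Set-Disk -Number <n> -IsOffline $false once.
$disk = Get-Partition -DriveLetter $letter | Get-Disk
Set-Disk -Number $disk.Number -IsOffline $true
Write-Host "Backup to $($vol.FileSystemLabel) finished (robocopy $rc); disk $($disk.Number) is offline. Unplug it and rotate."
```

Run it from Task Scheduler after hours and make the last step of the routine a human one: pull the disk and put the other one in. The script refuses to run when both disks are attached because that is precisely the state in which one infection takes out the live data and both backups at once. Note that a mirror copies whatever is on the source, encrypted files included, which is why the disk that is not plugged in is the one you will actually restore from, and why an agent-based backup that keeps several generations on a server the workstation cannot mount is the more comfortable option when the budget allows.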
Over time, standard enterprise-level security suites got a handle on Cryptolocker (and its variants) and were able to detect and stop the malware from infecting machines. We began to see a lot less of Cryptolocker.
But along came Cryptolocker’s evil cousin, Cryptowall, and the fight to defeat Cryptowall (and all its variants) has proven to be much harder. Frankly, it has had many IT consultants tearing their hair out. Criminals have gotten smarter too, often spoofing sender email addresses so the recipient thinks the email comes from a court or a reputable law firm. And the English and grammar are much better too!
Computer Business Review reported that in January 2016 ransomware accounted for 18 percent of all malware payloads delivered via spam and exploit kits globally. Ten months later ransomware increased to 66 percent of malware payloads. That’s a 267 percent increase in just 10 months.
This is consistent with the deluge of calls we have received over the last several years about data encrypted by ransomware. It is a scourge that shows no sign of abating. Standard enterprise security suites have been unable to slow the tsunami of variants, which seem to be multiplying like rabbits.
The news doesn’t get any better. It is easy to build your own ransomware or to buy it as a service from someone else; on the Dark Web you can get Ransomware as a Service for $39. Ransomware is a $1 billion-per-year business, according to the FBI.
Proofpoint’s Adenike Cosgrove told Computer Business Review: “Ransomware has proven to be a successful business model with attackers collecting more than $209 million from victims during the first three months of 2016 alone, and the volume of attacks was ten times higher than all of 2015. Ransom amounts have tended to be relatively fixed at $300 to $1,000 per machine. As long as the return on investment remains high for attackers, it seems likely that ransomware will continue to be a significant threat.”
Herewith, some guidance on how to fight ransomware, particularly for solo and small firms who cannot afford the wallet-busting protections that large firms use.
As we say all the time, THERE IS NO SILVER BULLET THAT PROTECTS AGAINST ALL RANSOMWARE. Sadly, new variants are released every day.
Besides making sure that your backup is properly engineered as described above, you need a high quality enterprise security suite installed. We like Trend Micro, Kaspersky and Webroot, but there are many good suites to choose from — talk to your IT consultant.
Let’s suppose that, in spite of all you do, you get hit by ransomware. Do you have a plan for proceeding? At a minimum it should say who pulls the infected machine off the network (and unplugs any USB disks) the moment the ransom note appears, who gets called, where the backups are and how long a full restore takes. Do you have cybersecurity experts to call in? Do you know what your insurance will and will not cover? And remember that no plan survives first contact with the enemy, so be prepared to revise the plan on the fly.
You might check out CryptoPrevent, software which goes a long way toward preventing Windows computers from being infected by ransomware. Under the hood it applies Windows Software Restriction Policies that block programs from running out of user-writable locations such as %AppData% and %Temp%, which is exactly where an attachment-borne dropper lands and launches. This software is relatively inexpensive, costing $15 or less per computer depending on the number of licenses needed. The configuration has to be customized for each client, depending on the applications that need to be allowed to run from those locations on your systems; this requires input from you. It will take some amount of time and money, as each computer is manually configured.
Another “no software cost” alternative is to configure the same Software Restriction Policies yourself (through the Local Security Policy console or Group Policy) to achieve the operational restrictions that CryptoPrevent provides. CryptoPrevent is automatically updated, whereas the “no software cost” solution is static until someone revisits it. You see the trade-off.
At ABA TECHSHOW, we asked our very knowledgeable faculty colleague, IT consultant Ben Schorr, about CryptoPrevent and he noted that clients (understandably) don’t like the manual intervention required by CryptoPrevent to whitelist applications. He had especially run into problems where automated software updates were not permitted by CryptoPrevent, requiring more manual work. Ben shook his head and commiserated with us on the difficulty of advising solo and small firms on how best to defend themselves against this kind of ransomware while keeping costs down.
We became aware recently of four law firms that were successfully attacked by a Cryptowall variant in one month in Northern Virginia. Given that, we have begun recommending the installation of CryptoPrevent, or at least making clients aware that it exists so they can make the money/aggravation vs. risk decision. We warned firms that you may get “pushback” from employees who are accustomed to installing any software they want. CryptoPrevent has proven to be quite effective because it blocks the installation and execution of software from the locations it guards unless that software has been whitelisted. You must determine for yourself whether the risk of infection is high enough to warrant this kind of precaution, even as we tell you that no solution has been 100 percent effective.
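The “no software cost” alternative mentioned above, as an added example that is neither the article’s nor CryptoPrevent’s own code: a PowerShell script that writes Software Restriction Policy path rules straight into the registry, denying program execution from the user-writable folders where email-borne droppers land and carving out allow rules for updaters that legitimately live there (the whitelisting friction Ben Schorr describes). It assumes a standalone or workgroup Windows 7 or later machine with no domain Group Policy overriding local policy, an elevated PowerShell, and it uses illustrative updater paths (Chrome, OneDrive) that must be replaced with whatever the firm actually runs.

```powershell
# Added example; not from the article and not CryptoPrevent's own code. It
# implements the "no software cost" alternative directly: Software Restriction
# Policy path rules written to the registry that stop programs from starting
# out of the user-writable folders where email-borne droppers land, plus allow
# rules for updaters that legitimately live there. Assumptions: a standalone
# or workgroup Windows 7+ machine with no domain GPO overriding local policy,
# run from an elevated PowerShell; the updater paths are illustrative only.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted"
$Tag          = 'firm-ransomware-rule'   # marks the rules this script owns
$LogFile      = 'C:\ProgramData\srp.log'

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Note)
    # Each rule is a GUID-named subkey under <level>\Paths
    $key = "$Safer\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    # REG_EXPAND_SZ so %AppData%, %LocalAppData% etc. expand per user when evaluated
    New-ItemProperty -Path $key -Name ItemData     -Value $Path -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0     -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value "$Tag : $Note" -PropertyType String | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTime()) -PropertyType QWord | Out-Null
}

function Install-RansomwarePathRules {
    New-Item -Path $Safer -Force | Out-Null
    # Default Unrestricted: we deny specific places rather than whitelist everything.
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = applies to administrators too
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord   # 1 = check programs but not DLLs
    # File types SRP treats as executable: the standard list plus the script
    # types (.js, .vbs, .wsf, .ps1 ...) that ransomware droppers arrive as.
    $exts = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
            'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC',
            'JS','JSE','VBS','VBE','WSF','WSH','PS1'
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $exts -Type MultiString
    # Log every evaluation so blocked launches can be reviewed before tightening further.
    # Logging happens inside each user's own process, so every user must be able to append.
    if (-not (Test-Path $LogFile)) { New-Item -ItemType File -Path $LogFile | Out-Null }
    icacls $LogFile /grant '*S-1-5-32-545:(M)' | Out-Null     # S-1-5-32-545 = BUILTIN\Users
    Set-ItemProperty -Path $Safer -Name LogFileName -Value $LogFile -Type String

    # Deny: folders a user, and therefore a dropper running as that user, can write to.
    # A folder rule (no wildcard) covers the folder and everything beneath it.
    $deny = @(
        @{ Path = '%AppData%';                  Note = 'roaming profile' },
        @{ Path = '%LocalAppData%';             Note = 'local profile (includes Temp)' },
        @{ Path = '%UserProfile%\Downloads';    Note = 'browser downloads' },
        @{ Path = '%SystemDrive%\Users\Public'; Note = 'public profile' }
    )
    foreach ($r in $deny) { Add-SaferPathRule -Level $Disallowed -Path $r.Path -Note $r.Note }

    # Allow: updaters that live inside the denied folders. SRP applies the most
    # specific matching path rule, so these override the broad denies above.
    # Illustrative paths; replace with the software the firm actually runs.
    $allow = @(
        @{ Path = '%LocalAppData%\Google\Update';      Note = 'Chrome updater' },
        @{ Path = '%LocalAppData%\Microsoft\OneDrive'; Note = 'OneDrive client' }
    )
    foreach ($r in $allow) { Add-SaferPathRule -Level $Unrestricted -Path $r.Path -Note $r.Note }
}

function Remove-RansomwarePathRules {
    # Delete only the rules this script created, identified by the tag in Description.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = "$Safer\$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths |
            Where-Object { (Get-ItemProperty $_.PSPath).Description -like "$Tag*" } |
            Remove-Item -Recurse
    }
}

Install-RansomwarePathRules
Write-Host "SRP rules installed; they apply to programs started from now on. Review $LogFile before adding more denies."
```

Run it once per machine, then live with it for a week and read the log: every launch SRP blocked is either a dropper you are glad never ran or a legitimate updater that needs its own allow rule, and the log tells you which folder to whitelist. Remove-RansomwarePathRules backs the change out cleanly if it causes more pain than it is worth. This is the static version of what CryptoPrevent maintains for you; the rules do not update themselves when a vendor moves its updater.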
The most common way that law firms get ransomware? Employees click on an attachment or a malicious link in an email. This brings us to another important point: one of the most often-overlooked aspects of an organization’s security readiness is end-user training. It is just as important that your employees know what not to click on as it is to have security software installed to help prevent these types of malware outbreaks. Your best bet is to train your employees, every year, on what NOT to click on and on the indicators that should make them question whether an email is genuine: a sender name that does not match the address behind it, a reply address at a different domain, a link whose text shows one site while it actually goes to another, an attachment that is a script or macro-enabled document dressed up as an invoice or court notice. And this is something law firms steadfastly refuse to do. Some firms cite the training cost (pretty minimal compared to the risk in our judgment) and others cite the loss of billable time. We have a slide in one of our PowerPoints that says simply, “Training, training, training – oh, have we mentioned training?” You can see where we come down on that issue. By the way, a single training session has been shown to reduce the risk of a successful phishing attack by 20 percent, not a bad return on your money.
We live in a world where half of the people think “the cloud” is impacted by weather and where National Park Service rangers report that one of the questions they are asked most frequently is “Why were so many Civil War battles fought in national parks?” Very basic security education can go a long way toward defeating ransomware and other security demons.
You can also augment your training with technical controls. Email scanning services such as Mimecast hold attachments and either detonate them in a sandbox or convert them into a “safe” form such as a flattened PDF before delivery, so a booby-trapped document never reaches the inbox as a document. There is also an option to scan the URLs in messages and warn of any suspicious links; the better implementations check the link again at the moment it is clicked, since a link that was harmless when the message was delivered may point somewhere nasty an hour later.
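The spoofed-sender, look-alike-link and disguised-attachment indicators mentioned in the training and scanning paragraphs above, made concrete as an added example; this is not the article’s code and not how Mimecast or any other service works internally. It is a PowerShell function that applies those checks to a raw message and reports what it finds. The message it runs on is constructed for this example, with all domains under the reserved .example suffix, and folded (multi-line) headers are deliberately not handled.

```powershell
# Added example (not from the article): apply the indicators a trained user
# looks for to a raw email message and list what is suspicious about it.
# The sample message at the bottom is constructed; every domain is .example.

function Get-HeaderValue([string]$Headers, [string]$Name) {
    # First matching header line; continuation (folded) lines are not unfolded here.
    $m = [regex]::Match($Headers, '(?im)^' + [regex]::Escape($Name) + ':[ \t]*(.+)$')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

function Get-AddressDomain([string]$Header) {
    # "Display Name" <user@host>  or  user@host  ->  host, lower-cased
    $m = [regex]::Match($Header, '<([^>]+)>')
    $addr = if ($m.Success) { $m.Groups[1].Value } else { $Header }
    return ($addr -split '@')[-1].Trim().ToLower()
}

function Test-SuspiciousMessage {
    param([Parameter(Mandatory)][string]$RawMessage)
    $findings = @()
    $dangerousExt = 'exe','scr','com','pif','js','jse','vbs','vbe','wsf','hta','bat','cmd','ps1','lnk','docm','xlsm','pptm'

    # RFC 822 layout: headers, blank line, body.
    $headers, $body = $RawMessage -split '\r?\n\r?\n', 2
    if (-not $body) { $body = '' }
    $from       = Get-HeaderValue $headers 'From'
    $replyTo    = Get-HeaderValue $headers 'Reply-To'
    $fromDomain = if ($from) { Get-AddressDomain $from } else { '' }

    # 1. Display name that impersonates another address or domain.
    if ($from -and $from -match '^\s*"?([^"<]*)"?\s*<') {
        $display = $Matches[1]
        if ($display -match '@([\w.-]+)' -and $Matches[1].ToLower() -ne $fromDomain) {
            $findings += "Display name shows '$display' but the message really comes from $fromDomain"
        }
    }
    # 2. Replies silently redirected to a different domain.
    if ($replyTo) {
        $replyDomain = Get-AddressDomain $replyTo
        if ($replyDomain -ne $fromDomain) { $findings += "Reply-To goes to $replyDomain, not the sender's domain $fromDomain" }
    }
    # 3. Link text that shows one site while the link goes to another.
    foreach ($m in [regex]::Matches($body, '(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>')) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $hrefHost = ''
        try { $hrefHost = ([uri]$href).Host.ToLower() } catch { continue }   # relative or odd link: nothing to compare
        if ($text -match '^(?:https?://)?([\w.-]+\.[a-z]{2,})' -and $Matches[1].ToLower() -ne $hrefHost) {
            $findings += "Link text shows $($Matches[1]) but points to $hrefHost"
        }
    }
    # 4. Attachments that are executable, scripts, macro documents, or hide their real type.
    foreach ($m in [regex]::Matches($RawMessage, '(?i)filename="?([^";\r\n]+)"?')) {
        $name = $m.Groups[1].Value.Trim()
        $ext  = ($name -split '\.')[-1].ToLower()
        if ($dangerousExt -contains $ext) { $findings += "Attachment '$name' is a .$ext file, which can run code when opened" }
        if ($name -match '\.(pdf|docx?|xlsx?|txt|jpg)\.[A-Za-z0-9]+$') { $findings += "Attachment '$name' uses a double extension to look like a document" }
    }
    return $findings
}

# Constructed sample message for this example (all domains are .example; none are real).
$sample = @'
From: "clerk@courts.example" <notices@court-filings-alert.example>
Reply-To: records@fast-docs.example
To: partner@smallfirm.example
Subject: E-filing rejected - action required
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html

<html><body><p>Your filing was rejected. Open the attached notice or review it at
<a href="http://login.court-filings-alert.example/verify">https://www.courts.example/efile</a>.</p></body></html>
--sep
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Rejection_Notice.pdf.js"
--sep--
'@

Test-SuspiciousMessage -RawMessage $sample | ForEach-Object { "INDICATOR: $_" }
```

On the sample it reports five things: the display name claims courts.example while the mail comes from court-filings-alert.example, replies go to yet another domain, the link text and the link target disagree, and the attachment is a .js script wearing a .pdf costume. Those are the same four questions a user should be trained to ask before clicking, and they are the kind of checks an email scanning service automates at the gateway; a script like this is no substitute for either, but it shows the indicators plainly enough to put on a training slide.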
To conclude: check out the possibility of installing CryptoPrevent and make it part of your overall information security program, which should also include your firewall, IDS/IPS device, physical security, securely engineered backup and security awareness training.
Don’t think you can wish this problem away. The new breeds of ransomware are devilish adversaries!
The authors are the president and vice president of Sensei Enterprises Inc., a legal technology, information security and digital forensics firm based in Fairfax, VA. Call 703-359-0700 or visit www.senseient.com