Reach For The Sky And Give Me My Ransom

The cyber world has been under attack for more than 30 years. Ransomware, the crime of blocking access to a computer or its data until a ransom is paid, has hit businesses, governments, and individuals alike and has dominated the world's headlines. It is so pervasive that any person, business, organization or government using a computer today is a potential target. The real question is how we, as IT professionals, can best safeguard our business data from this very real threat.

Ransomware attacks are the product of a criminal operation run as a business. This business exists solely to collect money from the unsuspecting and unprepared through nefarious and aggressive means. After deploying malicious software that first gains access to a victim's systems and then encrypts them, the attacker demands a sum of money in exchange for the keys that will unlock the encryption and let the victim regain control. Attackers almost always demand payment in cryptocurrency, typically Bitcoin, because it is hard to trace and cannot be charged back. Paying does not guarantee working keys, and many groups now also steal data before encrypting it so that they can threaten to publish it if the ransom is refused.

Ransomware is older than the web. The first known example, the AIDS Trojan (Aids Info Disk, also called PC Cyborg), was distributed in 1989 on floppy disks mailed to its victims. It was a Trojan horse that replaced the AUTOEXEC.BAT file, waited through a number of reboots, then hid directories and encrypted the names of all files on drive C: (rendering the system unusable) and demanded that a "licence fee" be mailed to a post office box in Panama. Today's ransomware is far more dangerous than its ability to be deployed remotely alone would make it: it carries 30+ years of evolution and sophistication in how it encrypts, spreads and extorts.

A ransomware attack creates an intense emergency for both a business and its IT department: "we must get back online immediately." It is a terrible situation to face unless the organization has prepared for this eventuality. Preparedness comes in the form of firewalls, network segmentation, patching, user awareness, and all of the other essential security measures. Even with all of these superbly executed, however, an organization may still be hit by ransomware. Unless it has also had the foresight to implement a well thought out backup schedule, with copies kept where the attacker cannot reach and encrypt them, it may be forced to pay the ransom.

Backing Up the Right Way

What is a well thought out backup schedule? It is one that includes testing restores as part of the schedule. Backing up without tested restores may be worse than not having done backups at all, because it creates confidence that nothing justifies. I'll give you a personal example. While working at a large security firm, I pushed to have backups performed; subsequently, a well-known backup system was put in place and the backups began. I also pushed to have tested restores implemented as part of the schedule, but only later learned, to our company's detriment, that our operations team had never tested a single restore.

When our Oracle database became corrupted, the operations team dutifully did a restore on top of the corrupted database. That's when the real trouble began. Our backup system had been installed incorrectly. Every backup that had been performed was corrupt, but this was unknown because the backups had never been restored and tested. This was not a ransomware attack, of course, but the effect was similar because the entirety of the company's data was within that Oracle database.

The result of this failure to test was quite expensive. We had to bring in a world-class expert in Oracle databases and lost several weeks to the correction. The company limped along the entire time. The moral of the story: taking backups and testing them will prove invaluable should an organization be hit by ransomware.

Implement a Disaster Recovery and Business Continuance Plan

In addition to a well thought out backup schedule, an organization should have a Disaster Recovery (DR) plan and a Business Continuance Plan (BCP) in place. As with backups, the DR plan and BCP should be exercised and tested regularly to ensure that the organization's team knows what to do should a ransomware attack occur.

The DR plan will have multiple steps and sub-steps. Below are a few of the DR plan components:

  • Emergency phone list
  • List of who must be informed
  • List of applications prioritized by the sequence in which they should be recovered
  • Locations of applications and files
  • Plans for alternate power, or location, or communications

Years ago, the BCP evolved from the DR plan. Some of the components of the BCP may seem to be the same, except that they are designed for a company-wide recovery. Below is a sample of BCP components:

  • Emergency Leadership team definition and contact information
  • Communications plan
    • Internal
    • External (media and the public)
  • Notification to all departments of where to go and what to do
  • Emergency contact list of all employees
  • Process to notify all employees when everything has returned to normal

Again, these bullet points are a selection from both the DR plan and the BCP, to give a sense of what is included in each.

An Attack Has Occurred - Now What?

Should an organization be the victim of a ransomware attack, the highest priority is to isolate the affected systems so that the infection cannot spread: disconnect them from the network, disable the accounts the attacker is using, and block traffic from them at the switch or firewall. Do not wipe or rebuild them yet, because they hold the evidence the later investigation needs. Isolation also establishes the scope and severity of the attack. Knowing which systems and data have been compromised lets the business and IT teams build a prioritized recovery schedule.

If the strain of ransomware can be identified (the ransom note, the extension appended to encrypted files, and lookup services such as the No More Ransom project are the usual starting points), an analyst should be assigned to determine whether a free decryptor exists for it. Even where none does, knowing the family tells the team how that strain behaves: how it spreads, which accounts and tools it relies on, and whether its operators also steal data before encrypting, all of which shape containment and the clean-up needed to get systems back up. A decryptor, where one exists, recovers files; it does not remove the attacker's foothold.
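Scoping the outbreak and picking up the clues that identify the strain can be partly automated. The script below is an added example, not code from the article: it walks a directory tree, flags files that look encrypted (Shannon entropy close to 8 bits per byte, ignoring formats that are compressed by design), flags files that look like ransom notes, and summarises the affected directories and the extension the encryptor appended. The sample tree is constructed in a temporary directory, with random bytes standing in for ciphertext; the name patterns, keyword list and entropy threshold are heuristics chosen for the example and will produce both misses and false positives on real data, so treat the output as a starting point for the analyst, not a verdict.

```python
"""Triage a file tree after a suspected ransomware incident.

Added example, not from the article. Thresholds, name patterns and the
sample data are assumptions made for this example.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics (assumptions for this example; tune for your environment).
NOTE_NAME_RE = re.compile(r"(readme|recover|restore|decrypt|how[_ -]?to|help)", re.I)
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
NOTE_WORDS = ("decrypt", "bitcoin", "ransom", "your files")
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                       ".mp4", ".mp3", ".pdf"}   # high entropy is normal here
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 4096       # entropy is measured on a prefix to keep scans fast
MIN_SIZE = 64             # entropy of tiny files is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(path: Path) -> bool:
    """A ransom note: suggestive file name plus text telling the victim to pay."""
    if path.suffix.lower() not in NOTE_SUFFIXES or not NOTE_NAME_RE.search(path.name):
        return False
    text = path.read_bytes()[:SAMPLE_BYTES].decode("utf-8", errors="ignore").lower()
    return any(word in text for word in NOTE_WORDS)


def triage(root: Path) -> dict:
    """Classify every file under root and summarise the damage."""
    summary = {"scanned": 0, "encrypted": 0, "skipped_compressed": 0,
               "notes": [], "extensions": Counter(), "affected_dirs": set()}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        summary["scanned"] += 1
        rel = path.relative_to(root)
        if looks_like_note(path):
            summary["notes"].append(rel.as_posix())
            continue
        if path.suffix.lower() in COMPRESSED_SUFFIXES:
            summary["skipped_compressed"] += 1
            continue
        if path.stat().st_size < MIN_SIZE:
            continue
        if shannon_entropy(path.read_bytes()[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
            summary["encrypted"] += 1
            summary["extensions"][path.suffix.lower()] += 1   # the strain's tell-tale
            summary["affected_dirs"].add(rel.parent.as_posix())
    summary["affected_dirs"] = sorted(summary["affected_dirs"])
    return summary


def build_sample_tree(root: Path) -> None:
    """Constructed sample: intact documents, three 'encrypted' files (random
    bytes stand in for ciphertext), one ransom note and one legitimate zip."""
    prose = ("Quarterly figures reviewed with finance on Tuesday; no changes.\n" * 40).encode()
    files = {
        "finance/notes.txt": prose,
        "hr/policy.txt": prose,
        "finance/q1.xlsx.locked": os.urandom(3000),
        "finance/q2.xlsx.locked": os.urandom(3000),
        "hr/roster.docx.locked": os.urandom(3000),
        "finance/HOW_TO_RECOVER_FILES.txt":
            b"Your files are encrypted. Pay 0.5 bitcoin to decrypt them.\n",
        "media/photo.zip": os.urandom(3000),
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(Path(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed tree the report shows three encrypted files, all carrying the `.locked` extension, in the `finance` and `hr` directories, one ransom note, and one zip archive deliberately left out of the count. The extension and the note text are exactly what an analyst feeds into a family lookup; the directory list is what the recovery schedule is built from.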

The DR plan should continue to be followed at this point until everything is normalized. Once it is all over, a forensic evaluation is important to identify the weakness the attacker took advantage of, typically a phished or reused credential, an exposed remote-access service, or an unpatched system, and changes should be implemented immediately to close it. And lest it be forgotten in the heat of the moment, rotate all credentials, service accounts and keys included: the attacker's foothold is usually stolen credentials rather than the encryptor itself, and a restore that leaves them valid invites a repeat.

Ransomware appears to be here to stay and as IT professionals, all we can do is protect and prepare. If our best protections fail, then we can fall back on our preparations to restore systems as quickly as possible. 

Dean Lane is Chief Information Officer for Cyber Intelligence at The Institute of World Politics. Dean brings a wealth of knowledge to his role at IWP. He has founded his own company, taught courses at universities in California, was the Chief Information Officer for multiple companies, worked for a Big Four consulting firm, and spent time in the military with the Special Forces. Dean has a Bachelor of Arts from UCLA and a Master's degree in Business Administration from National University. He is the author of three #1 best-selling books related to information technology.