Tips to Safeguard against Ransomware
:: By Travis Smith, Tripwire ::
Ransomware has been increasingly leveraged by cyber criminals over the past few years to fund their criminal activities.
Historically, cyber criminals would have to steal their target’s data, as well as find an avenue to re-sell the data and/or use it in fraudulent ways to make cybercrime profitable. Each individual illegal activity increases the risk of getting caught by law enforcement, especially those that involve converting digital assets into hard currency. With ransomware, criminals can receive anonymous digital payments via Bitcoin almost immediately. The profit margins for each attack are somewhat reduced, but so is the risk of getting caught. This means that attackers using ransomware will have to rely on catching a lot of little fish, rather than one whale, to obtain a good return on their investment.
Previously, ransomware code would infect specific file types. The typical infection path would come from a phishing attack that would entice a victim to open a malicious document. However, attackers are beginning to target websites in addition to end-users. Attacks against websites leverage vulnerabilities in the code hosting the website in order to gain access to the underlying operating system. The most common attack vector here is remote command injection. An attacker will attempt to run arbitrary commands on the Web server with the end goal of downloading and executing their malicious code. The attack surface which could potentially allow for command injection is quite large. Attackers can get in via any combination of operating system vulnerabilities, Web server vulnerabilities, Web application vulnerabilities, or vulnerabilities in website plug-ins or extensions.
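The command-injection vector described above usually comes down to one pattern: a request parameter spliced into a shell command line. The following is an added example (not code from the article or from Tripwire) showing that pattern in a hypothetical "ping this host" diagnostic helper, next to a hardened version that allow-lists the input and runs the program without a shell. All function names are assumed for illustration.

```python
import re
import subprocess

# Added example (not from the article): a "ping this host" diagnostic helper of
# the kind found in admin panels and plug-ins, shown in its injectable form and
# in a hardened form. Function names are hypothetical.

# RFC 1123-style hostname: labels of letters, digits and hyphens, joined by
# dots, at most 253 characters overall. Nothing else gets through.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_vulnerable(host: str) -> str:
    """Injectable: the request parameter is spliced into a shell command line.

    If this string is handed to subprocess with shell=True, any shell
    metacharacter in `host` (for example ';' or '|') ends the ping command and
    starts a new one, which is the remote command injection the article
    describes.
    """
    return "ping -c 1 " + host


def validate_hostname(host: str) -> str:
    """Allow-list check: only a well-formed hostname is accepted."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected: not a valid hostname")
    return host


def build_ping_command_hardened(host: str) -> list:
    """Hardened: validate first, then build an argv list so no shell is involved."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened command without a shell; output is captured, not echoed."""
    argv = build_ping_command_hardened(host)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


def is_safe_host(host: str) -> bool:
    """Convenience wrapper for callers that prefer a boolean to an exception."""
    try:
        validate_hostname(host)
        return True
    except ValueError:
        return False
```

Two things matter in the hardened version: the allow-list rejects anything that is not a hostname (metacharacters, spaces, a leading dash that could be read as an option), and the argv list with `shell=False` means no shell ever parses the value, so even an unexpected character cannot start a second command. Escaping the string for the shell instead of avoiding the shell is a weaker fix and is deliberately not shown.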
Once attackers are able to infect a machine, the ransomware will attempt to encrypt whatever it deems important for the intended target. For websites, this can include Web pages, images and scripts. Once encryption is complete, a message will be displayed to visitors of the Web page stating that the website has been infected with ransomware along with instructions for the Web administrator on how to purchase the decryption key and return the website to normal operation.
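Because the outcome on a website is the same every time (pages, images and scripts overwritten with ciphertext, plus a notice page for visitors), a hash baseline of the web root is a cheap way to spot it early. The following is an added example (not code from the article or from Tripwire): it records a SHA-256 baseline of a web root, and on each run reports what changed and which changed files have the near-uniform byte distribution of encrypted data. The threshold, function names and the sample site are constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Added example (not from the article): a small file-integrity check for a web
# root. It records a hash baseline of the site's files and, on each run, reports
# what changed and which changed files look like ciphertext. Names, threshold
# and the sample site are constructed for illustration.

ENTROPY_THRESHOLD = 7.5     # bits per byte; encrypted or compressed data sits near 8.0
MIN_SIZE_FOR_ENTROPY = 256  # entropy of very small files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def scan(root: Path, baseline: dict) -> dict:
    """Compare the web root against the baseline.

    'suspicious' lists modified or newly added files whose content has the
    near-uniform byte distribution typical of encrypted data. Unchanged files
    are never flagged, so legitimately high-entropy assets such as JPEG or PNG
    images only come up when they change.
    """
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    suspicious = []
    for rel in modified + added:
        data = (root / rel).read_bytes()
        if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            suspicious.append(rel)
    return {"modified": modified, "added": added, "missing": missing, "suspicious": sorted(suspicious)}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the outcome the text describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body><h1>Welcome</h1></body></html>\n" * 20)
        (root / "js" / "app.js").write_text("console.log('hello');\n" * 20)
        (root / "logo.png").write_bytes(os.urandom(1024))  # stand-in for a binary image
        baseline = build_baseline(root)

        # Simulated aftermath: a page overwritten with ciphertext-like bytes, a
        # notice page dropped in for visitors, and a script removed.
        (root / "index.html").write_bytes(os.urandom(4096))
        (root / "notice.html").write_text("This site is unavailable. Contact the administrator.\n")
        (root / "js" / "app.js").unlink()
        return scan(root, baseline)
```

In practice the baseline would be written after each legitimate deploy and the scan run on a schedule; a burst of modified files that all trip the entropy check is the signal to act on. The entropy test is a heuristic, not proof: a freshly uploaded image or archive will also score high, which is why the check is restricted to files that changed since the baseline.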
Protecting a Site & Its Users
The ransomware samples available publicly so far appear to be opportunistic in nature, meaning they take advantage of well-known vulnerabilities to exploit websites. To protect against such an attack, it’s advised that all code running on public-facing websites be patched as quickly as possible. It’s not uncommon for an exploit to be announced along with “proof of concept” code to test if the vulnerability is present. Attackers can then weaponize the proof of concept code into an exploit in as little as a few hours.
The Needed Investments
Since not all security vulnerabilities will be patched, particularly in in-house Web applications, website owners should invest in security testing of the public-facing website. This should include both vulnerability scanning as well as penetration testing. Vulnerability scanning will test the website and well-known Web applications for known vulnerabilities. If any patches are missing or any configuration is known to be insecure, a vulnerability scan will prioritize what’s important to fix based on the potential impact to the scanned system. For custom applications, a Web application scanner with a non-transparent proxy that allows interaction with the site is ideal. This type of vulnerability scanner can interact with the website and manipulate fields, cookies and other session data to look for common vulnerabilities in Web applications.
Penetration testing is different from vulnerability scanning. While it’s important to know if there are any vulnerabilities, a penetration test will answer the all-important question: what is the impact of any vulnerabilities that exist? A penetration test will determine if a specific vulnerability is actually exploitable and, if so, what the potential impact will be. For example, if a specific vulnerability is successfully exploited, an attacker might be able to access personally identifiable information for customers or employees. Penetration testing requires a human behind the keyboard. Automated scanning can complete a lot of the initial legwork, but pen testing by real humans is required for in-depth security testing.
The final component of protecting against ransomware is knowing what to do if an attacker is somehow able to bypass every security control in place and encrypts critical data. To avoid paying the ransom, recent backups are required. There aren’t any known examples of ransomware attempting to encrypt data residing within databases, so in the short term it’s important to start backing up critical website files; for example, everything within the /var/www directory should be backed up frequently. Since ransomware will search the entire file system, and potentially network locations as well, website administrators should follow the 3-2-1 rule of backups: keep three copies of the data, in two different formats, with one of the copies off-site. By keeping data in different locations, the chances of the ransomware encrypting all of the locations are significantly reduced. Storing the data on different media also reduces the risk that ransomware can infect and encrypt every copy of the backup. For example, backups to a CD-R (not CD-RW) will prevent any ransomware from encrypting backup data. Finally, having a backup copy off-site and off-line will completely eliminate the chance that ransomware will destroy all backup data.
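A backup only avoids the ransom if it can actually be restored, so each copy should be verified, not just written. The following is an added example (not code from the article or from Tripwire) of the per-copy step: it archives a web root into a compressed tarball with a SHA-256 manifest beside it, then restore-tests a copy by streaming every file back out of the archive and comparing digests. The demo writes two copies to two destinations standing in for separate media; moving the third copy off-site and choosing write-once media are left to the administrator's tooling. Function names and the sample site are constructed for illustration.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Added example (not from the article): create a compressed archive of a web
# root together with a SHA-256 manifest, then verify a copy by reading every
# file back out of the archive and comparing digests. Function names and the
# sample site are constructed; shipping a copy off-site is out of scope here.


def manifest_path_for(archive: Path) -> Path:
    """The manifest lives next to the archive, named <archive>.sha256.json."""
    return archive.with_name(archive.name + ".sha256.json")


def create_backup(webroot: Path, dest_dir: Path, label: str) -> Path:
    """Archive every file under webroot into dest_dir and write its manifest."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest_dir / f"www-{label}-{stamp}.tar.gz"
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(webroot.rglob("*")):
            if p.is_file():
                rel = p.relative_to(webroot).as_posix()
                tar.add(str(p), arcname=rel)
                manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    manifest_path_for(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive


def verify_backup(archive: Path) -> dict:
    """Restore-test a copy without writing to disk: stream each member and hash it."""
    manifest = json.loads(manifest_path_for(archive).read_text())
    seen = {}
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    missing = sorted(k for k in manifest if k not in seen)
    corrupt = sorted(k for k in manifest if k in seen and seen[k] != manifest[k])
    extra = sorted(k for k in seen if k not in manifest)
    return {"ok": not (missing or corrupt or extra), "missing": missing, "corrupt": corrupt, "extra": extra}


def demo() -> dict:
    """Constructed run: two copies on two destinations, then a deliberately corrupted manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        webroot = base / "var" / "www"            # stand-in for the real /var/www
        (webroot / "html" / "js").mkdir(parents=True)
        (webroot / "html" / "index.html").write_text("<html><body>Hello</body></html>\n")
        (webroot / "html" / "js" / "app.js").write_text("console.log('hi');\n")
        copy1 = base / "backup_disk"       # first copy: a separate local volume
        copy2 = base / "backup_medium2"    # second copy: stands in for a different medium
        copy1.mkdir()
        copy2.mkdir()
        a1 = create_backup(webroot, copy1, "disk")
        a2 = create_backup(webroot, copy2, "medium2")
        results = {"disk": verify_backup(a1)["ok"], "medium2": verify_backup(a2)["ok"]}

        # Corrupt one digest in the second manifest to show verification catching it.
        mpath = manifest_path_for(a2)
        m = json.loads(mpath.read_text())
        m["html/index.html"] = "0" * 64
        mpath.write_text(json.dumps(m))
        results["corrupted"] = verify_backup(a2)["ok"]
        return results
```

The manifest is what turns a pile of tarballs into a trustworthy backup: run `verify_backup` against each copy after it lands on its medium, and again before relying on it for a restore, so that a copy the ransomware reached (or a disc that simply failed) is discovered before it is needed. The manifest should travel with the archive to the off-line and off-site copies as well, since those are the ones expected to survive.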
Don’t Become a Victim
Ransomware is a real threat to many different types of organizations, and the successful business model pretty much guarantees that these types of attacks won’t slow down anytime soon. Fortunately, there are effective options to mitigate and remediate ransomware attacks. Make sure your business has these safeguards in place so you don’t become the next victim.
Travis Smith is a Senior Security Research Engineer at Tripwire. He has over 10 years’ experience in security, holds an MBA with a concentration in information security, and multiple certifications including CISSP, GIAC and GPEN. Travis specializes in integrating various technologies and processes, with a passion for forensics and security analytics with the goal of helping customers identify and mitigate real threats.