Tuesday, September 10, 2019

A simple cure for Ransomware?

We've seen a rash of ransomware attacks against small towns.  This is malware that encrypts all the files on the computer and demands a ransom for a key to decrypt them.  Most recently we saw a bunch of towns in Texas succumbing to the attack.  But not all towns submit:
The City of New Bedford, in Massachusetts, has found a way to deal with ransomware without paying: shoring up defenses, restoring from backups, and rebuilding systems.

The attack on the American city's systems was identified on July 5, after employees noticed unusual network activity upon returning from the July 4th holiday, Mayor Jon Mitchell explained in a press conference on Wednesday.

"We haven't seen any interruption in municipal services at all," said Mitchell.

The city's Management Information Systems (MIS) staff identified the presence of the file-scrambling RYUK nasty, a sophisticated form of ransomware, and through prompt action managed to limit its impact.

...

Unwilling to pay $5.3m, Mitchel said he made a counter-offer of $400,000, based on cyber-insurance proceeds available to the city. The cyber-crim declined and the city continued negotiating, buying the IT staff the time needed to bolster defenses and restore files from backups, to the extent possible.
Good on them.  A good data backup strategy cures a multitude of security sins.  You can find ASM826's and my recommendations here.

5 comments:

Old NFO said...

It's always attention to detail, and keeping up with the threats, which few do... sigh

SiGraybeard said...

How do you ensure that your backup doesn't reinfect your system?

It seems the ransomware creators would put the infection on your system and let it hide itself for a while before springing the trap. When you restore your backups, you restore the malware with it.

Eagle said...

It may hurt your employees' feelings, but the first step is to disable the internal network from directly accessing the outside world. How many employees really need to use YouTube or Facebook Messenger on their business systems? If they want to do that, they should use their personal phones - not company or government equipment.

Next step: every system that needs outside access goes thru a proxy server. Services are limited to email and limited browsing, with the proxy "blacklist" disallowing access to malware transport mechanisms (such as Snapchat and other services).

Every email is scanned before becoming available to the user. Yes, that means that some email attachments won't get through. Sorry. If it's that important, set up a relay system: the file is deposited on a system in the DMZ, checked for viruses/malware, and then the user copies it from the DMZ to a local system after the file has been okayed.

Next: use multi-factor login protection. Some kind of physical token and a password. You DON'T GET IN without BOTH - which means that network logins are completely disabled.

Lastly, for network-facing services, the system facing the network sits outside the DMZ. It communicates to a system inside the DMZ which checks the request and any payload, and verifies it's ok. If the request is ok, it is passed from the DMZ into the network itself.

If you want to protect yourself, these are only the first steps. There are more... but you get the idea.

GOOD security isn't easy to implement, but it will pay off in the long run.

Borepatch said...

Graybeard, there's no reason to back up executable files, as long as you have an easy way to reinstall (say, recovery partition or Linux distro).

McChuck said...

This is where good virtual systems really come in handy.