A friend at Stroz Friedberg (a part of Aon) let me know a few months ago that they are seeing a particular uptick in ransomware affecting law practices, but really it's a problem across all industries. As noted from the news out of Wyoming earlier today, ransomware is a particularly big problem in the healthcare industry.
I thought I'd post what my friend sent, with her permission. But I'd also like to point out the "big 4" words of advice to prevent ransomware or minimize its impact.
1. Patch software regularly. Most malware exploits a vulnerability that has been reported and for which a patch is available. You can't always patch immediately, but do so on a regular basis.
2. Practice good backup management. Having a perfect backup is the golden ticket for defeating ransomware: simply remove the encrypted content and replace it with the backup. Modern ransomware variants typically seek out and encrypt backup files as well as data files. If your backup files are accessible on the same system, you could lose them too. Multiple serial backup versions, stored offsite, will speed recovery and save you the ransom payment.
3. Map your systems and remove unnecessary connectivity. It's better if an isolated portion of your computing environment is encrypted and not the whole thing. And you need to be able to find how the incident started to clean it up effectively.
4. Train and test your staff to recognize phishing attempts. The phishing attempt that isn't opened is the ransomware event you don't have and don't have to fix.
Anyway, here's the Aon report:
Ransomware Everywhere
Over the past two weeks we have seen a significant uptick in ransomware attacks across all industries involving the Ryuk ransomware. The initial foothold is typically flagged as Emotet malware, and is usually delivered through a phishing email. The Emotet attacker then sells its deployment/footholds to a group using the Trickbot banking trojan. The "trick" refers to the various modules the malware can dynamically load to augment its abilities. It uses common vulnerabilities, such as EternalBlue, to spread rapidly throughout the victim's environment. The Trickbot group then sells its wide access to a ransomware group, currently Ryuk (we have also observed Trickbot working with Bitpaymer). Once the Ryuk group gains access, they interactively move through the environment, spreading ransomware to encrypt files. They typically also go after backups in order to block recovery efforts, forcing the victim to pay the often sizeable ransom in order to restore mission-critical files and systems.
Mitigating Business Interruption
Clients should pay close attention to any anti-virus alerts from their endpoints, with particular sensitivity to alerts for Emotet/Trickbot since Ryuk or a similar ransomware is typically a fast follow to these.
In order to minimize the business impact of a ransomware infection, we recommend the following preventative measures:
§ Notify employees to be aware of suspicious emails.
§ Secure email platform account access - MFA, continual log review, etc.
§ Activate malware detection capabilities within mail gateways.
§ Remove the users' ability to enable document macros.
§ Ensure AV is deployed to every machine and all alerts are being collected.
§ Follow up on AV alerts.
§ Verify that network logs are being aggregated and reviewed for suspicious connections; Trickbot downloads its payload as a ".png" file.
§ Limit access and closely monitor admin and domain admin account usage.
§ Do not use shared local admin accounts and passwords across machines -- this is an easy way for Trickbot to spread.
§ Have a robust backup process for business critical servers and files such that backups occur regularly, are tested for efficacy, and are stored offline.
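The report's note that Trickbot fetched its payload as a ".png" file points at a review that is cheap to automate: a download whose URL says image but whose body or Content-Type says otherwise. The script below is an added example written for this post, not Aon or Stroz Friedberg code. It assumes a simplified proxy log layout (timestamp, client, method, URL, status, Content-Type, first response bytes in hex), which is a constructed format; the sample lines are likewise constructed. The only facts it relies on are the real PNG and MZ (PE executable) file signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Real file signatures: PNG images start with these 8 bytes, PE executables with "MZ".
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MZ_MAGIC = b"MZ"

# Constructed log layout (an assumption for this example, not any vendor's format):
#   <timestamp> <client_ip> <method> <url> <status> <content-type> <first-bytes-hex>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<ctype>\S+)\s+(?P<head>[0-9a-fA-F]*)$"
)


@dataclass
class Finding:
    client: str
    url: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_png_download(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a '.png' download looks like a disguised payload (empty if none)."""
    url_path = rec["url"].split("?", 1)[0].lower()
    if not url_path.endswith(".png"):
        return []  # only URLs that claim to be PNG images are in scope here
    reasons: List[str] = []
    head = bytes.fromhex(rec["head"]) if rec["head"] else b""
    if rec["ctype"].lower() != "image/png":
        reasons.append(f"content-type {rec['ctype']} for a .png URL")
    if head.startswith(MZ_MAGIC):
        reasons.append("body starts with MZ (PE executable) header")
    elif head and not head.startswith(PNG_MAGIC[: len(head)]):
        reasons.append("body does not start with the PNG signature")
    return reasons


def scan(log_text: str) -> List[Finding]:
    """Run the check over a whole log, keeping only successful (200) downloads."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a production pipeline should count these too
        if rec["status"] != "200":
            continue
        reasons = check_png_download(rec)
        if reasons:
            findings.append(Finding(rec["client"], rec["url"], reasons))
    return findings


# Constructed sample log: one genuine image, two executables served as ".png",
# one unrelated HTML page, one failed request and one unparseable line.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 10.0.0.15 GET http://cdn.example.test/static/logo.png 200 image/png 89504e470d0a1a0a
2019-03-01T10:00:07Z 10.0.0.15 GET http://203.0.113.9/images/pic.png 200 image/png 4d5a90000300
2019-03-01T10:00:09Z 10.0.0.22 GET http://203.0.113.9/images/table.png?id=4 200 application/octet-stream 4d5a9000
2019-03-01T10:00:12Z 10.0.0.22 GET http://intranet.example.test/index.html 200 text/html 3c21444f
2019-03-01T10:00:15Z 10.0.0.30 GET http://203.0.113.9/images/x.png 404 text/html 3c68746d
garbage line that does not parse
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} -> {f.url}: {'; '.join(f.reasons)}")
```

Against the sample log this flags the two downloads from 10.0.0.15 and 10.0.0.22 that carry an MZ header, and ignores the genuine logo, the HTML page and the failed request. The Content-Type comparison alone is not enough, because a server under the attacker's control can send image/png for anything; comparing the first bytes of the body is what makes the check hold up.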
Getting Back to Business: Response and Recovery
§ Do not power down or reimage infected systems. DO disconnect them from the network.
§ Preserve machines/logs and contact an IR provider.
§ Ensure the AV solution does not delete the accompanying "ransom notes" (usually .txt or .hta files) as these are typically used to store a unique code that is necessary to decrypt the files if payment is made.
§ Be on the lookout for other malicious software and persistence mechanisms as the Ryuk group may install their own malicious backdoors into the environment as their approach evolves.
§ Make a copy of online backups and store offline. Alternatively, segregate online backups to prevent them from becoming encrypted or deleted by the attacker.
§ Do not discuss the ability or appetite to pay the ransom via email.
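Both lists come back to the same point: a backup only counts if it is tested and if an attacker who reaches the online copy cannot silently spoil it. One concrete way to make "tested for efficacy" measurable is to record a hash manifest when the backup is taken, keep the manifest with the offline copy, and verify any copy against it before relying on it for recovery. The code below is an added example written for this post, not part of the report or of any backup product; the directory layout, file names and the damage it simulates are all constructed for the demonstration.

```python
import hashlib
import pathlib
import shutil
import tempfile
from typing import Dict, List


def build_manifest(root: pathlib.Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_backup(root: pathlib.Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a backup copy with the manifest recorded when it was taken."""
    current = build_manifest(root)
    return {
        # files the manifest lists that are no longer present
        "missing": sorted(set(manifest) - set(current)),
        # files whose contents changed since the manifest was recorded
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        # files that appeared after the manifest was recorded (e.g. dropped notes)
        "unexpected": sorted(set(current) - set(manifest)),
    }


def is_restorable(report: Dict[str, List[str]]) -> bool:
    """A copy is usable for recovery only if nothing listed in the manifest is missing or altered."""
    return not report["missing"] and not report["modified"]


def demo() -> Dict[str, List[str]]:
    """Build a constructed file set, back it up, then damage the copy and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp, "fileserver")
        (src / "docs").mkdir(parents=True)
        (src / "ledger.db").write_bytes(b"constructed ledger contents")
        (src / "docs" / "policy.docx").write_bytes(b"constructed policy contents")

        manifest = build_manifest(src)  # recorded at backup time, stored with the offline copy
        bak = pathlib.Path(tmp, "backup")
        shutil.copytree(src, bak)
        assert is_restorable(verify_backup(bak, manifest))  # a fresh copy verifies clean

        # Simulate damage to a reachable online copy: one file overwritten,
        # one deleted, one unrelated file dropped in (all constructed).
        (bak / "ledger.db").write_bytes(b"\x00\xff not the original bytes")
        (bak / "docs" / "policy.docx").unlink()
        (bak / "ransom_note.txt").write_text("constructed placeholder note")
        return verify_backup(bak, manifest)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("restorable:", is_restorable(report))
```

The manifest has to live with the offline copy, not on the server being backed up; if an attacker can rewrite both the data and the manifest, the check proves nothing. Run the verification on a schedule as part of the restore test the report calls for, and treat any "modified" or "missing" entry as a reason to fall back to an older serial version.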