Ransomware and Response Done Right
Recently we have been seeing a lot more on ransomware. In October, the FBI issued an alert on the topic warning of ransomware delivered through phishing attacks, RDP exploits (Remote Desktop Protocol, a proprietary Microsoft protocol for remote administration and application access, in some ways similar to VNC), and various vulnerabilities, including weak user credentials on Webroot and Kaseya remote management tools (now fixed) at MSPs.
An interesting recent example comes to us via the State of Louisiana, which faced another ransomware attack in early November. Although this was the second attack against state infrastructure in Louisiana this year, it did not catch the state flat-footed.
While about 130 servers were directly impacted, the state took quick steps to stop the spread. Part of the reason their response was as quick and effective as it was is that Governor John Bel Edwards had set up the Louisiana Cybersecurity Commission with Executive Order 17-31.
The order ensured that the Louisiana OTS (Office of Technology Services) was able to quickly respond to the attack.
Some offices, including 79 Office of Motor Vehicles locations, were shut down for a couple of days and a number of state websites saw some downtime, but services were quickly restored and the ransom was not paid.
Like many breaches, this one can be traced to a human error, in this case an unauthorized download. Unlike many breaches, severity and impact were well contained thanks to a well-thought-out incident response plan and well-planned, tested backup systems. Indeed, referring back to the FBI alert, the top recommendation is to “regularly back up data and verify its integrity.”
This point cannot be stressed enough. It is very common for organizations to run backups (everyone does), but the ability to restore from those backups is all too frequently not tested, or not tested well enough to ensure the organization can actually recover from them. Remember, backups are nothing without restores.
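To make "backups are nothing without restores" concrete, here is a small restore drill written for this post (it is not code from the Louisiana OTS or from the FBI alert). It builds a backup that carries a per-file SHA-256 manifest, then proves the backup usable by restoring it to scratch space and checking every file against that manifest; the same drill also catches an archive that was later damaged or encrypted. All file names and contents are constructed sample data.

```python
import hashlib, io, json, tarfile, tempfile
from pathlib import Path

def make_backup(src_dir, archive_path):
    """Archive src_dir and embed MANIFEST.json with a SHA-256 digest per file."""
    src, manifest = Path(src_dir), {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
                tar.add(p, arcname=rel)
        blob = json.dumps(manifest).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest

def restore_drill(archive_path):
    """Restore into scratch space and list every missing or altered file ([] = success)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # the 'data' filter (where available) rejects absolute paths and traversal
                kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kw)
            manifest = json.loads(Path(scratch, "MANIFEST.json").read_text())
        except (tarfile.TarError, EOFError, OSError, ValueError) as exc:
            return [f"unreadable archive: {exc}"]
        for rel, digest in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif hashlib.sha256(restored.read_bytes()).hexdigest() != digest:
                problems.append(f"corrupt: {rel}")
    return problems

def demo():
    """Constructed data: a small tree, a good backup, then the archive overwritten with junk."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src"); (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("constructed sample record")
        (src / "sub" / "b.bin").write_bytes(bytes(range(16)))
        arc = Path(work, "backup.tar.gz")
        make_backup(src, arc)
        good = restore_drill(arc)
        arc.write_bytes(b"\x00" * 64)  # backup file damaged, or itself encrypted
        bad = restore_drill(arc)
    return good, bad
```

Run the drill on a schedule against real backup media, not just on the day the backup job is configured; a drill that has never been run is the untested restore the post warns about.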
So the State of Louisiana played all their cards right. They knew that being breached was not a matter of if, but of when. Knowing that, they had working, tested backup and restore capabilities in place. They also had a crew knowledgeable about security helping to provide direction, and a response team ready to go with a recovery plan that was quickly implemented.
One thing to always keep in mind is that security is a journey and not a destination. You need to actively stay on top of things. Part of that is having a better understanding of what is going on with the bad guys, and this presentation by Phil Trainor at Tech Field Day 20 provides useful insight into the latest from the world of malware, ransomware and mining. Shout out to Steve Foskett's team at #TFD and in particular the Packet Pushers guys Greg Ferro and Ethan Banks.
By the way, while you probably knew that bad guys are increasingly using encryption to hide attacks and exfiltration, did you know that they are now doing so over Tor? This and other fun facts are in Phil’s presentation.
Build a team, have a plan, make sure your backups restore, and stay safe.
Thanks for reading.
By the way, we all know that threat hunting can be a bit like looking for needles in a haystack. With ThreatARMOR, your haystack just got a whole lot smaller.