
THE DEFINITIVE GUIDE TO SURVIVING A RANSOMWARE ATTACK.

_____

www.sollensys.com

TABLE OF CONTENTS

The Anatomy of a Ransomware Attack
    How Businesses Become Victims
    Progression of a Ransomware Attack
    How to Mitigate Ransomware Disruption

How to Spot the Lure
    What Phishing Attempts Look Like
    Things You Can Do to Help Avoid Falling for a Phishing Attack

Industry Insights
    Industrial
    Retail
    Healthcare


THE ANATOMY OF A RANSOMWARE ATTACK.

Ransomware is the most common form of attack in today's threat landscape, with over 184 million attacks causing 205,000 businesses to lose access to their data in 2019. Large companies aren't the only target-- small businesses account for 20% of ransomware attacks. This is largely a result of the mass proliferation of hacking tools available on the "dark web"-- a part of the internet reachable only through specialized anonymizing software such as the Tor Browser, which uses addresses ending in .onion rather than the familiar .com, .org, and .net.

[Chart: estimated ransomware damages; the figures shown are $8 billion, $11.5 billion and $20.5 billion, across 2018 and 2019.]

Part of the problem is self-inflicted: a number of sophisticated network penetration tools and exploits targeting Microsoft, Juniper, and Cisco technologies were leaked right out of the NSA's offensive toolkit. Now ransomware is a cottage industry, and the appearance of ransomware-as-a-service (RaaS) has allowed attackers with far less technical acumen to pose a persistent and pervasive threat to organizations across the globe. Over the past decade, the world has been hit by a litany of nasty strains, some of the most damaging being:

Strain          Years active      Est. victims    Est. damages
CryptoLocker    2013 - 2014       250,000         $3,000,000 - $27,000,000
CryptoWall      2014 - 2016       992             $18,000,000 - $325,000,000
WannaCry        2017              53              $1,000,000,000 - $4,000,000,000
NotPetya        2017              200             $1,200,000,000 - $10,000,000,000
Ryuk            2018 - present    132             $150,000,000 reported and counting

The cost of ransomware goes far beyond the ransom itself. The estimated damages above include the time cost of disruption, which averages upwards of 15 days, and clean-up that can take months, leading to significant lost revenue. In the worst cases, these attacks hit global supply chain companies, international banks, and large-scale industrial operations, where every day of downtime compounds the cost.

Recent attacks have become more targeted, with fewer attempts and much higher ransom demands. For example, a particularly troublesome strain of ransomware known as Ryuk typically demands between $100,000 and $500,000 and targets only high-value enterprise environments. This is in stark contrast to earlier strains that employed a spray-and-pray strategy with demands in the hundreds of dollars.


HOW BUSINESSES BECOME VICTIMS

Some attacks are purely automated and are comparatively easy to thwart, while more sophisticated attacks are human operated. In either case, the general stages of a ransomware attack follow a relatively standardized set of objectives:

Steps of a Ransomware Attack

The Initial Breach

Human-operated attacks draw from a set of common tactics to breach enterprise networks, the two most common being:

• Direct credential theft via phishing campaigns targeted at employees and company leadership.
• Penetration through Remote Desktop Protocol (RDP) services that enterprises run with ports exposed to the internet.

• Targeted phishing campaigns: Emails and other communication, disguised as official business, often result in an employee opening an infected attachment, clicking through to a malicious site, or entering their credentials on a fake site. Depending on which source is referenced, phishing is the entry point for between 25% and more than 60% of all ransomware attacks.

• Internet-facing RDP servers: Misconfigured servers, weak credentials, lack of multi-factor authentication, and other weaknesses allow attackers to find open RDP ports and use brute-force tools to gain access to a machine from which to mount their attack. To add insult to injury, RDP credentials for a long and growing list of enterprise IP addresses can be purchased for as little as $20 on the dark web.

• System Reconnaissance: Ideally, this is when a security solution should pick up on unusual activity. However, most security suites ultimately rely on perimeter defenses to keep threats out and are less adept at spotting an attacker once that perimeter has been crossed through phishing or an exposed RDP service. Worse, once attackers are inside the network they make themselves at home, often spending weeks and in some cases months inside. What are they up to?

• Lateral Movement: Cyber-criminals learn how to disable security and build in backdoors. They watch how the network is used. They can see file systems, shared folders and files, and who's sharing what with whom. They use these observations to identify the data stores an organization relies on for day-to-day operations, the admin accounts to target for further credential theft, and the network locations of any backups.


The endgame of all this activity is to compromise the enterprise's domain administrator credentials, which grant full control of any workstation or server-- meaning attackers can install, edit, delete, and move things anywhere on the corporate network with impunity. Attackers use a variety of tools to this end:

• Mimikatz & LaZagne: tools for retrieving credentials stored in memory and in other software
• PowerSploit: a collection of PowerShell scripts that subvert security measures and maintain attacker persistence on the network
• BloodHound & AdFind: tools to query and visualize the Active Directory domain, complete with devices, logged-in users, resources, and permissions
• PsExec: allows attackers to execute processes remotely

Even in cases where organizations have implemented endpoint detection and sensors, there are often holes in the form of unpatched and unprotected workstations, predictable logins, too many admin accounts, and misconfigured servers. These are exploited to gain escalated privileges on the network. With these expanded credentials and scripting tools, ransomware payloads and other malware are quietly spread unabated to other machines on the corporate network in preparation for detonation.

______
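Both the RDP entry point described under The Initial Breach and the PsExec-style spread described here leave traces in the Windows Security log: a brute force against an exposed RDP service is a burst of failed logons (Event ID 4625, logon type 10 = RemoteInteractive) from one source, often followed by a success (4624) from the same source, and a fan-out over admin shares is one account opening network logons (4624, logon type 3) on many hosts within minutes. The detector below is an added example written for this guide, not Sollensys code. The event IDs and logon types are the standard Windows ones; the key=value line format and every sample event are constructed for the example (documentation IP ranges, invented host and account names).

```python
"""Spot two ransomware precursors in Windows Security logon events.

Added example for this guide (not Sollensys code). Event IDs and logon types
are the standard Windows ones: 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive (RDP), logon type 3 = Network (SMB shares,
PsExec-style remote execution). The line format and all events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a brute force from 203.0.113.7 that finally lands on
# jsmith, one legitimate typo by alice, and svc_backup fanning out over SMB.
SAMPLE_EVENTS = """\
2020-10-02T01:00:01 event=4625 logon_type=10 account=administrator src=203.0.113.7 host=RDP-GW1
2020-10-02T01:00:09 event=4625 logon_type=10 account=administrator src=203.0.113.7 host=RDP-GW1
2020-10-02T01:00:17 event=4625 logon_type=10 account=admin src=203.0.113.7 host=RDP-GW1
2020-10-02T01:00:25 event=4625 logon_type=10 account=admin src=203.0.113.7 host=RDP-GW1
2020-10-02T01:00:33 event=4625 logon_type=10 account=backup src=203.0.113.7 host=RDP-GW1
2020-10-02T01:00:41 event=4625 logon_type=10 account=jsmith src=203.0.113.7 host=RDP-GW1
2020-10-02T01:00:49 event=4625 logon_type=10 account=jsmith src=203.0.113.7 host=RDP-GW1
2020-10-02T01:00:57 event=4625 logon_type=10 account=jsmith src=203.0.113.7 host=RDP-GW1
2020-10-02T01:01:05 event=4624 logon_type=10 account=jsmith src=203.0.113.7 host=RDP-GW1
2020-10-02T08:15:02 event=4625 logon_type=10 account=alice src=198.51.100.4 host=RDP-GW1
2020-10-02T08:15:20 event=4624 logon_type=10 account=alice src=198.51.100.4 host=RDP-GW1
2020-10-02T08:20:00 event=4624 logon_type=3 account=alice src=10.0.5.21 host=FS01
2020-10-02T08:21:00 event=4624 logon_type=3 account=alice src=10.0.5.21 host=PRINT01
2020-10-02T03:10:00 event=4624 logon_type=3 account=svc_backup src=10.0.0.15 host=FS01
2020-10-02T03:10:04 event=4624 logon_type=3 account=svc_backup src=10.0.0.15 host=FS02
2020-10-02T03:10:09 event=4624 logon_type=3 account=svc_backup src=10.0.0.15 host=WS-11
2020-10-02T03:10:13 event=4624 logon_type=3 account=svc_backup src=10.0.0.15 host=WS-12
2020-10-02T03:10:18 event=4624 logon_type=3 account=svc_backup src=10.0.0.15 host=WS-13
"""


def parse_events(text):
    """Parse '<iso-timestamp> key=value ...' lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["event"] = int(ev["event"])
        ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _has_burst(times, threshold, window):
    """True if `threshold` or more (sorted) timestamps fall inside one `window`."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect_rdp_bruteforce(events, threshold=8, window=timedelta(minutes=5)):
    """Sources with >= threshold failed RDP logons inside `window`. Also reports
    how many accounts were tried and whether an RDP logon from the same source
    succeeded afterwards (i.e. the brute force worked)."""
    rdp = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10:
            rdp[ev["src"]].append(ev)
    findings = {}
    for src, evs in rdp.items():
        failures = [e for e in evs if e["event"] == 4625]
        if not failures or not _has_burst([e["ts"] for e in failures], threshold, window):
            continue
        first_fail = failures[0]["ts"]
        success = next((e for e in evs if e["event"] == 4624 and e["ts"] >= first_fail), None)
        findings[src] = {
            "failures": len(failures),
            "accounts_tried": len({e["account"] for e in failures}),
            "success_account": success["account"] if success else None,
        }
    return findings


def detect_lateral_fanout(events, min_hosts=4, window=timedelta(minutes=10)):
    """Accounts that opened network logons on >= min_hosts distinct hosts inside
    `window`; returns every host such an account touched."""
    net = defaultdict(list)
    for ev in events:
        if ev["event"] == 4624 and ev["logon_type"] == 3:
            net[ev["account"]].append(ev)
    findings = {}
    for account, evs in net.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["host"] for e in evs[start:end + 1]}) >= min_hosts:
                findings[account] = sorted({e["host"] for e in evs})
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("RDP brute force:", detect_rdp_bruteforce(evs))
    print("Lateral fan-out:", detect_lateral_fanout(evs))
```

The thresholds are deliberately conservative: a single user mistyping a password (alice above) never trips the brute-force rule, and an account that touches two file servers is normal. Tune the window and counts to your own environment, and treat a success that follows a burst as an incident, not an alert.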

Backup Deletion and/or Encryption

In the latter stages of the attack, backups are targeted for deletion or encryption. This is typically the penultimate stage of a ransomware attack, when attackers have the highest level of access to the corporate network and the most intel on critical systems and data. By this point, attackers have already killed the processes and security controls that might have been able to stop backup deletion or encryption.
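On Windows hosts this stage usually begins with a handful of well-known commands that wipe local recovery points before the payload runs: deleting Volume Shadow Copies (vssadmin, wmic, Win32_ShadowCopy via PowerShell), shrinking shadow storage so existing copies are discarded, deleting the Windows Backup catalog (wbadmin), and disabling boot recovery (bcdedit). The following detector is an added example written for this guide, not Sollensys code; the command patterns are the standard ones catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery), and the process-creation events it runs over are constructed.

```python
"""Flag commands that destroy local recovery points before ransomware detonates.

Added example for this guide (not Sollensys code). The command patterns are the
well-known shadow-copy / backup-catalog / boot-recovery tampering commands
(MITRE ATT&CK T1490, Inhibit System Recovery); the process events are constructed.
"""
import re

# Constructed sample of process-creation events (what Security Event 4688 or
# Sysmon Event 1 would record), one dict per process start.
_FIELDS = ("host", "user", "parent", "cmdline")
SAMPLE_PROCESSES = [dict(zip(_FIELDS, row)) for row in [
    ("FS01", r"CORP\svc_backup", "cmd.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("FS01", r"CORP\svc_backup", "cmd.exe", "wmic.exe shadowcopy delete"),
    ("FS01", r"CORP\svc_backup", "cmd.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    ("FS01", r"CORP\svc_backup", "cmd.exe", "wbadmin.exe delete catalog -quiet"),
    ("WS-11", r"CORP\alice", "explorer.exe", "vssadmin.exe list shadows"),  # benign: lists only
    ("BK01", r"NT AUTHORITY\SYSTEM", "services.exe",
     "vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"),
]]

# (rule name, pattern) -- case-insensitive, tolerant of the optional .exe suffix.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shrink shadow storage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete backup catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("PowerShell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy.*delete", re.I)),
]


def classify(cmdline):
    """Names of every rule the command line matches (empty = nothing suspicious)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def find_recovery_inhibition(events):
    """Every process event matching at least one rule, with the rule names attached."""
    hits = []
    for ev in events:
        names = classify(ev["cmdline"])
        if names:
            hits.append({**ev, "rules": names})
    return hits


def hosts_at_risk(events, min_distinct_rules=2):
    """Hosts on which two or more *different* techniques ran. A single command can
    be a legitimate admin task or a backup product doing housekeeping; several in
    a row on one host is the pre-detonation pattern described above."""
    per_host = {}
    for hit in find_recovery_inhibition(events):
        per_host.setdefault(hit["host"], set()).update(hit["rules"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    for hit in find_recovery_inhibition(SAMPLE_PROCESSES):
        print(hit["host"], hit["user"], hit["rules"])
    print("hosts at risk:", hosts_at_risk(SAMPLE_PROCESSES))
```

Note the two-tier output: every single match is worth logging, but BK01's lone shadow-storage resize under SYSTEM is the kind of thing a backup agent does, whereas FS01 running four different recovery-killing commands from one service account in a row is the signal to pull the plug on that host.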

Launch Attack

The attackers finally detonate the ransomware, oftentimes at a time they figure the IT staff will be less available-- holidays, Friday nights, etc. The ransomware encrypts everything it touches and leaves a ransom note. Sometimes, as in the recent UHS medical hack, workstations not only have their data locked but simply shut down. While the ransom demand itself can be expensive, downtime is one of the most dangerous effects of an attack, often taking days to weeks just to get over the initial impact. That's why it's so important to have a robust backup strategy and business continuity plan to mitigate the worst effects of an attack.

HOW TO MITIGATE RANSOMWARE DISRUPTION

1. Companywide education on how to spot phishing attempts-- security is only as good as the weakest link, and invariably in cybersecurity that weak link is people.
2. Proper network configuration-- many successful ransomware attacks exploit common sys-admin configurations. Multi-factor authentication for admin functions and remote access, centralized (cloud) logging, strong passwords, segmented networks, and similar measures help protect the network.
3. 3-2-1 backup rule-- on a long enough time horizon compromise is inevitable, so it's important to have enough backups handy. A common prescription is the 3-2-1 backup rule: 3 copies of the data, on 2 different media, with 1 copy offsite.
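The 3-2-1 rule says nothing about who can delete the copies, and the Backup Deletion stage above is carried out by someone who already holds domain-admin credentials. A backup set can therefore satisfy 3-2-1 on paper and still vanish with the rest of the domain. The audit below is an added example written for this guide, not Sollensys code; it checks the three 3-2-1 conditions plus that one copy is out of reach of domain credentials (offline tape, or immutable/object-locked storage with its own account). The inventory entries are constructed.

```python
"""Audit a backup set against the 3-2-1 rule, plus the condition 3-2-1 leaves out.

Added example for this guide (not Sollensys code). The extra check reflects the
backup-deletion stage described earlier: by then the attacker usually holds
domain-admin credentials, so a copy those credentials can reach over the
network does not count as a survivor. Inventory entries are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                    # "disk", "tape", "object-storage", ...
    offsite: bool
    domain_creds_can_delete: bool  # reachable and writable with the domain's admin credentials?


def audit_backups(copies):
    """Return {check name: passed}. `copies` lists every copy of the data,
    production included, which is the usual reading of '3 copies'."""
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.medium for c in copies}) >= 2,
        "1 offsite copy": any(c.offsite for c in copies),
        "1 copy beyond domain-admin reach": any(not c.domain_creds_can_delete for c in copies),
    }


def failed_checks(copies):
    """Names of the checks the set fails, in audit order."""
    return [name for name, ok in audit_backups(copies).items() if not ok]


# Constructed weak set: passes 3-2-1 on paper, yet every copy dies with the domain.
WEAK = [
    BackupCopy("production file server", "disk", offsite=False, domain_creds_can_delete=True),
    BackupCopy("nightly copy on the NAS", "disk", offsite=False, domain_creds_can_delete=True),
    BackupCopy("cloud bucket, keys held by the domain-joined backup server",
               "object-storage", offsite=True, domain_creds_can_delete=True),
]
# Corrected set: the offsite copies use object lock / offline tape and separate credentials.
FIXED = WEAK[:2] + [
    BackupCopy("cloud bucket with object lock, separate account and MFA",
               "object-storage", offsite=True, domain_creds_can_delete=False),
    BackupCopy("weekly tape rotated offsite", "tape", offsite=True, domain_creds_can_delete=False),
]

if __name__ == "__main__":
    for label, copies in (("weak", WEAK), ("fixed", FIXED)):
        print(label, failed_checks(copies) or "all checks pass")
```

The "beyond domain-admin reach" answer has to come from an honest look at how each copy is written: a cloud replica whose credentials live on a domain-joined server is, for this purpose, just another network share.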


WHAT PHISHING ATTEMPTS LOOK LIKE

Phishing scams are communications-- emails, texts, social media messages-- that pretend to be something they are not in order to get the recipient to click a malicious link or download an attachment. This guide is written for the broad spectrum of employees in a company, particularly the less technical, to help them identify and avoid the common phishing tactics attackers use to gain access to company networks.

According to Verizon's Data Breach Investigations Report, 70% of breaches featured phishing campaigns that used social engineering tactics. These phishing operations are the gateway to some serious business continuity challenges. Employee phishing often results in credential theft, which gives attackers access to some part of your network.

From there, sophisticated attackers shift to quiet reconnaissance over days, weeks, and in some cases months, finding ever more clever ways of escalating their privileges to administrator level. They identify critical databases and the network location of backups, and they create backdoors into the system in case they're discovered. At some point they delete the backups and deploy the ransomware payload, which encrypts all the critical data systems and demands payment for the unlock key.

While organizations use a variety of technologies to minimize how many malicious attempts can get through-- email filters, link checking, attachment scanning, endpoint protection-- the reality is that these methods sometimes fail. They are not robust enough to deter the persistent lone wolf attackers, sophisticated organizations, and sometimes nation-states bent on getting to employees of businesses of all kinds.

Today, even mom-and-pop businesses are targeted constantly, while larger companies may see thousands of attempts on their networks daily. The last line of protection is always the user, and security is only as strong as the weakest link. Because of that, security is a team sport, requiring everyone in the company to be on board and understand their role in the overall security posture of the organization.

One of the most important aspects of cybersecurity is for employees to understand how to spot phishing attempts.

From an employee perspective, falling for phishing attempts can be a threat to their very career. Some organizations institute a 3-strike policy where the first two strikes lead to mandatory infosec training with the third strike leading to termination. Others adopt a more positive reinforcement approach, using reward systems for reporting suspicious communications. Either way, it’s best that everyone in a company be aware of and can spot phishing tactics.

While there is a myriad of lures on the phishing menu, the general idea of a phishing attempt is to create urgency or fear. Attackers exploit the ancient fight-or-flight response just long enough to motivate an action-- click a link, enter credentials, download a file, or install something-- that under normal circumstances the target would never take.


If there’s one thing to remember, it would be that if you get an unexpected communication that triggers a fear/panic response, STOP. Assess. Be immediately suspicious of any unexpected communication driving you to take action. These attempts come through the usual communication channels, including:

• An email
• A phone call
• A text message
• A social media message

Before diving into specific examples, a few high-level details:

1. When in doubt, stop. Assess. You have time. Remember that phishing relies on scaring you into doing something right now, while you're afraid and may not have all your wits about you.
2. Don't click anything in a suspicious email-- sometimes the email body text is actually one big image that links to a malware site.
3. Never preview unsolicited attachments-- the preview alone can be enough to run the malware.
4. Hover over the "from" field to see the actual sender address rather than just the sender name, which is easy to fake-- oftentimes this is an easy way to see that an email is obviously bogus.
5. If needed, quickly verify with the supposed sender of the message via a non-email route, for example a text, Slack message, or phone call.
6. Check for poor grammar, typos, and odd sentence structure-- many of these attackers are not native English speakers.
7. Forward any suspicious communication to your IT manager. Contrary to what you might think, IT folks would much rather have you bother them about stuff like this now than have their weekends vaporized for the next few months while they clean up after a breach.

______

THE MANY FACES OF PHISHING

Claim There's a Problem with an Account

Companies with which you have accounts know your name, so check the salutation. A genuine billing notice also identifies the payment method that was tried, for example the last 4 digits and expiration date of the card. The fake email doesn't address you directly and gives no information about the payment method that supposedly failed. When in doubt, DO NOT CLICK ON ANYTHING IN THE EMAIL. Log in to the service directly if you're concerned-- any billing problem will certainly be made front and center in the form of notifications or screen take-overs.


Include an Unexpected Attachment Never download an unsolicited attachment, no matter how threatening or urgent a communication may appear. Forward any suspicious, unsolicited emails to your IT manager. If you’re concerned for an actual client, verify any communication or attachment via another channel-- such as a text or phone call.

______

Request Gift Card Purchase An email that looks like it’s from on high in your company urgently demanding gift cards for clients or employees. Easiest thing to do here is verify with the supposed sender through a different media-- Slack message, text, or phone call. Or, better yet, disregard the email because your CEO probably wouldn’t be sending you this message anyway. Forward any suspicious communications like this to your IT manager as it may indicate a compromised email account in your C-suite as well as provide a warning to other employees likely receiving similar messages.

______

Confirm Account Ownership

A legitimate provider will not send an unsolicited email asking you to 're-validate' or 'verify' your details through a link in the message. If you get something like this, don't click on anything in it. If you're concerned something is actually going on with your account, go directly to the provider's main website and log in from there; any real problem will show up as a notification or message in your account. If you do click on something like this, it will often take you to a mostly legitimate-looking webpage, but there will be tells, for example a URL that is not the provider's own domain. A convenient safeguard is to keep credential auto-fill (your browser's or a standalone password manager's) enabled: it fills saved credentials only on the exact site they were saved for, so if the login form on a page that looks like your provider's stays empty, treat that as a warning sign.
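The reason auto-fill is a useful tell is that a password manager matches on the page's origin (scheme, host and port), not on what the page looks like. The function below is an added example written for this guide, not Sollensys code or any particular password manager's implementation; it models that origin check and labels the common tricks it defeats: a lookalike host that merely contains the real one, a user@host URL whose real host hides after the @, a plain-http copy of the page, and an internationalized (xn--) hostname that may be a homograph. The saved vault and the URLs are constructed from reserved example domains and a documentation IP.

```python
"""Why a password manager's autofill is a phishing tell: it fills only on the
exact origin the credential was saved for.

Added example for this guide (not Sollensys code), modelling the origin check
browsers and password managers perform. The vault and URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed vault: saved origin -> username. Real managers key on origin
# (scheme + host + port), never on what the page looks like.
VAULT = {
    "https://accounts.example.com": "alice@example.com",
    "https://mail.example.org": "alice",
}


def origin(url):
    """scheme://host[:port], with the scheme's default port dropped."""
    p = urlsplit(url)
    host = p.hostname or ""
    default = {"https": 443, "http": 80}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{host}{port}"


def lookalike_of(host):
    """A saved host embedded inside a different host, e.g. the saved
    accounts.example.com inside accounts.example.com.login-verify.net.
    (A real sub-domain of a saved site would be flagged too; it should
    simply have its own vault entry.)"""
    for saved in VAULT:
        saved_host = urlsplit(saved).hostname
        if saved_host != host and saved_host in host:
            return saved_host
    return None


def autofill_decision(url):
    """Return (username or None, reason) as a manager would decide for this URL."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.scheme != "https":
        return None, "not https"
    if origin(url) in VAULT:
        return VAULT[origin(url)], "exact origin match"
    if any(label.startswith("xn--") for label in host.split(".")):
        return None, "internationalized hostname (possible homograph)"
    saved_host = lookalike_of(host)
    if saved_host:
        return None, f"lookalike of {saved_host}"
    return None, f"no saved credential for {origin(url)}"


if __name__ == "__main__":
    for u in ("https://accounts.example.com/login",
              "https://accounts.example.com.login-verify.net/login",
              "https://accounts.example.com@203.0.113.9/login",
              "http://accounts.example.com/login"):
        print(u, "->", autofill_decision(u))
```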


Send a Shutdown Notification

This kind of message will never be sent by a legitimate company. You can disregard it outright, but if you have a lingering concern, log in to your email provider directly, check the dashboard for any notifications or messages, and for good measure contact support online or by phone using the contact details in the provider's service dashboard.

______

Request to Review Suspicious Activity

Don't let the address in the "From" field fool you: phishing attempts can spoof the sender address so that it looks legitimate at first glance. The best thing to do in this scenario is not to click anything in the email; disregard and delete it. Log in to your account directly if you have any actual concern-- any official communication will show up as a notification or message in the service dashboard.
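Two of the checks from the list above can be done on the raw message headers: the "from" address versus the display name (item 4), and whether the From address was actually spoofed, which is what the mail server's SPF, DKIM and DMARC results record. The triage function below is an added example written for this guide, not Sollensys code; it reads the Return-Path, Reply-To, From and Authentication-Results headers with Python's standard email library and flags the mismatches a spoofed or display-name-faked message leaves behind, plus links whose host is not under the sender's domain. The three messages are constructed (example.org plays the bank; the attacker's domains use the reserved .test TLD).

```python
"""Header triage for a suspicious email: spoofed From, faked display name,
redirected replies, failed SPF/DKIM/DMARC, and links off the sender's domain.

Added example for this guide (not Sollensys code). All three messages are
constructed; example.org plays the bank and the attacker uses .test domains.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

RAW_LEGIT = """\
Return-Path: <bounce@example.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: "Example Bank" <alerts@example.org>
To: <alice@example.com>
Subject: Your statement is ready

Sign in at https://www.example.org/ to view your statement.
"""

# Spoofed From: the address looks right, but the envelope, the auth results
# and the link all point elsewhere.
RAW_SPOOFED = """\
Return-Path: <bounce@alerts-center.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=alerts-center.test; dkim=none; dmarc=fail header.from=example.org
From: "Example Bank Security" <alerts@example.org>
Reply-To: <review@alerts-center.test>
To: <alice@example.com>
Subject: Suspicious activity on your account - action required

Review the activity now: https://example.org.review-login.test/secure
"""

# Display-name trick: the *name* is the bank's address, the real sender is not.
RAW_DISPLAY_NAME = """\
From: "alerts@example.org" <notice@alerts-center.test>
To: <alice@example.com>
Subject: Your account will be suspended

Confirm your account: https://alerts-center.test/confirm
"""


def _domain(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return a list of human-readable findings; an empty list is a clean header set."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    # Item 4 above: a display name that is itself an address at another domain.
    if "@" in display and display.rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name '{display}' does not match sender {addr}")

    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Spoofing check: what the receiving server concluded. Absent results are
    # reported too, because "missing" gives you nothing to trust.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech} {result}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlsplit(url).hostname or ""
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link host {host} is not under {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", RAW_LEGIT), ("spoofed", RAW_SPOOFED), ("display", RAW_DISPLAY_NAME)):
        print(label, triage(raw) or ["clean"])
```

Authentication-Results is written by your own receiving mail server, so it can be trusted only when your server actually adds it; a message with none should be treated as unverified, not as clean.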

______

Invite People to a Virtual Meeting

This has been a very popular attack in 2020, especially as COVID has led to a dramatic rise in work-from-home arrangements. The best thing to do in this scenario is not to click on anything; disregard and delete the email, then verify with your boss on a different (non-email) channel, such as a text, Slack message, or phone call.

______


Report a Mailbox Issue With a Link to Fix It

If any communication like this comes your way, disregard the email and delete it. There's a lot wrong here: the sender's domain is not the user's mail provider, and a genuine quota warning would come from the provider's own domain and appear in the provider's dashboard, not arrive as an unsolicited link. If you have an actual concern, log in to the service directly.

______

Claim You're Eligible for a Government Refund

Don't click on anything in the email and don't download any attachment. The IRS makes it very clear that they "do not initiate contact with taxpayers by email to request personal or financial information." The same holds for other government agencies: official communication from them arrives by postal mail.

______

Offer a Coupon from a Popular Company Two things could happen if you click on one of these scams. You could be taken to a bogus website that asks you to fill in personal information to “redeem your coupon” or, worst case scenario, you could be taken to a bogus website that begins quietly installing malware on your computer. This malware can be anything from keyloggers that will help an attacker capture login credentials to ransomware software that locks computers on your network and demands payment.

______


Send Fake Text Messages

Lots of text message scams have been going around recently as well, especially about packages you never ordered, with tracking numbers that are obviously bogus and shady links you most certainly won't recognize. If you're curious, you can run the link through a URL checker like VirusTotal, but BEWARE: new malware sites come online all the time and may not yet be listed in the malware domain database, so if a link looks suspicious, it is not worth clicking.

Again, when in doubt, or when a communication you receive elicits a panic response:

1. Stop. Slow down. Nothing via email would be that urgent.
2. Don't click on anything in the email/communication.
3. Forward any suspicious communication to your IT manager.
4. Before opening attachments, test them with a service that checks for viruses. Be sure not to preview or open the file, as that may trigger any malware living inside:
   • https://www.joesandbox.com/#windows
   Keep in mind that anything uploaded to a public sandbox is shared with that service (and public submissions are typically visible to other users), so don't upload attachments that may contain confidential data; hand those to IT instead.
5. Test links with URL checkers that cross-reference known phishing sites:
   • https://www.virustotal.com/gui/home/url
   • https://vms.drweb.com/online/
   • https://urlscan.io/
   Beware: new phishing sites come online constantly and may not yet be registered as a malware domain. When in doubt, see #1.

THINGS YOU CAN DO

1. Companywide education on how to avoid phishing scams
2. Auto-fill password management, which reduces risk if a keylogger has been installed and will not fill credentials on a lookalike site
3. Verify any suspicious communication with the sender on a different channel
4. Report any suspicious communication to your IT manager
5. Back up all data!
