
Protecting Media Production Companies against Ransomware

Rob Gonsalves, Avid Technology, Inc., Burlington, Massachusetts, [email protected]

Abstract - Ransomware, a type of malicious software designed to block access to digital assets until a sum of money is paid, represents a growing threat for media production companies, as digital media assets are a valued target for hackers. To protect their media assets and mitigate the risk of these types of attacks, companies can implement a set of security policies, procedures and systems. Deploying and operating Disaster Recovery (DR) systems with specific safeguards against ransomware will help companies retrieve valuable files without having to pay cyber-criminals. This paper discusses the growing threat of ransomware to media companies and covers the key concepts for understanding and building security and DR systems with specific safeguards against ransomware. Using these techniques, critical business functions can continue in the event of an attack.

RANSOMWARE

Ransomware is a form of malware that encrypts data files and holds these files for ransom. After the initial infection, the malware begins encrypting files on local drives, shared storage, and potentially other computers on the network. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demanding a ransom payment in exchange for a decryption key [1]. The ransom fee is typically $300 to $10,000 and is to be paid via Bitcoin or another form of anonymous payment system [2].

Ransomware can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization's reputation [3].

Ransomware is a growing threat. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015 [3].

I. A Ransomware Attack

The following sequence of illustrations shows what happens in a typical ransomware attack.

FIGURE 1 - INITIAL RANSOMWARE ATTACK

The initial attack often comes when a user inadvertently downloads and installs malware from a website. After installation, the ransomware quietly searches for and encrypts files. Its goal is to stay below the radar until it can find and encrypt all of the files that could be of value to the user. By the time the company is presented with the malware's message with the ransom demand, the damage has already been done [2].

FIGURE 2 - CLEANUP AND PAYMENT

The malware can be removed from the systems, but if enough important files have been encrypted, the company may decide to pay the ransom. If so, money is deposited in the cyber-criminal's Bitcoin account.

FIGURE 3 - RANSOM PAYMENT AND DECRYPTION

The cyber-criminal sends the private key, which is used to unlock the encrypted documents. Note that the ransomware renames the files after encryption, using extensions like .crypted or .locky.

II. Ransomware Families

Cyber-criminals use variants of base malware software to perpetrate their crime. These base packages are grouped into families of ransomware. The following chart shows the most common ransomware families that were active in 2016.

FIGURE 4 – TOP RANSOMWARE FAMILIES FOR 2016 (pie chart: Tescrypt 42%, Crowti 17%, Fakebsod 15%, Brolo 9%, Locky 7%, Others 10%)

You can see that the top three families, Tescrypt, Crowti, and Fakebsod, account for nearly 75% of all attacks last year [4]. More information about the specifics of these ransomware families is available from Microsoft's Malware Prevention Center.

III. Targeted Files

The ransomware software doesn't try to encrypt every file on the infected system. It looks for specific file types to encrypt that are likely to contain high value content. Over 300 file extensions are targeted [4]. Table 1 shows some of the common file extensions grouped by areas of usage.

File Usage      File Extensions
Archive         .7z .gz . .zip
Development     .asp .bat .c .class .cpp .cs .h .hpp .jar .java .js .m .sql .vb .xml
General Use     .doc .docx .pdf .ppt .pptx .txt .xls .xlsx
Media Assets    .jpeg .jpg .m4a .mov .mp3 .mp4 .mpeg .mpg .png .psd .raw .svg .tif .tiff .wav .wma .wmv

TABLE 1 – TARGETED FILE TYPES

PREVENTION MEASURES

There are several strategies that companies can use to mitigate the threat of ransomware. The first and foremost is prevention – don't allow malware to infect the systems in the first place. Prevention steps include user training, patch management, managing file permissions, deploying endpoint security software, and the use of shadow copies on client computers.

I. User Training

Most ransomware spreads through phishing and scam emails. User training plays an important role in preventing security breaches [5]. Employees need to know the policies and practices they are expected to follow regarding Internet safety, and what to do if a breach occurs [6].

II. Patch Management

One of the most common methods for ransomware to get in is to exploit security flaws in commonly used software, like web browsers. The best defense against malware infections is to ensure that your software is up to date with security patches. The use of automatic updates ensures that you are using the latest versions of software, which often contain security fixes [2].

III. File Permissions

Another step to mitigate ransomware is to manage the use of privileged accounts. No users should be assigned administrative access unless absolutely needed, and administrator accounts should only be used when necessary. Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don't need write access to those files or directories [1]. Ransomware runs with the rights of the user who launched it, so every share a user cannot write to is a share it cannot encrypt.

IV. Endpoint Security Software

Endpoint security systems are a good defense against ransomware. Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans [1]. Consider using a managed endpoint security solution that allows IT to centralize security for the entire organization and take full control of these measures. Doing so will drastically decrease the threats from computer viruses and malware, including ransomware [7].

V. Shadow Copies

Client computers can be set up to make recovery points at regular intervals. These backups are called shadow copies. If this service is enabled and the ransomware does not interfere with this feature, it may be possible to recover some files using this method [2]. However, newer families of ransomware try to delete all the shadow copies, so this may not help in all cases [5].

VI. STIGs

A Security Technical Implementation Guide (STIG) is a cybersecurity methodology for standardizing security protocols within networks, servers, computers, and logical designs that enhance overall security. These guides, when implemented, enhance security for software, hardware, physical and logical architectures to further reduce vulnerabilities [8]. The US National Institute of Standards and Technology keeps a database of security checklists for various operating systems and applications [9].
PROTECTING ASSETS WITH DR SYSTEMS

A key component of preparing for a ransomware attack is developing a robust backup strategy and making regular backups. In the event that your system is attacked and files are encrypted, your only viable option is to restore the backup. Your other options are to pay the ransom or lose the data [7]. Making backups is always a good idea, even without the threat of ransomware. Backups are an essential part of disaster recovery (DR) plans, which all businesses should have [2]. To learn about deploying a DR system for media production companies, see the technical brief, "Avid MediaCentral Platform Disaster Recovery Systems" [10].

DR systems can be configured to address the specific threats of ransomware, using techniques like deferred deletes, threshold triggering, and multiple backups. These techniques are described in general in the following sections. You can find example scripts that show an implementation of these techniques in the Appendix. Whichever technique is used, the backup share should be writable only by the account that runs the DR script: if ordinary users can write to the backup server, ransomware running as one of them can encrypt the backups directly, and none of the techniques below will help.

I. Basic Disaster Recovery

A common DR practice is to have two systems running, a primary system where daily work is done, and a backup system which is used to keep a safe copy of the work. A script runs nightly, making a mirror copy of the files on the primary system to the backup system.

FIGURE 5 – BASIC DR SYSTEM

Figure 5 shows how the basic system works. In this example, a green file is created on Monday, a blue file is created on Tuesday, and a purple file is created on Wednesday. A ransomware attack hits on Wednesday, encrypting the green file, and spreads to encrypt all remaining files on Thursday. Without being tuned to handle ransomware attacks, the system blindly copies new and changed files every night. By Friday, all files on both the primary and backup system are encrypted.

II. Deferred Deletes

Because the ransomware renames files after encryption, each affected file will look to the DR script like a deleted file replaced with a new file. For example, if a file named BusinessPlan.docx is encrypted by ransomware and renamed to BusinessPlan.docx.crypted, the script will think that the original BusinessPlan.docx file was deleted and BusinessPlan.docx.crypted is a new file.

One way to prevent the spread of the ransomware attack to the backup is to use scripts that defer deletion of files on the backup system by some period of time, say seven days. This will allow time to recover files after an attack.

FIGURE 6 – DR SYSTEM WITH DEFERRED DELETES

With deferred deletes, the DR system will keep a copy of both the original file and the encrypted file on the backup system. These files will remain on the backup system until the next scheduled run of the script that deletes files.

III. Threshold Triggering

With ransomware attacks, there might not be a demand for payment immediately. So it is important that the activity be noticed quickly. DR scripts can be configured to report storage anomalies, which can help identify that an attack has occurred and is underway [11]. To achieve this, the DR script can be configured to have thresholds for new and deleted files for a workday. If a threshold is breached, the DR script does not run, protecting the assets. The script can be configured to send an alert to system administrators, as part of an early detection system.

FIGURE 7 – THRESHOLD TRIGGERING

In the example above, you can see that the initial ransomware attack on Wednesday goes undetected because it only encrypted one file. But when all the files are encrypted on Thursday, the backup script does not run, and a warning email goes out to the system administrator. Thresholds therefore catch a fast, broad spread but not a slow one that stays under the daily limit, which is a reason to pair them with deferred deletes or multiple copies.

IV. Multiple Copy Backups

A more robust way to perform backups is to create multiple, independent copies of files. If you have enough storage capacity on the backup system, you can configure the DR script to copy files to multiple backup folders. For example, you could have folders named Mon, Tue, Wed, etc. on the backup server. The scripts would then choose which folder to use on the backup system based on the day of the week.

FIGURE 8 – MULTIPLE COPY BACKUPS

In the example, when the ransomware attack hits on Wednesday and Thursday, all files can be safely retrieved because of the multiple daily backups.

V. Combining Techniques

Note that the three DR techniques described above are not mutually exclusive. It is possible to combine two or more, if needed. For example, threshold triggering could be added to the multiple copy backup system. If on any given day the number of files to be copied or deleted on the backup server exceeds the threshold, the DR script would be suspended and an email would be sent to the system administrator.

Conclusions

Ransomware is a growing threat to businesses today. Using prevention measures like user training, patch management, setting file permissions, deploying endpoint security software, and the use of shadow copies reduces the risk of attacks. The use of a Security Technical Implementation Guide will ensure uniform compliance with security practices across companies. Disaster recovery systems configured to address the threat of ransomware will offer a means to recover valuable data in the event of an attack.

APPENDIX – DISASTER RECOVERY SCRIPTS

The following scripts show how to implement the DR techniques described in this paper. Although these batch and PowerShell scripts run only on Windows, the techniques can be adapted to run on Linux or Mac using rsync instead of robocopy.

The following scripts are provided without warranty of any kind. Use at your own risk. Avid and the author are not responsible for lost data or content, or any other loss or damages. Be sure to test the scripts thoroughly on a noncritical staging system before deploying them to your production system.

I. Script for Basic Disaster Recovery

Listing 1 shows a basic DR script. It uses robocopy to mirror the contents of the media folder on the primary system to the backup system.

@rem mirror the contents from the primary to
@rem the backup server
robocopy \\primary\media \\backup\media /purge /e

LISTING 1 – SCRIPT FOR BASIC DISASTER RECOVERY

The /purge option causes robocopy to delete files that are on the backup server but are not present on the primary server. The /e option is to handle all files in nested subfolders.

II. Scripts for Deferred Deletes

In order to defer deletes on the backup server, two scheduled scripts are run, a copy script and a purge script. Listing 2 shows the copy script that runs nightly, copying the contents from the primary to the backup server.

@rem Copy the contents from the primary to the
@rem backup server
robocopy \\primary\media \\backup\media /e

LISTING 2 – SCRIPT FOR NIGHTLY COPIES

Without the /purge option the copy script will copy new or changed files from the primary to the backup server, but it will not delete files. Listing 3 shows the purge script that runs weekly, e.g. Saturday morning, and deletes files that exist on the backup server but are not present on the primary server.

@rem Delete the contents on the backup server
@rem that do not exist on the primary server
robocopy \\primary\media \\backup\media ^
  /e /purge /nocopy

LISTING 3 – SCRIPT FOR WEEKLY PURGES

The /purge /nocopy options make robocopy perform only deletes, not copies. Note that the copy script still overwrites files whose content changed under the same name, so the deferral only preserves files the ransomware renamed.

III. Script for Threshold Triggering

Listing 4 shows a script for threshold triggering, written in Windows PowerShell. It defines thresholds for files to be copied and files to be deleted as a percentage of the number of all the files on the primary server.

#define the paths for primary and backup
$primary = "\\primary\media"
$backup = "\\backup\media"

#set the thresholds (percent of all files on the primary)
$copyThresholdPct = 30.0
$deleteThresholdPct = 15.0

#run the preflight with robocopy and log the output
#(/l lists what would be done and copies nothing)
robocopy $primary $backup /l /e /purge /njh `
  /log:log.txt

#read log.txt to get the file count stats; the summary
#columns are Total, Copied, Skipped, Mismatch, FAILED, Extras
$fileCounts = Get-Content log.txt | `
  Select-String -Pattern "Files :"
if ($null -eq $fileCounts) {
  #no summary line means the preflight failed (e.g. the
  #primary share was unreachable); never run the copy blind
  throw "robocopy preflight produced no file summary"
}
$counts = $fileCounts.Line.Split(" ", `
  [System.StringSplitOptions]::RemoveEmptyEntries)
#cast to integers so the comparisons and the math
#below are numeric rather than string comparisons
[int]$total = $counts[2]
[int]$numCopy = $counts[3]
[int]$numDelete = $counts[7]

#if we have some files to copy or delete
if ($total -gt 0 -and ($numCopy -gt 0 -or `
  $numDelete -gt 0))
{
  #calculate the percentages
  $PctnumCopy = 100 * $numCopy / $total
  $PctnumDelete = 100 * $numDelete / $total

  #if either threshold is exceeded, send an email
  if ($PctnumCopy -gt $copyThresholdPct -or `
    $PctnumDelete -gt $deleteThresholdPct)
  {
    $body = "Total files: {0}, to be copied: {1}, to be deleted: {2}" `
      -f $total, $numCopy, $numDelete
    #fill in the sender, recipient and SMTP server for your site
    Send-MailMessage -From "" `
      -To "" `
      -Subject "Warning - Copy Script Failed" `
      -Body $body `
      -SmtpServer "smtp.foo.com"
  }
  else {
    #run the robocopy to copy/delete the files
    robocopy $primary $backup /e /purge
  }
}

LISTING 4 – SCRIPT FOR THRESHOLD TRIGGERING

The script runs robocopy in a "preflight mode" first to see how many files would be copied and deleted. If both numbers are under their thresholds, then robocopy is run a second time to copy/delete the files on the backup server. If either number is over its threshold, then robocopy is not run a second time. Instead, an email is sent to the system administrator with a warning and the statistics of the operation. The Extras column of the robocopy summary (files on the backup that no longer exist on the primary) is what /purge would delete, which is why the script reads it as the delete count.
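The parsing and threshold decision of Listing 4, as an added example that is not the paper's own script; it is written in Python so it can be run offline against a robocopy summary without a Windows host. The two summaries below are constructed for the example, not real output captured for the paper; the column order Total, Copied, Skipped, Mismatch, FAILED, Extras is what robocopy prints. The 30% and 15% thresholds are the paper's. Two behaviours are added beyond Listing 4 and are labelled as such in the code: a missing summary line raises rather than silently producing zeros, and a primary that reports zero files blocks the run and alerts, because mirroring an empty source with /purge would delete the entire backup.

```python
import re
from dataclasses import dataclass

# Constructed sample summaries (not real output captured for the paper).
# Columns: Total, Copied, Skipped, Mismatch, FAILED, Extras. With /purge,
# Extras is the number of files that would be deleted from the backup.
SAMPLE_LOG_ATTACK = """\
               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :        12         0        12         0         0         0
   Files :       200       150        50         0         0       140
   Bytes :   1.234 g   900.0 m   334.0 m         0         0   800.0 m
"""
SAMPLE_LOG_NORMAL = """\
               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :        12         0        12         0         0         0
   Files :       200         3       197         0         0         2
   Bytes :   1.234 g    12.0 m    1.22 g         0         0     4.0 m
"""

FILES_LINE = re.compile(
    r"^\s*Files\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$",
    re.MULTILINE,
)


@dataclass(frozen=True)
class FileCounts:
    total: int    # files on the primary
    copied: int   # new or changed files robocopy would copy
    extras: int   # files on the backup absent from the primary (deleted by /purge)


def parse_robocopy_summary(log_text: str) -> FileCounts:
    """Extract the 'Files :' summary line from a robocopy /l log.

    Added guard: a missing line (unreachable share, aborted run) raises instead
    of yielding zeros, so a broken preflight can never approve a copy.
    """
    match = FILES_LINE.search(log_text)
    if match is None:
        raise ValueError("no 'Files :' summary line in robocopy log")
    total, copied, _skipped, _mismatch, _failed, extras = map(int, match.groups())
    return FileCounts(total, copied, extras)


@dataclass(frozen=True)
class Decision:
    run: bool          # run the real robocopy /e /purge
    alert: bool        # send the warning e-mail
    copy_pct: float
    delete_pct: float
    reason: str


def threshold_decision(counts: FileCounts,
                       copy_threshold_pct: float = 30.0,
                       delete_threshold_pct: float = 15.0) -> Decision:
    """Listing 4's rule: block the copy and alert when either percentage of
    the primary's file count exceeds its threshold."""
    if counts.total == 0:
        # Added guard: an empty (or vanished) source mirrored with /purge
        # would delete the whole backup, so refuse and alert.
        return Decision(False, True, 0.0, 0.0, "primary reports zero files")
    copy_pct = 100.0 * counts.copied / counts.total
    delete_pct = 100.0 * counts.extras / counts.total
    if copy_pct > copy_threshold_pct or delete_pct > delete_threshold_pct:
        return Decision(False, True, copy_pct, delete_pct, "threshold exceeded")
    return Decision(True, False, copy_pct, delete_pct, "within thresholds")


def alert_body(counts: FileCounts, decision: Decision) -> str:
    """Message body in the same form as Listing 4's e-mail, plus percentages."""
    return ("Total files: {}, to be copied: {} ({:.1f}%), "
            "to be deleted: {} ({:.1f}%): {}").format(
        counts.total, counts.copied, decision.copy_pct,
        counts.extras, decision.delete_pct, decision.reason)


if __name__ == "__main__":
    for label, log in (("attack", SAMPLE_LOG_ATTACK), ("normal", SAMPLE_LOG_NORMAL)):
        counts = parse_robocopy_summary(log)
        decision = threshold_decision(counts)
        state = "RUN" if decision.run else "BLOCKED"
        print(label, "->", state, "|", alert_body(counts, decision))
```

On the attack summary the rule blocks the copy (75% to copy, 70% to delete, both over their thresholds) and alerts; on the normal summary (1.5% and 1.0%) it lets the copy run. The renamed-file pattern from the Deferred Deletes section is what drives both numbers up at once: every encrypted file appears as one new file to copy and one extra to delete.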

IV. Script for Multiple Copy Backup

Listing 5 shows a script for making multiple copy backups using folders named for the days of the week.

@rem Mirror the contents from the primary to the
@rem backup server, using folders for each day
@rem of the week. %DATE:~0,3% takes the first three
@rem characters of the date, which is the day name
@rem only when the regional short date format
@rem starts with it (e.g. "Mon 01/16/2017").
@set day=%DATE:~0,3%
robocopy \\primary\media \\backup\%day%\media ^
  /e /purge

LISTING 5 – SCRIPT FOR MULTIPLE COPY BACKUP

The script will copy new or changed files from the primary server to multiple daily folders on the backup server. The files will be copied to folders named Sun, Mon, Tue, etc. on the backup system. The /purge flag causes the deletion of files and directories that no longer exist on the primary system, but only within that day's folder, so each weekday folder is a mirror of the primary as of that night and is overwritten a week later. The retention window is therefore seven days, and the folder name depends on the regional date format of the account running the script; check the value of %DATE% under that account before relying on it.

REFERENCES

[1] FBI, "Incidents of Ransomware on the Rise", April 2016, https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise
[2] Savage, K., Coogan, P., Lau, H., "The evolution of ransomware", August 2015, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
[3] US Department of Justice Cybersecurity Unit, "How to Protect Your Networks from Ransomware", June 2016, https://www.justice.gov/criminal-ccips/file/872771/download
[4] Microsoft, "Ransomware Facts", January 2017, https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
[5] Mehmood, S., "Enterprise Survival Guide for Ransomware Attacks", SANS Institute Reading Room, May 2016, https://www.sans.org/reading-room/whitepapers/incident/enterprise-survival-guide-ransomware-attacks-36962
[6] National Cyber Security Alliance, "Train Your Employees", September 2012, https://staysafeonline.org/business-safe-online/train-your-employees
[7] Sarrel, M. D., "How to Protect and Recover Your Business from Ransomware", PC Magazine, June 2016, http://www.pcmag.com/article/345531/how-to-protect-and-recover-your-business-from-ransomware
[8] Wikipedia, "Security Technical Implementation Guide", June 2016, https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
[9] National Institute of Standards and Technology, "Security Configuration Checklists Repository", January 2017, https://web.nvd.nist.gov/view/ncp/repository
[10] Avid, "Avid MediaCentral Platform Disaster Recovery Systems", October 2015, http://resources.avid.com/SupportFiles/attach/Interplay_Central/Avid_MediaCentral_Disaster_Recovery_Tech_Brief.pdf
[11] Rhame, R., Witty, R. J., "Use These Five Backup and Recovery Best Practices to Protect Against Ransomware", June 2016, http://go.druva.com/gartner-report-2016-ransomware-sem.html