
The importance of using backups to prepare for ransomware attacks

Image credit: David Rangel

Ransomware attacks are a growing threat to individuals and organizations alike. In a typical attack, criminals encrypt a victim's data and demand a ransom payment in exchange for the decryption key. A victim with no usable copy of that data is left choosing between paying and losing it, and paying guarantees neither a working decryptor nor that the attackers have not already copied the data elsewhere. The most reliable way to take the decision out of the attacker's hands is to have a backup the attacker could not reach.

Backups are copies of data that can be used to restore a system in the event of data loss. By backing up regularly, organizations and individuals keep a copy of their data that survives a ransomware attack, so that instead of paying the ransom they can rebuild the affected systems and restore from backup. This only holds if the backup was out of the attacker's reach: ransomware routinely deletes volume shadow copies and encrypts any backup share or mounted drive the compromised account can write to, so at least one copy should be offline or immutable, and restoring from it should be rehearsed before it is ever needed.

In addition to providing protection against ransomware, backups offer other benefits. They can be used to restore data after other kinds of loss, such as data corruption or hardware failure, which saves the time and money that would otherwise go into trying to recover the lost data.

Backups can also be stored in multiple locations, such as on a local device, on a remote server, or on a cloud-based service, which adds another layer of protection against data loss. If a local backup is lost to a hardware failure, the data can still be restored from the remote or cloud copy. From a ransomware perspective, a backup that stays permanently mounted on the production network does not count as a separate location, because the malware can reach it just as easily as the original files.

In conclusion, regular backups are an important defence against ransomware. They give organizations and individuals a copy of their data that an attack cannot hold hostage, sparing them the costly and time-consuming attempt to recover lost data, and keeping copies in multiple, separate locations protects against other forms of loss as well.

(This article was written by ChatGPT, an Artificial Intelligence chat bot! Learn more about it here!)

DarkSide Pipeline Ransomware Attack

The Colonial Pipeline delivers 45% of the fuel supply used by the eastern coast of the United States. Hackers disrupted it in May 2021 using DarkSide RaaS (Ransomware as a Service).

On May 11, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) published an article describing the DarkSide ransomware attack on the Colonial Pipeline. This pipeline delivers 45% of the fuel supply used by the eastern coast of the United States.

When Colonial learned of the cyber attack, “they proactively disconnected certain OT (operational technology) systems to ensure the systems’ safety” (CISA report). In other words, the attackers compromised the company’s IT network; the OT systems that physically move fuel were not reported to be affected, but Colonial took them offline deliberately as a precaution, which is what halted the pipeline.


What is DarkSide and how did they hack the pipeline?

Social engineering is a common way for attackers to gain access to unauthorized systems.

DarkSide is a hacking group with ties to Russia. They liken themselves to Robin Hood, claiming to steal money from large companies and redistribute it to smaller organizations through charitable donations. “This Robin Hood mentality is more of a PR stunt” according to Jon DiMaggio, chief security strategist for threat intelligence firm Analyst1, interviewed in an article by TechRepublic. "When they made the donations (two donations at $10,000 each), it was reported across cyber news organizations all over the world," DiMaggio said. "It was essentially a $20K marketing cost that got their name out there. All of these guys seem to have big egos, which is why they have press releases and will talk to the media and researchers. So this donation was likely an attempt to increase their visibility."

So how was the attack carried out? “According to open-source reporting, DarkSide actors have previously been observed gaining access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI)” (CISA report). A phishing attack is one in which the attacker impersonates someone trustworthy to get the victim to hand over login credentials or other sensitive system information, or to open a malicious attachment or link. A VDI is defined as “the hosting of desktop environments on a central server. It is a form of desktop virtualization, as the specific desktop images run within virtual machines (VMs) and are delivered to end clients over a network” (Citrix). Remote-access services of this kind, along with VPNs and other externally reachable logins, are attractive entry points because a single stolen or reused password gives the attacker an ordinary user session on the internal network.

At the time of the CISA report the exact entry point had not been made public, but given the group’s known playbook it is likely that social engineering and unauthorized access to a remotely accessible account or VDI were involved at some level.


How to mitigate ransomware attacks

The Colonial Pipeline attack triggered panic, causing long lines and gas shortages across the east coast.

The CISA report lists many steps to take to help prevent ransomware attacks at your organization. Here is an abbreviated version of some of the steps they describe (see the full article for more details):

  • Require multi-factor authentication

  • Enable strong spam filters

  • Implement a user training program

  • Filter network traffic to prohibit malicious IP addresses

  • Update software in a timely manner

  • Limit access to resources over networks

  • Set antivirus/antimalware programs to conduct regular scans

  • Implement unauthorized execution prevention by:

    • Disabling macro scripts from Microsoft Office files

    • Implementing application allowlisting

    • Monitor and/or block inbound connections from Tor

    • Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers

  • Implement and ensure robust network segmentation

  • Organize OT assets into logical zones

  • Identify OT and IT network inter-dependencies and develop workarounds or manual controls

  • Regularly test manual controls

  • Implement regular data backup procedures

    • Ensure that backups are regularly tested

    • Store your backups separately

    • Maintain regularly updated “gold images” of critical systems

    • Retain backup hardware

    • Store source code or executables

  • Ensure user and process account access rights are given based on the principles of least privilege and separation of duties
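The backup items in the list above (regular backups, stored separately, regularly tested) and the backup article at the top of this page both come down to one discipline: keep a copy the attacker cannot modify, and prove you can restore from it. The following script is an added example, not code from the original page or from CISA. It stands in a temporary directory for a production share and for an offline backup volume, writes a SHA-256 manifest alongside the backup copy, simulates an encryptor with a constructed routine that overwrites files with random bytes (no real malware involved), detects the damage against the manifest, and runs a restore drill. The file names and directory layout are invented for the demonstration.

```python
"""Offline backup with an integrity manifest, plus a restore drill.

Added example (not from the original article or the CISA alert). Temporary
directories stand in for the production share and the offline backup volume;
the 'ransomware' step is a constructed simulation that overwrites files with
random bytes and renames them, not real malware.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> dict:
    """Copy source into dest/data and write the manifest onto the backup volume.

    The manifest is the ground truth for later restore tests, so it must live
    with the backup copy, not on the host that may later be encrypted.
    """
    data_dir = dest / "data"
    shutil.copytree(source, data_dir, dirs_exist_ok=True)
    manifest = build_manifest(data_dir)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Return relative paths whose content no longer matches the manifest
    (modified, renamed, missing or encrypted). An empty list means intact."""
    current = build_manifest(root)
    return sorted(rel for rel in manifest if current.get(rel) != manifest[rel])


def restore(dest: Path, target: Path) -> list:
    """Wipe target, restore it from the backup copy, and re-verify the result
    against the manifest. Returns the mismatches after restore (should be [])."""
    manifest = json.loads((dest / "manifest.json").read_text())
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(dest / "data", target)
    return verify(target, manifest)


def simulate_ransomware(root: Path, extension: str = ".locked") -> int:
    """Constructed stand-in for an encryptor: overwrite each file with random
    bytes and append an extension. Returns the number of files touched."""
    touched = 0
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
            p.rename(p.with_name(p.name + extension))
            touched += 1
    return touched


def restore_drill() -> dict:
    """Run the full cycle in temp dirs and return the results of each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "share"            # constructed production share
        vault = Path(tmp) / "offline_backup"  # constructed offline volume
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "q1.csv").write_text("acct,amount\n1001,250.00\n")
        (prod / "readme.txt").write_text("pipeline ops notes\n")

        manifest = backup(prod, vault)
        intact_before = verify(prod, manifest)   # expect []
        encrypted = simulate_ransomware(prod)
        damaged = verify(prod, manifest)         # expect every file listed
        after_restore = restore(vault, prod)     # expect []
        return {
            "files_backed_up": len(manifest),
            "intact_before": intact_before,
            "files_encrypted": encrypted,
            "damaged": damaged,
            "mismatches_after_restore": after_restore,
        }


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

In a real deployment the vault directory would be a write-once or detached target (a tape, a disconnected drive, or object storage with immutability enabled); a backup folder on the same host or on a share the production account can write to is exactly what the simulated encryptor would also have overwritten, and the manifest check is what tells you that before you discover it during an incident.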

For more information on how to defend against ransomware attacks, check out this webcast by John Strand, Owner and Security Analyst at Black Hills Information Security. He explains that there are many simple and free/inexpensive measures that companies can take to protect themselves. The content with John starts at the 29:15 mark and is definitely worth investigating.

Thanks for reading!

What is Ransomware and Crypto-Malware?

These types of malware could lock you out and cost you big money. (Photo credit: FLY:D)

Ransomware is a type of malware that locks the user out of a computer or network completely, typically by encrypting it, after which the attacker demands a ransom to restore access. These attacks have been carried out against individuals, companies, schools and even hospitals. In 2020, cybersecurity company BlackFog estimated that “a business is attacked by a cybercriminal every 11 seconds” with a total estimated cost of $20 billion by 2021 (source).

Victims are often required to pay the bad guys in cryptocurrencies such as Bitcoin. “Once they have the Bitcoins, it’s simply a matter of ‘washing’ them via the Dark Web (a process which removes all traces of previous ownership and transactions) and the hackers can then convert the coins to cash” (Eurostaff).

Crypto-malware is similar to ransomware, the main difference being that crypto-malware encrypts the user’s personal files but leaves the operating system functional. The bad guys leave the OS running so that they can present a message demanding the ransom payment, and so the victim still has a working machine with which to buy cryptocurrency and contact them. Because the files are overwritten in place with encrypted content, the first visible sign is often a burst of renamed, unreadable files alongside a ransom note.
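Encrypted file content looks like uniformly random bytes, so its Shannon entropy sits near the maximum of 8 bits per byte, while documents, spreadsheets and source code sit well below that. The script below is an added example, not code from the original post: it compares two constructed directory snapshots (a “before” and an “after”), flags files that became high-entropy under extensions that should not be, counts how many originals vanished, and looks for a ransom-note file name. The file names, the `.locked` extension and the alert threshold are invented for the demonstration; the list of legitimately high-entropy formats is deliberately short.

```python
"""Entropy-based spot check for mass file encryption.

Added example, not from the original post. The 'before' and 'after' snapshots
are constructed inline as {relative path: bytes}; a real monitor would read
them from a file-integrity scan or a file-server audit feed.
"""
import math
import os
import random
import re
from collections import Counter

HIGH_ENTROPY = 7.5   # bits per byte; uniform random data approaches 8.0
# File formats that are compressed or encrypted by design, so high entropy
# is normal for them and must not trigger the check on its own.
MEDIA = {".jpg", ".png", ".zip", ".gz", ".pdf"}
# Typical ransom-note names (heuristic; tune to what your threat intel shows).
RANSOM_NOTE = re.compile(r"(decrypt|restore|readme|how_to).*\.(txt|html)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """High entropy is only suspicious for formats that should be low-entropy."""
    _, ext = os.path.splitext(name.lower())
    return ext not in MEDIA and shannon_entropy(data) >= HIGH_ENTROPY


def assess(before: dict, after: dict, threshold: float = 0.5) -> dict:
    """Compare two snapshots and report ransomware indicators.

    alert is raised when at least `threshold` of the original files are gone
    or have turned into high-entropy blobs, or when a ransom note appeared.
    """
    encrypted = sorted(n for n, d in after.items() if looks_encrypted(n, d))
    missing = sorted(n for n in before if n not in after)
    notes = sorted(n for n in after if n not in before and RANSOM_NOTE.search(n))
    affected = {n for n in before if n not in after or looks_encrypted(n, after[n])}
    ratio = len(affected) / len(before) if before else 0.0
    return {
        "encrypted_files": encrypted,
        "missing_originals": missing,
        "ransom_notes": notes,
        "affected_ratio": round(ratio, 2),
        "alert": ratio >= threshold or bool(notes),
    }


# ---- constructed sample snapshots (seeded so the run is reproducible) ----
_rng = random.Random(2021)


def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: seeded pseudo-random bytes, not real encryption."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


BEFORE = {
    "finance/q1.csv": b"acct,amount\n1001,250.00\n1002,75.10\n" * 40,
    "ops/runbook.txt": b"Step 1: confirm pump status before restart.\n" * 30,
    "photos/site.jpg": _random_bytes(2048),   # compressed image: high entropy is normal
}

AFTER = {
    "finance/q1.csv.locked": _random_bytes(2048),
    "ops/runbook.txt.locked": _random_bytes(2048),
    "photos/site.jpg.locked": _random_bytes(2048),
    "README_HOW_TO_DECRYPT.txt": b"Your files are encrypted. Contact us to recover them.\n",
}


if __name__ == "__main__":
    print("unchanged share:", assess(BEFORE, BEFORE))
    print("after encryption:", assess(BEFORE, AFTER))
```

The unchanged snapshot produces no alert even though the JPEG is high-entropy, because its extension is on the allow list; the post-encryption snapshot alerts on three grounds at once (every original is gone, every new file is a high-entropy blob under an unknown extension, and a note appeared). In practice you would run this per user and per share on a short interval, and tune `threshold` so a bulk archive job or a software deployment does not trip it.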

In either case, there are some steps you can take to help prevent these types of attacks:

  • Keep OS, software, and virus protection up to date on the latest version

  • Avoid opening emails or attachments from unknown senders

  • Avoid suspicious websites and links

  • Keep your data backed up routinely on an offline drive

These are just a few ways to keep you safe from ransomware and crypto-malware. It’s up to you to stay informed and stay vigilant!