WHITE PAPER

AVOIDING THE RANSOMWARE LOCKOUT
By Nick Cavalancia

www.zerto.com

It's one of the hottest topics today: ransomware. What was once only a threat to individuals with little real technical savvy is now one of the most common threats industry wide. With the increase in the number of variants, the tactics used, the various encryption methods, and the results once you've paid the ransom (remember, not every ransom-holder actually has the decryption key!), it's no surprise your IT organization is concerned (and it should be).

One of the reasons we're seeing so many occurrences of ransomware is the springing up of true digital organized crime. It's no longer a loner in a hoodie sitting in a dark room. Today's evil villain is a regular software company, complete with salaries, paid vacation, company picnics, etc., with the difference that they are in business to extract as much money as they can from your organization.

It's no wonder the very business of ransomware has evolved. It's shifted from being custom made to, in essence, Ransomware-as-a-Service in many cases. Pay your monthly fee, make some modifications to your instance of ransomware, and you're off to the races! What was once a simple piece of malware designed to run on a single machine has evolved into a self-sustaining, self-propagating opportunistic tool that can impact a large portion of your organization. And today, nearly anyone with the gumption to become a data-nabber and a credit card (even a stolen card) can hold your data for ransom!

So, just how bad is the ransomware problem?

Let's begin with a few industry stats to paint a picture of the current state of ransomware. But as they are presented, realize the intent isn't to create a sense of fear, uncertainty, and doubt (FUD), but to actually represent what's going on in the world with respect to ransomware.

The number of companies impacted is increasing: In 2014, only 20 percent of organizations had experienced ransomware. Today, that number is nearly double, at 38 percent. [1]

The problem is on the rise: In the early months of 2016, the number of ransomware instances in the U.S. increased as high as 158 percent month over month. [2]

It's a favorite attack method: Of all the variants of malware, ransomware is the #2 most common variant, just behind command & control (C2). [3]

Then, who and what is at risk?

THE RISK OF RANSOMWARE IN PRACTICAL TERMS

OK, you already get what ransomware is: it finds some files and encrypts them, right? Sort of. To avoid being a victim, we need to lay the foundation by digging just a bit deeper than that. While some industries have been hit harder than others (for example, 54 percent of manufacturing companies have been hit, compared with, say, 28 percent in banking), no vertical is impervious. However, just because you're not in manufacturing, you can't count your organization out. Because you have data, you're still a target and are at risk.

And it's not just an individual user's data; there are three key types of data that are at risk:

Endpoint Data: This is the obvious one. A user gets infected on their workstation or laptop, and much of the machine gets encrypted, complete with a "You've been encrypted! Call this # to unlock" screen. And the bad guys don't bother encrypting everything; they know to focus in on documents from Word, Excel, Acrobat, etc., as these represent the bulk of documents any user would use to be productive.

Server Data: Why stop at the C: drive when you can continue up the alphabet and jump onto the F:, G:, and L: drives an endpoint is connected to? Your file servers are equally at risk; in fact, some ransomware now even looks for remnants of UNC paths to connect to and attempts those. It's really nasty stuff.

Individual Files: The business of ransomware has evolved from one that thinks "let me encrypt all 100 of your files and ask for $100" to one that instead encrypts each of the files separately and thinks "let me ask for $5 a file and make even more!" Sounds like business thinking to me.

There's a fourth data type that's now coming out that we'll add to the mix, although you'll quickly see why it's not just listed above.

Personal Extortion: New kinds of ransomware lurk on NSFW sites (you know, the ones that have lots of skin showing) and now enable your camera and record whatever it sees. Then the ransomware locks your machine, threatening to post the video online. You can imagine what ransomware like this may capture.

As you can see, there's a lot at risk to the organization. Part of that risk starts with the user who is either sufficiently duped by a really well-executed spear phishing email, or the careless user (81 percent of organizations see the negligent or careless user as the biggest threat to endpoint security). [4]

But the risk doesn't come from the beginning of the ransomware infection story. It equally lies in how that story ends: an inability to simply recover pre-ransomed files from backups puts your organization even more at risk. Why more? Because organizations with an effective recovery strategy can, in essence, ignore ransomware as a threat and only see it as an inconvenience.

The risk ransomware poses is real and material. So, what should you do to keep ransomware from locking you out of your data?

There are three steps to take that proactively and reactively help your organization address ransomware. In some cases, the actions taken will help keep ransomware from ever infecting your organization. But in others, it's more about what to do should it happen anyway.

STEP 1: PREVENTION

The first step revolves around keeping ransomware from ever entering your organization. The goal here is to make it difficult for the bad guys to ever gain a foothold on one of your endpoints.

Organizations must keep in mind the odds they are working against. You have to be right all the time to protect your system. The hackers only need to be right ONCE to break into your network. When you consider the usual paths malware of any kind takes, the types of solutions you need in place become obvious:

Patching / Vulnerability Scanning: Attackers still use known vulnerabilities found in Java, Flash and browsers to find a way to infect a machine with ransomware. Having a solution that both scans for and patches vulnerabilities is key.

Endpoint Threat Protection: Ransomware, like any malware, is a rogue process that shouldn't be running. Putting some level of black/white listing in place (even if you started with Group Policy) would help keep ransomware from running in the first place.

Email Security: Email still represents the easiest way to gain access to your network. Having a solution in place that scans email links and attachments for badness will lessen the chance of infection.

User Awareness Training and Testing: Having standard user training on what to look for when using email and the web would help materially lessen the effectiveness of email and web visits as vehicles for delivering ransomware. Third-party training and testing of your users is available if you want to offload this to an outside firm.

Some of the prevention steps can be done with native tools, but to have a true layered security approach to preventing ransomware, you'll likely need to look at third-party solutions.

The remaining two steps revolve around how to prepare for and how to respond to a ransomware infection.

STEP 2: PREPARATION

Even with all the solutions in place, there's still a really good chance someone in the organization will fall prey to a dastardly email or a malicious web page, so you need to take proactive steps to prepare for the day you receive a call from a user saying "I'm not sure what I did, but I'm locked out and there's this screen up saying I need to send someone some bitcoins..."

There are two preparation steps to take. One is around limiting the scope of a ransomware attack, and the other is about being prepared to recover the encrypted files.

Implement Least Privilege

Least Privilege is normally thought of in terms of limiting a user's access to data, applications, and systems. But since most ransomware simply utilizes the access given to a user, you need to extend the exercise of limiting access in terms of where ransomware can reach. Given that ransomware can (and does) access server-based files via mapped drives and remnant UNC paths, it stands to reason that as part of putting least privilege in play, you'll need to assess each user's need to access data and systems. This should be done in an effort to limit the extent of ransomware's reach, should it take hold within your organization.

Identify Critical Data Sets & Users

Ransomware could also be considered "randomware" in that it rarely targets a specific individual within your company. It's opportunistically taking away access to the files used by the user it infects. So, the sting felt by ransomware isn't always the same. In cases where it's a low-level role within the organization that has little access to anything other than their own computer, eh, you can do without those files. But we all know there are users playing a far more critical role within the organization who have access to personnel, intellectual property, credit card data, etc. (a ransomware gold mine), where the pain may be felt by more than just the individual infected.

Therefore, you need to identify those data sets the organization simply cannot be without and plan for a ransomware disaster recovery should it be necessary. Given that most ransomware is encrypting select files, having a disaster recovery solution with continuous replication of critical file server folders would be important. Treat this data set like any other used to recover from a disaster, planning out the necessary recovery time objective (RTO) and recovery point objective (RPO) to ensure you can get the most recent versions of this data back up and into production in an appropriate timeframe. The best way to meet recovery objectives is to have the tools and procedures for continuous replication so you can be certain the objectives can be met.

Disaster Recovery (DR) is rarely thought of as part of your organization's security strategy, mostly because data exfiltration is the normal threat action. But with the rise of ransomware, it is becoming necessary to include DR as part of your incident response plan should a ransomware infection occur.

Preparation signifies an acknowledgement of both the possibility that ransomware can hit, and the potential impact it can have on your organization. The last step is about how to protect the organization should ransomware actually hit.

STEP 3: PROTECTION

Once a machine is infected with ransomware, with countless files encrypted, your role shifts from one who tries to prevent this from happening to one that needs to best protect the organization from further harm. That harm comes in a number of forms: lost productivity due to file inaccessibility, lost company money due to paying the ransom, and lost data should the files never be decrypted. You have a few options here:

Do nothing & move on: In some cases, the documents affected aren't worth the trouble. It's possible, but not likely.

Pay the ransom: This isn't recommended for two reasons. One, you have no idea whether the files will be decrypted or not once you pay. Second, in many cases, the person or company responsible for the ransomware doesn't even have the decryption key!

Restore and Ignore: This should be your default option. Think about it: if you have continuous real-time data replication, then if any given file becomes encrypted by ransomware, you can quickly recover it. So you can both safely ignore the ransomware and simply re-image the infected endpoint.

To make the last option a reality, your work in step two around identifying the critical data sets and establishing the appropriate recovery objectives is critical. If you don't have a disaster recovery solution with continuous replication, the recovered version of an encrypted file may be last week's or last month's, potentially making it as useless as its up-to-date-but-encrypted counterpart.

AVOIDING THE LOCKOUT

If it hasn't happened to your organization yet, you should prepare for ransomware as if it's only one email away from holding your most precious data hostage. Putting safeguards (and, in many cases, third-party solutions) in place helps to prevent it from ever rearing its ugly head. But even with layers of security, there's no guarantee ransomware won't get through.

Having a plan for when ransomware hits is important, positioning disaster recovery as a key tenet in your incident response. Proactively defining what files your organization simply cannot do without and putting a disaster recovery solution with continuous replication in place will give you the ultimate out should ransomware hit. By restoring files that have become encrypted, the "we have your files, you can't get to them now!" threat that ransomware poses (insert diabolical laugh here) dissipates to a non-event, requiring little more than a quick restore from replicated files and swapping out the endpoint for a new one.

NOTES

1. KnowBe4, Ransomware Threat Concerns Survey (2016)
2. "April 2016 was the Worst Month for Ransomware on Record in the US", Enigma Software, http://bit.ly/2aTf9jB
3. Verizon, Data Breach Investigations Report (2016)
4. Ponemon, State of Endpoint Risk Report (2016)

Nick Cavalancia is founder & chief techvangelist at Techvangelism. Nick has 20 years of enterprise IT experience, and is an accomplished consultant, speaker, trainer, writer, and columnist. He has several certifications including MCSE, MCT, Master CNE and Master CNI. He has authored, co-authored and contributed to over a dozen books on Microsoft technologies.