The Silver Lining of a Ransomware Infection

Getting infected with ransomware may actually be a good thing for your enterprise. Ponder that statement for a moment. Yes, someone has written that ransomware, which has cost U.S. businesses and consumers approximately $18 million in the past year, may be a good thing for your environment.

In case you have been blissfully unaware of the aggressive ransomware campaigns launched by attackers in the past year, ransomware is malware designed to seek out specific file extensions, encrypt them and then request the end user to pay a fee to have the files decrypted. This fee is typically paid in bitcoin or another digital currency.

Ransomware has caused many headaches throughout the industry. According to a recent IBM CISO assessment, 8 out of 10 security leaders surveyed reported they were concerned about ransomware.

Can Ransomware Be a Good Thing?

Let’s consider the capabilities of ransomware. Most variants will seek out file extensions on any mounted drives or network shares the user has access to (including the host and network drives), encrypt the files and ask for payment. Ransomware does not currently exfiltrate data from your network, cripple network resources, replicate on its own, allow attackers to traverse your network or contain most of the characteristics of well-known attacks.

To the benefit of corporations, ransomware isn’t environmentally aware and can’t tell the difference between the large corporation trying to recover key files worth significant money and a mom attempting to recover baby photos. The ransom is typically the same nominal amount, averaging $700, regardless of who is infected. In short, it’s bad but not that bad.

With this primer on ransomware, how can I say ransomware could be beneficial to your environment? The answer is simple: If you have become infected with ransomware, your organization has more than likely had a fundamental breakdown of basic and foundational security practices that has enabled the threat to propagate in its environment.

A ransomware infection inadvertently allows an organization the opportunity to identify neglected enterprise shortcomings before something really scary comes along, putting it on the front page of newspapers. If you need a silver lining, think of a ransomware event as a low-cost security assessment pointing out weaknesses in your environment.

Foundational Issues Lead to Security Threats

IBM X-Force Incident Response and Intelligence Services (IRIS) has had an influx of calls pertaining to ransomware as more organizations become infected with this nuisance. Almost every call has demonstrated that one or more of the following foundational issues have been sorely neglected within the customer’s enterprise.

1. User Awareness

Many security professionals believe that end users are the weakest link in the organization. If end users are not aware of safe computing practices, they may inadvertently bypass significant investments in information security just by clicking on harmful links or visiting insecure websites.

X-Force Incident Response Services has observed a lack of user awareness as a key shortcoming during several recent ransomware engagements. The end user typically enables the ransomware to enter the environment by clicking on a link or an attachment that they should have known not to click on in the first place. Ultimately, a well-trained workforce becomes a very cheap force multiplier for the organization’s security posture.

2. Not Backing Up Data

One of the first questions an incident responder asks our customers when they have a ransomware issue is, “Do you have backups of the encrypted files?” More often than not, the response is a slightly embarrassed “no.”

Not backing up data is akin to telling the world that the data isn’t worth saving. If the organization is panicking because certain files may be lost, it’s time to re-evaluate your backup methodology.

3. Poor Patching Procedures

During a recent engagement, an incident responder was asked to determine how ransomware entered the organization’s environment. It was discovered that, despite a high-severity software patch being issued by the developer with a recommendation that the patch be applied within 72 hours, the organization took eight months to apply the patch. A well-known infection vector of ransomware is to exploit poor patching practices and leverage known security vulnerabilities.

4. Enabling Broad User Permissions

Leveraging and enforcing the principle of least privilege (PoLP) within an organization is wise for a variety of reasons. Because ransomware also encrypts mounted network locations in addition to the host system, there is the potential for an event to cause damage far beyond patient zero. Enforcing the PoLP within the organization helps mitigate the damage caused by a ransomware event by containing the encryption process to a minimal set of files.

It’s not uncommon for X-Force Incident Response Services to receive a call where one user who became infected with ransomware ends up having multiple file shares encrypted that the user had no business need to access. Limiting user access via PoLP helps mitigate the damage caused by ransomware.

5. Lack of Defense-in-Depth

The defense-in-depth strategy encourages businesses to use a variety of security practices and technology to deter any one threat. Technologies or processes may be circumvented by attackers, and when they are circumvented, a lack of multiple layers enables ransomware to propagate should one defense layer fail.

Often, we will have clients that place too much faith in antivirus software but ignore patching. Securing your environment is a multifront campaign, and over-reliance on one strategy may lead to trouble.

6. Lessons-Learned Process

An essential part of the incident response life cycle is the lessons-learned process. A ransomware infection isn’t uncommon; many organizations have experienced one — or more. However, if the organization doesn’t take the time to evaluate how it was infected and take steps to shore up identified weaknesses, a new ransomware infection is likely not far around the corner.

Sadly, IBM X-Force Incident Response Services will occasionally receive calls from the same client because it did not take the time to examine and address the shortcomings that led to ransomware being in the environment during the first infection.

7. Not Testing Backups

Occasionally, when asked about the state of backups, the infected organization responds with, “We thought we had the data backed up, but it turns out it wasn’t backing up what we thought it was backing up.” Periodic testing to verify your processes are working as intended is key to leveraging those processes when the time comes.
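
Added example (not part of the original article): a minimal restore test for the failure described above, where the backup was not capturing what the organization thought it was. It assumes a test restore has been written to a separate directory; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_restore(source_root, restored_root):
    """Return (missing, mismatched) relative paths: files absent from the
    restore, and files whose restored content differs from the source."""
    missing, mismatched = [], []
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(restored_root, rel)
            if not os.path.isfile(dst):
                missing.append(rel)
            elif sha256_of(src) != sha256_of(dst):
                mismatched.append(rel)
    return sorted(missing), sorted(mismatched)


def demo():
    """Constructed sample: the backup job skipped one folder and holds a
    stale copy of one file."""
    layout = {"finance/q1.xlsx": b"ledger-v2", "hr/roster.csv": b"names",
              "readme.txt": b"hello"}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "share"), os.path.join(tmp, "restore")
        for rel, data in layout.items():
            for root in (src, dst):
                if root == dst and rel.startswith("hr/"):
                    continue  # folder silently excluded from the backup set
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                stale = root == dst and "q1" in rel
                with open(path, "wb") as fh:
                    fh.write(b"ledger-v1" if stale else data)
        return verify_restore(src, dst)
```

Files changed since the backup ran also show up as mismatched, so compare against a snapshot taken at backup time or review mismatches against modification times.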

No organization wants to be hit by ransomware; it causes nothing but headaches and represents a security failure. However, the occurrence of ransomware almost certainly represents a shortcoming, one the organization can then address so that a major threat, such as an attacker attempting to steal your secret sauce or regulated data, is stymied because the foundational security weaknesses have been removed.

Robert Lelewski

Engagement Lead, IBM Security

Robert Lelewski has been in the incident response, computer forensics, e-discovery and computer security realm for 10 years. He is currently an Engagement Lead with IBM Emergency Response Services, leading a team that manages emergencies, develops strategies to mitigate risk in corporate environments and functions as security adviser to Fortune 500 companies.