By: Corey Tower, Information Security Consultant, CISM, CPPM
Malware is like fashion – almost everything you are dealing with today or what seems popular was likely “popular” only a short time ago. Humans have very short memories regarding malware much as they have short memories of fashion.
Ransomware is what Vogue or GQ would call “currently in style” or “Winter 2016’s Hot New Look!” Both old and new ransomware such as CryptoWall and .Locky are very dangerous malware that you absolutely do not want to deal with. What is interesting about most of this malware is that it is nothing more than a phishing attempt with macro-embedded malware. Talk about revolutionary stuff here, no? Yet most companies still struggle against these attacks.
Less than 10% of malware is detected by signature-based defenses. Monitoring and awareness have become more and more critical to stopping criminals from being successful. But there is a psychological aspect you just can’t plan for.
Jane from accounting is tired. It’s 7:45 am, her newborn was up all night, coffee hasn’t kicked in, invoices are late and she really doesn’t want to be there in the first place. An email finally arrives with the invoice she has been expecting and – “wait – what’s going on? What’s encrypted??? Who’d this email come from? Oh no….”
The Clock Starts
A client of mine recently experienced something similar to Jane, as did many more people around the globe, with the recent hit of the .Locky ransomware. Here is how we kept a bad day from turning catastrophic.
- Awareness. The individual who was hit with .Locky had the conscience to report it immediately. For anyone who isn’t familiar with .Locky, it has the capability to spread through any authorized shared network drive, even if the drive is not mapped to a drive letter. The key word is any. A shared drive does not need to be mapped to the host for .Locky to infect it. So if your defense is “ah, they don’t even know they have access!!” think twice.
- Containment. Because the incident was reported quickly, tech-ops was able to contain the incident before it spread to five additional network drives. Five! Cleaning ransomware off a desktop can usually be a small task, especially if the information is backed up. Losing five network drives that may not be backed up would be catastrophic.
- Communicate. It is critical to notify your workforce of a present, real attack on the company. It can be the difference between dealing with one case of .Locky or dealing with six or ten. Awareness is always your most affordable, practical, effective control for your weakest link: Humans.
- Ensure. .Locky’s encryption spreads fast and is very intelligent. Once the malware is discovered and contained, search the network for further damage or any other sign of the malware. Depending on the situation, you may want a forensics expert to take a look to ensure no data loss, etc.
- De-escalate. Take yourself off Red Alert mode. Inform your team and outside audience that the situation is contained. Take a walk, enjoy a break, take lunch and, most importantly, tell those who deserve it “Good Job”.
- Lessons Learned. The next day, talk about how you got into the mess, how you got out, and how it could have been prevented in the first place. Establish policy and procedure to prevent it from happening again. People should be rewarded for preventing problems first, solving problems second. Again, malware is like fashion. Ensure the next time ransomware is popular that you made the proper adjustments to prevent another incident.
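The sweep described under Ensure, as an added example that is not part of the original article: a Python script that walks share roots, counts files ending in `.locky`, and orders directories by their earliest hit to show how far and in what order the encryption spread. The `.locky` suffix, the function names and the sample tree are assumptions made for this illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: encrypted files end in ".locky", as the article's name for the malware implies.
ENCRYPTED_SUFFIX = ".locky"

def sweep(roots, suffix=ENCRYPTED_SUFFIX):
    """Walk each root (a UNC path works whether or not it is mapped) and
    return ({directory: {count, first, last}}, [paths that could not be read])."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    unreadable = []
    for root in roots:
        walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
        for dirpath, _dirs, files in walker:
            for name in files:
                if not name.lower().endswith(suffix):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    unreadable.append(path)  # a gap in coverage, not a clean result
                    continue
                entry = hits[dirpath]
                entry["count"] += 1
                entry["first"] = mtime if entry["first"] is None else min(entry["first"], mtime)
                entry["last"] = mtime if entry["last"] is None else max(entry["last"], mtime)
    return dict(hits), unreadable

def timeline(hits):
    """Directories ordered by earliest modification time of an encrypted file."""
    rows = sorted(hits.items(), key=lambda kv: kv[1]["first"])
    return [(datetime.fromtimestamp(v["first"], timezone.utc).isoformat(), d, v["count"])
            for d, v in rows]

def build_sample_tree(base):
    """Constructed sample data: two fake 'shares' with files stamped at known times."""
    layout = {"finance/0001.locky": 1000, "finance/0002.locky": 1060,
              "hr/0003.locky": 1200, "hr/untouched.pdf": 900}
    for rel, stamp in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (stamp, stamp))
    return [os.path.join(base, "finance"), os.path.join(base, "hr")]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found, skipped = sweep(build_sample_tree(tmp))
        for first_seen, directory, count in timeline(found):
            print(first_seen, count, directory)
```

Run it from an account that can read every share in scope, and treat each unreadable path as unverified rather than clean.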
Questions to Ask Today
Are your shared network drives designed around least privilege?
Can anyone open a document with macros?
What non-signature-based detections have you enabled?
Is your workforce aware that they should not open just any attachment?
Is your workforce aware that spoofing can occur posing as a legitimate source?
Would a workforce member know who to contact and feel safe reporting an incident?
Conducting Tabletop Exercises
If your team has not yet conducted an incident response tabletop exercise, I highly suggest coordinating this activity. At Secure Digital Solutions we work with teams to kickstart these exercises, from end-point compromise scenarios to full data breach response activities. The amount of knowledge that team members take away can be astounding. Even new knowledge about how the business operates is often uncovered for individuals who are not always involved with various aspects of business processes. To learn more, visit our Incident Response Tabletop Exercise Services page.