We have had customers who were attacked by ransomware recently, so I am writing this blog article to share some facts and tips regarding ransomware attacks with you.
The Ugly Truth
Fact #1 – Ransomware encrypts files much faster than you think
Encryption usually comes up as a data-security topic: file encryption protects a file's confidentiality, so the whole file has to be encrypted, and that can be slow. Ransomware encrypts for a different reason. Its only job is to deny the owner access to the data, and it can do that very quickly.
Almost all file formats store metadata in a header, and most files cannot be decoded once that header is damaged. Ransomware therefore only needs to encrypt the first few kilobytes of each file to break its structure and lock the user out. The rest of the file is left in place, but no application can open it, and the original header bytes have been overwritten rather than hidden, so there is nothing to repair without the key.
In media and entertainment companies the average file size is far larger than in other industries, so by encrypting the headers of the same number of files, ransomware puts a far greater volume of data out of reach in the same amount of time.
Fact #2 – Paying the ransom ≠ Rescuing the data
A common ransomware encryption scheme works like this:
- The data (the file headers) is encrypted with a symmetric cipher such as AES, using a key generated on the victim's machine
- That AES key is then encrypted with the attacker's RSA public key (asymmetric encryption), and only the encrypted copy is left behind
- The attacker alone holds the RSA private key that can decrypt the AES key, and demands money for it
| Victim's journey | Attacker's journey |
| --- | --- |
| I'd better pay the ransom 😥 | Received the money 😎 |
| Get the RSA private key from the attacker 😐 | I don't care… 😎 |
| Decrypt the AES encryption key 😐 | I don't care… 😎 |
| Get the AES key 😐 | I don't care… 😎 |
| Decrypt the data 😐 | I don't care… 😎 |
Remember: the attacker's goal is only to get the money, not to help victims rescue their data. Nothing about the payment obliges them to hand over a key at all, let alone a decryptor that works on every affected machine.
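Facts #1 and #2 in working code, as an added example written for this article. It is not code from the original post or from any real ransomware family, and it runs entirely in memory on a constructed PNG-like buffer: only the first 4 KiB of each file is encrypted with AES-256-CTR, the per-file AES key is wrapped with a 2048-bit RSA public key using OAEP, and the `unlock` step fails with anything other than the matching private key. The 4 KiB header length, the cipher modes and every function name are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// headerLen: bytes encrypted per file. A few KiB kills most headers; the figure is an assumption here.
const headerLen = 4096

// pngMagic is the 8-byte signature at the start of every PNG file.
var pngMagic = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// lockedFile is what is left behind: header-encrypted file, CTR nonce, RSA-wrapped AES key.
type lockedFile struct {
	Data, Nonce, WrappedKey []byte
}

// makeSampleFile builds constructed test data: a real PNG signature plus filler, not an actual image.
func makeSampleFile(size int) []byte {
	f := make([]byte, size)
	copy(f, pngMagic)
	for i := len(pngMagic); i < size; i++ {
		f[i] = byte(i % 251)
	}
	return f
}

// looksLikePNG is the check a recovery script would run: does the file still start with its signature?
func looksLikePNG(data []byte) bool { return bytes.HasPrefix(data, pngMagic) }

// xorHeader applies AES-256-CTR to only the first headerLen bytes, in place. CTR is its own
// inverse, so the same call decrypts. The rest of the file is never read or written.
func xorHeader(data, key, nonce []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	n := headerLen
	if len(data) < n {
		n = len(data)
	}
	cipher.NewCTR(block, nonce).XORKeyStream(data[:n], data[:n])
	return nil
}

// newAttackerKey generates the RSA pair whose private half never leaves the attacker.
func newAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// lock is the attacker's side: fresh AES key per file, encrypt the header, wrap the key, keep no plaintext copy.
func lock(file []byte, pub *rsa.PublicKey) (*lockedFile, error) {
	kn := make([]byte, 32+aes.BlockSize) // 32-byte AES key followed by 16-byte nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	data := append([]byte(nil), file...)
	if err := xorHeader(data, key, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &lockedFile{Data: data, Nonce: nonce, WrappedKey: wrapped}, nil
}

// unlock is the victim's side. Without the matching private key the OAEP unwrap fails and the header stays lost.
func unlock(lf *lockedFile, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key: %w", err)
	}
	data := append([]byte(nil), lf.Data...)
	if err := xorHeader(data, key, lf.Nonce); err != nil {
		return nil, err
	}
	return data, nil
}

func main() {
	priv, err := newAttackerKey()
	if err != nil {
		panic(err)
	}
	file := makeSampleFile(2 << 20) // constructed 2 MiB "frame"
	lf, err := lock(file, &priv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("rewrote %d of %d bytes (%.3f%%); PNG header still valid: %v\n",
		headerLen, len(file), 100*float64(headerLen)/float64(len(file)), looksLikePNG(lf.Data))
}
```

The printed figure makes Fact #1 concrete: on a 2 MiB frame only about 0.2% of the bytes are rewritten, yet `looksLikePNG` already returns false, and for a multi-gigabyte media file the fraction shrinks further while the damage stays the same. Trying `unlock` with a second key pair is Fact #2: the wrapped key left on disk is useless to the victim and to any recovery tool until the holder of the private key chooses to cooperate.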
Fact #3 – Ransomware is very hard to prevent
A single worm family is comparatively easy to detect and block, but ransomware is not one program; it is a category of attacks that share the same attack pattern. The structure of ransomware is:
Trojan Horse + Worm + Encrypting Function
- A trojan horse to get onto the victim's computer, carrying the worm and encryption components and waiting to be triggered
- A worm to copy itself to more computers once activated
- An encryption routine to encrypt the victim's data
In this combination the trojan horse and the worm are purely delivery mechanisms, and they can be anything that works. The encryption routine usually calls the Windows encryption API or another perfectly legitimate library, so the step that does the damage looks like normal software behaviour. This is what makes ransomware so hard to prevent.
The famous WannaCry ransomware spread with the EternalBlue exploit against SMBv1 (the flaw closed by Microsoft's MS17-010 update about two months before the outbreak). Anti-virus products did eventually block that exploit, but only after the attack had already happened, which is a reactive approach. Anti-virus utilities mainly stop known types of attack, while new ransomware can use any previously unseen tool to deliver a piece of perfectly valid code onto almost any computer.
Tip #1 – Back up your data, regularly
This is the ultimate answer to ransomware. Snapshotting and backing up more frequently shrinks the window of work that an attack can take from you. Backups only help, though, if the malware cannot reach them: a backup share that is writable from an infected workstation, or snapshots that a compromised account can delete, go down with the live data, so keep at least one copy immutable or offline and test that it actually restores.
We have a customer who was lucky enough to lose only a minimal amount of an ongoing render job after being hit by ransomware, thanks to the auto-snapshot policies configured on their storage cluster.
Suitable policies for snapshots, backups and archives protect your data from ransomware and also from accidental deletion, data corruption, hardware failure and even catastrophic disasters.
Tip #2 – Don't think anti-virus software is useless
Anti-virus software may not stop unknown attacks, especially those built on 0-day exploits, but huge numbers of attacks carried out every day reuse known tooling that anti-virus software does detect. Anti-virus vendors are usually among the first responders to a new attack type, so if anyone is going to act quickly to protect your systems against a new exploit, it is the anti-virus company you are paying.
Tip #3 – The network is the digital vessel
Company A has 100 computers on one flat network with no firewall. Company B has the same 100 machines, segmented by department function with traffic between segments filtered, and a properly configured firewall at the corporate edge with comprehensive traffic rules. When both companies face the same attack:
| Attack phase | Company A | Company B |
| --- | --- | --- |
| Intrusion | 😦 | More likely to prevent the intrusion |
| Spreading | 😲 | Smaller affected scope |
| Attacking | 😖 | Can isolate affected machines more easily |
Coming back to the attack pattern of a typical ransomware attack: trojan horse (intrusion) + worm (spreading) + encryption routine (attacking). Better network architecture and anti-virus software give you the best protection in each phase of the attack, and even if all prevention fails, a regular backup plan keeps your loss to a minimum.
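The spreading phase is where Company B's architecture also pays off in visibility: a worm hunting for more machines has to touch many hosts on the same service in a short time, and on a segmented network the attempts that hit a segment boundary show up as denied connections. The detector below is an added example written for this article, not code from the original post or from any product. It parses a constructed firewall log in a made-up layout and flags any source that reaches an unusually large number of distinct hosts on TCP/445 (the SMB port the WannaCry worm used) within one minute. The log format, the addresses, the five-host threshold and the one-minute window are all assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example in a made-up "timestamp action proto
// src -> dst" layout, not a real vendor format. Host 10.1.4.23 fans out to six
// machines on TCP/445 within seconds (two attempts cross a segment boundary and
// are denied); 10.1.5.10 is ordinary repeated access to one file server.
const sampleLog = `2024-03-01T10:01:03Z ALLOW TCP 10.1.4.23:49512 -> 10.1.4.31:445
2024-03-01T10:01:04Z ALLOW TCP 10.1.4.23:49513 -> 10.1.4.32:445
2024-03-01T10:01:05Z ALLOW TCP 10.1.4.23:49514 -> 10.1.4.33:445
2024-03-01T10:01:07Z DENY  TCP 10.1.4.23:49515 -> 10.1.7.12:445
2024-03-01T10:01:08Z DENY  TCP 10.1.4.23:49516 -> 10.1.7.13:445
2024-03-01T10:01:09Z ALLOW TCP 10.1.4.23:49517 -> 10.1.4.34:445
2024-03-01T10:01:20Z ALLOW TCP 10.1.5.10:50001 -> 10.1.4.200:445
2024-03-01T10:02:20Z ALLOW TCP 10.1.5.10:50002 -> 10.1.4.200:445`

type event struct {
	ts                time.Time
	src, dst, dstPort string
}

func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[4] != "->" {
		return event{}, fmt.Errorf("unexpected format: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, err
	}
	src, _, err1 := net.SplitHostPort(f[3])
	dst, dstPort, err2 := net.SplitHostPort(f[5])
	if err1 != nil || err2 != nil {
		return event{}, fmt.Errorf("bad address in %q", line)
	}
	return event{ts: ts, src: src, dst: dst, dstPort: dstPort}, nil
}

func parseLog(raw string) ([]event, error) {
	var events []event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		e, err := parseLine(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// fanOutPeaks returns, per source, the most distinct destinations it tried to reach on
// dstPort within any window of length win. Denied attempts count too: they are the early warning.
func fanOutPeaks(events []event, dstPort string, win time.Duration) map[string]int {
	bySrc := map[string][]event{}
	for _, e := range events {
		if e.dstPort == dstPort {
			bySrc[e.src] = append(bySrc[e.src], e)
		}
	}
	peaks := map[string]int{}
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].ts.Before(evs[j].ts) })
		for right := range evs {
			seen := map[string]bool{} // distinct targets in the window ending at evs[right]
			for left := right; left >= 0 && evs[right].ts.Sub(evs[left].ts) <= win; left-- {
				seen[evs[left].dst] = true
			}
			if len(seen) > peaks[src] {
				peaks[src] = len(seen)
			}
		}
	}
	return peaks
}

// flagSources lists the sources whose peak fan-out reaches threshold.
func flagSources(peaks map[string]int, threshold int) (out []string) {
	for src, n := range peaks {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	peaks := fanOutPeaks(events, "445", time.Minute)
	fmt.Println("peak distinct SMB targets per source:", peaks, "flagged:", flagSources(peaks, 5))
}
```

The two DENY lines for 10.1.4.23 are what Company B's internal filtering produces; on Company A's flat network those connections would simply have been allowed and the infection would have reached that segment as well. Tune the threshold against your own baseline: a backup server or vulnerability scanner legitimately fans out to many hosts on 445 and belongs on an allow-list, while a workstation normally talks to a handful of file servers.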
Digistor provides consultancy, design and solution packages for storage systems, corporate networks and managed workstations. Come and talk to us if this article has raised any issues or concerns for you.