The recent spread of WannaCry and NotPetya are rewriting the rules of ransomware, and it's turning into something far more sinister. If these last couple of strains are an indication of things to come, we'll be longing for the old days where ransomware had customer service helplines to help you set up your bitcoin payments and you could plead for amnesty over the phone. This new trend indicates a much darker shift, and seems to violate the very honour code that made ransomware so successful in the first place - if you pay, you get your files back.
While being infected was a major inconvenience and security experts advised against ever paying the ransom, it was, at its core, a simple transaction, and one that only worked because the trust was in place. With the latest two iterations, that trust has been violated - either payments were unable to be made, leaving victims unable to ever recover their files, or the payment was made, but the decryption key never arrived, leaving users out of pocket with nothing to show for it.
This begs the question, if ransomware isn't being used to make money, then why bother? Chaos, for chaos' sake. Who exactly is behind the most recent attack is still unknown, however it's becoming increasingly clear that the motive was much more anarchistic than was previously thought. What does this mean for attacks in the future?
First, if a ransom is not truly expected to be paid, then "ransomware" is probably the wrong terminology for this, so expect another catchy name to distinguish these attacks from others (or maybe we'll just revert back to the good ol' "malware" phrasing). Second, the goal will be most likely be widespread system failure, so viruses that can spread quickly from machine to machine within a network will be favoured (as NotPetya does by harvesting admin credentials).
Companies will begin to see more strategic targets rather than the previous numbers game which was played by the old ransomware. Finally, the new version will adapt and become smarter. What used to be rudimentary but effective will now become much more insidious and clever as it adapts to safeguards put in place. The future of ransomware is unclear, but what is clear is that now more than ever adequate security checks, employee training, and appropriate software is put in place to protect your environment.
So what can you do to keep your environment safe? Best practice is that for a reason, so abide by it whenever possible. The below are some basic starting points for helping to secure your environment:
- Limit the administrator access on your environment; no one should be working from administrator-enabled accounts for their day-to-day tasks. They should only be used for administrative tasks, and access should be granted sparingly; access should be revoked whenever there is not a clear-cut need for it.
- Lock it down. Any ports not in use should have outside access blocked, and your computers should only have the required software on them. The more programmes you have installed, the greater the possibility for a vulnerability or hacked update file.
- Update, update, update. Install patches as soon as possible. Once the patch is made public, that means the vulnerability is public as well, so the clock is ticking for someone to find a way to exploit it.
- Backup, backup, backup. Losing your files can be devastating for a company. Review your backup procedures and make sure you have something viable to roll back to if something does happen to your files. Having a backup doesn't help anything if it's six months' old. Also, make sure you have a regular backup testing regime and ensure you have off-site, air-gapped backups.
- Educate your users. Make sure they know how to keep themselves safe, and make sure you have software (antivirus, Cisco Umbrella, etc.) that will support them. Accidents do happen, but the more layers of protection you have, the better.
Getting infected can be catastrophic for businesses, but we're here to mitigate the risks and get you up and running again as soon as possible in the case of infection. We'd be happy to have a chat about your current environment and how we could help - just drop us a line.