InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
Few threats are as widespread and damaging as ransomware attacks. From municipalities to large retail organizations and cloud providers, everyone is a target. While the micro planning regarding the types of
systems impacted by ransomware is important, the macro conversation should go beyond systems to the business services that would be affected and, most importantly, their relative priority as defined by the organization.
This piece details common ransomware scenarios and the critical systems impacted to help focus your ransomware prevention and recovery strategies.
When it comes to ransomware, the targeted operating system is overwhelmingly Windows. The most common flavors of ransomware to date include:
File share encryption: This started in the 2014 timeframe and is what many consider “Ransomware 1.0.” The attacker encrypts all share drives, rendering them unusable, meaning the victim organization must either pay for the decryption key or
restore from backups. In this scenario, the file share OS does not have to be Windows; instead, the Windows desktops connecting to the file share are impacted, and users need only have modify rights to the files. Unfortunately, after an attack like
this, many organizations find their backups are not functioning as designed (or at all).
Local file encryption: In this scenario, ransomware encrypts the drives of Windows desktops, usually in alphabetical order (e.g., C:, D:, E:, etc.). While mapped drives to enterprise shares are impacted, so are user files on local drives. However, encrypted
user files on local drives have much less of an impact than encrypted file shares because most organizations do not permit (either via technical controls or policy) storage of business files locally. Recovery often involves rebuilding or replacing
the local Windows computer because local drives are not typically backed up.
Removable media encryption: As noted, user files on local drives are usually encrypted in alphabetical order. Therefore, any attached removable media would be encrypted, just as a local drive or network share would. This impact is equivalent to local
File wipers: While not common, some ransomware variants implement a file wiping functionality. This arose when some groups decided to alter the initial goal of ransomware (generating revenue) and began using it solely for destructive purposes. When file
wipers are used, recovery via restores and rebuilds are the only options.
Master boot record (MBR) encryption: The destructive file wiping approach escalated into wormable variants, such as Petya and NotPetya, which encrypt the MBR of Windows machines, preventing the systems from completing the boot process. Due to various
complications and trust levels of the data, organizations hit with this type of ransomware must resort to complete system rebuilds along with data restores.
Full Windows endpoints: Starting around 2018, “Ransomware 2.0” appeared. It evolved from encrypting Windows drives to encrypting the device itself. With this version, no applications can be accessed by the user population, creating widespread
productivity outages. The impact escalates from data restores to the requirement to rebuild or replace every impacted device within the compromised domain. It is this level of operational outage that enabled attackers to drastically increase their
ransom demands—into the millions of dollars.
IaaS cloud environments: While SaaS and PaaS platforms provide protections from direct ransomware infections, IaaS does not. IaaS is often simply an extension of an organization’s environment, much like an off-site or co-location data center. As
a result, Windows-joined servers in an IaaS environment should be treated no differently than if they were on premises.
DOWNLOAD: Ransomware Prep Toolkit
Today’s ransomware is not likely to evolve quickly, because it’s currently producing the revenue and impact desired by attacker groups. Organizations preparing for potential ransomware infections, then, should focus on true business impact,
with recovery of functionality prioritized accordingly. Most ransomware issues begin at a technical level, but they quickly escalate. They require proper planning and business decisions, in the same manner as disaster recovery/business continuity
(DR/BC) planning initiatives. Key technical operations to consider and prioritize in ransomware planning include:
Authentication servers: An often-overlooked impact of a widespread Windows domain ransomware infection is the likely loss of authentication capabilities for all related services because domain controllers are impacted. Depending on the organization’s
reliance on AD outside of Windows applications, this could be an Achilles’ heel for the enterprise. Without authentication, no access is possible. Therefore, authentication services should be addressed first to ensure applicable access across
Backup/restore servers: A primary objective of ransomware groups is to locate and destroy all backups. Without good backups to restore from, the business case to pay the ransom becomes much
more attractive. However, even if the backups themselves are available, backup servers that are encrypted impact the ability to restore data in a timely manner. For large-scale ransomware infections, backup servers should be rebuilt as soon as authentication
services are available.
Database servers: Most ransomware variants do not focus on databases, but this trend is beginning to change. McAfee provides a good overview of applicable database protection steps.
When measuring the impact of a database being encrypted by ransomware, you must consider the larger picture. In many instances, numerous systems outside the database (e.g., web servers, interface servers, data feeds, etc.) are involved in the delivery
of the application functionality. Operational recovery should include the entire grouping of associated systems based on priority level.
Print servers: While not as impactful as other key services, some organizations rely heavily on printed data. Because print servers are typically transient, their restoration should be simple once authentication services and backup servers are functional.
Virtual desktops: Many organizations have migrated desktop functionality to a centralized virtualized environment. While the hypervisor for enterprise virtualization is not Windows-based, any Windows OS housed is susceptible. The impact would be similar
to local desktops being encrypted. However, because everything is centralized, recovery is often less complex. In addition, many organizations use virtualized desktops as a temporary working model for users until physical desktops can be rebuilt/restored.
Windows-based voice-over-IP (VoIP) servers: Until a widespread ransomware infection occurs, many organizations do not realize which ancillary services would be impacted, and these often include VoIP. VoIP server protection and recovery should be a high
priority for call centers. In addition to the underlying platform, the use of soft phones relying on a Windows desktop should be considered.
Access control systems: While access control is a “simple” service, it can become crucial when access to offices and data centers is required to perform recovery operations.
CCTV camera systems: Many CCTV systems are Windows-based and/or susceptible to ransomware attacks. Organizations should consider the risks of not having this capability and the potential liability of existing recordings being destroyed.
Programmable logic controllers (PLCs): Many times, the backbone of a utility or manufacturing organization is its PLCs and associated controllers, because these act as the bridge from the virtual to the real world. If these devices are hit by ransomware,
it could stop a production line or introduce health and safety risks to the public. With the critical nature of these devices, prevention should be paramount above recovery. Special care should be given to proper logical and physical segmentation
from the rest of the network, along with stringent access controls for authentication.
Overall, ransomware has evolved from a nuisance to the most devastating cyberattack most of us have experienced. As we continue to improve our defenses, ransomware groups continue to escalate the
impact (cost) of their attacks. As complex as ransomware infections are, there are, essentially, only two options: restore operations or pay the ransom. To ensure you are prepared:
Proper understanding and preparation for post-ransomware restoration is a valuable exercise and should mimic the same business approach taken for designing DR/BC processes. Whether a natural disaster, power outage or ransomware, similar business operational
issues still exist.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
December 6, 2022
By IANS Research
Improve your attack surface management plan using 9 steps to mitigate risk and strengthen enterprise security posture.
December 1, 2022
By IANS Faculty
Improve your vendor management program using six focus areas to benchmark program maturity and identify key pitfalls to avoid.
November 29, 2022
Learn how to integrate IT, OT and physical security programs to reduce risk, improve efficiency and streamline processes across the organization.