Storage Developer Conference - #162: Ransomware!!! – an Analysis of Practical Steps for Mitigation and Recovery
Episode Date: February 11, 2022...
Transcript
Hello, everybody. Mark Carlson here, SNIA Technical Council Co-Chair. Welcome to the
SDC Podcast. Every week, the SDC Podcast presents important technical topics to the storage
developer community. Each episode is hand-selected by the SNIA Technical Council from the presentations at our annual Storage
Developer Conference. The link to the slides is available in the show notes at snia.org
slash podcasts. You are listening to SDC Podcast, Episode 162.
Hello, everybody, and welcome to the Storage Developers Conference, and thank you for attending this session.
Today's session will be on ransomware, practical steps for mitigation and recovery.
So, if in fact you are unfortunately a victim of a ransomware attack, this is the type of screen that you would see. Hopefully you never see this type of screen, but if you are a victim, then you would see this kind of screen.
My guess is that the amount they're requesting is probably going to be larger than what you see on the sample screen. But hopefully that doesn't happen to you.
But just in case, we'll go through
some mitigation steps here to help you through that as well.
So at a high level, ransomware is obviously
a never-ending storm.
We're seeing constant threats.
It's actually growing tremendously,
which we'll talk about in a little bit more detail. And it's really not just big organizations
that are being targeted. And that's one of the big takeaways here is just about everybody is
really a target for attack. And the other big takeaway is that paying ransom is really no
guarantee of recovery. So even if you pay the ransom and they give you a key, the decryption key,
that key may not work. And if it does partially work, it might actually corrupt your data.
So interesting point. We see that quite a bit more than what you would expect.
And certainly now, especially in the U.S., there's some legislation that has been put in place that
if you are paying ransom, you may be put in jail, depending on if the bad actors, if you will,
of the ransomware attack are actually able to be identified. And if so, and they're part of what is classified as a terrorist organization by the US government, then not only could you be fined, you could actually be put in jail if you end up paying the ransom. So it's interesting to keep an eye
on what's going on from a legislation perspective. What we're also seeing quite a bit of nowadays is
ransomware as a service is really a huge one. We have some bad actors, but also some groups of bad actors that put together and actually develop
companies that do nothing more than a ransomware as a service and literally sell the code so that
you don't actually have to even be a developer or a software developer, you can actually just buy the code from these bad actor groups.
And they'll provide things like software developer kits to be able to easily make some changes if
need be. And we're seeing quite a bit of that as time goes on. So let's stop for a minute and just
introduce ourselves, the two presenters
here, myself at the top here, Thomas Rivera. So I've been in the industry for a long time and
active within the Storage Networking Industry Association, otherwise known as SNIA, for quite
a long time and active co-chair of the Data Protection and Privacy Committee. Also involved with some
other standards-based organizations that are global in nature, places like IEEE and some of
the insights working with ISO. So that's a little bit about myself, and then I'll hand it over to Munir to let Munir introduce himself.
Munir?
Thank you, Thomas.
So this is Munir Enmosli.
I am a senior manager with Ernst & Young, and I've been fascinated with storage all my life.
I also sit with Thomas on the Data Protection Privacy Committee,
and I lead the data recovery and data protection within EY.
And it's a pleasure to be with you today, and I look forward to bringing some valuable information to the audiences.
Thomas, yours?
Great. Thank you, Munir.
And a quick abstract on what we're going to be covering today. Obviously,
hopefully you've already seen the abstract, which is probably why you're here today.
Talk about obviously ransomware and get a little bit into what we're seeing from a ransomware
perspective and also some preventative measures and some leading practices, some recovery measures to help along.
And then we'll, in terms of the agenda, this is what we're going to cover today.
And these are the sections that you'll see.
And we'll head right into it.
So first off, ransomware, what it is and why do we care?
So ransomware at a high level is really nothing more than software that
uses encryption to disable a target's access to data. So basically data that you own, they
come in and they encrypt your data so that you can't access it anymore. Then they provide a
message to you to say, hey, you know, give me some money. And that ransom is then requested as a payment
that you make to them, typically via Bitcoin or some other type of electronic means.
And then the idea is that they would provide a decryption key once the ransom is paid.
So that's what it is at a high level. Why would we care?
Well, we should care because certainly there is a really no safe haven per se from ransomware. So, you know,
the state of the industry is such that bad actors really can just,
you know, basically get into any organization
in any network that they care to get into with some amount of work without too much.
I don't think there would be too much of a concern of a disagreement on that fact of, you know, basically, if they want to get in,
there'll be a way to get in. May not be easy, but they're pretty much going to find a way to
get into your network. And then there's all different types of malware, which we won't get
in today. We're going to focus on ransomware today. But really, the other big takeaway here is
a lot of the recent high-profile victims had this mindset and sort of assumed that they were safe
because they, in some cases, heavily invested in some security and basically in their security
posture, which could be into the hundreds of thousands, if not millions of dollars.
So you certainly don't want to make that assumption because the landscape's changing
and the methods by which bad actors are entering your network are constantly changing,
including things like brand new zero-day attacks that we've never seen before.
So just keep that in mind. From a kill chain perspective, in the world of data security,
there's this concept of cyber kill chain, and often you'll see the acronym CKC.
And so the cyber kill chain, and this was originally developed by
Lockheed Martin, it's really a series of steps by which bad actors use to not just gain access to
your network, but also do the bad things that they want to do. In this case, we'll be talking about ransomware. So really, the ransomware
specific parts of the kill chain are in this red rectangle area that starts with step two.
Step one was always the case, you know, they're going to do some reconnaissance first,
harvest some information, and that information could be things like get data from mailing lists and check
how individuals within that organization are posting on social media, find out what open
ports are available on that organization's network, and potential vulnerabilities into
certain services and applications, and that's all part of the reconnaissance. And the next step is really the
weaponization. And the weaponization has to do with having some amount of code that is going
to be used to figure out what would, based on the information that we now have from the reconnaissance of what can we use to basically weaponize, if you will,
the information to be able to go after this particular organization that they're targeting.
So that was step two. So next step is delivery, step three. Delivery is really the sort of
formulating all the different ways that they want to deliver the malicious payload, meaning, in other words, the bad code that they want to inject into your environment.
And that could be, you know, via email attachments, it could be putting it on a flash drive and
hoping that one of the employees within that organization sticks the flash drive in there and then it automatically downloads some bad code or malware, if you will.
So that's really the delivery stage. The next step is the exploitation.
And the exploitation phase is really, as the name implies, exploits the vulnerability on that target environment.
So the idea is they want to execute the malicious payload and then provide the attackers with
whatever the minimum required access is that they need to get into the environment.
Once they're in, that's the exploitation.
Then it goes into the installation. So in the next step or phase,
the installation phase, it's really now propagating this malware, this bad code or what we called
payload before, into the network and potentially into additional systems. And that could be through
multiple tools. And there's a couple of different methods through things like backdoors and
remote access trojans, which are referred to by the acronym RATs, and being able to use those
to then install the appropriate bad code on the network. And then step six is really the command and
control. This is also known as C&C, or sometimes you'll hear it referred to as just C2.
And this command and control step is really delivering the commands to the malware remotely. So they will now have the ability, based on the code that
they already installed in your network, to literally remotely detonate the bad code that
they had already installed on your network. Now, what they do is various things. So they might actually do that.
And by the way, it might be timed. So they might have a timer on it to not do it immediately,
but it might be wait for five days and then do it, for example. But they might do it to then
exfiltrate data, basically steal some private information, for example. And they might, you know, and this
could be the start of basically the start of acting on their objectives, which is really the
last step. And the last step seven is actions on the objective. So at this point, they're really
going to now access and exfiltrate the private information, potentially
encrypt files, and that's really where the ransomware comes in. Once they encrypt the files,
they'll then send a message and say, hey, you know, we just encrypted your data. Please pay
this ransom. So that's the kill chain in a nutshell. So what we're seeing from the victim landscape perspective is
overall, we're certainly keep in mind, I think I mentioned this earlier, that everyone's really a
potential target of ransomware. And last year, we saw 84% of the US organizations have in fact
reported phishing or ransomware incidents. It's a pretty high number. So that's
literally over three quarters of the organizations that are around within the U.S. actually reported
a ransomware attack. And then the average payment last year was $312,000, and that's per ransomware incident. The first half of this year, it climbed to $570,000, again, average per ransomware incident.
So it's a pretty huge jump from last year to this year.
Also, this year, we're seeing every 11 seconds on average companies being hit with ransomware.
10 years from now,
they're making a bold statement,
prediction that it'll be every two seconds that ransomware attack will be taking place
versus 11 seconds as it is today.
And then on the right-hand side,
we show a graph here,
a couple of different colored circles. And the thing we're wanting to point out here is that from the previous years,
ransomware was approximately 13% of all cyber attacks that took place.
So a huge spike in the ransomware attacks that we're seeing in general. Some of the high-profile attacks that we've seen recently range anywhere,
go all the way from healthcare to, we saw one recently in a supply chain and saw a very high
profile one that you probably remember just a few months ago in the energy supply market that had to do with the distribution of fuel on the East Coast.
So we're seeing some of the common motivations are certainly monetary gain.
But interestingly enough, it's not necessarily just monetary gain. And in some cases, they're not asking for necessarily for the reasons of money in and of itself.
Some are actually doing it to fight for some cause.
And that cause could be political or social or maybe a religious cause.
And by the way, those are typically referred to as hacktivism.
And then we're seeing a lot of the desire to really do disruption and instability.
So they're either doing this on behalf of someone else. It could be they're being paid to do this
either for a company or for their government or maybe for a group of people. And lastly, some do it just for
the ego. They're either trying to boost their own reputation or for marketing purposes and
things like that. So we're seeing all kinds of different reasons on the motivation side. From an overall global damage from ransomware perspective, we're seeing,
as you can see in this slide, the last few years, how it's gone up in terms of overall global damage
from ransomware. Just this morning, I was reading an article that showed that, oh, by the way,
this current year, 2021, we're already up to $20 billion. By the way,
this number was just as of August of this year. Obviously, we're not done with the year 2021,
so we're going to see this obviously grow much higher. So just to give you an idea of how fast
it's growing globally from a ransomware damage perspective. I was just reading in this article this morning that there is an estimate
that this global damage within 10 years is going to be not in the $20 billion range.
It's going to be literally hundreds of billions of dollars.
I actually saw it was
somewhere in the order of half a trillion dollars in 10 years is the estimate. So interesting to
see how things are progressing and growing exponentially. So at this point, I'm going to
turn it over to Munir for first going into preventative measures and then a few other
sections.
Thank you, Thomas. Do you mind moving forward?
Sure.
All right. So what are the potential
domains for preventive measures? The idea here is it's good to have good preventive measures,
but don't assume that you're safe because, as we said earlier, this is a very
lucrative business that many, many, many nations and organizations are thinking of this as
a sort of revenue.
So basically, education is the best. So education and culture, you need to train your employees
on the potential risks of clicking on unidentified emails or clicking on any unknown links.
This is one of the major concerns. So phishing emails is a serious one. Your end user should stay clear from links or download attachments from unknown emails.
Don't assume that every email is safe.
You may want to consider that if it's internal to your organization, there's a good level of safety.
But again, don't assume that because if one of your teammates clicked on the wrong link, the bad actor might try it on his email.
And of course, try to use multi-factor authentication.
From an administrative perspective, this is the vulnerability management.
You need to make sure that you update your systems through patching and software upgrades as frequent as possible.
This is something that should not be delayed. There have been many uncovered
vulnerabilities in operating systems, especially if they are not
patched. So you need to make sure that you patch
your OS, your browser, your plugins as regularly as
possible. Patch all application software and make
sure you run the latest and the greatest software that you're running.
Use all necessary tools like antivirus software and make sure that those kind of antivirus software are always updated and up to the last release. And then finally, enforce immutable backup.
And we're going to discuss immutable backup later on.
If you have any concern, you can ask about that.
Use micro-segmentation to limit the potential damage
following an infection.
And refrain from using an unencrypted public connection.
So whenever possible, try to use your corporate VPN.
Can we move to the next slide?
All right.
So I just want to expand a little bit about micro-segmentation.
So what is micro-segmentation actually?
Micro-segmentation uses network virtualization technology to create granular secure zones in the data center and cloud deployment, which will eventually isolate each individual workload or host in its own domain and refrain from propagating the bad actors across.
Also, micro-segmentation assumes that every access is a malicious access, and it reduces
the blast radius by adopting macro- and micro-segmentation to control vertical and lateral movement
of bad code.
We move forward.
So what about recovery measures?
All right.
The most proven recovery measure that we have been seeing so far is air-gapping
your backup.
And the idea here is the backup is the first target for the bad actor.
So if they find a way to reach your backup, then it's fair game.
It's gone. ...contents behind a controlled connection that is not easily accessible even within the organization.
So based on the assumption that every access is malicious, you would want to have your
air gap solution as isolated as you could potentially do to protect the data. In addition, in your backup air gap solution,
you should consider having some sort of, I wouldn't say some sort,
you should consider eliminating the ability to run any code into the isolated environment,
meaning if in the likely event you get infected,
if you try to run a binary code like an EXE or COM code,
which has been infected,
this will propagate everywhere in your isolated environment. So you would want to have no binary executables in your environment.
You can send as much data as you want, but don't assume it's safe.
If you want to test it, you have to take it outside your isolated environment to test it,
but don't have any binary executable in the isolated environment.
All right. So again, just before we move from this slide, Tom,
is that it is ideal to have your backup contents in the isolated environment in an immutable format.
This will prevent the spreading of bad actors if it ever happens.
So use immutable backups in the environment where you can for the isolated or the air
gaps.
Can we move to the next slide? Another point that we keep hearing coming from end users is,
I do have snapshots, so I'm safe.
And I just want to clarify the myth around snapshots,
which is the fact that because snapshots are an extremely efficient tool,
they build on your original data set. So it's a
pointer to your original data set. This is not a full data set. So if you have a
good snapshot but you have a corrupted original data set, your snapshot is useless.
So just make sure that even if you decided to depend on snapshots,
that you have a safe copy or clone of your data somewhere that the snapshot can point to.
And finally, a ransomware attack is likely to prohibit users from accessing production data anyway.
So you might want to consider cloning your data to a separate environment and make it immutable just in case if something goes wrong.
And we move to the next slide.
And last point, which is encryption.
And again, I want to clarify the myth around encryption.
Encryption is not a protection against ransomware,
but encrypting your data can help prevent data exploitation and exfiltration.
So if you don't have encryption in place and the bad actor has access to your data,
you don't want him to take this data and sell it on the dark web.
So encrypting the data might be a good precautionary measure for that. Again, this needs to be taken with a grain of salt
because encryption might end up
being a serious problem later on.
So good management of the encryption keys
is a very much required hygiene in this sense.
Can we move to the next slide?
So recommended actions from technology perspective.
Practice good cyber hygiene where possible.
As we said earlier, patch and update OS, browsers, plugins, and applications
as regularly as you possibly can.
Don't delay it to the next cycle or something.
I have seen customers do patching like monthly.
Even if you can do that, this is even a better action.
Enforce multi-factor authentication
so that the bad actor will have more than one way of challenge
to access your data.
Keep your antivirus software updated along with vendor signatures,
and disable macros and limit remote access to the organization network.
In addition to that, deploy a defense-in-depth methodology
and the principle of
least privilege. So don't
give any end user privileges
more than are required,
because this could be
the door to multiple
issues. Test ransomware
recovery capability routinely.
Consider deploying
artificial intelligence, IT operations, and
predictive analytics for your backups and your environment. Categorize and separate
data based on organizational value and participate in cybersecurity information sharing programs.
For example, MS-ISAC and InfraGard.
Can we move to the next slide?
So cyber protection.
Some customers said, I'm insured, so I don't really care.
And the fact is, cyber insurance is not a panacea for ransomware.
Ransomware payments are increasingly being excluded from cyber insurance.
So you might be on your own
if you think that the insurance is going to save you.
In many situations, the recovery cost is not covered
or not included in cyber insurance.
Attacks from nation states or non-terrorist groups may be excluded from
cyber insurance policy. And infected systems can be considered evidence. I've seen some customers
when they tried to rebuild their systems from scratch, they were told don't touch these systems
because they are considered evidence and you have to go and buy new hardware.
So this is something you might want to consider in the future.
Can we move to the next slide? All right, so make sure that you include security by design in every
piece of software you deploy or you develop. Make ransomware protection part of your design process
for emerging storage technologies. Traditional data
protection technologies fall short in
protecting against ransomware, so you need to revise
and validate your data protection to see if it can recover you,
or what other measures you have in place for that.
As we said earlier, backup is the most required target for bad actors.
And do not assume that you will be protected with emerging storage technology.
You need to do your due diligence and regularly revisit those capabilities.
So moving forward for recommended recovery steps following an inevitable.
So here, what we're trying to say is don't be a hero.
Don't try to fix something on your own.
Chances are the problems are much, much bigger than what you've seen on your desktop or your end-user station.
So don't try to work on your own.
Immediately, if you see the screen that Thomas has advised, immediately notify your IT and
security team and avoid restarting your computer until further instruction is available.
So if you had this kind of a screenshot that Thomas has provided, and only if you received
authorization to do so, consider the points you're looking at. Quarantine the affected system.
Make a block-level clone of your infected device. Attempt disk
decryption with ransomware decryption tools.
Restore infected systems from a clean version.
Restore data from a clean backup and
sanitize and remove. Now, this is not a license to go and do any of these.
You need to make sure you receive instructions and approval to do that.
Otherwise, the problem will grow bigger, bigger, and bigger.
So, in summary
Threat landscape is changing rapidly.
Specific regulations may even complicate the recovery issue and prevent you from paying ransom.
Start with security 101.
Prevention is the best defense, but it's not the ultimate defense.
I need to repeat that. Ransomware may be a reportable incident about data breach to your organization
that could potentially bring you to a lot of scrutiny.
Developers are equally targeted like everybody else,
but the bad news about developers is that the bad actor may write onto developed code to contaminate an environment.
So they might not be looking for a financial return by infecting a developer, but writing
onto a developer's code will open all the doors for potentially a lot of revenue moving forward.
So again, ensure that you have proper, appropriate security software installed,
running and up-to-date, and enforce immutable backup.
So for additional resources, please visit the links here and also the appendix to the environment.
And that concludes my portion of the deck.
Thank you so much for your time.
I'll move it back to Thomas.
Great. Thank you, Munir.
Very nice job.
And thanks, everybody, for joining today's session.
Please do check out the other sessions that are related in the data security and privacy track,
as well as the data protection technologies track within the Storage Developers Conference.
And also, lastly, please do take a moment to rate this session so that we can continue to do a better and better job.
Again, thanks for joining us today.
We'll talk to you soon.
Thanks for listening.
If you have questions about the material presented in this podcast, be sure and join our developers mailing list by sending an email to developers-subscribe at snia.org.
Here you can ask questions and discuss this topic further with your peers in the storage developer community.
For additional information about the Storage Developer Conference, visit www.storagedeveloper.org.