Ransomware and its nasty companion “extortion” attacks are still on the rise. Criminals try to break into companies, universities and government bodies in order to demand money from the victims. Nowadays, attackers go big. On the decline are the attacks à la “WannaCry” against single home user PCs; welcome instead large-scale attacks against the victim’s entire IT infrastructure! Active Directory, file stores, databases – everything. And regardless of whether or not the victim pays, with ransomware comes the risk of losing it all…
Ransomware is not that new. It started with malware infecting individual user PCs, encrypting all local documents, photos and files, and then asking for a little payment – the ransom – of maybe 300 dollars to get the decryption key. Recently, however, attackers “upgraded” to the aforementioned “extortion” attacks, where data was not only encrypted but also shipped offshore, with the attacker threatening to publish all the data, private photos, personal documents and confidential files if no money was paid to them. But the revenue was not that large and, with their expertise and skills improving, criminals turned their attention to the big fish: companies and their IT infrastructure, with ransom demands in the millions of dollars. Their attacks, however, start slowly. Infiltrating a company takes time, and doing it clandestinely is of the utmost importance in order to avoid getting caught. Reconnaissance, identification of juicy assets and primary targets, deployment of malware – the process can take months.
There is also a market for the sale of corporate credentials and access to company networks. Often, ransomware gangs don’t bother with the initial commitment involved in getting a foothold inside the company; they just buy that from other crimeware gangs. Once their nefarious work is in place and they have exfiltrated all the sensitive data, they pull the trigger and data gets encrypted in a coordinated manner on all corporate assets in parallel. The trigger is often at the worst possible time (during a public holiday, on a Friday evening, etc.). They operate slowly, beneath the radar, but are determined and thorough. Once everything is accomplished, it’s show time for the criminals and the company faces the risk of losing it all.
The three mantras of handling a ransomware attack are (1) don’t get it, (2) don’t pay, and (3) have disaster-recovery means in place. While (1) is particularly difficult (but still mandatory and essential) given the heterogeneous infrastructure of large companies, and (2) is debatable, particularly in view of what’s at stake, (3) is the ultimate silver bullet and the last resort, in particular once the attack has already hit hard: have a proper disaster-recovery plan in place and be ready to reinstantiate your infrastructure from scratch – whether or not you pay the ransom. The million-dollar questions for you as a CERN service manager, data taker, control system expert, trigger master, software custodian or document librarian are: Do you have the appropriate back-up means in place? Do you have proper back-ups of your crown jewels? Are those back-ups unaltered by and safe from attack?
Of course, it is essential, firstly, to have a back-up at all. And to have tested whether the back-up is intact and complete and can be played back. Back-up frequency might matter, depending on how much loss you can tolerate in the event that you need to reinstantiate your service from scratch from the last valid back-up. The higher the frequency, the smaller the loss. Usually, however, this frequency and the number of back-up generations kept in the pipeline strongly depend on how much back-up space you have available. Storage is not infinite. A high back-up frequency with a limited pipeline depth might also be problematic because of the risk that encrypted files pollute every generation of the back-up before anyone notices (playback and testing might detect this).
Hence, secondly, can you be sure that your back-up has not been tampered with? Given that the attackers work clandestinely over months, encrypted files – in particular if they are rarely accessed, like contracts, personal files, transaction logs and measurements – might creep into all copies of your back-up. Ideally, back-ups should be offline (using external USB disks for individual users or tapes for big bulk back-up). Instead of full back-ups, incremental back-ups triggered only when a file changes can counter this particular attack vector (at least until the attackers encrypt a file multiple times). On the other hand, the malicious encryption of data files that change frequently and are regularly read back (like configuration and calibration parameters, templates, documents being worked on) should be spotted quickly, as accesses fail and functionality breaks. Propagation of such encrypted files to the back-up is unlikely, as the back-up interval is much longer than the time before incident detection.
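The two checks described in the paragraphs above (is the back-up complete, and has ciphertext crept into it?) as an added Python example, written for this article and not part of the original or of any CERN IT service: it records a manifest of SHA-256 hashes and byte entropies for a back-up set, compares the next snapshot against it, and flags files whose content flipped from readable to near-random, the signature of a file overwritten with ciphertext. The file names, the 7.5 bits/byte threshold and the ransomware stand-in are constructed assumptions.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 and entropy for every regular file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": shannon_entropy(data)}
    return manifest

def audit_backup(previous: dict, current: dict, threshold: float = 7.5) -> dict:
    """Compare the manifest of the last verified back-up with a new snapshot."""
    report = {"changed": [], "missing": [], "suspect": []}
    for rel, old in previous.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["changed"].append(rel)
            # Low-entropy content replaced by near-random bytes is the
            # signature of a file overwritten with ciphertext.
            if old["entropy"] < threshold <= new["entropy"]:
                report["suspect"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: one file encrypted, one edited, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("contracts/2019.txt", "calib/params.csv", "notes.txt"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(f"content of {rel}\n".encode() * 200)
        previous = build_manifest(root)
        # Stand-in for ransomware output: deterministic but random-looking bytes.
        (root / "contracts/2019.txt").write_bytes(
            b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))
        (root / "notes.txt").write_bytes(b"Run log: one more entry.\n" * 200)
        (root / "calib/params.csv").unlink()
        return audit_backup(previous, build_manifest(root))
```

A legitimately edited file lands in "changed" only; a file that went from text to near-random bytes also lands in "suspect", which is the generation you should not let into the pipeline without a closer look.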
In the end, there are three kinds of people: (1) those who don't back up (and regret it later), (2) those who back up but don't check their back-ups (and definitely regret it later), and (3) those who back up and check their back-ups. So, the time to check has come. For individuals, CERNBox is the best choice. And as a CERN service manager, data taker, control system expert, trigger master, software custodian or document librarian, check your crown jewels! Protect your configuration, data records, calibration parameters, software libraries, documents and data! Actually, protect CERN’s data and documents! Talk to your IT service providers. Figure it out. And make disaster recovery a priority. Otherwise, you risk losing it all… And you might not be in a position to assume that risk for all of CERN.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.