Guest post by: Jim Guarnieri
With the new year come new challenges- and not just the legal kind. The holidays are a fertile time for hacking attacks. As firms close for the holidays and computer and security staff leave for break, computer systems, networks, and servers are left unattended. Such is the perfect time for an attack that takes time to effectuate, but is devastating for the target. This is the M.O. of the “ransomware” attack.
“Ransomware” is a special kind of malware (software designed to do damage to or control a computer system). Ransomware is particularly designed to find critical files and to encrypt them so that they cannot be read or used without a code to make them accessible again. The ransomware intentionally leaves system-critical files functional so that the user can still access the computer to discover that their files have been encoded, and to allow the target to decode the files. (To do otherwise would be like kidnapping someone from their home, leaving a ransom note at the home, then burning the house down with the ransom note in it.) Holidays are often chosen because it can take time to encode files-especially a large number of files- and the program that encodes them is more likely to go unnoticed when use of the system is at a minimum.
Recently law firms have been “hacked” with a ransomware attack called Cerber, including over the winter holiday. At least one of the hacks was accomplished using a known vulnerability of Windows Remote Desktop Connection (RDC– a program used by many to access their office files remotely). Other targets have been infected via email attachments opened by unsuspecting staff. (The emails are often made to look as if they came from a trusted source and can hide inside seemingly innocuous files such as “.doc” Word files.) Typical to its class of ransomware, Cerber ignores Windows operating system files and encodes documents and images critical to the practice instead. It leaves a signature file giving the victim instructions on how to go about getting the files back. This typically involves the victim buying Bitcoin (an untraceable, digital currency) and paying some anonymous overseas account for the code needed to unlock the files, on the hopes that the bargain is honored and the unlock code is actually sent. (Cerber is sold to criminals on underground Russian forums and is designed to ignore targets in many Eastern European countries.) The cost for the code to unlock the files can vary from a few hundred dollars to thousands or even tens of thousands of dollars. Depending how well the target backed up its files, this ransom must often be paid to avoid catastrophic loss.
Having a backup may or may not protect the target. One of the infected firms had a backup, but the backup drive was on-site and attached to the target computer. Because of that, the hack extended not just to the server files but to all of the backup files that firm had connected to its server. Additionally, some online tech forum posts have indicated that this particular ransomware has the ability to extend out from the infected computer to a mounted FTP server (your “tech guy” will know what this is, but suffice it to say this is what you might consider off-site “cloud storage”) and to encode backup files even outside the targeted system.
The effects of such an attack can be devastating. All files that were digital-only are left completely inaccessible. Any files for which a hardcopy still remains will be available in that paper backup only. Case management software database files could be entirely encoded, eliminating years of contacts, client files, notes and all other data within that software. It is no wonder that firms will pay thousands for the chance of decoding those files. However, careful and proper backups with a knowledge of how these attacks work can avoid thousands of dollars of ransoms paid and fees disbursed to computer experts.
**Nerd alert– tech language ahead** (if unsure, show this to your “computer guy”):
The first layer of protection from these cryptolockers is a knowledge that it can only encrypt what it sees. If the drives that contain backup images are only mounted to effectuate the backup and then unmounted once the backup process is completed, the cryptolocker software will (ideally) not see the backup files and won’t be able to encrypt them. This will require some scripting by a computer expert to effectuate but, once coded, it will be automatic from then forward.
A second (and more unorthodox) method of protection may lie in a vulnerability/feature within the cryptolocker itself. By design, the malware will ignore system-critical folders such as “/system32” (and all subfolders). Encrypting the files in those folders would cause the computer to crash and the victim would never see the note left by the “kidnapper” (remember burning down the house with the ransom note left in it?). By setting the destination folder for the backup images as “/system32” (or another protected folder) it may insulate the local backup from the encryption process. You could also draft a script that creates a copy of the backup image within that folder.
Neither of these methods alone, however, should be seen as enough to let the diligent administrator sleep over a holiday weekend. The best sysadmin will not rely on the belt-and-suspenders approach. The best sysadmin will add a final layer of protection. No cryptolocker software will ever be able to encrypt an air-gapped drive. As a final measure, a removable drive brought off-site locally on some regular basis (weekly? monthly? how much volume does your firm have?) is the last, sure-fire way to ensure that you have a quickly recoverable copy of all or most of your data. No one wants to wait 6 days to download your 3TB backup image from Carbonite before you can see your files again.
The bottom line is “firms beware-this software is out there and ready to paralyze your practice.” Prepare, or be ready to pay.