Did you see last night’s episode of The Wire where cybercriminals hold the city of Baltimore hostage with a strain of ransomware stolen from the NSA?
Oh wait – that’s an actual report from The Baltimore Sun.
According to the report, a hacking tool developed by the US National Security Agency (NSA) is now being used to shut down the city of Baltimore. Cybercriminals are demanding 13 Bitcoin (about $113,000) to decrypt infected government files, which Baltimore authorities have refused to pay.
As a result of the attempted extortion, the city of Baltimore is struggling to access thousands of frozen computers, restore employee emails, and resume core IT operations. The direct economic impact translates to frozen real estate sales, declined utility payments, and disrupted government services.
Doesn’t this sound like an evil plot by Mr. Freeze?
This was actually due to a strain of ransomware called EternalBlue. EternalBlue is from the same family as WannaCry, Petya, and NotPetya, capitalizing on a vulnerability in Microsoft Server Message Block (SMB) on systems running Windows 7, Windows Server 2008, Windows XP, or Windows 10.
EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.
So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.
Microsoft’s Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilizing the latest version.
Additionally, you should ensure that the following safeguards are in place:
Global ransomware outbreaks are growing in quantity and are more sophisticated than ever. The Big 3 from the past couple of years include WannaCry, NotPetya, and Spectre/Meltdown.
WannaCry and NotPetya are variants of EternalBlue. This “family” is particularly repugnant as they don’t rely on phishing emails for infection. They aren’t just viruses. They are worms. The EternalBlue “worm-viruses” can simply slip into your Windows PC or server through an unpatched gap in your Microsoft OS – bypassing the need for our favorite Nigerian Prince.
The “unpatched Windows exploit” was how WannaCry was able to affect over 200,000 computers across 150 countries in 2017. Damage estimates range from hundreds of millions to billions of dollars [1].
The Meltdown/Spectre attacks were potentially even more detrimental as they were able to exploit just about every computer chip manufactured in the last two decades [2]. The target vulnerability was at the hardware level, so the only direct solution was new computer chips. Anti-malware vendors have released new software patches that protect a computer’s OS, but it may only be a matter of time before Meltdown/Spectre resurfaces and infects more unpatched computers.
So once again – please take a moment to patch everything.
Also consider the following tactics to proactively prevent an attack from infiltrating your network:
| What Should I Do? | Why Should I Do It? |
| --- | --- |
| Anti-virus | Keep your corporate data sources up to date with the latest anti-malware software to filter known ransomware strains. |
| Firewalls | Deploy firewalls and block access to SMB ports over the network or internet to control access to your IT environment. |
| Configure Webmail Server to Block Attachments | Include extensions like .exe, .vbs, or .scr. After filtering, you can scan the files in an isolated environment to verify or destroy them. |
| User Training | Train staff to stay alert for suspicious attachments and download links, such as by double-checking a business domain or spot-checking links. |
| File Versioning | Automatically store multiple versions of files at a time. This enables flexible restores in a disaster recovery scenario. |
| Upgrade OS and Applications | I really hope this is clear by now. Strains like EternalBlue expose out-of-date Windows software as an entry point into your environment. |
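As an added example (not code from the original article), here is one way to implement the attachment-blocking row of the table above: it parses a mail message, holds back any attachment whose name carries a blocked extension (checking every suffix, so a double extension such as invoice.pdf.exe is caught regardless of case), and returns the held payloads for scanning in an isolated environment. The extension set and the sample message are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the table above; in practice this set comes from
# configuration, and many environments block several more.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr"}


def risky_extensions(filename: str) -> list[str]:
    """Every blocked extension found anywhere in the filename, case-insensitively,
    so 'invoice.pdf.exe' and 'Screensaver.SCR' are both caught."""
    suffixes = filename.strip().lower().split(".")[1:]
    return ["." + s for s in suffixes if "." + s in BLOCKED_EXTENSIONS]


def triage_attachments(raw_message: bytes) -> tuple[list[tuple[str, bytes]], list[str]]:
    """Parse a raw RFC 5322 message and return (held, allowed): `held` holds
    (filename, decoded payload) pairs for the isolated scanner, `allowed` the
    filenames that passed the extension check."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    held, allowed = [], []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue  # skip body text, inline parts and the multipart container
        filename = part.get_filename() or ""
        if risky_extensions(filename):
            held.append((filename, part.get_payload(decode=True)))
        else:
            allowed.append(filename)
    return held, allowed


def build_sample_message() -> bytes:
    """Constructed sample for this example: one PDF plus two executables, one of
    them hiding behind a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Screensaver.SCR")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()
```

Calling `triage_attachments(build_sample_message())` holds Screensaver.SCR and invoice.pdf.exe for the isolated scan and lets invoice.pdf through.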
Do you know how anti-virus software works?
It’s pretty cool.
Essentially, your anti-virus provider has this massive database of known malware code. Then they scan your network and quarantine anything that looks familiar.
Sounds like Sherlock Holmes as an IT guy.
But what if the virus attacking your network isn’t in the anti-virus database?
And couldn’t cybercriminals alter the code to avoid detection?
In a word, yes.
This happens all the time.
That’s why the only real protection to thwart a ransomware attack is a secure offsite disaster recovery strategy with protected backup repositories.
So that fancy firewall is a fantastic first step. But for a comprehensive plan to fight back against ransomware, ensure that you have a disaster recovery plan that you can depend on.
Hackers will never stop developing new strains of ransomware.
So unfortunately, you can never stop preparing your IT resilience strategy for an attack.
But does it really have to be you?
What if your business doesn’t have the expertise or IT resources?
Or what if you’d rather focus on other pressing IT initiatives and entrust your ransomware contingency strategy to an industry specialist?
Great news – that logic summarizes the rationale for a disaster-recovery-as-a-service (DRaaS) model.
TechTarget defines DRaaS as the replication and hosting of physical or virtual servers by a third party to provide failover in the event of an outage [3]. In other words, a disaster recovery provider can leverage their cloud environment as a secondary site for replication to quickly spin up compromised systems or applications in the event of an outage. Many DRaaS providers will also have strong anti-virus capabilities to ensure that uninfected versions of the compromised data are being restored from the off-site data center.
A comprehensive end-to-end DRaaS failover strategy will have the ability to replicate both production data and active VMs to redundant offsite datacenters using strong user authentication, anti-malware security, and continuous verification to isolate the backed-up copies from the malware.
In other words, if your network falls victim to an attack, you can power down your infected systems and storage, and then safely failover your applications from the cloud for uninterrupted business functions.
But the key advantage of DRaaS is that you don’t have to understand any of this. A dedicated DRaaS provider will specialize in moving disaster recovery operations offsite to the cloud, allowing your IT department to focus on other pressing IT initiatives.
Additional benefits include:
As a disaster recovery expert by now, you are probably wondering, “what about keeping backed-up copies on offline storage, varying my credentials for the backup repositories, and having more frequent restore points?”
Yes, yes, and yes. These are great considerations for a comprehensive enterprise-caliber ransomware protection strategy.
Let’s take a look at each:
Or if not, you are ready to find a DRaaS partner who can.
Take an in-depth look into ransomware protection with Data Protection, Disaster Recovery, and Ransomware Protection with DRaaS, our industry report sponsored by ITPro Today.