The recent WannaCry and NotPetya ransomware attacks have been all over media headlines for a large part of 2017 as cyber-crime has evolved from something which causes a headache for organisations, to an unstoppable force which can shut down healthcare facilities and even whole countries, in the case of Ukraine.
Whilst the media focus is on causation and prevention, the fact of the matter is – these new kinds of ransomware are hugely intelligent and, sadly, someone will always be a victim.
So, in the light that organisations affected by NotPetya are still not fully recovered, Richard Stiennon, Chief Strategy Officer at Blancco Technology Group and Washington Post Best-Selling Author of There Will Be Cyberwar would like to put out advice to organisations, public and private, on how to actually recover from these attacks.
Richard Stiennon, Chief Strategy Officer at Blancco Technology Group:
Ransomware only requires one victim to open an attachment or click on a link to download the malware which could be unique to the target, thus bi-passing most endpoint protection. Recent strains of Ransomware, like WannaCry, used worm-like capabilities to spread from machine to machine within an organisation, thus causing even more havoc than a single infection.
Sometimes, researchers do discover and publish the keys to decrypt infected and encrypted hard drives. Usually, not. In either case the target organisation is left with the task of recovering the usability of those machines. If backups do exist it is not advisable to just reload the data, or even re-image the machine and then reload. Sophisticated malware can leave behind elements that can start a new infection, download new payloads, and cause even more damage. This has been termed “persistence”.
To ensure machines are completely clean before re-installing the OS, apps, and data, each machine should undergo complete data sanitisation. This consists of…
– Software overwrites of all storage media with at least three passes
– A statistical check of storage sectors to ensure the overwrite was successful (beware, the existence of bad sectors or un-writeable sectors could indicate a persistent infection
– A certified record of erasure for audit purposes
Only then can the machine be safely restored to its a usable state.
In theory, Ransomware is similar to “destructware” and only differs in that the attacker is trying to generate revenue from the ransoms. However, recent cases of Ransomware in Ukraine appear to be destructware posing as ransomware. The attackers had no intention of providing decryption keys. There have been several massive destructive attacks in the past – for example, South Korea and Saudi Arabia both had attacks that made the storage media on tens of thousands of computers unusable. In the case of Saudi Aramco, a Saudi oil company targeted, we know that they purchased 50,000 hard drives to replace infected drives as the quickest way to get back in operation. Using data sanitisation tools they could have saved the expense of such a large purchase and gotten back to work faster and just as safely.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.