Once a nuisance that only affected consumers, ransomware has grown into a huge problem for businesses of all sizes. Over the last few months, ransomware attacks have damaged businesses and government organizations across the world.
WannaCry was headline news for weeks, and caused havoc for thousands of organizations, including hospitals. Its place in the media was rapidly superseded by what was originally thought to be the Petya ransomware, but which was later discovered to be unrelated and renamed NotPetya, PetyaWrapper, or ExPetr. NotPetya is a peculiar example of ransomware because it appears not to have a serious financial motive and might more properly be called a wiper. Regardless, the potential for damage is huge.
But colocation data center customers don’t have to sit and wait until their data is taken from them. It’s not particularly challenging to implement policies that protect a company from most ransomware: backups and updates.
At a high level, a typical ransomware application can be divided into two components: a worm and an encryption system. The worm's job is to spread the ransomware to new victims, and worms employ a variety of more or less sophisticated techniques to do so. The job of the encryption system is to encrypt the victim's data so that it can no longer be accessed and, hopefully, to decrypt it when the victim pays the ransom.
The worm component may use keylogging or brute-force attacks to move between machines, but the servers of most ransomware victims are compromised via known, unpatched vulnerabilities in their software. Both WannaCry and NotPetya use the EternalBlue exploit, which originated with the NSA and was leaked by the ShadowBrokers. The EternalBlue vulnerability was patched in March, so up-to-date Windows systems aren't vulnerable to that particular problem.
Running a current, fully patched version of your servers' operating system will significantly reduce the likelihood of a successful ransomware infiltration. Your servers won't be immune, and there are other factors at play, but implementing a policy of proactive updates to server software is an essential first step.
If the worm is successful, the encryption component will encrypt the data on any drives it finds (NotPetya additionally corrupts the MBR) and demand a ransom.
The solution is obvious: if your organization’s data is backed up to a secure offsite location, it’s straightforward to recover. A comprehensive up-to-date backup is an essential part of any organization’s disaster recovery plan and will provide a bastion against many infrastructure and security problems that would otherwise prove catastrophic.
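A backup only counts as a defence if it is recent, intact and actually restorable, so the policy above is worth backing with a routine check. The following is an added example written for this article, not code from the original post or from any vendor: it records a sha256 manifest when a backup set is taken, then later verifies that the set is no older than a policy threshold, that every file still matches its hash (an encrypted or tampered copy fails here), and that a trial restore into scratch space reproduces the same hashes. The manifest layout, the 24-hour freshness threshold and the `demo()` function with its sample files are all assumptions made for the example.

```python
"""Backup freshness, integrity and restore check (added example, not from the original article)."""
import hashlib
import json
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Assumed policy threshold: a backup older than one day is treated as stale.
MAX_BACKUP_AGE_SECONDS = 24 * 3600


@dataclass
class BackupReport:
    fresh: bool          # backup taken within the policy window
    intact: list         # files whose sha256 matches the manifest
    corrupt: list        # files missing or whose hash no longer matches
    restored_ok: bool    # trial restore reproduced every file's hash


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Run when the backup is taken: record a hash for every file in the set."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            entries[p.relative_to(backup_dir).as_posix()] = sha256_of(p)
    manifest = {"created": time.time(), "files": entries}
    out = backup_dir / "manifest.json"
    out.write_text(json.dumps(manifest))
    return out


def verify_backup(backup_dir: Path, now: float = None,
                  max_age: float = MAX_BACKUP_AGE_SECONDS) -> BackupReport:
    """Run on a schedule: check age, per-file integrity and a trial restore."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    fresh = (now - manifest["created"]) <= max_age
    intact, corrupt = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if p.is_file() and sha256_of(p) == expected:
            intact.append(rel)
        else:
            corrupt.append(rel)
    # Trial restore: copy the set into scratch space and re-hash it there.
    restored_ok = False
    if not corrupt:
        with tempfile.TemporaryDirectory() as scratch:
            for rel in manifest["files"]:
                dst = Path(scratch) / rel
                dst.parent.mkdir(parents=True, exist_ok=True)
                dst.write_bytes((backup_dir / rel).read_bytes())
            restored_ok = all(sha256_of(Path(scratch) / rel) == expected
                              for rel, expected in manifest["files"].items())
    return BackupReport(fresh, sorted(intact), sorted(corrupt), restored_ok)


def demo() -> tuple:
    """Constructed sample: a good backup, then one file overwritten with random
    bytes (as an encrypting payload would leave it), then the same set checked
    three days later."""
    with tempfile.TemporaryDirectory() as d:
        backup = Path(d)
        (backup / "docs").mkdir()
        (backup / "docs" / "invoice.txt").write_text("constructed sample invoice")
        (backup / "db.sql").write_text("constructed sample dump")
        write_manifest(backup)
        good = verify_backup(backup)
        (backup / "docs" / "invoice.txt").write_bytes(os.urandom(32))
        bad = verify_backup(backup)
        stale = verify_backup(backup, now=time.time() + 3 * 24 * 3600)
    return good, bad, stale


if __name__ == "__main__":
    for label, report in zip(("good", "tampered", "stale"), demo()):
        print(label, report)
```

In practice the manifest should be stored separately from the backup set (and ideally signed), since a payload that can rewrite the backup can rewrite a manifest sitting beside it; the check is meant to run from the offsite copy, not from the production host.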
The companies that have been hit hard simply haven't taken the time to implement these two fairly basic security policies, both of which are part of standard security best practice. If your organization is at all worried about ransomware (and it should be), its first steps should be the implementation of sensible backup and update policies.