Marquez: How does ransomware work? Tips for prevention, restoration

We have all heard about it. Many of us have seen its disastrous results or been affected by it personally. There are many security tools dedicated to combating it. But do you know how a ransomware attack really works? Once it gets into your firm’s network, it can stop your ability to produce for several hours, if not longer.

As you probably know, ransomware is a category of malware that encrypts your files and then demands a ransom, usually in bitcoin, for the key that decrypts them. There are a few philosophies on what a firm should do if it is hit with ransomware, but at the end of the day the options are basically to pay or not to pay. If you choose to pay, there is no guarantee the bad actors will ever give you the key; after all, you are not dealing with trustworthy people in this situation. Some cybersecurity experts also believe that a firm that pays ends up on a list of successful targets, opening it up to future attacks.

But those were the good ole days. Now it is more likely that once the bad actors gain access to your network they not only encrypt your files but also take copies of the data first. The ransom then buys two things: the key to decrypt your files and a promise not to release the copies on the internet or dark web. Again, same situation: you are not dealing with trustworthy people, so once you pay there is no guarantee that a.) they give you the key to decrypt your files, or b.) they keep their word and do not release copies of your files into the wild. What makes this extra scary is that a smaller law firm may not have the infrastructure or tools in place, such as logs of outbound traffic from the file server, to even determine whether its data was uploaded to some nefarious location in the cloud; without that evidence, you should plan as if it was.

When ransomware strikes

Against all efforts, ransomware has hit your files. None of the firm’s shared mapped drives were spared, locking the entire firm out of just about anything of importance. The IT department assures you that it maintains backups, but based on how much data was encrypted, it could take several hours to several days to restore the files. Depending on your setup, there may not be a way to prioritize what is restored first.

How did this happen? The main ways ransomware makes it into a network are through emails and compromised websites. Both rely on tricking the target into opening an attachment or running a download that installs the ransomware. Once it is running, the attack begins by encrypting the important files on the workstation, such as documents, pictures and videos. Then it does the same to every mapped drive the user has write permission to; read-only access is not enough for the malware to overwrite a file, which is why the share permissions discussed later matter so much. During this process, depending on the specific ransomware, copies of the files are also uploaded to a site the bad actors have designated.

Users typically notice only after the damage has been done, when they can no longer open files from their recent lists and file extensions have changed; for example, AcmePleading.doc becomes AcmePleading.encrypted or AcmePleading.doc.encrypted, depending on the strain. There is usually also a text file placed in each folder explaining what has happened and where to make the ransom payment. How long does the process take? It depends on several factors, including the specs of the compromised workstation, the speed of its connection to the file server, and the number of shared drives and files.
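To make that description concrete, here is an added example (not code from the column) of how IT might triage a share once a user reports the problem. It checks the three on-disk signs just described: document files with an unexpected extension appended, files whose contents have become random-looking (measured as byte entropy, which is how encrypted data looks), and ransom-note text files dropped beside them. The sample tree, the note wording and the extension lists are constructed for the demonstration; the `.encrypted` marker is the column’s own example, and real strains use many others.

```python
"""Triage a share for the on-disk signs of ransomware: renamed files, random-looking
contents and ransom notes.  Added example, not code from the column; the sample tree,
the note wording and the extension lists are constructed for the demonstration."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ordinary work-product extensions (constructed list; extend it for your firm).
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".pst", ".msg", ".jpg", ".png"}
# Formats that are compressed by design and so look random even when healthy.
COMPRESSED = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".zip"}
NOTE_KEYWORDS = ("your files have been encrypted", "bitcoin", "decrypt")
HIGH_ENTROPY = 7.5  # bits per byte: ciphertext is ~8.0, English prose is ~4 to 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for an empty or single-valued buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Small text-like file whose contents hit at least two of the usual ransom phrases."""
    if path.suffix.lower() not in {".txt", ".html", ".hta"} or path.stat().st_size > 64_000:
        return False
    text = path.read_text(errors="ignore").lower()
    return sum(keyword in text for keyword in NOTE_KEYWORDS) >= 2


def scan_share(root: Path, sample_bytes: int = 4096) -> dict:
    """Classify every file under root; paths in the result are relative to root."""
    report = {"renamed": [], "high_entropy": [], "notes": [], "clean": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(path):
            report["notes"].append(rel)
            continue
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        # AcmePleading.doc.encrypted: a known document extension with an unknown one appended.
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTENSIONS and ext not in DOC_EXTENSIONS:
            report["renamed"].append(rel)
            continue
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(sample_bytes))
        # AcmePleading.encrypted: extension replaced outright and contents now random-looking.
        # Formats that are compressed by design are skipped here, so an encrypted .docx that
        # kept its name is only caught by the rename and note checks above.
        if entropy >= HIGH_ENTROPY and ext not in COMPRESSED:
            report["high_entropy"].append(rel)
        else:
            report["clean"].append(rel)
    return report


def affected_folders(report: dict) -> list:
    """Folders that need restoring from backup: any holding an encrypted file or a note."""
    hits = report["renamed"] + report["high_entropy"] + report["notes"]
    return sorted({Path(rel).parent.as_posix() for rel in hits})


def build_sample_share() -> Path:
    """Constructed sample tree: one client folder encrypted, one untouched."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    acme, beta = root / "Clients" / "Acme", root / "Clients" / "Beta"
    acme.mkdir(parents=True)
    beta.mkdir(parents=True)
    prose = b"IN THE MARION SUPERIOR COURT. Plaintiff Acme Corp. alleges as follows: " * 60
    (acme / "Engagement_Letter.doc").write_bytes(prose)                 # left untouched
    (acme / "AcmePleading.doc.encrypted").write_bytes(os.urandom(4096))  # extension appended
    (acme / "Brief.encrypted").write_bytes(os.urandom(4096))             # extension replaced
    (acme / "README_DECRYPT.txt").write_text(                            # constructed note
        "All of your files have been encrypted.\n"
        "To receive the decryption key, send 0.5 bitcoin to the address below.\n")
    (beta / "Contract.docx").write_bytes(os.urandom(4096))               # healthy: a .docx is a zip
    return root


if __name__ == "__main__":
    result = scan_share(build_sample_share())
    for kind, files in result.items():
        print(f"{kind:13s}{files}")
    print("folders to restore:", affected_folders(result))
```

Run it and it prints which files fall into which bucket and which folders need restoring. The entropy check deliberately skips formats that are compressed by design (.docx, .pdf, .jpg), since those look random even when healthy; an encrypted file that kept such a name is only caught by the rename and note checks, which is one reason a scan like this complements rather than replaces the behavior monitoring an EDR product does.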

Mitigation of an attack

Assessing the damage usually doesn’t take long. It is important to identify which user account the attack ran under so that user’s workstation can be isolated as soon as possible, by unplugging it or cutting it off at the switch, and the account disabled. If your IT department suspects the attack is still in progress, it may cut off access to the server shares to try to minimize the damage. At this point it is not difficult to identify which folders have fallen victim, since the encrypted files carry the new extension and a ransom note sits beside them. Once IT has identified which server shares were affected and confirmed the malware is no longer running, it can begin the file-restore process; restoring while the malware is still active just hands it fresh files to encrypt.
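Identifying the account and workstation is faster from the file server’s audit log than by walking the shares. The following is an added example (not from the column) that works over a constructed CSV export of write and rename events on the file server; the column names are assumptions, so a real export (for instance of Windows object-access events, IDs 4663 and 5145) would have its columns mapped to these first. The approach: a write of a file with an unexpected final extension, or of a ransom-note text file, is only weakly suspicious on its own, so the script looks for a burst of them from one account within a short window and reports that account, its workstation, the time the burst started (the restore point to aim for) and the folders touched.

```python
"""Find the account and workstation behind a burst of encryption on a file server.
Added example, not code from the column.  The CSV below is a constructed export; the
column names are assumptions that a real export would be mapped onto first."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed audit export: one paralegal working normally, one litigator's account
# suddenly writing .encrypted files and a ransom note at machine speed.
AUDIT_CSV = r"""time,user,workstation,action,path
2024-03-04T09:58:12,CONTOSO\jdoe,WS-LIT-07,write,\\FS01\Clients\Acme\Motion.docx
2024-03-04T10:02:40,CONTOSO\asmith,WS-PARA-02,write,\\FS01\Clients\Beta\Contract.docx
2024-03-04T10:02:41,CONTOSO\asmith,WS-PARA-02,write,\\FS01\Clients\Beta\~WRL0001.tmp
2024-03-04T10:03:01,CONTOSO\jdoe,WS-LIT-07,rename,\\FS01\Clients\Acme\Motion.docx.encrypted
2024-03-04T10:03:01,CONTOSO\jdoe,WS-LIT-07,rename,\\FS01\Clients\Acme\Exhibit_A.pdf.encrypted
2024-03-04T10:03:02,CONTOSO\jdoe,WS-LIT-07,rename,\\FS01\Clients\Acme\Brief.doc.encrypted
2024-03-04T10:03:02,CONTOSO\jdoe,WS-LIT-07,write,\\FS01\Clients\Acme\README_DECRYPT.txt
2024-03-04T10:03:03,CONTOSO\jdoe,WS-LIT-07,rename,\\FS01\Clients\Acme\Retainer.docx.encrypted
2024-03-04T10:03:04,CONTOSO\jdoe,WS-LIT-07,rename,\\FS01\Clients\Acme\Exhibits\Photo1.jpg.encrypted
2024-03-04T10:10:15,CONTOSO\asmith,WS-PARA-02,write,\\FS01\Clients\Beta\Contract.docx
"""

KNOWN_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".msg", ".jpg"}
NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")


def is_suspicious(path: str) -> bool:
    """A write to a ransom note or to a file whose final extension is not ordinary work product."""
    name = path.rsplit("\\", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext == ".txt" and any(hint in name for hint in NOTE_HINTS):
        return True
    return ext not in KNOWN_EXTENSIONS


def find_suspect(csv_text: str, window: timedelta = timedelta(seconds=60), threshold: int = 5):
    """Return the (user, workstation) with the biggest burst of suspicious writes, or None.

    Office autosave and the odd .tmp file also trip is_suspicious, so a single event is
    noise; only `threshold` or more events inside `window` count as an attack."""
    events = defaultdict(list)
    for row in csv.DictReader(StringIO(csv_text)):
        if row["action"] in ("write", "rename") and is_suspicious(row["path"]):
            events[(row["user"], row["workstation"])].append(
                (datetime.fromisoformat(row["time"]), row["path"]))
    best = None
    for (user, workstation), evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold and (best is None or peak > best["burst"]):
            best = {
                "user": user,
                "workstation": workstation,
                "first_seen": times[0],          # restore from a backup taken before this
                "burst": peak,
                "folders": sorted({p.rsplit("\\", 1)[0] for _, p in evs}),
            }
    return best


if __name__ == "__main__":
    suspect = find_suspect(AUDIT_CSV)
    if suspect:
        print(f"isolate {suspect['workstation']} and disable {suspect['user']}; "
              f"encryption started {suspect['first_seen']:%H:%M:%S}, "
              f"{suspect['burst']} files in one window")
        print("folders to restore:", suspect["folders"])
```

The threshold and window are the knobs to tune against your own log volume: too low and a user saving a batch of scanned exhibits looks like an attack, too high and a slow-running strain stays under it.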

The IT department will ask the user questions to try to determine how the attack got in. Usually the user does not know which email or website was the source of the attack; after all, these things are very well disguised to improve their success rates. In my travels, the main way I have seen these attacks happen is that the user was tricked into releasing a malicious email from email quarantine because it appeared to be from someone trusted, which is usually a compromised mailbox sending these destructive emails.

Recommended safeguards

It is likely your firm is already doing the proper things to protect its files. Many law firms have already invested in a document management system, either on premises or in the cloud. This can limit the impact of ransomware, since documents checked into the system are not sitting as ordinary files on a mapped drive the malware can reach. Here are suggestions for other safeguards you should consider employing if you haven’t already.

1. Endpoint detection and response (EDR)

This is another layer of security that works alongside your antivirus. While antivirus typically watches for known malicious files, an EDR solution analyzes the events on your workstation and watches for suspicious behavior, such as one process rapidly renaming or overwriting hundreds of files. Some EDR solutions can also cut the compromised workstation off from the network: when an attack is detected, the workstation is isolated immediately, which limits how many shares the malware can reach.

2. Backup workstations

No matter whether there is a document management system in place or an explicit policy stating that work product must be saved to the proper shared drives, users will often save important files to the Documents and Desktop folders on their workstations. Many times workstations are not backed up, and in the event of a ransomware attack those files cannot be restored. Whatever backup you use, make sure the workstation cannot write to the backup location with the user’s own credentials; otherwise the ransomware simply encrypts the backup copies along with the originals.

3. DNS protection

DNS protection products add another layer, especially for laptops that leave the office network. They block lookups of known-malicious and compromised domains and of whole categories of websites that are typical threats, so a click on a bad link fails before the download starts.

4. Restrict access to shared drives

Your firm’s IT department should periodically review shared folder access and restrict it by department and need. Ransomware running under a user’s account can only encrypt what that account can write to, so tight permissions directly limit the damage. Do not use the Everyone group to grant permissions to shared drives and folders. Best practice is to grant access through group memberships and, only where an individual must be kept out of a folder the group can see, add an explicit deny for that person; keep such exceptions rare, because they are easy to forget and hard to audit.
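Here is an added example (not code from the column or from Microsoft) of turning that periodic review into a repeatable check. It parses a constructed `icacls` export in the shape of `icacls D:\Shares\*` output (the domain, group and user names are made up, and the parser assumes share paths contain no spaces, since icacls separates the path from the first ACE with a space) and flags four things: Everyone or another catch-all principal with write rights, a catch-all principal with read rights, a direct grant to an individual rather than a group, and any explicit deny so it can be confirmed as still needed. Which principals count as department groups is taken from a constructed list; in practice you would check each one against the directory.

```python
"""Audit share permissions from an icacls export for the problems called out above.
Added example, not code from the column.  The export text is constructed in the shape
of `icacls D:\\Shares\\*` output; the domain, groups and users are made up."""
import re
from collections import defaultdict

ICACLS_EXPORT = r"""
D:\Shares\Clients Everyone:(OI)(CI)(F)
                  CONTOSO\Legal-Staff:(OI)(CI)(M)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Administrators:(OI)(CI)(F)

D:\Shares\Finance CONTOSO\Finance-RW:(OI)(CI)(M)
                  CONTOSO\Finance-RO:(OI)(CI)(RX)
                  CONTOSO\bjones:(OI)(CI)(M)
                  CONTOSO\tnguyen:(DENY)(OI)(CI)(F)
                  NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                  BUILTIN\Administrators:(OI)(CI)(F)

D:\Shares\HR CONTOSO\HR:(OI)(CI)(M)
             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
             BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 3 files; Failed processing 0 files
"""

# Principals that mean "everybody" in practice; granting them write is the Everyone problem.
BROAD_PRINCIPALS = {"everyone", r"nt authority\authenticated users",
                    r"contoso\domain users", r"builtin\users"}
SYSTEM_PRINCIPALS = {r"nt authority\system", r"builtin\administrators", "creator owner"}
# Department groups allowed to appear directly in share ACLs (assumption for the example;
# in practice resolve each principal against the directory instead of a fixed list).
KNOWN_GROUPS = {r"contoso\legal-staff", r"contoso\finance-rw", r"contoso\finance-ro", r"contoso\hr"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "D", "DC"}


def parse_icacls(text: str) -> dict:
    """Map each path to its list of (principal, set of flags) ACEs."""
    acls = defaultdict(list)
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Successfully", "Failed")):
            continue
        if line[0].isspace():                 # continuation line: another ACE on the same path
            ace = line.strip()
        else:                                 # "path firstACE" (assumes no spaces in the path)
            parts = line.split(None, 1)
            current = parts[0]
            if len(parts) == 1:
                continue
            ace = parts[1]
        principal, perms = ace.rsplit(":", 1)
        acls[current].append((principal, set(re.findall(r"\(([^()]+)\)", perms))))
    return dict(acls)


def audit(acls: dict) -> list:
    """Return (path, principal, issue) for every ACE that breaks the guidance above."""
    findings = []
    for path, aces in acls.items():
        for principal, flags in aces:
            name = principal.lower()
            rights = flags - INHERITANCE_FLAGS
            if "DENY" in rights:
                findings.append((path, principal, "explicit deny: confirm it is still needed"))
            elif name in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
                findings.append((path, principal,
                                 "broad group can write: ransomware under any user can encrypt this share"))
            elif name in BROAD_PRINCIPALS:
                findings.append((path, principal, "broad group can read: replace with a department group"))
            elif name not in KNOWN_GROUPS and name not in SYSTEM_PRINCIPALS:
                findings.append((path, principal, "direct grant to an individual: move to a group"))
    return findings


if __name__ == "__main__":
    for path, principal, issue in audit(parse_icacls(ICACLS_EXPORT)):
        print(f"{path:20s} {principal:38s} {issue}")
```

On the sample export this reports the Everyone grant on Clients, the individual grant and the Authenticated Users read access on Finance, and the deny on Finance for confirmation, while HR comes back clean. Inherited ACEs (flagged `(I)` by icacls) are reported like any other, since the damage a broad write grant does is the same wherever it was set.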

5. Restrict access geographically

This one is crucial for any firm that continues to use a virtual private network to reach the internal network. Many firewalls come with security service add-ons that let IT restrict access to the firewall by country. The firewall compares the source and destination IP addresses of each connection against a feed of address blocks assigned to countries and drops traffic that matches a country on your block list. If no one in the firm is traveling abroad (let’s say, a vacation down in Argentina), does the firewall really need to allow any communications to or from IP addresses assigned to that country? You can usually ease restrictions when attorneys travel and enforce them again once they are back stateside; give each exception an end date so it is not forgotten. Geoblocking is a coarse filter, since an attacker can just as easily rent a server in the United States, so treat it as one layer rather than a guarantee.
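The decision a geoblocking firewall makes is simple enough to show in a few lines. Below is an added example (not from the column or from any firewall vendor) that maps a source address to a country through a table of address blocks, applies a country block list, and honors time-limited travel exceptions that expire on their own. The country table uses the RFC 5737 documentation ranges and is entirely constructed; a real firewall uses a vendor GeoIP feed. It also shows the caveat that a block list fails open for addresses the feed does not map.

```python
"""Allow/deny an inbound VPN connection by source country, with travel exceptions.
Added example, not code from the column or any firewall vendor.  The address table is
constructed from the RFC 5737 documentation ranges and is not a real allocation."""
import ipaddress
from datetime import date

COUNTRY_BLOCKS = {                 # constructed mapping, not real allocations
    "US": ["203.0.113.0/24", "198.51.100.0/24"],
    "AR": ["192.0.2.0/25"],
    "XX": ["192.0.2.128/25"],
}
NETWORKS = [(ipaddress.ip_network(cidr), cc)
            for cc, cidrs in COUNTRY_BLOCKS.items() for cidr in cidrs]
BLOCKED_COUNTRIES = frozenset({"AR", "XX"})   # the firm's block list
# Travel exceptions: (country, first day, last day, note).  Add one when an attorney
# travels; it expires on its own rather than waiting for someone to remember.
TRAVEL_EXCEPTIONS = [
    ("AR", date(2024, 3, 11), date(2024, 3, 15), "J. Doe, Buenos Aires deposition"),
]


def country_of(ip: str):
    """Country code for ip from the table, or None if no block covers it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETWORKS:
        if addr in net:
            return cc
    return None


def vpn_decision(ip: str, today: date, blocked=BLOCKED_COUNTRIES) -> tuple:
    """('allow' | 'deny', reason) for an inbound VPN connection from ip on the given day.

    Block-list semantics, as on the firewalls the column describes: traffic is dropped
    only when the source maps to a blocked country and no travel exception covers it.
    An address the table does not map is therefore allowed; if that is not acceptable,
    invert the policy into an allow list of home countries."""
    cc = country_of(ip)
    if cc is None:
        return ("allow", f"{ip} is not in any mapped block; a block list fails open here")
    if cc not in blocked:
        return ("allow", f"{ip} is in {cc}, not on the block list")
    for travel_cc, start, end, note in TRAVEL_EXCEPTIONS:
        if travel_cc == cc and start <= today <= end:
            return ("allow", f"{ip} is in {cc}; travel exception ({note}) runs through {end}")
    return ("deny", f"{ip} is in {cc}, which is on the block list")


if __name__ == "__main__":
    for ip, day in [("203.0.113.10", date(2024, 3, 4)), ("192.0.2.10", date(2024, 3, 4)),
                    ("192.0.2.10", date(2024, 3, 12)), ("192.0.2.10", date(2024, 3, 16))]:
        verdict, reason = vpn_decision(ip, day)
        print(f"{day} {verdict:5s} {reason}")
```

The four sample decisions walk through the travelling-attorney scenario: a home-country address is allowed, the Argentine address is denied before the trip, allowed during the exception window, and denied again the day after it ends without anyone having to touch the firewall.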

6. End-user training

It cannot be stressed enough that no amount of security tooling will protect users from themselves. End users in your firm should be routinely updated and retrained on common best practices for recognizing suspicious emails and websites, and in particular on when not to release a message from quarantine.

Those are the basics of ransomware. The threat is unending and constantly evolving to get past spam filters and other security tools. The safeguards mentioned in this article are just a few additional measures a firm can implement to further protect itself from the plague of ransomware. If you’re a small firm and your technology budget is limited, I would advise that end-user training and awareness is the best investment of your funds.

__________

Tino Marquez ([email protected]) is a co-owner of the Indianapolis-based legal technology company Modern Information Solutions LLC. Areas of service include traditional IT services, software training, and litigation support including trial presentation services. Opinions expressed are those of the author.
