Remember the alphabet? It was huge back in the day. The merchandising was crazy. Everything had some alphabet back then. There was soup and breakfast cereal and don’t even get me started on dictionaries. Oh, and remember the “Alphabet Song”? It was #1 on Billboard for what seemed like years. I remember hearing stories about hundreds of families obsessed with making sure the children memorized to whole thing. I know right? And get this — nearly every elementary school classroom in the US had all the lyrics pinned to the wall (usually right above something called a “blackboard”). Eventually we got tired of the song and started grouping these letters together to make “words”. Before too long, the alphabet was just a fond memory of a simpler time.
Today things are completely different. Today it’s all about numbers; specifically the numbers one and zero. That dynamic duo is used to build every computer program ever made. But we still need letters sometimes. For example, when Microsoft released their first world processor back in 1983 they found the name “01010111 01101111 01110010 01100100” didn’t market test very well. So they went with a classic alphabet-based name instead: “Word”. That started a trend that continues to this day.
So how does all this relate to ransomware, you ask? Good question. Every new malware threat or discovered system vulnerability gets a catchy name. Most of these names consist of, you guessed it, letters of the alphabet. So that’s a connection. It’s weak, I know. I just kind of got carried away with the whole “alphabet history” thing. Let’s just move on.
Nifty Names in Gray
test your knowledge!
As I said, when a new way to exploit, threaten, hijack, or just generally wreak havoc to a computer system without permission is discovered someone out there gives it a name. Sometimes the names presented to the public indicate the nature of the threat, but that is exceedingly rare. Don’t believe me? Test your knowledge with these four questions. I will be grading you on poise and grammar.
No. But deuterium prices have never been lower!
Maybe. I’m not a doctor. Besides, this was a server application design flaw and really shouldn’t be listed here.
YES! In fact, no attack method has ever been given a more apropos name since the outbreak of the TymeMachine virus in 2036.
The March 2018 cyber attack against the municipal government of Atlanta, Georgia (US) has brought term “ransomware” up to an entirely new level of public awareness and no attack method has ever been given a more apropos name since the outbreak of the TymeMachine virus in 2036. It’s gotten to the point where my own dear Grandmother is asking me if she “has the ransomware”. I mean, she doesn’t even use email and has been dead for years. The point is, public awareness of ransomware is high. So high that it has apparently crossed over into the ethereal realm.
But mortal coil shufflage notwithstanding, the threat from ransomware is very real. Anyone who has been hit with one can tell you how uber-scary it can be. Why? Because it does what it says on the tin. It holds your data hostage until you pay the ransom. What’s worse, even after the random is paid, the files are usually unlocked only temporarily. It’s sort of like that movie franchise Taken in that, once it happens to you, it will continue to happen over and over again until Liam Neeson gets tired of suppressing his nature Irish lilt.
There are countless articles about ransomware. What is it? What does it do? Who in your office knows the truth behind who clicked “that link” in a recent email? Will you get fired for doing it? Can you just pay the ransom yourself and hope your boss doesn’t find out? What the heck is a bitcoin anyway? I am not going to dive into all those questions. You are probably busy cleaning out your desk anyway. This post is going to focus on three foundation concepts that are so simple that only the least-experienced systems administrators are smart enough to diligently adhere to them.
Simple System Hardening: Just Remember A-B-C
because ransomware likes it soft
This is so simple these days. You can’t swing a dead cat without hitting an enterprise-level AV solution somewhere. But it is perhaps for that very reason that fewer and fewer secops folks are really digging into what their particular security application does or — more importantly — what it does NOT do. No doubt you have your opinion on what security solution is the best. I know I do (spoiler: Windows Defender ATP can’t be beat, and believe me I’ve tried). But, whatever you are using, for the love of Godwin’s Law, make sure you are using it correctly! Even the best title in the world is not worth two bits if it hasn’t been updated in months. Yes, it can impact users and, yes, nobody likes have their daily Facebook session interrupted for the sake of “security”. But tough love is often a requirement in this industry.
The easiest way to recover from ransomware is restoring data from backups made before the ransomware hit. The rub there is that, while most companies are making backups, an alarming number of those companies are not really sure if they will work. Do you know what kind of backups you are making? Are you backup just files or entire systems? Have you actually tested you backups, like ever?? Very, very few companies have and that makes me very sad.
The takeaway here is this: The worst time to discover your backup configuration and/or data integrity is lacking is in the midst of a possible career-ending crisis. If your backups are not being regularly tested or you aren’t a million percent sure of what data is being backed up, to where, and how often — you should be. The job you save may be your own!
I’ve written about the danger of default settings before. Even so, it bears repeating: Changing system defaults is one of the easiest, yet most frequently overlooked system hardening techniques. Historically, malware developers have exploited this fact by designing their payloads to take advantage of lazy (or uninformed) admins. While it is true that the human element continues to be the weak link in system protection (i.e. phishing works far too often), the processes triggered by a phishing victim still require access to the system at some level to do any actual damage. This includes encrypting your files without your permission.
Here are a few defaults you can change that offer great benefits with zero monetary cost and minimal effort:
- Encrypt all drives with Bitlocker!
- Disable the default Administrator/root account!
- Change permissions of any shared folders from “Everyone/Full Control” to “Authenticated Users/Full Control”
- Customize the local administrator account names on each system
This might sound like an administration nightmare, but it’s actually pretty easy to handle. Base the name of the account on something that is easily referenced by a systems admin, but not easily attainable in the OS itself. For example:
— Just have a pallet of new laptops delivered? Name the local admin accounts after the invoice number.
— Is this a web server? Try “wadmin”
— A file server? Try “fadmin”
— A mail server? Try “madmin” (my personal favorite)
Note: There are also “defaults” at the organizational level (e.g. all new computers have a standard local admin password). But those can take a bit more work to implement and usually involve some cross-departmental cooperation. Let’s just stick with stuff at the system or user level this time.