EchoLeaf™ Archiving As Key Component of Comprehensive “Ransomware” Strategy
“Ransomware” has recently emerged as a pernicious malware variant, now affecting not only individual PC owners but also larger organizations. Most likely created and promoted by organized criminal groups in Eastern Europe (the “Eastern European Mafia”), it is the subject of an escalating war of virus, counter-measure and enhanced virus, in which the “bad guys” invest heavily to keep ransomware ahead of each new strategy to defeat it.
Experts predict the war will continue to escalate.
“Within the year, we will see fully-automated ransomware targeting all machines on a company’s network, using multiple methods of attack and delivering multiple types of payloads,” comments noted security expert Stu Sjouwerman in a recent post on DarkReading.com.
Despite this spiraling malware threat, the primary infection vectors remain the same: users unwittingly opening infected attachments or following unfamiliar URLs that launch malicious code.
Below is a recent article from DarkReading.com about various steps enterprises can take to limit the likelihood of a ransomware attack. Not surprisingly, these recommendations mirror many past recommendations for avoiding enterprise virus attacks: scan email for malicious attachments; train users; lock down your network; etc.
However, take note of the comments under “Data Backups”, an obvious part of any overall strategy against malware. The first recommendation is to schedule backups to “no-overwrite media”. Why, and what does that mean? The “why” is that ransomware works by encrypting your files in place and, if you pay the ransom, handing you the key to decrypt them. If a “good” copy of a file has been written to a backup, you do not want a “bad” (encrypted) file of the same name overwriting it. In software this can be approximated by, for example, keeping “shadow copies” (Volume Shadow Copy snapshots) of disk files; however, recent variants of the most widespread ransomware families deliberately seek out and delete shadow copies before or while they encrypt.
Tape is a no-overwrite medium by its nature: it is an append-only medium, and a file already on the tape is not overwritten in place; the only way to destroy it is to reformat the cartridge. The practical consequence is that the protection holds only as long as an attacker cannot reach the drive with a format command, so a cartridge should be taken offline once the backup is written. EchoLeaf™, which uses the Linear Tape File System (LTFS), adds a further layer on top of this property, described next.
When a tape is written in LTFS format, every file ever written to it, including versions that were later changed, remains retrievable. LTFS writes a fresh index each time the tape is synced or unmounted, and each index generation records where the previous generation lives, so LTFS utilities can “roll back” from the current index to an older one and retrieve earlier versions of files. This is a native LTFS feature, independent of EchoLeaf™; its one limit is a reformat of the tape, which discards every generation.
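To make the append-only behaviour and the index roll-back concrete, here is a small Python model of a tape with LTFS-style index generations. It is an added example for this page, not EchoLeaf's software or the LTFS code, and it deliberately simplifies: real LTFS stores data in a data partition and an XML index in an index partition, and the LTFS utilities, not a Python class, perform the actual roll-back. The class, method and file names are assumptions chosen for the illustration.

```python
"""Append-only store with generational indexes: a simplified model of how LTFS
lets a backup roll back to an earlier index generation.

Added illustration for this page, not EchoLeaf's or the LTFS project's code.
Real LTFS keeps file data in a data partition and an XML index in an index
partition; each index generation records where the previous one lives, so
older generations remain on the cartridge until it is reformatted. Only that
behaviour is modelled here; names are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Index:
    generation: int
    files: Dict[str, int]        # path -> block number in the data log
    previous: Optional["Index"]  # older generation, still on the medium


class AppendOnlyTape:
    def __init__(self) -> None:
        self._blocks: List[bytes] = []      # the data partition: only ever appended to
        self._staged: Dict[str, int] = {}   # in-memory directory since the last sync
        self._current: Optional[Index] = None

    def write(self, path: str, content: bytes) -> int:
        """Store content for path. A later write to the same path does not touch
        the earlier block; it appends a new one and repoints the path."""
        self._blocks.append(content)
        block = len(self._blocks) - 1
        self._staged[path] = block
        return block

    def sync(self) -> int:
        """Commit a new index generation (LTFS writes one on sync and unmount)."""
        gen = 1 if self._current is None else self._current.generation + 1
        self._current = Index(gen, dict(self._staged), self._current)
        return gen

    def rollback_points(self) -> List[int]:
        """Generations reachable from the newest index, newest first."""
        gens, idx = [], self._current
        while idx is not None:
            gens.append(idx.generation)
            idx = idx.previous
        return gens

    def read(self, path: str, generation: Optional[int] = None) -> Optional[bytes]:
        """Read path as it was at the given generation (default: newest)."""
        idx = self._current
        while idx is not None and generation is not None and idx.generation != generation:
            idx = idx.previous
        if idx is None or path not in idx.files:
            return None
        return self._blocks[idx.files[path]]

    def last_good(self, path: str, looks_good: Callable[[bytes], bool]) -> Optional[int]:
        """Newest generation whose copy of path passes looks_good, or None."""
        for gen in self.rollback_points():
            data = self.read(path, gen)
            if data is not None and looks_good(data):
                return gen
        return None

    def reformat(self) -> None:
        """The one operation that destroys history. An attacker who can reach the
        drive with a format command defeats the no-overwrite property, which is
        why the cartridge should be offline once the backup is written."""
        self._blocks.clear()
        self._staged.clear()
        self._current = None


if __name__ == "__main__":
    tape = AppendOnlyTape()
    tape.write("docs/report.docx", b"PK\x03\x04 quarterly report")   # good copy
    tape.sync()                                                     # generation 1
    tape.write("docs/report.docx", b"\x9d\x02\xf1\x7b ciphertext")  # same name, now encrypted
    tape.sync()                                                     # generation 2
    print(tape.read("docs/report.docx"))                            # newest copy: ciphertext
    print(tape.read("docs/report.docx", generation=1))              # original, still on the medium
    print(tape.last_good("docs/report.docx", lambda b: b.startswith(b"PK\x03\x04")))
```

The point to take from `last_good()` is that a recovery needs a way to decide which generation is clean; a content check (a file header, a known digest) is more dependable than a timestamp, because the ransomware may have been writing for some time before anyone noticed. `reformat()` is included only to show the one operation the medium cannot defend against.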
EchoLeaf™ can be deployed as part of a comprehensive backup strategy and works alongside other backup and restore mechanisms. As long as your last line of defense is tape (e.g. EchoLeaf™), you can still retrieve any file that was later corrupted or encrypted on your network by ransomware, provided a clean copy of it reached the tape before the infection: tape preserves what was written to it, but it cannot recreate a version that was never backed up.
One caution about backups: any drive exposed on the network, even a NAS-style share like the EchoLeaf Virtual Drive™, is itself a potential target of attack. As the primary protection, files written to the EchoLeaf Virtual Drive™ are all moved to tape as their final destination, where they cannot be overwritten. As an added layer, filtering rules can be put in place so that files which already look encrypted are held back rather than committed to tape.
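As an added example (not EchoLeaf's own filtering code, whose rules this page does not describe), the following Python filter applies two checks that a tape-ingest step could run on each file: a header check for file types whose first bytes are fixed, and a Shannon-entropy check for everything else. The threshold, the number of bytes sampled and the magic-byte table are assumptions to tune on your own data, and the file names in the demo are constructed.

```python
"""Filter that keeps files which already look encrypted from being committed
to tape. Added example for this page; not EchoLeaf's filtering code.

Two checks, in order:
 1. If the file name claims a type with a known header (docx, pdf, jpg ...),
    the bytes must start with that header. Ransomware that encrypts a file in
    place keeps the name and destroys the header.
 2. Otherwise, measure Shannon entropy of the first 4 KiB. Ciphertext is close
    to 8 bits/byte; text and most uncompressed content sit well below.
Threshold and table are assumptions for the example.
"""
import math
import os
from collections import Counter
from typing import Tuple

SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5   # bits per byte; tune on your own data

# File types with a fixed header. Several are compressed and therefore
# high-entropy, which is exactly why the header check runs before entropy.
MAGIC_BY_EXT = {
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gz": (b"\x1f\x8b",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for a file about to be sent to tape."""
    ext = os.path.splitext(name)[1].lower()
    head = data[:SAMPLE_BYTES]
    expected = MAGIC_BY_EXT.get(ext)
    if expected is not None:
        if any(head.startswith(m) for m in expected):
            return "accept", f"header matches {ext}"
        return "reject", f"{ext} file lacks its expected header; possibly encrypted in place"
    h = shannon_entropy(head)
    if h >= ENTROPY_THRESHOLD:
        return "reject", f"entropy {h:.2f} bits/byte looks like ciphertext"
    return "accept", f"entropy {h:.2f} bits/byte"


if __name__ == "__main__":
    # Constructed samples: a uniform byte pattern stands in for ciphertext.
    uniform = bytes(range(256)) * 16
    text = b"The quick brown fox jumps over the lazy dog. " * 100
    for name, data in [("q1.docx", b"PK\x03\x04" + text), ("q1.docx", uniform),
                       ("notes.txt", text), ("q1.docx.locked", uniform)]:
        print(name, classify(name, data))
```

Compressed formats such as zip-based Office files and JPEG are near 8 bits/byte, which is why the header check runs first; a format missing from the table and stored under an unfamiliar extension will be rejected on entropy alone, so extend the table for the formats your users actually keep. The filter is a hygiene measure that keeps ciphertext out of the newest index; the recoverability of earlier copies comes from the medium, not from the filter.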
Finally, a secondary EchoLeaf™ system can be deployed whose credentials are held only by the first EchoLeaf™ system (and by the sysadmins, of course). It acts as a tertiary backup of the EchoLeaf Virtual Drive™, and access to it can be highly restricted. Data on the primary and the tertiary EchoLeaf™ systems will be identical; the difference is that the credentials for the tertiary system are never exposed to the general user (and machine) population, so malware running with an ordinary user's rights has no path to it. Those stored credentials should be a dedicated backup-operator account, as the backup recommendations reprinted below advise, so that they are of no use anywhere else if the primary system is ever compromised.
The combination of EchoLeaf™ file filtering, tape as an append-only (no-overwrite) medium, the LTFS index roll-back feature, and a full tertiary EchoLeaf™ system can provide an environment highly resistant to ransomware, at a cost far below that of cloud storage.
From DarkReading.com
How To Lock Down So Ransomware Doesn't Lock You Out
Ransomware has mutated into many different forms - and it's not always easy to catch them all, but here are some things you can do.
Profile of Author Sean Martin
CISSP | President, imsmartin
Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance, with a focus on specialized industries such as government, finance, healthcare, insurance, legal, and the supply chain.
- Securing The Network
Although they won’t protect against all threats, firewalls and other security tools designed to fortify the network perimeter play a critical role when protecting employees working from corporate-provisioned desktops sitting in the office behind the corporate firewall.
“Make sure your web gateway employs next-gen and frequently updated security layers,” suggests Stu Sjouwerman, founder and CEO of KnowBe4, adding, “make sure your firewall configuration is set to ensure no criminal network traffic is allowed out.”
“Continually watch for outbound command-and-control traffic destined for known bad hosts,” says Chris Whidden, Solution Engineer at eSentire. He also recommends setting rules to prevent “unknown binaries from being downloaded from the Internet.”
- Email & Browser Protection
Email clients and web browsers top the list of applications used to trigger the ransomware payload. Getting a handle on that type of traffic to protect against phishing, spear-phishing, and malicious (or hacked) websites is paramount when dealing with this daunting threat.
“Scan ALL attachments — particularly zip files and documents — for the latest malware variants,” recommends eSentire's Whidden.
“If you have no secure email gateway, get one now and make sure it provides URL filtering,” Sjouwerman says. “Do more than open it up and install it - make sure it is tuned correctly to handle this threat.”
- Endpoints: Block & Tackle
As with any malware, effective defense against ransomware requires up-to-date, real-time malware detection/prevention tools coupled with fast-acting remediation capabilities. Don’t ditch your anti-virus software just yet — but don’t rely on virus-scanners as your sole means of protection, either.
“As a starting point, make sure all of your endpoints are patched religiously — including the operating system and your third-party apps,” Sjouwerman says.
“Look for anomalous behavior on the endpoint, such as spikes in file access and CPU utilization,” eSentire's Whidden notes. “These could be signs of the encryption process in action.”
Behavioral analytics and anomaly detection can help in cases where multiple systems may be infected. They can detect things such as unauthorized processes and abnormally high disk writes or file changes, for instance, says Igor Baikalov, chief scientist at Securonix. “If you can identify the so-called exploit kits — aka, the delivery vehicles for ransom-, ad-, and other kinds of malware — then you can prevent a whole lot of malware being delivered to your computer, including ransomware,” he says.
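The endpoint signals Whidden and Baikalov describe (spikes in file access, abnormally high disk writes or file changes) can be tested against file-event logs. The following Python detector is an added example for this page, not eSentire's or Securonix's detection logic, and not part of the DarkReading article; its log-line format, the process names, the window size and the thresholds are assumptions, and the sample lines are constructed for the example.

```python
"""Burst detector for ransomware-style file activity, run over file-event logs.

Added example for this page, not eSentire's or Securonix's detection logic.
The log format, thresholds and the sample lines below are constructed for the
example: one event per line, as an endpoint agent or file monitor might emit.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>.+?)(?: -> (?P<newpath>.+))?$"
)
EPOCH = datetime(1970, 1, 1)


def parse(line: str) -> Optional[Dict]:
    """Parse one constructed log line; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["seconds"] = (datetime.fromisoformat(ev["ts"]) - EPOCH).total_seconds()
    return ev


def extension(path: str) -> str:
    """Last extension of a Windows or POSIX path, lower-cased, "" if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect(lines, window_s=10, write_threshold=20, rename_threshold=10) -> List[Dict]:
    """Flag (process, pid, window) triples whose write or rename rate is far
    above what an interactive user produces. Renames to a single new extension
    are scored separately because that is the classic in-place encryption
    signature: open, overwrite, rename."""
    buckets = defaultdict(lambda: {"writes": 0, "renames": 0, "new_exts": set()})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        window = int(ev["seconds"] // window_s) * window_s
        b = buckets[(ev["proc"], int(ev["pid"]), window)]
        if ev["op"] == "write":
            b["writes"] += 1
        elif ev["op"] == "rename" and ev["newpath"]:
            b["renames"] += 1
            b["new_exts"].add(extension(ev["newpath"]))
    alerts = []
    for (proc, pid, window), b in sorted(buckets.items()):
        reasons = []
        if b["writes"] >= write_threshold:
            reasons.append(f"{b['writes']} writes in {window_s}s")
        if b["renames"] >= rename_threshold and len(b["new_exts"]) == 1:
            reasons.append(f"{b['renames']} renames to .{next(iter(b['new_exts']))}")
        if reasons:
            alerts.append({"proc": proc, "pid": pid, "window_start": window,
                           "writes": b["writes"], "renames": b["renames"],
                           "reasons": reasons})
    return alerts


# Constructed sample: a user editing documents in Word, then an unknown binary
# writing 20 files and renaming 20 files to one new suffix inside ten seconds.
SAMPLE_LOG = [
    "2018-03-02T09:15:01 pid=4120 proc=WINWORD.EXE op=write path=C:\\Users\\amy\\Docs\\q1.docx",
    "2018-03-02T09:15:03 pid=4120 proc=WINWORD.EXE op=write path=C:\\Users\\amy\\Docs\\q1.docx",
    "2018-03-02T09:15:07 pid=4120 proc=WINWORD.EXE op=write path=C:\\Users\\amy\\Docs\\q2.docx",
] + [
    f"2018-03-02T09:16:{i // 4:02d} pid=5566 proc=tmp1234.exe op=write "
    f"path=C:\\Users\\amy\\Docs\\file{i}.docx"
    for i in range(40) if i % 2 == 0
] + [
    f"2018-03-02T09:16:{i // 4:02d} pid=5566 proc=tmp1234.exe op=rename "
    f"path=C:\\Users\\amy\\Docs\\file{i}.docx -> C:\\Users\\amy\\Docs\\file{i}.docx.locked"
    for i in range(40) if i % 2 == 1
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Backup agents, compilers and search indexers also produce bursts, so in practice the thresholds are set per host class and known bulk writers are excluded; the rename-to-one-extension signal is the more specific of the two, since legitimate bulk writers rarely rename every file they touch to the same new suffix.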
If a machine does become infected, Sjouwerman recommends that companies “wipe the machine and re-image from bare metal.”
- User Awareness Training
Since phishing has risen to the #1 malware infection vector and attacks seem to find their way through existing (or missing) filters all too often, it’s a must to provide employees and other users with effective security awareness training, and that training should include simulated phishing attacks. Do it until they “get it.”
“Now’s the time to deploy new-school security awareness training, which includes social engineering via multiple channels, not just email," Sjouwerman says.
“Train your users to be suspicious of all attachments and links in external and internal emails by encouraging the simple practice of hovering over a link [prior to clicking it] to confirm whether its actual destination is legitimate,” adds Whidden.
- Data Backups
Thus far, criminals are primarily using ransomware to hold the data ransom and do not appear to be stealing the data for their own use, nor are they expanding ransomware beyond desktop/notebook computers and servers.
This could change down the road, however (imagine having to pay a ransom to unlock your Tesla). For now, organizations need to focus on backing up their critical business data so they can quickly and fully recover from a ransomware attack without having to pay a ransom.
“Data integrity and availability are two of the tenets of information security and, like malware protection, don’t need any special treatment for the ransomware,” Baikalov says. He suggests the following:
- Schedule backups to no-overwrite media
- Make sure backups are located on segregated network storage, preferably offsite
- Have dedicated backup operator credentials – don’t share or otherwise reuse those credentials for other purposes, and surely don’t reuse the passwords with other accounts
- Audit the integrity of those backups regularly
- Maintain proper access management for these backups
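The “audit the integrity of those backups” item above is where many backup regimes are weakest. As an added example, not EchoLeaf's or any of the quoted vendors' tooling and not part of the DarkReading article, here is a Python audit that records a SHA-256 digest per file in a manifest, authenticates the manifest with an HMAC, and reports what changed. The key handling is an assumption: the HMAC key is presumed to be held by the backup operator (see the dedicated-credentials item above) and never stored on the backup host, because a plain hash list kept beside the backups can simply be regenerated by whoever altered them. The file names and contents in the demo are constructed.

```python
"""Integrity audit for a backup set: a keyed manifest of SHA-256 digests.

Added example, not EchoLeaf's tooling. The manifest is authenticated with an
HMAC whose key is assumed to live somewhere the backup host cannot read (an
HSM, an offline file, the backup operator's password manager). Function names
and the demo data are assumptions for the example.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialisation so the MAC does not depend on dict ordering."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Mapping[str, bytes], key: bytes) -> dict:
    """files maps relative path -> content. Returns entries plus a MAC over them."""
    entries = {path: {"sha256": sha256_hex(data), "size": len(data)}
               for path, data in sorted(files.items())}
    return {"entries": entries, "mac": hmac.new(key, _canonical(entries), "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(manifest["entries"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def audit(files: Mapping[str, bytes], manifest: dict, key: bytes) -> dict:
    """Compare the current backup set against the manifest.

    On no-overwrite media "modified" should always be empty: a changed digest
    means something rewrote a block, which the medium is supposed to forbid.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [],
              "manifest_authentic": manifest_is_authentic(manifest, key)}
    entries = manifest["entries"]
    for path, entry in entries.items():
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) != entry["sha256"]:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in entries)
    return report


def read_tree(root: str) -> Dict[str, bytes]:
    """Load a directory into the mapping audit() expects (for real use)."""
    out: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = f.read()
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in real use: fetched from the operator, never stored here
    good = {"docs/q1.docx": b"PK\x03\x04 quarter one", "docs/q2.docx": b"PK\x03\x04 quarter two"}
    manifest = build_manifest(good, key)
    tampered = dict(good)
    tampered["docs/q1.docx"] = b"\x9d\x02 ciphertext"
    del tampered["docs/q2.docx"]
    tampered["README.txt"] = b"constructed ransom note"
    print(audit(tampered, manifest, key))
```

Run `audit(read_tree(path), manifest, key)` from a host other than the one that wrote the backups, on a schedule, and treat any non-empty “modified” or “missing” list, or an inauthentic manifest, as an incident rather than a backup-job failure.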
“Create, maintain, and regularly test a cyber-incident response plan that includes ransomware scenarios,” Whidden says.
- Business Processes and Policy
Sometimes the weaknesses in our defense have nothing to do with the people or the technology – it could just be how business processes are defined and how risk is mitigated (or ignored), especially when it comes to senior executives.
“Identify users that handle critical business information and enforce some form of higher-trust authentication, such as two-factor authentication,” KnowBe4's Sjouwerman suggests. “Review your internal security policies and procedures, specifically related to financial transactions, as a means to prevent CEO fraud.”
Fred Bonner
CTO EchoLeaf Systems Inc.™
2018