I’m going to take an unconventional approach to the typical ransomware talk today. I want to talk about how ransomware has been a good thing for our industry. I realize that by now you’re probably calling me a charlatan, but just stick with me for a few minutes. Let’s talk about the good things ransomware has done for Information Technology.
Ransomware has driven backup awareness in a big way.
Think back to a not-so-distant past, when backups were managed by tape and BackupExec. Remember skipping a few days, or seeing the jobs fail, and not feeling an immediate sense of dread? How long would that fly today? Ransomware has one 100% effective recovery and response mechanism: restoring from a known-good backup. Sure, you can pay the ransom, but as we’ve seen recently, even that does not guarantee a decryption key. As a result, systems admins have become very good at backups — and going a step beyond that, so have users.
We have been preaching backups to end users for years. This was often either written off immediately, or taken seriously for a few weeks and then forgotten – with the USB hard disk stuffed in a drawer somewhere, less useful with each passing day. But today I see a change in attitude. People who have been hit and paid the ransom (or know of those who have) are very good about backing things up. The sting of $300+ in bitcoin is not one quickly forgotten – and it shows.
But let’s move away from the user for a moment, and focus back on the sysadmins. I’ve seen a change away from traditional nightly/weekly/monthly backup schemes, and toward quick online backups with hourly snapshots, replicated offsite to a second location. The focus has been placed on fast, recent restores. This has always been best practice, but suddenly we have the funding and managerial support to put it in place. Even organizations that have not been directly affected are reaping the rewards.
Ransomware has forced organizations to test their backups.
A backup is not a backup unless it’s been tested. This is a concept often preached, but rarely practiced – because it takes time that administrators do not have, to verify what they assume worked fine (hey, no errors in the log, it’s fine). These assumptions have resulted in many heartaches and “resume generating events.” Testing your backups takes time, and time is a commodity many do not have. But being able to prove to management that, in the event of a crisis, data can be restored quickly and production downtime kept to a minimum is what forces the test into your standard practice.
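Here is what “tested” can look like in practice. This is an added example, not code from the original post: one function records a SHA-256 manifest when a backup set is written, and a second restores that set into a scratch folder and checks every file against the manifest, returning a result object you can keep as evidence. The manifest layout and all paths are assumptions for the example.

```powershell
# Added example (not from the original post). Assumed layout: the backup job writes
# files under $BackupRoot, and we keep a manifest.csv (Path,SHA256) next to them.

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot)   # folder the backup job wrote to

    $root = (Resolve-Path $BackupRoot).Path.TrimEnd('\')
    $manifestPath = Join-Path $root 'manifest.csv'

    Get-ChildItem -Path $root -File -Recurse |
        Where-Object { $_.FullName -ne $manifestPath } |
        ForEach-Object {
            [pscustomobject]@{
                # Paths are stored relative to the set root so a restore can land anywhere.
                Path   = $_.FullName.Substring($root.Length + 1)
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $manifestPath -NoTypeInformation

    return $manifestPath
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [string]$ScratchRoot = 'C:\RestoreTest'   # assumed; never the live data location
    )

    # 1. Restore into a throwaway folder, the same way you would in a crisis.
    if (Test-Path $ScratchRoot) { Remove-Item $ScratchRoot -Recurse -Force }
    New-Item -ItemType Directory -Path $ScratchRoot | Out-Null
    robocopy $BackupRoot $ScratchRoot /E /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

    # 2. Check every manifest entry against what actually came back.
    $manifest = @(Import-Csv (Join-Path $BackupRoot 'manifest.csv'))
    $failures = foreach ($entry in $manifest) {
        $restored = Join-Path $ScratchRoot $entry.Path
        if (-not (Test-Path $restored)) {
            [pscustomobject]@{ Path = $entry.Path; Problem = 'missing after restore' }
            continue
        }
        $actual = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
        if ($actual -ne $entry.SHA256) {
            [pscustomobject]@{ Path = $entry.Path; Problem = 'hash mismatch' }
        }
    }

    # 3. Return evidence for management, not just "no errors in the log".
    [pscustomobject]@{
        TestedAt   = (Get-Date).ToString('s')
        BackupRoot = $BackupRoot
        FilesInSet = $manifest.Count
        Failures   = @($failures)
        Passed     = (@($failures).Count -eq 0)
    }
}

# Usage with hypothetical paths: build the manifest when the set is written,
# then run the restore test on a schedule and archive the output.
# New-BackupManifest -BackupRoot 'D:\Backups\FileServer\2016-06-30'
# Test-BackupRestore -BackupRoot 'D:\Backups\FileServer\2016-06-30' | Format-List
```

The point of the scratch folder is that the test exercises the same restore path you would use under pressure, without ever touching production data; the result object, rather than a log line, is what you show management.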
Ransomware has driven sysadmin initiatives.
What would a discussion about globally removing local admin rights have looked like five years ago? Being a multi-time veteran of this conversation, I’ve always seen it go a few ways:
- Management flat-out says no, because of a fear of lost productivity.
- Management agrees, but excludes certain users due to the fear of key-personnel being unable to do their jobs. (And, at the risk of sounding cynical, these users are quite often the ones who are most susceptible to infection anyway.)
- Management agrees, but due to the initial backlash from users, quickly backpedals and gives local admin rights back.
In the past, systems administrators wanted to get rid of administrative rights for two main reasons: end-users were installing unapproved software, or were becoming infected with malware. Removing admin rights solves both issues and allows for greater control of your environment. But now, with ransomware so prevalent, we’re removing admin rights to prevent it from doing much damage – and as a side effect, also reaping the other benefits along with it. Looking historically at virus and malware infections, I can see (at least for my own organization) a severe drop in infections since admin rights were pulled. (This policy, of course, was only approved after we were hit with the first generation of CryptoLocker.)
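Removing admin rights only sticks if the exceptions stay visible. As an added example (not code from the original post), this script pulls the local Administrators membership from every workstation in an OU and flags anything that is neither the built-in Administrator account nor an approved group. It assumes PowerShell remoting, the ActiveDirectory RSAT module, and Windows 10 / PowerShell 5.1 on the targets (for Get-LocalGroupMember); the OU, domain and approved group names are hypothetical.

```powershell
# Added example (not from the original post). Reports local Administrators
# membership across workstations so exceptions are audited rather than assumed.

Import-Module ActiveDirectory

$approved   = @('CORP\Domain Admins', 'CORP\Workstation Admins')   # hypothetical policy
$searchBase = 'OU=Workstations,DC=corp,DC=example'                 # hypothetical OU

$computers = Get-ADComputer -Filter * -SearchBase $searchBase |
    Select-Object -ExpandProperty Name

$members = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    # Orphaned SIDs can make Get-LocalGroupMember throw; keep going per machine.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                Member         = $_.Name
                Type           = $_.ObjectClass
                Source         = $_.PrincipalSource
                IsBuiltInAdmin = ($_.SID.Value -like '*-500')   # RID 500 = built-in Administrator
            }
        }
}

# Anything that is neither the built-in account nor an approved group is an exception.
$exceptions = $members | Where-Object {
    -not $_.IsBuiltInAdmin -and ($_.Member -notin $approved)
}

$exceptions | Sort-Object Computer, Member |
    Format-Table Computer, Member, Type, Source -AutoSize
$exceptions | Export-Csv -Path ".\local-admin-exceptions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it weekly and the “key personnel” exclusions from the management conversation above show up as a short, named list instead of quietly growing back into the default.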
Let’s also look at phishing. More and more companies are looking at phishing services and education, training their users to spot obviously fake emails and to be wary of opening attachments. According to a June 2016 article by CSO Online, 93% of phishing emails are now just ransomware. If we can get users to stop clicking links and opening attachments in emails they aren’t expecting, from people they don’t know, the threat surface is greatly reduced. This is good practice anyway – from disclosing sensitive information to whaling, scrutinizing everything that hits your inbox is a skill all users should be familiar with.
Tangentially related to phishing awareness was the move from outdated versions of Office to a modern version, which can block macros at the Group Policy level. Even before ransomware, macro viruses were circulating throughout the internet (though perhaps not as widely as they once were). Blocking the most common infection vector likely also prevented many other attacks.
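To check that the macro policy actually landed on a workstation, here is an added example (not code from the original post) that reads the values the Office 2016 Group Policy templates write under HKCU\Software\Policies and reports whether each application is locked down. It assumes Office 2016 (the 16.0 key) and must run in the user’s context, since the policy is applied through User Configuration.

```powershell
# Added example (not from the original post). Reads the Office macro policy
# values on this machine for the current user and summarizes them.

function Get-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')   # 16.0 = Office 2016; adjust for other releases

    # Meaning of VBAWarnings as written by the "VBA Macro Notification Settings" policy.
    $vbaMeaning = @{
        1 = 'Enable all macros (dangerous)'
        2 = 'Disable all with notification (user can click Enable)'
        3 = 'Disable all except digitally signed'
        4 = 'Disable all without notification'
    }

    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $vba      = $props.VBAWarnings                        # $null when no policy is set
        $blockNet = $props.blockcontentexecutionfrominternet  # 1 = block macros in files from the Internet

        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = if ($null -eq $vba) { 'not set (user can change it)' } else { "$vba = $($vbaMeaning[[int]$vba])" }
            BlockFromInternet = ($blockNet -eq 1)
            # "Locked down" here means macros are off or signed-only AND internet files are blocked.
            LockedDown        = (($vba -in 3, 4) -and ($blockNet -eq 1))
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A row showing “not set” is the case to chase: the default Office behaviour still lets the user click through the yellow bar, which is exactly the click the phishing email is counting on.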
Ransomware tends to also go beyond the infected system, and encrypt anything on a mapped drive or mounted SMB share. This forced administrators to take a long, hard look at how they were issuing read/write privileges across their enterprise, and lock down access by groups using the principle of least privilege. Ask anyone working front-line IT, and they’ll tell you horror stories of a receptionist with a little too much access bringing down entire engineering, accounting, and manufacturing departments because of lax permissions. Gone (for the most part) are the days of “just give Bob access to everything, we’re not quite sure what he’ll need to look at yet.” And this is a major win.
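The quickest way to find the “give Bob everything” shares is to look for broad principals with write access. This added example (not code from the original post) walks every non-administrative share on a file server and flags Everyone, Authenticated Users, Users and Domain Users where they hold Full/Change at the share level or FullControl/Modify/Write at the NTFS level. It assumes Windows Server 2012 or later (for the SmbShare module) and runs on the file server itself; the domain name is hypothetical.

```powershell
# Added example (not from the original post). Flags shares where broad groups can
# write, at either the share ACL or the NTFS ACL on the share root.

$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'CORP\Domain Users')  # CORP is hypothetical

$findings = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {

    # Share-level permissions: Full or Change for a broad group is the
    # "just give everyone access" pattern.
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -in 'Full', 'Change' -and
                       $_.AccountName -in $broad } |
        ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Level = 'Share'; Principal = $_.AccountName; Right = $_.AccessRight }
        }

    # NTFS permissions on the share root: the effective access is the more
    # restrictive of the two, so check both rather than trusting a tight share ACL.
    (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -in $broad -and
                       # generic rights render as numbers here and are deliberately not matched
                       ($_.FileSystemRights.ToString() -match 'FullControl|Modify|Write') } |
        ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Level = 'NTFS'; Principal = $_.IdentityReference.Value; Right = $_.FileSystemRights }
        }
}

$findings | Format-Table -AutoSize
```

Every row is a share that a single infected workstation, logged in as an ordinary user, could encrypt end to end; replacing those entries with department groups is the least-privilege change the paragraph above describes.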
Ransomware has made IT processes more streamlined.
After ransomware started affecting companies en masse, IT departments began seeing an opportunity for quicker disk imaging of infected machines. They began to see that implementing centralized antivirus and web filtering would help rein in some of the known-bad threats and stop them before they could activate. They began to develop processes to quickly triage and contain infections, rather than sitting in a panic while files encrypted over shared systems. By streamlining these processes, the side effect is a slightly more efficient helpdesk. Building out a quick disk imaging solution for wiping infected machines also means you can turn around laptops more quickly, or recover from failed hardware. Centralized antivirus not only helps push out new updates, but gives you central reporting on devices. Installing automated patching services like WSUS lets you go home at 5pm on Patch Tuesday, rather than digging through a list of who has and hasn’t yet received auto updates and rebooted. This is all a net positive to the IT department.
So, you love ransomware eh?
Of course not. This post wasn’t intended to sympathize with the ransomware industry. Quite the opposite — ransomware is a time-killing, productivity-killing, extortionary practice that should be condemned. The point is, there is a silver lining to how quickly it has ramped up and become an everyday occurrence in our lives. That silver lining is helping IT departments mature quickly, and forcing management to give the buy-in and budget needed to implement best practice. The only real solution to the ransomware problem is to simply stop paying the ransoms — without profit, criminals will stop pushing this stuff out. But until then, take advantage of what it offers — a killer excuse to get your infrastructure cleaned up and in order.