Cyber Crucible helps clients protect themselves from ransomware attacks, and recover from ransomware attacks when they didn’t already have our prevention and automated response in place. We are constantly evolving our capabilities, from internal testing, threat intelligence feeds, and customer operations, to provide the best ransomware protection available.
Previously, we had discussed how risk management software is necessary, but also removes available resources from use for business applications. In this post, we’re going to briefly discuss why protecting these older machines is important for ransomware operations.
What is the big deal if some of the machines cannot run ransomware protection?
Every company has the problem. A lot of people do too, perhaps even you! Maybe you were embarrassed to tell your grandmother when you were helping her out. I’ve known multiple people who involved junior employees just starting out in their career, and even was ashamed to see it in the Army.
Old computers exist in every organization! They either stay in place, untouched, since they aren’t breaking anything, or they are pawned off on charities, family, far-afield remote offices, or even interns.
We have theories as to exactly why, but what we know is that old computers routinely carry a lot of importance during ransomware recovery operations. Let’s explore this a bit, starting with the least technical point.
Old Machines Usually Mean Vulnerabilities
More often than not, the machines that are older are also more vulnerable to attackers. They usually run older versions of their operating systems and other business software, which don’t have the latest security features or patches. Resource-hungry security tools are sometimes not running or installed, running without all features enabled, or running older versions.
Additionally, older equipment is seen with employees with less budget for cybersecurity education or less experience with cybersecurity. While training is not a panacea against attacks, there is a direct correlation between extensive cybersecurity training and user behaviors that make it more difficult for an attacker. I don’t have statistics handy readily available for the positive effects on users whom are used to being targets of cyber attacks like social engineering, but it is likely safe to assume users with a lot of experience being targets are better at defending.
Let’s be honest about user behavior for a second, though. Nobody thinks they can be tricked until they are, and the deck is stacked against busy users trying to do their jobs.
Key generation in ransomware operations
Let’s first do some *very* quick encryption lessons.
Symmetric encryption is good for quickly encrypting files and data, but a key needs to be shared. Think of a key here just like the key to your front door.
Asymmetric encryption is good for protecting small bits of data. It isn’t nearly as fast as symmetric encryption, isn’t good for lots of data, but you can pass around encrypted data without having to share the key. Asymmetric encryption is usually used to encrypt symmetric keys. The analogy isn’t really 100%, but imagine the asymmetric encryption is a metal safe big enough to hold a few door keys, and the symmetric encryption keys are kept secure inside the safe. You can’t really carry around a house inside of the safe, but you can carry around a few door keys!
For ransomware, the attacker has lots of data to encrypt, of various file sizes. Files are in cloud servers, remote storage, or laptops of varying sizes, ranging from tiny files to really big files. The attacker has to use symmetric encryption to encrypt the data, but wants to protect the keys so that they can force the victim to pay their ransom. This all has to be done automatically, as well.
The ransomware program is what generates the keys and encrypts files. In most circumstances, this means that keys are generated, and encryption is performed, on the machine running the ransomware, even when network file shares are involved. If 100 workstations are infected, it is possible to have keys from 100 different workstations on a file server.
Why It (Usually) Matters Where Keys Are Made
Where the ransomware is running is important for a couple reasons. First, ransomware attackers like to keep organization for which key is associated with which infection. A few types types of identifiers are used, but usually it is something associated with an exact victim’s hard drive or operating system installation. In our company, we refer to this as ransomware Digital Rights Management (DRM), because the net effect to the victim is the same as DRM for movies. By that, we mean that DRM is a technology to give rights to play a movie, but only to the computer assigned.
Likewise, the hardware and operating system identifiers in the ransomware protocols try to force a decryptor to run on the same machine that was initially infected. So, if Mary in sales’ laptop was the machine which encrypted the sales lead file server, then that laptop, and only that laptop, must be used to decrypt the file server. Our company designs decryptors which defeat this DRM during recovery engagements, but it takes advanced knowledge of ransomware protocols.r or account that paid for the movie.
Starting to Put All That Together: Attacker Behaviors
Ransomware attackers, in a perfect bad-guy world, would migrate to every one of the machines, from the lowliest (usually old) intern machine, all the way to the file server farm with all of the company’s most valuable data, then encrypt everything in the company simultaneously. Simultaneous, local encryption is the fastest, ensures files or shares are not missed, and gives defenders the least ability to react. Of course, new more powerful machines also are able to encrypt much more quickly than old slower machines that are already bogged down with business activities. Fortunately, the world isn’t perfect for criminals, any more than it is for us good folk.
Either due to increased vulnerabilities that are not any user or admin’s fault, user behavior, or something else not thought of, less powerful machines are many times used to encrypt large amounts of data via network shares. “Less powerful” can be a euphemism for, “old” in many cases. Sometimes that is an old laptop. Other times, it is that a server that simply hasn’t been replaced yet.
Post-attack, the environment is one in which some files are encrypted locally, and some are encrypted across the network.
The mix of of which files are encrypted by which machine are basically due to a mix of three variables:
- attacker behavior & expertise
- attacker available technical
- capabilities defender capabilities
Protecting the oldest, least powerful machines is important
Now we better understand that older machines are more likely to be pivotal to a ransomware defense and recovery effort. They more likely to be more vulnerable to attacker operations, are more likely to cause file corruption (also, see our blog post on the matter), and take longer for both recovery operations if you are not using Cyber Crucible’s Unlocked decryptor.
Just like you don’t want weak points in a castle’s defense, a strong defense across all machines is necessary to stop ransomware attacks without interrupting business operations. Unfortunately, even if you are protecting just “the crown jewels”, these weak points represent a major disruption to business operations. The attacker uses the older machines to gain foothold, and oftentimes are the source of continued attacks against the most important data and machines in your business. Additionally, since attacks are typically a combination of local encryption and encryption across network shares, the entire IT infrastructure suffers during an unmitigated attack.
Looking Forward for Part 3
I hope I have convinced you that defending these older machines is just as important, if not more so, as protecting the shiny new equipment. You have an interesting challenge, though, in protecting these older machines while being very careful not to remove necessary resources for business operations. In part 3, we’ll discuss some of the strategies to best protect these older machines from ransomware without affecting business operations efficiency, including a sneak peak into the Ransomware Rewind security engineering. We’ll even throw in a live example or two of attacks we’ve since learned lessons from. Unfortunately, our clients will also represent our best source of feedback and needed improvements, no matter how much internal testing we conduct.