Ransomware

06 Oct
I want to spend a few minutes talking about ransomware from an inside perspective. Recently, a company I’m involved with was hit with a massive outage from Ryuk ransomware. No one knows exactly how and when it started, but there are theories. First let me just say that you should NEVER pay the ransom. Why? Well, because you’re only encouraging them to do it again, and secondly, even if you do pay, you don’t know that you’re actually going to get the decryption key.
What ransomware does is take all your files, regardless of what they are, and encrypt them, making them unusable. There’s no fix and there’s no way to undo the damage. Think of it like this. You left your house in the morning to go to work. You come back in the afternoon and someone has changed all the locks and put walls around your home so you can’t get in, and the only way to access your house is to pay someone to take down the walls and open the locks. You can take the time to break down the walls, call a locksmith or rebuild your home, but the time and money to do that is crazy. That’s an extreme example, but you get the point.
Probably what happened, and I do not know this to be fact so let’s just say I’m guessing, is that someone, probably working from home (again, not a fact but a theory), was either surfing the net or received an email with either an attachment or a link and opened it. This set off a chain of events. Now again, this is theory, not fact: the user either didn’t realize what they did or just simply ignored it.
First things first… If the user didn’t realize what he or she did, then the network security team failed miserably. Now yes, as an administrator you can only put so many things in place to try to prevent these things, but the bottom line is that it is up to the user to understand and be educated about these things. Most companies have orientation for new users and this should be part of that. Someone from IT should take the time to speak with new users about these things. You can put up as many red flags on emails as you wish, but the fact remains that when users don’t comprehend what they are doing, they just go, and this leads to total infection and total loss of data. In my opinion as a network administrator, users, no matter who they are, should never be allowed to access their personal data on a company laptop or desktop. There’s no reason for any user to have access to personal email or the open internet, such as shopping sites, real estate, Facebook, Twitter, etc., UNLESS their job description has to do with it. For example, a marketing person needs access to things like Facebook, Twitter, etc., whereas a department supervisor or director does not. A real estate agent needs access to real estate listings but not personal email.
Here’s what I do know: virus protection, while ok, is only as good as that moment allows. It will not stop ransomware, because ransomware varies so much that the virus protection can’t keep up. A virus scanner is only as good as the latest update it has. Does that mean you shouldn’t use it? NO. But keep in mind, regardless of whether you are a personal user or a business user, you MUST use your head and take the time to really look at what you are doing. So many times I’ve heard the excuse, “I have so many emails I don’t have time to really look at them all.” Well, this could be the result of that.
Again, having been involved in this, it’s a total loss of any locally saved data, including backups, because if they are not off site or on tape, they are vulnerable too.
Most companies, if not all, are NOT proactive; they are reactive. Why? Money. But I offer this: how much is your data worth, and what can you do to protect that data? In my case there were so many things put in place: virus protection, scanning, firewalls, hard drive encryption, etc. All failed due to user error.
Currently, because of Covid-19, many, many people are working from home. Most companies offer VPN. Well, some of them have what’s known as split tunneling (a computer networking concept which allows a user to access dissimilar security domains, like a public network (e.g., the Internet) and a local LAN or WAN, at the same time, using the same or different network connections). In my opinion this is a NO NO! A disadvantage is that when split tunneling is enabled, users bypass gateway-level security that might be in place within the company infrastructure. For example, if web or content filtering is in place, this is something usually controlled at the gateway level, not on the client PC.
ISPs that implement DNS hijacking also break name resolution of private addresses when a split tunnel is in use.
Why do I think this is a bad idea? Well, if a user is in your network via VPN, then that’s all he or she needs; there’s no reason to have access to a public network while connected to a VPN. Perhaps in this case the user was checking their personal email on a company laptop while connected to the VPN with split tunneling, or perhaps that user was surfing the net, came upon something and opened it up? I don’t know.
Bottom line: how much is your data worth? You need to do everything you can to protect that data, and that starts with backups. And those backups must be complete. Yes, it’s expensive, but again, how much is your data worth and what can you live without? You must, must have a way to take your backups off site or keep that data totally separate from everything after it’s backed up.
The pain of having to literally reconstruct an entire network is incredible, and what’s worse is that everything must be completely wiped out and reinstalled. You can’t do that over the network, so you have to do it with either USB drives or CDs. That takes so much time. But it must be done, because if one machine is missed, your entire network is infected again.
Network teams, and again this is reactive, shut down the administrative shares, not allowing an administrator to use what’s known as the C$ share, to stop ransomware from spreading after the fact. However, this sets up an entirely new set of problems for the techs, because it stops them from delivering software, and that means they have to go to each and every machine, whether remotely or physically, to install software. No more things like bat files and PsExec to install software, and if you have a big company with lots of machines this becomes extremely time consuming for the techs. Also, a user should never have administrative privileges to install software on their company machine either, and lots of places do that for convenience. In my opinion that is bad for security, because it gives the user a free pass to install anything they please.
I truly believe that you can prepare for these things; however, you need to hire someone with enough experience and knowledge to prevent this. You can’t rely on outsourcing for this. You need to have protections in place, whether it’s routing to stop the spread of infection, hollow root domains, or simply not allowing open internet access regardless of what the CEO demands. It needs to be explained that if this happens, the cost of rebuilding is much worse than simply not being allowed to access personal mail or surf the internet.
So what’s your data worth?
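The three controls discussed in the VPN paragraphs above and in this one (split tunneling on the corporate VPN profile, the default administrative shares such as C$, and users sitting in the local Administrators group) can all be audited on a Windows endpoint before an incident rather than after it. The script below is an added example, not the author's own tooling and not something from the incident described; it assumes a Windows VPN profile named "Corp-VPN" (a placeholder) and uses only built-in cmdlets (Get-VpnConnection, Get-SmbShare, Get-LocalGroupMember) plus the LanmanServer registry values that control whether the default shares are recreated at boot. Remediation commands are included but commented out, since removing administrative shares has exactly the side effects on software deployment that the paragraph above describes.

```powershell
# Added example (not the author's code): audit one Windows endpoint for the
# three controls argued for in the post. Run in an elevated PowerShell session.
# "Corp-VPN" is an assumed placeholder name for the corporate VPN profile.
param(
    [string]$VpnName = "Corp-VPN"
)

$findings = @()

# 1. Split tunneling on the built-in Windows VPN profile.
#    If SplitTunneling is $true, Internet traffic bypasses the corporate gateway
#    (and its web/content filtering) while the user is connected.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if ($null -eq $vpn) {
    $findings += "VPN profile '$VpnName' not found (third-party VPN clients are not covered by this check)"
} elseif ($vpn.SplitTunneling) {
    $findings += "VPN '$VpnName' has split tunneling ENABLED; Internet traffic bypasses gateway filtering"
}

# 2. Default administrative shares (C$, ADMIN$, ...). IPC$ is left out because
#    it cannot be removed and is not a file share.
$adminShares = Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }
foreach ($s in $adminShares) {
    $findings += "Administrative share $($s.Name) is present ($($s.Path))"
}

# The LanmanServer values that decide whether those shares come back at reboot.
# AutoShareWks applies to workstation editions, AutoShareServer to server editions.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $value = (Get-ItemProperty -Path $lanman -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value -or $value -ne 0) {
        $findings += "$name is not set to 0; default shares are recreated at each boot"
    }
}

# 3. Who is in the local Administrators group. Anything other than the built-in
#    Administrator account or the domain's admin group is worth a second look,
#    because it lets that user (and malware running as that user) install anything.
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    if ($m.Name -notmatch '\\(Administrator|Domain Admins)$') {
        $findings += "Local administrator: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
    }
}

# Report.
if ($findings.Count -eq 0) {
    "No findings on $env:COMPUTERNAME"
} else {
    "Findings on $env:COMPUTERNAME:"
    $findings | ForEach-Object { " - $_" }
}

# Remediation (apply deliberately; each has operational side effects):
# Set-VpnConnection -Name $VpnName -SplitTunneling $false
# Set-ItemProperty -Path $lanman -Name AutoShareWks -Value 0 -Type DWord   # workstations
# Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord # servers
# Remove-LocalGroupMember -Group 'Administrators' -Member 'DOMAIN\someuser'
```

Two caveats on what this does and does not cover. Get-VpnConnection only sees profiles created with the built-in Windows VPN client, so a third-party client's split-tunnel setting, and the gateway-side policy that should be enforcing full tunneling regardless of the client, have to be checked separately. And setting AutoShareWks/AutoShareServer to 0 stops the shares from being recreated at the next boot but does not remove them immediately; that, like the PsExec and batch-file deployment the paragraph above mentions, is exactly the trade-off a team should decide on before an outbreak rather than during one.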