WannaCry is the largest ransomware attack on record. If you are following the news, by now you might be aware that a security researcher known only as MalwareTech, activated a "Kill Switch" which apparently stopped the WannaCry ransomware from spreading further... at least initially, before a second strain was unleashed without the embedded kill switch. Unfortunately, the solution won't help fix systems already infected by the malware.
Competing theories exist as to why WannaCry’s perpetrators built in a kill switch. One possibility is that the functionality was put in place as an intentional kill switch, to avoid forensic analysis by security firms. MalwareTech even warned that this was only going to be a short-term fix since the attackers could easily rewrite the code and relaunch the cycle. Which they did.
MalwareTech clearly bought time for organisations running Windows to patch their systems and provide some long-term protection. However, regularly patching your systems is just a small part of a larger data protection strategy. The good news -- most of these steps are free and easy to implement.
There are three parts to a modern data protection strategy:
Building a wall
Recovering data encrypted by a ransomware attack is next to impossible, so prevention offers the better approach. So, you’ll need to build a wall – one that you’ll have to pay for – which protects your data and systems. It includes:
- Regular patching: When a patch or security update is released, install it immediately and close any backdoors.
- Update your AV signatures: Even if ransomware gets past your antivirus, chances are good that within a short period of time there will be an automatic antivirus update to protect your organisation.
- Offsite backups: Create secure backups of important data on a regular basis. However, simply backing up is not enough though, as physically disconnecting the storage device is required to avoid it being infected with ransomware as well.
- Anomaly detection: Anomaly Detection is an early warning system that enables companies to quickly isolate a ransomware infection and recover important data before the entire network is frozen. When we see anomalies in the number of changed files, you know when you were infected and can revert back to a clean backup.
- Endpoint protection: In most ransomware attacks, your endpoints are your weakest links in the security chain. That’s why it imperative to protect your user’s laptops and desktops (and even mobile devices), not just your servers, with AV protection, regular backups and Anomaly Detection.
- Email filtering: You need to actively block suspicious attachments and links since 99 per cent of ransomware attacks are delivered via phishing attacks.
Training your staff
While WannaCry exploits a Windows vulnerability via a worm, most ransomware variants rely on good old fashioned “spray-‘n’-pray” phishing attack, which involves spamming users with emails that carry a malicious attachment.
The attackers can also lure a victim to click on a URL where malware will be ready to crawl into your machine. To combat phishing attacks, it’s vital to share social engineering tips and train end users on how to spot phishing attacks and malicious websites. It’s also prudent to simulate (safe) phishing attacks and see who clicks the links. Report. Retrain. Repeat.
Mitigating the damage
Importantly, the primary damage caused by WannaCry is not the ransom paid, it’s the downtime caused by the ransomware. Most ransomware guidance speaks to the importance of having a regular backup process in place, so you can recover a clean, unencrypted version of your files when you get infected.
While this guidance is sound, especially for individual files and folders, it's a time-consuming option when you're trying to restore a critical business application, like a Microsoft SQL Server, MySQL, or an Oracle database. Businesses need a solution that can quickly restore databases and make them operational. This is where DRaaS shines.
Disaster Recovery as a Service (or DRaaS) is the replication and hosting of physical and virtual servers to a second location, either to a second appliance or the cloud, which is usually located in a distant second site. In the event of a man-made or natural catastrophe, those replicated systems and data can be booted and accessed. Fundamentally, DRaaS lets you “instantly” boot a protected server or your entire site and immediately get back to business, whether you’re booting from the appliance or from the cloud. Since DRaaS solutions combine software and the cloud, they don’t require the huge upfront costs (hardware and IT resources) to create, manage, and test a secondary site.
Simple backup procedures will let you restore your production database, but it will take significantly more time than a modern DRaaS solution. If a SQL database is encrypted, for example, it can take 4-5 hours to rebuild the server and corrupted files. With DRaaS, that time is shaved to just a few minutes.
If your database is part of a cluster, then you have more work ahead of you. For each machine connected to the cluster, you'll need to rebuild the database which includes replacing a new drive, installing a new OS, and re-installing the database software. You can expect that this process will take you about an hour per machine depending on how adept you are at building production databases from scratch.
Ultimately, with something as contagious as WannaCry it is often a matter of when, not if, your system becomes infected. While building a wall, training staff and keeping backups are something every business should be looking at, the ultimate kill switch for ransomware lies with DRaaS.
Dean Nicolls is Vice President of Marketing at Infrascale
Image Credit: WK1003Mike / Shutterstock