After ransomware attack, focus turns to backup and prevention services

Cybersecurity experts say the best way to counter an infection is to be prepared and have backup systems in place

Ricky Ben-David is a senior news editor at The Times of Israel.

Illustrative: Staff monitoring the spread of ransomware cyberattacks at the Korea Internet and Security Agency (KISA) in Seoul, May 15, 2017. (AFP/ YONHAP)

How many of you have been on the dark web?

The tech specialist posing the question couldn’t hide his disappointment when only a few hands went up. He was addressing a conference in New Orleans last week on data protection and recovery services where he delved into the dark web, also known as the deep web — a sort of parallel universe to the online world we know, where users are anonymous and largely untraceable. It’s most widely known as a place one can order or trade in illicit products and services, like hacking attacks and malware, with just a few clicks.

The question came just over a week after a worldwide extortionate cyberattack wreaked havoc on over 10,000 organizations and 200,000 computers in over 150 countries. The malware, specifically a ransomware attack known as WannaCry and WannaCrypt, spread quickly starting on Friday, May 12, and for much of the weekend. The worm took advantage of vulnerabilities in older versions of Microsoft Windows that were identified and stockpiled by the National Security Agency, and later stolen by hackers and published on the internet. The attackers encrypted files and held them for “ransom,” demanding between $300 and $600 worth of the crypto-currency bitcoin to unscramble the data and restore access.

To understand just how important it is to protect yourself against this cybersecurity threat, you have to know what you’re up against, the specialist said during a panel discussion on ransomware, urging more people to access the dark web and see for themselves how this marketplace worked.

“Malware is a multi-billion dollar industry, and it is very sophisticated,” warned Rustam Kovhaev, a Vancouver-based tech support engineer, during the discussion. The small session was part of a larger conference hosted in New Orleans, Louisiana, by his employer Veeam, a fast-growing, leading tech company that develops backup, storage and data recovery services for businesses and organizations and provides software across multiple platforms.

Screenshot of a ransomware exploit (Courtesy)

The three-day conference’s two sessions on ransomware proved to be among the more popular panels amid increased awareness of the threat following the cyberattack and its aftermath earlier this month.

“Cybercriminals are now selling ransomware as a service,” said panel leader Ben Milligan, the director of customer support for Veeam software in the Americas. “A few years ago, it was the work of skilled hackers. Now anyone can go [on the dark web] and just buy it” or be guided on how to unleash it.

Milligan also suggested some obvious ways online users can prevent infection: don’t click on links or open attachments to emails from people you do not know, don’t plug in a USB you find in the street, don’t visit unverified sites like torrent sites, stay updated on your software — and the perhaps less obvious one of exercising caution when receiving links on Skype or other messenger services, including from trusted contacts that may have been compromised.

It’s an effective pitch for the company’s services: present the problem, lay out the threat, warn of potential impending disaster and propose, if not a solution, then a contingency plan — in this case Veeam as your backup and recovery provider.

But even the company conceded that in the face of the ever-evolving threat of ransomware, of which there are several variants, it may not always have all the answers.

One panelist warned that some of the “meanest” hacks he’d seen while at Veeam had involved infections not just of clients’ original data but of the backup files as well.

Map locates top 20 countries affected in the first hours of the global ransomware cyberattack in May 2017. (AP)

Anti-viruses and anti-malware do not provide full protection, said Milligan, and some of the ransomware that is commanded manually by attackers is very effective and can even prevent restoration attempts.

One of the best ways to protect against the threat, he said, is to be informed about it and adopt a 3-2-1 rule: have 3 copies of your data on 2 different media including one that is off-site, like on a cloud service.

Having your data air-gapped, a tech-y way of saying it should be on a backup system that is detached from the main system and thus inaccessible during an attack, “is the single most effective method to protect yourself from ransomware,” he said.

Also, if you are hit with ransomware, a third panelist on the team advised, “don’t pay the ransom, it only encourages [those behind it] and gives them an incentive to continue doing it.”

It appears to be advice that most of the targets hit with the WannaCry ransom attack followed. Given the scope of the assault, few have paid, with the hosts receiving just 296 payments totaling just over $99,000 worth of bitcoin as of Monday, according to a Twitter account (@actual_ransom) that is tracking the three bitcoin wallets associated with WannaCry.

But security firms and cyber experts observing the attack have warned that while large in scope, it was not particularly sophisticated, with some elements of it even appearing amateurish, and that attackers will adapt.

Salim Neino, CEO of the Los Angeles-based security firm Kryptos Logic, told the Associated Press last week that the WannaCry worm was “poorly designed” — patched together and consisting of a “sum of different parts” with an unsophisticated payment system.

A window announcing the encryption of data including a requirement to pay appears on an electronic timetable display at the railway station in Chemnitz, eastern Germany, on May 12, 2017. (AFP PHOTO / dpa / P. GOETZELT)

Microsoft, which has partnered with Veeam, as have other companies like Dell, Lenovo, IBM and Amazon Web Services, warned that the attack should serve as a “wake-up call” to governments, organizations and consumers.

Omri Moyal, co-founder of the Israel-based cybersecurity startup Minerva Labs, says he thinks money was not the objective. “They were probably looking to make a statement of some sort,” he told The Times of Israel, adding that the attack was “too unsophisticated” to generate real revenue.

“They did some real damage to the production system, it was less about the encryption. Also, ransomware is about reputation, and they did not have a good reputation for giving back the files,” he said.

Moyal, who is also VP of research at Minerva Labs, warned however that as attacks grow more sophisticated and dangerous, what’s most important is having the tools and resources for prevention and protection, not necessarily having a backup system. He said that a more effective variant of the ransomware, using the same NSA exploit, was already observed online.

Following the recent outbreak, Minerva Labs developed a “vaccine” against WannaCry, the WannaCry Vaccinator, which tricks the malware into thinking the system has already been infected, thus neutralizing the attack. Moyal said it was released for free on May 14, two days after the attack.

The best counter-action, he said, was awareness, education and proactiveness against such threats.

A screenshot of the Tor Project welcome page as seen on a Google browser.

As for the urgent advice to pay a visit to the dark web, Moyal said it’s really not for everyone.

First, you have to use a proxy, like Tor, the network developed by privacy activists to allow for anonymous use of the internet.

“Use a proxy or be prepared to say hello to the FBI,” joked one website that provided instructions on how to access the network.

Second, Moyal warned, “there are places you don’t want to go and things you don’t want to see.”

Accessing the dark web is a bit “like walking through a dark neighborhood” without direction, he said. “It can be safe, but there is risk.”
