How to Stop Ransomware

TOM: Welcome, everybody. Everyone. That’s my Southern accent, my poor pronunciation and bad grammar coming through. I’m working on it. But I am a Southerner. You know, I have never lived anywhere but the South – even though when I was really young I lived outside of Washington, D.C. in Virginia. That’s still the South. How are you doing, Kindsey?

KINDSEY: I’m good. How are you, Tom?

TOM: I’m good. Do we have everyone that we expected today?

KINDSEY: We have most of them, yes.

TOM: All right. Today we’re doing yet another one of our Deeper Dives. This is where sometimes we take things from the main webinar; other times it’s things that are current; other times it’s just things that we think may be of interest to you. Today we’re going to talk about how to stop – and it says “and recover from,” but let’s change that a little bit. How to stop and, if necessary, recover from a ransomware attack. Because we don’t want to have to recover from one if we do things properly.

Wait, I’ve got a slide that we’re going to do first. Obviously you can tell we didn’t do a run-through on this. This is very casual. If anyone wants to interrupt or use the chat box if you want to speak and ask a question, just let someone know and Kindsey can open up your microphone. These Deeper Dives are getting more and more casual. We want your participation.

In fact, furthermore, we want to know what you’re curious about when it comes to cybersecurity and having a real good defensive posture. You heard about something on the news – this stuff’s always on the news. If you’d like to know something more about a specific attack or maybe a security warning that we’ve sent out or you’ve read somewhere, just let us know about those things, because ultimately this is for you guys. This is not for us. This is for you guys.

I beat this into the ground on just about every webinar I do. The 3 core things you need to do is have continuous cybersecurity awareness training, which includes phishing simulations – these are emails that are designed to fool people inside your organization and test if they’re likely to fall for a phishing scam, which is by far the most common way to distribute a ransomware attack.

If you don’t even have continuous cybersecurity awareness training, you have to remember you never want to get – you get an email from a vendor that says, “Your account’s been suspended. We’re withholding shipments till you pay these outstanding invoices” or “Click on this link and go to your account now, immediately” – anything that has a sense of urgency to it, be suspicious.

Now, the obvious ones are poor grammar, misspelled words. It’s not as common these days as it was just as recently as a couple of eyras ago. It doesn’t matter if the attack is Chinese nationals or Iranian nationals or North Korean nationals; their grammar and spelling and punctuation and everything has increased dramatically. Very often, even we get fooled. We get fooled on our own phishing simulations, which is the same thing that our clients use.

But at any rate, that’s a red flag. If it is saying “Your account’s been cut off” and you know you’ve paid the bill – or maybe you haven’t even purchased anything from them in a while. That happens to us. You go, “Wait a minute. I don’t need to get in a hurry here. I’m not going to click on what’s in their deal. I’ll go where I normally go to check the account, or I’ll pick the phone up and call the number I normally do to see what this is about.” At the very least, those are good practices.

Cybersecurity awareness training does dramatically decrease the likelihood that your employees are going to fall for a phishing scam. What is it, Kindsey, 91% will fall for a scam, and then with training it goes to 51%? Is that right?

KINDSEY: Yes.

TOM: So without any training, even without getting the last 2 or 3 tips that I just told you, 91% chance that an employee’s going to fall for a phishing scam. With cybersecurity awareness training, it drops dramatically down to 51%. You’ve just taken out a lot of chances of a ransomware attack. And other things too, but ransomware is the thing that we concentrate on first.

The other stuff gets into things that we have more time to react, generally speaking. I’m talking 50,000-foot view here. Trojans and keyloggers and backdoors, with the different layers of defense that we put in place, some of those are practically “Who cares?” I’ve gotten notices that my Facebook – well, not Facebook. My PayPal credentials may have been compromised – and this is a few years ago. I don’t even know if it was PayPal. Anyway, it was like a finance site, but not something they could get immediate access to funds. I didn’t really lose any sleep and get all bent out of shape about it because I knew I had turned on multi-factor authentication.

Any website that has – they call it 2FA or MFA – you want to turn that on. Follow the instructions on the screen and turn that on. That way, if those credentials are stolen, they won’t do the criminal any good unless he’s got that third factor of authentication, that randomly generated 6-digit or 8-digit number. For example, I use that on Amazon. It’s email, password, and two-factor authentication, or I call it multi-factor authentication.

I have a couple of websites where it actually requires four pieces of information. It’ll be username, password, of course, and then it’ll be a PIN, and then it’ll be a token. So that is true multi-factor, when you’ve got four. Anyway turn that on on any website that you can and that’ll help as well.

Then another thing is don’t reuse credentials. Get a password manager. We send out links frequently, our affiliate links, to 1Password. We don’t get rich off that. It’s just a link straight to 1Password, and I think you get a trial that the general public doesn’t get or something. It’s something minor. But it is the best password manager we have found yet. I don’t have a problem with LastPass, but day in and day out, 1Password just works smoother. LastPass, especially the last couple of years, has really been – and this concerns me a little bit. I guess I do have a little bit of a problem with LastPass. Their software has been a little buggy and their support has been poor. That generally reflects on other sloppy practices within the business. It leads me to be more concerned about their security practices.

At any rate, 1Password, or if you’re using Apple products, I don’t have a problem with you using the – what’s it called? The iCloud Keychain. I don’t have a problem with that. Some of my stuff is in Keychain just because it was super convenient and I never got a chance to update it in 1Password. So either one of those are fine.

Don’t use browsers at all to store credentials. Firefox, Safari, Chrome, Opera, I don’t care what it is. Turn that off. Do not use browsers to store credentials. First of all, it’s not even portable. It’s only on that browser, on that computer, that device. If you use something like 1Password or Keychain, it’ll cross-platform. It syncs up between all your devices. So that’s a really cool way. And it generates unique credentials so you don’t have to remember what they are, and it stores them.

Some people say, “What if that gets hacked?” I’m going to cover that on a different webinar. It’s a little too much to get into, but suffice to say it’s very unlikely. They use very particular cryptology. Even if they did get hacked, it wouldn’t matter.

Anyway, on to endpoint protection, or EDR, endpoint detect and respond. If you’re relying on antivirus to protect you from ransomware, it will not. It absolutely will not. The reason is antivirus relies on signatures of threats. In other words, it’s got to be a piece of code that has been identified as a virus. It looks for signatures of threats. Ransomware attacks have no signatures. They are no virus. It uses email. If it’s a Word document that’s got a macro in it, it’ll use email, Word, and the built-in encryption service on your PC.

There is nothing in the entire – what we call the storyline, which is basically the sequence and how the attack played out – there’s nothing in there that has a signature or is a virus or a trojan or any bad thing, any malware. There’s zero malware in there. So if you’re not using an EDR, or an endpoint protection program that contains an EDR, that uses artificial intelligence and/or machine learning to look at the computer behavior to say, “Wait a minute, that’s weird. Why is a Word macro calling the encryption service? That doesn’t happen. I’m freezing it” – and that’s what a good EDR does. I’m going to show a demo of that here in just a minute.

Then finally, you do have to plan for a failure of your defense layers, and you’ve got to plan what happens if you actually have a successful ransomware attack. You’ve got to be able to recover, preferably without paying the ransom and/or the extortion, which opens up a different can of worms. Because it is possible to restore from backup, but then the ones that are adding on the extortion thing, they want you to pay that ransom or else they’ll release the data into the wild, or sell the data, sell whatever data they’ve collected.

That’s two different business decisions that you guys as a manager, president, owner, director, CEO, whatever your head honcho title is, that’s two different decisions you’ve got to make. “What data has been stolen? How do I know?” Because believe me, they will sell it. And the flipside of that is, if you pay the ransom, they’ll unencrypt your files, and they won’t sell it because it’s a bad business model. They’re all about good customer service and, for lack of a better term, doing the right thing. They realize that if they didn’t unencrypt the files, the whole business plan that they’ve been using for 10 years now would all fall apart. No one would ever pay a ransom. So they understand it’s important that they unencrypt those files and not betray the agreement that they’ve made with their victim. There is ethics among thieves, in a weird way.

So let’s look at a demo of a phishing thing. And if I’ve got this right, I should be able to – oops, I don’t think that’s it. Can you still see my screen?

KINDSEY: Yeah.

TOM: I may have to stop the share. Do you see my mail right there, or is it still the slideshow?

KINDSEY: I still see the slide.

TOM: Let me do this. This is an actual – now what do you see?

KINDSEY: Your email.

TOM: This is actually sent to Kindsey. If I can get my mouse over there – there it is. This email was originally sent to Kindsey. We were scrambling to try to find a phishing simulation. This is part of our security training. We periodically send out emails that are phishing attempts to see if anybody in the organization falls for it.

If you look down here, it’s from “Dropbox,” “Delivery Failed,” and it says “You have received a new document from accounting@customer-portal.info. If I click on the “View document,” it then takes me, if I can get it over there – I’ve used computers before. Let me stop my share and get it over to the right one. Here we go.

This is what website it goes to. Remember, this is not a real phishing email. This is a simulation. It says, “Warning: You’ve fallen for a phishing simulation.” This particular one has got the logo of our MSP division, Kirkham.IT. “Thankfully, this was not a real phishing email, but an authorized test by your organization. One wrong click could open the door to cyber crime for your employer, your coworkers, or your loved ones.” And that’s absolutely true.

So, “Watch the training video.” It goes on to some more detail – “What’s the worst that could happen?” What’s the very first thing? Ransomware. Financial losses. They can steal credentials to your bank accounts. Reputational damage. Personal impact.

That’s one of the great things about cybersecurity awareness training: it helps protect your people in their personal lives. You don’t want them to have any personal struggles with identity theft or having all their money wiped out of their bank account. That creates a security event for the company, because if you’ve got an employee that’s all stressed out or they don’t have any money – whatever your head honcho title is, there’s two things right there that should raise red flags for the company.

It’s not personal. If you’ve got a financially distressed employee, they may be looking to steal. It’s not personal. Everybody in my organization, to the best of my knowledge and ability, don’t really have to worry about that. And that’s the way all your people should be too. But if they’re suddenly financially compromised – I had an attorney once that took money straight out of the law firm. Lost his bar license and everything like that. And he was one of the most renowned attorneys in the area for business law. Totally weird thing. So you just never know.

Then the second thing is the fact that they’re under stress, not only are they not productive, but more importantly, they’re more likely to fall for a scam. So training them helps them in their personal lives and just makes everybody better and smarter and great team players.

So let’s watch the video. We’ve got time, don’t we, Kindsey?

Video: If you are watching this, that means you have fallen victim to a simulated phishing attack authorized by your organization. Luckily, this was only a simulation, but we promise, a real phishing email won’t be so forgiving. To help educate employees who fall for a phishing simulation, we are requiring you to watch this short video on the consequences of a phishing email and how to spot them in the future. Cybercriminals, i.e. the individuals who typically perpetrate these phishing emails, have been getting very clever with how they craft their content.

TOM: Okay, you get an idea. They go through a training video. This one’s a little bit longer than usual. It’s 10 minutes. We don’t really have time to sit here and watch this, and that’s not the purpose of this. So let me stop that and move on to the next topic. But it trains them in real time that they’ve fallen victim and corrects their habits.

We’ve got 2 or 3 different educational methods now, and some of our others have different ways to go about doing this. This is the main awareness training package that we’re currently using. We’re switching over – well, we’re adding another one that does more psychological training. The urgency – there’s some other tactics that go into it. So it’s a little bit more advanced way to do training.

Let’s see, where were we? I didn’t start my camera. Let’s get back to the slideshow. I will share out the screen once again. Is it back, Kindsey?

KINDSEY: Yes.

TOM: Anyway, you got to see the phishing demo, and then this is the EDR demo. Remember I said antivirus is useless? This is our primary EDR. We do not have a client out there that doesn’t have this product. We quit supporting antivirus. If we take you on as a client, we’re going to require that you have an EDR and we’re going to strip most antiviruses off the computer. That’s how serious we feel about it. If you think you’re going to keep McAfee or Norton or one of those off-the-shelf AVs, you’re not going to be a client of ours. We have a very specific way we do things, and it works.

Now, what this particular EDR does is it’s very, very effective against ransomware. It uses artificial intelligence to look at computer behavior. In this demo, we’re just detecting only, just to show you how it works. Normally we say “kill the process and fix everything if you can.” I’ve got a victim machine here, so we’re going to execute the CryLock malware. This is what happens if you open those file attachments. It executes the ransomware attack or the encryption deal.

The encryption occurs almost immediately on this computer because it only has, what is that, 20 files maybe. It searches the entire network. We have actually seen victims take days to encrypt everything it can. Now, once it gets to this point, it’s found everything it can encrypt, and this is the screen that shows you what the ransom is.

Now, on our side, we go to our command center, or the SOC, and we see a whole bunch of details about what this is, and we can look at a storyline. Remember I mentioned the storyline, which is how the attack takes place. We can see through analysis, this is where the entry point was; this was probably the attack vector. We find that in a post mortem that you guys have heard me discuss before. Every security company does post mortems. Even if the attack wasn’t successful, we’ve got to do a post mortem. That’s why you hire us. One of the reasons.

So here it goes into a bunch of technical stuff. Behavioral indicators. These are indicators that artificial intelligence says “This is not normal. This is an anomaly for opening a Word document. Why is a Word document calling encryption services?” So it freezes it, normally. Now, this one went ahead and executed because we let it. But normally, in default, in production, it will kill that process.

This particular one – and it’s the only one – actually will roll back and attack and unencrypt the files. It’ll make it just like nothing ever happened. We rarely have to use this. Occasionally do. But it stops the stuff so fast and so well that it’s pretty rare that we actually have to use the rollback command. We haven’t had a successful ransomware attack that we had to rely on backup since we’ve started using particularly this product, but adding all the other multiple layers of defense. Because it is more than just one layer.

Anyway, you’ve got to get an EDR, or an MDR, whatever. These are not only artificial intelligence, but they’re also monitored by human beings and security operation centers and/or in our command center. So you’ve got humans looking at anomalies. That doesn’t happen with an antivirus. Consequently, you can’t buy this stuff off the shelf. It has to be obtained through either a security or an infosec company like IronTech, or through an IT company that has a security division or security is a big part of their business.

All EDRs are not created equal. When a vendor with a competing product calls us and asks what we use, we say SentinelOne, and the conversation usually goes something like, “Oh, okay, well, it’s nice talking to you.” It’s generally acknowledged as the best in the business, and they’re a fantastic company. I’m really excited, the things they’ve got coming forward. It’s getting even better and better and better.

Let’s get to the – this is a virtual machine backup. It’s instantly virtualized. This is your backup. This is in case the ransomware attack is successful and the only way is to restore from backup.

This particular backup strategy actually backs up the entire machine to a virtual machine. That virtual machine can be turned on instantly if we have an onsite device, and/or run from the cloud halfway across the country. And it’s all ransomware-proof. The way we protect say our accounting computer – we only have one. Well, two, three, something like that, but our main one, the one that actually gets the work done – we do both. We have a local VM backup that we can turn on whenever we want to, and a cloud-based one in case we have a catastrophic facility loss.

We always look at what happens – tornadoes, floods, hurricanes, terrorist attack. We want to have a backup strategy for that. We consider that in the backup strategy as well. Everyone knows a disaster – if you’re in California or the West Coast, you’ve got wildfire issues. If you’re in the South – well, practically the whole country, you’ve got flooding issues. Gulf Coast, East Coast, you’ve got hurricane issues. All of these different natural disasters and cyberattacks. You’ve got to be prepared both from a geographical distribution backup method, but also time-based. How fast can you get back up and running? We can literally turn on a virtual machine of our accounting machine within minutes, and it picks up right where it left off.

So how does that look? How do we know this works? Well, every day, I get a verification screen. If you’re familiar with the lock screen on Windows, that particular garden is a scene that’s built into Windows and it’s the lock screen. 8:37 October 15th is that screenshot. That gets emailed in. What that means – that’s a screenshot of a virtual machine starting up and running. That means it’s tested automatically each and every day.

In addition to that, IronTech also monitors backups with another automated tool, and then finally, we lay human being eyes each and every day, practically all day long, and monitor continuously for any backup failures. First of all, it’s really hard to do it manually, so you have to automate a lot of it. But if you don’t monitor your backups – say you outsource your IT and it’s usually time and materials, or what we call break/fix in the business. If you’re not paying them to monitor the backups and check them, to make sure they’re there, you might as well not have any.

You can’t believe how many times I’ve seen those types of organizations go in and set a backup and they make a comment that says, “You’ve got to go here to check out.” Most users don’t – it’s not the user’s responsibility. It’s the IT company and/or the security company that needs to check and make sure those are going to be there, because we don’t know when there’s going to be a tornado or a ransomware attack. I’ve got to count on that virtual machine being able to be spooled up from the cloud to make payroll or to pay vendors or to pay payroll taxes. I can’t wait for a month for an accountant or bookkeeper to reconstruct all of our accounting files from a month earlier, even if I have a month earlier good backup from QuickBooks. I may not have any because they all got encrypted.

So like I said, multiple locations, so we have multiple destinations for the backups. Other backup strategies are data-only. We work with your head honcho title, we work with you guys to get a good balance of multiple layers of backups – keeping in mind business resilience, for those of you under EPA rules. That’s what they call it. Other people refer to it as business continuity and/or disaster recovery. There are technical differences between those three, but for the purpose of our strategy, we rarely get into the weeds that much. We have a tendency to lump all those together.

Another thing is remember that a snapshot, like a VM snapshot, is not a backup necessarily. Sometimes you do want data-only backups because you need a version of that Word document or that spreadsheet from last Tuesday at 3 p.m. You’re not going to get that kind of granularity with a virtual machine backup. Just the sheer size of those backups creates what we call time slice problems. The next backup wants to start before the last one’s finished. So we accept a little risk there that maybe the VM backup – now, ours does do a lot more frequently, but maybe that VM backup, the worst we can do is 4 hours or 12 hours or whatever. Whereas data, if the files aren’t that many – it depends on how many people.

Once again, that’s part of the security assessment that we do with you guys and walk through that. You have to understand what risk you have. Educate yourself on what risk you’re putting the company at. That’s what you do each and every day when you lock your door. Who’s got the keys to the office? You’ve got to shift that whole way of thinking to the virtual world or the information world. The same principles apply. I see too often that business owners put their head in the sand. “I don’t know anything about it, don’t want to know anything about it.”

Well, that’s all well and good, but you have to know the risk. I don’t want to know how to do heart surgery; I just want a guy that knows how to do it, and I expect him to explain to me what the risks are, the likelihood of success, and so on and so forth. I don’t have to be an expert at it. I’ve just got to make sure I’m picking the right guy and he explains to me exactly what – a captain has to know the condition of his ship, no matter how dire it may be. And if you’re in this head-in-the-sand part about IT or cybersecurity, you’re not being a good manager, nor are you being a good leader.

Anyway, enough of the soapbox. How does all this fit into NIST Cybersecurity Framework? Remember, that’s what we use. That’s what we go down to be in compliance. It’s just a good framework. Just those 3 things, you’ve got at least two layers on the 5 components of the NIST Cybersecurity Framework. That’s a great, great start. Locking your door to your office is another layer. You guys are already doing some of this. Let’s get your technology up to snuff and get those enterprise grade tools in there, because they’re not expensive. EDR costs more than McAfee, no doubt, but it’s not outrageously expensive. It’s a bargain considering the alternative.

For those of you that aren’t a client or you haven’t done a security assessment, this is easy-peasy stuff. 20-30 minutes for most of you. Get a high level assessment. Just get a ballpark of the dollars that we’re talking about. If you do nothing else, just do that. You’re going to be much more informed. You’re going to understand your risk a lot more. And if it’s not in the budget, it’s not in the budget. But I have yet to see any kind of small organization that couldn’t afford at least those 3 things.

I don’t know what else to say. I’m amazed that we have any openings on our assessment calendars, actually. Anyway, do we have any questions, Kindsey? Did I leave something out? I’m a little over time.

KINDSEY: We did have one in the chat, but I was able to answer it. They were just asking what EDR stood for again.

TOM: Oh, okay. There’s a lot of confusion out there. This is another one. Some of you are going to leave this call and go, “Tom said McAfee is not an EDR, or Norton is not an EDR,” and now they’re marketing those things, so-called EDRs. They may say it’s got artificial intelligence, machine learning, and all of that. But here’s what I do know: those aren’t enterprise grade tools.

If you’re familiar with us, you know how much we preach best of breed. SentinelOne’s only product is EDR. Think about that. If you make only one thing, how good could you make it? Just how incredible can you make it? That’s what we do. We do best of breed. Our secondary EDR, that’s all they do. I don’t think there’s a tool in our toolkit – except for the training and the phishing sims. Those are almost always together. But that’s security awareness training, and they kind of stand off on their own. But everything else in our arsenal is a vendor with a single product. They’re best of breed. If somebody comes out with a newer, better mousetrap, we’ll either add it or rip and replace because we want to stay on that best of breed.

What invariably happens – “Tom said McAfee doesn’t have EDR.” Well, they may. I don’t know. I don’t keep up with them. So you go, “I think I’m going to call them up.” You call them up and they go, “Oh yeah, we’ve got EDR. We’ve got spam filter,” or whatever else, if you’ve seen some of the other webinars on all these other different layers. They’re going to tell you they’ve got all that stuff.

There’s a couple of things you’ve got to remember. None of it is best of breed. I’ve never seen any of those suites or those integrated solutions that are best of breed, or any one component was best of breed. And second of all, there’s nobody monitoring that stuff. There’s no people involved. You’re coming at it from a position of just buying the least resistant way. It’s fine to talk to them about that. Bring it back to us during the security assessment and we’ll look at it. But there’s nothing out there as good as what we put in.

EDR is endpoint detect and respond. What we actually do is managed endpoint detect and respond. That’s adding the human component to it. And we’re beginning to see more of this endpoint protection platform. That’s what SentinelOne is starting to call theirs, but it’s still just an EDR. It’s the same EDR they’ve always had; they’re just saying this component is actually a platform. Anyway, some people think those terms are interchangeable. I don’t think it’s a good way to call it, but if you’ve been exposed to IT in any way, you know we’re all crazy about acronyms. I can’t even keep up with all of them.

At any rate, I hope everybody enjoyed that. Once again, drop Kindsey a line or send me an email, tom.kirkham@irontechsecurity.com or kindsey.haynes, about topics you’d like for us to cover, or clarify any questions. If you want to get an assessment set up, if you want to try a 30-day trial of cybersecurity awareness training, just drop us an email, give us a call. I think that’s it, Kindsey.

KINDSEY: That is all.

TOM: Thank you, guys.