Authored by Paul Ducklin, Principal Research Scientist, Sophos
If you’re a system administrator, the network you look after is almost certainly way more spread out since coronavirus stay-at-home regulations kicked in. But even if your colleagues are using their own computers now, and connecting in via their own internet connections, it’s still “your” network, and it still represents a valuable target – as a network, not just as numerous individual computers – to cybercriminals.

And one of the most dramatic all-at-once attacks that your network can suffer is, of course, ransomware.

Ransomware attacks often rely on victims making a few basic mistakes that are often quite uncomfortable to confront – it’s natural to assume you haven’t made any (or, at least, not many), and it can feel both tired and tiring to keep going through the basics. So we decided that we’d find a fun way to help you to keep track of the common blunders that often lead to ransomware – something with rhyme and rhythm as well as reason.
Imagine that your computer were a house, and ransomware a gang of burglars, and chant along with us…
We’ve summarised the actions you can take into 5 simple phrases, each starting with P so they’re easy to remember.
1. Protect your system portals
Crooks often sneak in by looking for remote access portals such as RDP (remote desktop protocol) and SSH (secure shell) that aren’t properly secured, perhaps because they were set up temporarily but then forgotten about. Learn how to scan your own network from the outside and make sure that any services that are open and listening for connections are supposed to be there, and that they are on your regular security checklist. If you don’t check your network for access holes you’ve left open by mistake, then the crooks will do it for you!
2. Pick proper passwords
When you’re in a hurry, especially if you have to rely almost exclusively on remote access these days due to coronavirus lockdown, it’s easy to take shortcuts to “get it working” and to promise yourself you’ll check all the locks and latches later. Yet every time there’s a huge password dump due to a data breach, you will invariably find the password changeme somewhere near the top of the list. Clearly, lots of people start out with basic passwords with every good intention to pick a proper one soon, but then never get around to it. Start as you plan to go on, with proper passwords from the outset, plus two-factor authentication to augment your security whenever it’s available.
3. Peruse your system logs
Many, if not most, ransomware attacks don’t happen instantly or without warning – the crooks usually take some time, often days and sometimes longer, to get a picture of your entire network first. That’s how they make sure, when they finally pull the trigger that initiates the attacks, that they will get the destructive result they want for the ransom they plan to demand. So there will often be numerous telltale signs in your logs, such as the appearance of “grey hat” hacking tools that you wouldn’t expect your own users to need or use; sysadmin operations such as creating new accounts that happened at unusual times; and network connections from outside that don’t follow your usual pattern.
(The Sophos Managed Threat Response team can help you here – they know not only what to look for but also where to find it.)
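As an added illustration (not code from the article or from Sophos), here is a small Python triage script that runs over constructed syslog lines and flags two of the telltale signs named above: account creation outside an assumed business-hours window, and SSH logins from addresses outside assumed expected networks. The log lines, hours and network ranges are all assumptions made for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (not from any real system) covering the two
# signals the article names: odd-hours account creation and logins from
# outside the networks you would normally expect.
SAMPLE_LOG = """\
2024-05-06T03:12:41 srv1 useradd[2211]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
2024-05-06T10:05:03 srv1 useradd[2300]: new user: name=jsmith, UID=1008, GID=1008, home=/home/jsmith, shell=/bin/bash
2024-05-06T22:47:15 srv1 sshd[4102]: Accepted password for svc_backup from 203.0.113.77 port 51522 ssh2
2024-05-06T09:30:00 srv1 sshd[4200]: Accepted publickey for jsmith from 10.20.0.15 port 50011 ssh2
"""

# Assumed policy: 08:00-18:59 is the normal admin window; these ranges are
# the office/VPN networks logins are expected to come from.
BUSINESS_HOURS = range(8, 19)
EXPECTED_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]

USERADD_RE = re.compile(r"^(\S+) \S+ useradd\[\d+\]: new user: name=([^,]+)")
SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def triage(log_text):
    """Return a list of (timestamp, reason) findings worth a human look."""
    findings = []
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            if ts.hour not in BUSINESS_HOURS:
                findings.append((m.group(1), f"account {m.group(2)} created outside business hours"))
            continue
        m = SSHD_RE.match(line)
        if m:
            src = ip_address(m.group(3))
            if not any(src in net for net in EXPECTED_NETS):
                findings.append((m.group(1), f"ssh login for {m.group(2)} from unexpected address {src}"))
    return findings


if __name__ == "__main__":
    for ts, reason in triage(SAMPLE_LOG):
        print(ts, reason)
```

On the sample above it reports the 03:12 creation of svc_backup and the 22:47 login from 203.0.113.77, and stays quiet about the daytime events from the expected network.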
4. Pay attention to warnings
If you’ve set up your alerting system to shout at you all the time, you will almost certainly end up with alert fatigue, where you just click through because you’ve run out of time. But be careful not to assume that otherwise interesting warnings can be ignored if they mention a potential threat was already blocked. Often, threats that pop up on your network aren’t just chance events, they’re evidence that crooks are already poking around cautiously to see which actions set off what alarms, in the hope of pulling off a much bigger attack later on.
5. Patch early, patch often
Don’t leave yourself exposed to potential holes for longer than necessary. While the crooks are scanning your network for ways to get in (see 1), they can also scan for externally accessible services that aren’t patched at the same time. This helps the crooks automatically build lists of potential victims to come back to later – so your best result is simply not to be on their list!