What’s in a name? That which we call a rose by any other name would smell as sweet. – William Shakespeare, Romeo and Juliet
Here at Gillware Digital Forensics, we see a significant number of crypto-ransomware cases. They are invariably frustrating and maddening situations for just about everybody involved (except, of course, the cyber criminals themselves). Ransomware encrypts critical data and, as the name implies, holds it hostage in exchange for payments in bitcoin. Sometimes we can assist our clients in recovering from ransomware; sometimes we can’t.
One trend we’re seeing with ransomware more and more often is that the crypto virus will delete the backup and system restore files that are often critical to recovery.
The cyber criminal’s focus is on making recovery from the ransomware as difficult as possible. This increases the likelihood that the victim will pay up in exchange for their data. They focus on the malicious deletion of Volume Shadow Copies, restore points and backup files.
Deletion of restore points makes recovery from restore points significantly harder: in order to recover from restore points, we would first have to recover the restore points themselves. Likewise, deletion of backup files makes it significantly harder to recover from backups, and for the same reason.
Sadly, these tactics are the natural result of the never-ending arms race between cyber criminals and cyber defenders. We learn from each other and hone our crafts. While we provide advice to protect our customers and citizens from cyber crime, the cyber criminals accordingly adjust their tactics.
In Shakespeare’s classic tragedy of star-crossed lovers, Juliet famously exclaims, “Romeo, Romeo, wherefore art thou Romeo?” This line tends to trip up modern audiences because they think Juliet is asking where Romeo is. However, in the Bard’s time, “wherefore” meant “why”. In this scene, Juliet is asking why Romeo is Romeo. After all, Juliet is a Capulet, whereas Romeo is a Montague—and the Montagues and Capulets have long been bitter enemies. Juliet is lamenting that if only Romeo had been born into a different family—if he had been a rose by any other name—there would be no obstacles standing in the way of their love.
A number of years ago at a SANS Conference, I heard a piece of really commonsense advice regarding Administrative accounts. Simply re-stated, it was: “Don’t name the admin account ‘admin’.”
Or, as the Bard might have written it: “Admin, doff thy name, and for that name, which is no part of thee, take all myself.”
“Admin” or “Administrator” is a straight-up obvious target for an intruder, whether we’re talking about your personal computer or an administrative account for a website. Simply disguising the name makes the target a little less obvious and a little bit harder to find. Sometimes that alone can be sufficient to stymie a cyber criminal altogether, especially if they’re looking for easy, low-hanging fruit.
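One way to act on this advice on a Windows machine is to audit the built-in administrator account and flag it if it still carries its default name. The script below is an added example written for this post, not code from Gillware; it assumes Windows PowerShell 5.1 or later with the LocalAccounts module, an elevated session, and a list of “default” names you would consider too obvious. The replacement name in the commented-out rename is a hypothetical placeholder.

```powershell
# Added example (not from the original post): check whether the built-in
# administrator account still has an easily guessed default name.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module) run as Administrator.

# Names we treat as "too obvious"; -contains is case-insensitive in PowerShell.
$defaultNames = @('Administrator', 'admin')

function Get-BuiltinAdminAccount {
    # The built-in administrator is identified by its well-known relative ID (RID) 500,
    # so we locate it by SID rather than by name. This is also why a rename is only one
    # layer of defense: the account's SID does not change when its name does.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

function Test-AdminNameIsDefault {
    param([Parameter(Mandatory)] $Account)
    return ($defaultNames -contains $Account.Name)
}

$admin = Get-BuiltinAdminAccount
if ($null -eq $admin) {
    Write-Warning 'Could not locate the RID 500 account; are you running elevated?'
} elseif (Test-AdminNameIsDefault -Account $admin) {
    Write-Warning "Built-in admin account (RID 500) is still named '$($admin.Name)'."
    # To rename it, uncomment the line below and choose your own name
    # ('svc-maint-ops' is a hypothetical placeholder). Record the new name somewhere
    # safe and update any scripts or scheduled tasks that reference the old one.
    # Rename-LocalUser -Name $admin.Name -NewName 'svc-maint-ops'
} else {
    Write-Output "Built-in admin account is named '$($admin.Name)' (not a default name)."
}
```

Because the script finds the account by its RID rather than its name, it keeps working after the rename; that same property is the reason renaming should be treated as one hurdle for opportunistic intruders rather than a substitute for strong passwords and disabling the account where it is not needed.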
Ransomware intrusions will often go after backup files and system restore points, wiping them out in order to leave the victim with no choice but to pay the ransom. In addition to disguising your admin account, you can apply the same strategy and logic to rename your backup files. A custom name for your backups could lead to the cyber criminal skipping them over, enabling you to easily recover your data without coughing up so much as a penny.
The same can be done for Volume Shadow Copies, though there are a few additional steps involved to be sure your system continues to create restore points effectively.
Because of the number of ransomware cases we get at Gillware, we have compiled some pointers and advice about preventing and recovering from ransomware cyberattacks.
Ransomware prevention depends on vigilance and appropriate cyber security protocols.
Recovering from ransomware attacks depends on your backup system working as intended. However, as we’ve described, cyber criminals will typically try to make sure it doesn’t. Here are tips to make sure that a cyber criminal will have far less luck interfering with your backups.
Our ransomware data recovery and forensic investigation services are here for you every step of the way when you need help recovering from ransomware attacks. We here at Gillware Digital Forensics are fully committed to doing everything in our power to prevent a tragedy of Shakespearean proportions from befalling your business or organization.