
Rename Your Roses: Tips for Preventing and Recovering from Ransomware

Roses, engraving from Nicolas Robert, Variae ac multiformes florum species (1660). Credit: Wellcome Library, London (Wellcome Images, images@wellcome.ac.uk, http://wellcomeimages.org). Licensed CC BY 4.0, http://creativecommons.org/licenses/by/4.0/

What’s in a name? That which we call a rose by any other name would smell as sweet. – William Shakespeare, Romeo and Juliet

Recovering from ransomware by strategically "renaming your roses"


A Thorny Situation

Here at Gillware Digital Forensics, we see a significant number of crypto-ransomware cases. They are invariably frustrating and maddening situations for just about everybody involved (except, of course, the cyber criminals themselves). Ransomware encrypts critical data and, as the name implies, holds it hostage in exchange for payments in bitcoin. Sometimes we can assist our clients in recovering from ransomware; sometimes we can’t.

One trend we’re seeing with ransomware more and more often is that the crypto virus will delete the backup and system restore files that are often critical to recovery.

The cyber criminal’s focus is on making recovery from the ransomware as difficult as possible, which increases the likelihood that the victim will pay up in exchange for their data. In practice that means malicious deletion of Volume Shadow Copies, System Restore points and backup files, usually just before encryption starts.

Deleting restore points makes recovery from restore points significantly harder: before we can restore from them, we first have to recover the restore points themselves from the disk. Deleting backup files makes recovery from backups harder for the same reason, and in both cases success depends on how much of the deleted data has since been overwritten.
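The deletions described above leave a recognizable trail in process-creation logs, and spotting that burst is often the only early warning a victim gets. The following detector is an added example written for this page, not code from the Gillware post. The records in $SampleEvents are constructed to look like the command lines carried in Security event 4688 (with command-line auditing enabled) or Sysmon event 1; the function, pattern list and field names are this example's own choices.

```powershell
# Added example (not from the original post): flag the commands ransomware runs to
# destroy shadow copies, restore points and backup catalogs.

$RecoveryKillPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                            # wipes Volume Shadow Copies
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',                      # shrinks VSS storage so old copies are purged
    'wmic(\.exe)?\s+shadowcopy\s+delete',                             # same wipe via WMI, works even if vssadmin.exe is renamed
    'wbadmin(\.exe)?\s+delete\s+(catalog|backup|systemstatebackup)',  # removes the Windows Backup catalog
    'bcdedit(\.exe)?.*recoveryenabled\s+no',                          # turns off the Windows Recovery Environment
    'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures'           # suppresses boot failure recovery
)

function Find-RecoveryTampering {
    # Returns one object per command line that matches any pattern, plus the pattern that hit.
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        foreach ($p in $RecoveryKillPatterns) {
            if ($e.CommandLine -match $p) {      # -match is case-insensitive by default
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    User        = $e.User
                    CommandLine = $e.CommandLine
                    Pattern     = $p
                }
                break                            # one hit per event is enough
            }
        }
    }
}

# Constructed sample records: a normal nightly backup job, then the burst of deletions a
# ransomware dropper typically runs seconds before encryption, then a benign listing.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2017-03-01 02:00:01'; User = 'NT AUTHORITY\SYSTEM'; CommandLine = '"C:\Program Files\BackupTool\bkp.exe" /job nightly /dest D:\Backups' }
    [pscustomobject]@{ TimeCreated = '2017-03-01 09:14:05'; User = 'CORP\jdoe';           CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ TimeCreated = '2017-03-01 09:14:06'; User = 'CORP\jdoe';           CommandLine = 'wmic shadowcopy delete' }
    [pscustomobject]@{ TimeCreated = '2017-03-01 09:14:07'; User = 'CORP\jdoe';           CommandLine = 'wbadmin DELETE CATALOG -quiet' }
    [pscustomobject]@{ TimeCreated = '2017-03-01 09:14:08'; User = 'CORP\jdoe';           CommandLine = 'bcdedit /set {default} recoveryenabled No' }
    [pscustomobject]@{ TimeCreated = '2017-03-01 09:14:09'; User = 'CORP\jdoe';           CommandLine = 'vssadmin list shadows' }
)

Find-RecoveryTampering -Events $SampleEvents | Format-Table -AutoSize

# Live use (uncomment on a host with Sysmon installed). Reading the XML by field name
# avoids depending on the property order, which changes between Sysmon versions.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; User = $d['User']; CommandLine = $d['CommandLine'] }
#     }
# Find-RecoveryTampering -Events $live
```

The backup job and the final "vssadmin list shadows" line are deliberately benign and should not match; only the deletion commands do. Several unrelated recovery-killing commands from one user inside a few seconds is the signature to alert on, rather than any single command, since administrators do legitimately run vssadmin and wbadmin from time to time.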

Sadly, these tactics are the natural result of the never-ending arms race between cyber criminals and cyber defenders. We learn from each other and hone our crafts. While we provide advice to protect our customers and citizens from cyber crime, the cyber criminals accordingly adjust their tactics.

Renaming the Roses: Wherefore Art Thou Backups?

In Shakespeare’s classic tragedy of star-crossed lovers, Juliet famously exclaims, “Romeo, Romeo, wherefore art thou Romeo?” This line tends to trip up modern audiences because they think Juliet is asking where Romeo is. However, in the Bard’s time, “wherefore” meant “why”. In this scene, Juliet is asking why Romeo is Romeo. After all, Juliet is a Capulet, whereas Romeo is a Montague—and the Montagues and Capulets have long been bitter enemies. Juliet is lamenting that if only Romeo had been born into a different family—if he had been a rose by any other name—there would be no obstacles standing in the way of their love.

A number of years ago at a SANS Conference, I heard a piece of really commonsense advice regarding Administrative accounts. Simply re-stated, it was: “Don’t name the admin account ‘admin’.”

Or, as the Bard might have written it: “Admin, doff thy name, and for that name, which is no part of thee, take all myself.”

By Any Other Name…

“Admin” or “Administrator” is a straight-up obvious target for an intruder, whether we’re talking about your personal computer or an administrative account for a website. Simply disguising the name makes the target a little less obvious and a little bit harder to find, and sometimes that alone is enough to stymie a cyber criminal who is looking for easy, low-hanging fruit. It is a hedge, not a control: on Windows the built-in Administrator account keeps its well-known relative identifier (RID 500) whatever you call it, so anyone enumerating accounts by SID still finds it. Rename it, but back the rename with a strong password and two-factor authentication.

Ransomware intrusions will often go after backup files and system restore points, wiping them out in order to leave the victim with no choice but to pay the ransom. In addition to disguising your admin account, you can apply the same strategy and logic to your backup files. Ransomware typically hunts for backups by well-known names and extensions, so a custom name and extension for your backups could lead to the cyber criminal skipping them over, enabling you to recover your data without coughing up so much as a penny. Configure the backup job itself to write the custom name; renaming existing files by hand only helps until the next scheduled run recreates the obvious one.

The same can be done for Volume Shadow Copies, though here the thing you rename is the tool rather than the copies themselves. Most ransomware deletes shadow copies by calling vssadmin.exe by name, so renaming that executable makes the call fail. There are a few additional steps involved: the file is owned by TrustedInstaller and must be taken over before it can be renamed, any backup software that calls vssadmin needs to be checked afterwards, and you should confirm that your system continues to create restore points and shadow copies. Bear in mind that some ransomware reaches the same result through WMI (wmic shadowcopy delete) or wbadmin, so this, too, is a hedge rather than a guarantee.
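The three renames above, and the checks that go with them, as one script. This is an added example written for this page, not a procedure from the Gillware post; it assumes an elevated Windows PowerShell 5.1 session (Get-LocalUser and Checkpoint-Computer are Windows-only), and the new account name, backup path, extension and renamed filename are hypothetical placeholders to change for your environment.

```powershell
# Added example (not from the original post): rename the admin account, the backup
# files and vssadmin.exe, then prove recovery still works. Run elevated on Windows.
#Requires -RunAsAdministrator

# --- 1. Rename the built-in Administrator account -----------------------------------
$NewAdminName = 'rose-keeper'                     # hypothetical replacement name
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
}
# Caveat: the name changes, the SID does not. Enumerating by RID 500 still finds it,
# so this only defeats attackers who look for the literal string "Administrator".
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Select-Object Name, Enabled, SID

# --- 2. Give existing backup files an unfamiliar extension --------------------------
$BackupRoot = 'D:\Backups'                        # hypothetical backup location
$CustomExt  = '.rose'                             # hypothetical custom extension
Get-ChildItem -Path $BackupRoot -Recurse -File -Include '*.bak', '*.bkf', '*.vhdx' |
    Rename-Item -NewName { $_.BaseName + $CustomExt }
# Point the backup job at the same name, or its next run recreates the obvious files.

# --- 3. Rename vssadmin.exe so "vssadmin delete shadows" fails -----------------------
$Vss      = 'C:\Windows\System32\vssadmin.exe'
$VssMoved = 'C:\Windows\System32\vssadmin-moved.exe'   # hypothetical new name
if (Test-Path $Vss) {
    takeown.exe /F $Vss | Out-Null                      # owned by TrustedInstaller by default
    icacls.exe  $Vss /grant 'Administrators:F' | Out-Null
    Rename-Item -Path $Vss -NewName (Split-Path $VssMoved -Leaf)
}

# --- 4. The "additional steps": confirm restore points and shadow copies still work --
Get-Service -Name VSS | Select-Object Name, Status, StartType
Enable-ComputerRestore -Drive 'C:\'
# Windows throttles Checkpoint-Computer to one restore point per 24 hours by default,
# so a silent no-op here is expected if one was created earlier today.
Checkpoint-Computer -Description 'post-hardening check' -RestorePointType MODIFY_SETTINGS
Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1

# Create a shadow copy through WMI, the interface backup software actually uses.
$result = (Get-WmiObject -List -Class Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed with code $($result.ReturnValue)"
}
Get-WmiObject -Class Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName

# The renamed tool still works for you, just not for malware that calls it by name.
& $VssMoved list shadows
```

Step 4 is the part most people skip. Renaming vssadmin.exe does not touch the VSS service, but backup agents that shell out to vssadmin by name will start failing silently, so run a full backup job and a test restore after the change rather than trusting the service status alone. The same script is a convenient place to record the new names; store that record off the machine, because you will need it during an incident.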

Preventing and Recovering from Ransomware:

Because of the number of ransomware cases we get at Gillware, we have compiled some pointers and advice about preventing and recovering from ransomware cyberattacks.

How to Prevent a Ransomware Attack:

Ransomware prevention depends on vigilance and appropriate cyber security protocols.

  • Educate employees on creating strong, unique passwords. Password reuse is sadly common, and cyber criminals frequently exploit people’s propensity to reuse passwords across multiple platforms: one leaked password becomes a login to your remote access or email, and from there ransomware spreads.
  • Train employees to spot email scams and recognize social media phishing techniques.
  • Teach employees how to recognize suspicious links and email attachments that may contain ransomware.
  • Keep abreast of the latest ransomware attack techniques. Cyber criminals constantly try new tactics to bolster the effectiveness of their attacks.
  • Put two-factor authentication in place for your domain, social media accounts, remote access and other parts of your network. Then, even if an employee’s password is compromised by a hacking or phishing attempt, the attacker still cannot log in and wreak havoc with the password alone.

Gillware Digital Forensics’ Ransomware Prevention Guide

Tips for Recovering from Ransomware Attacks:

Recovering from ransomware attacks depends on your backup system working as intended. However, as we’ve described, cyber criminals will typically try to make sure it doesn’t. Here are tips to make sure that a cyber criminal will have far less luck interfering with your backups.

  • Keep your backups out of plain sight. Like we said, you can rename your admin accounts, your backup files and the Volume Shadow Copy tooling (vssadmin.exe) on your machines to make them less vulnerable to interference and deletion.
  • If you have local backups for your server, make sure the backup machine is protected by a hardware firewall, and that the credentials the backup job uses cannot be reached from an ordinary user’s workstation.
  • If you have cloud-based backups, make sure that only a small set of trusted people, on your side and at the backup service provider, can access and make changes to your backups, using credentials separate from your everyday accounts.
  • Make sure your backups update automatically and frequently, so that when you need to restore, the versions of your data they hold are as current as can be, and test a restore periodically so you find out that a backup is broken before an attacker does.

Gillware Digital Forensics’ Ransomware Response Guide

Need Help Recovering from Ransomware?

Our ransomware data recovery and forensic investigation services are here for you every step of the way when you need help recovering from ransomware attacks. We here at Gillware Digital Forensics are fully committed to doing everything in our power to prevent a tragedy of Shakespearean proportions from befalling your business or organization.

1 Comment

  1. Emil Quast Jr says:

    Great article Cindy
