Last month, I addressed protecting yourself from ransomware. At that time, ransomware was primarily delivered by an end user opening an infected document or visiting a malicious web site, so protection focused on educating users and containing the damage. Since then, however, the attackers have stepped up their game.
On March 31, 2016, the Department of Homeland Security's US-CERT issued alert TA16-091A regarding a new ransomware variant called SamSam. SamSam is notable because it is the first ransomware that attacks your servers directly, without needing an unsuspecting user to click a link or open an infected attachment. SamSam also appears to be focusing on healthcare, because healthcare is typically less well protected than other industries and its data is even more valuable. Some reports say the recent MedStar Health outage was caused by this new malware variant.
Fortunately, this new attack does not require new protection tactics. From what we know today, the protections you should already have in place against other security risks will also protect against this new ransomware. SamSam specifically exploits a vulnerability in the JBoss application server that has been known since 2010; it should be patched immediately on any internet-facing server.
This new attack method should also remind us that we can’t protect against everything. The only completely secure system is one that is turned off. Once we fix one opening, the attackers move to another. The key is that the attackers are always looking for the easy target. As information security professionals, our goal is to make our systems more difficult than others to attack.
Malware often infects one computer and then crawls across your network looking for more openings. Deploying a layered security approach helps isolate these efforts and prevents cross-infection. We may have good perimeter security, with strong firewalls, yet leave the inside of our networks unprotected. A layered security strategy adds more firewalling to the interior of the network. Interior firewalls separate the servers, biomed devices and end users from each other and control what is accessed across those boundaries. They limit the spread of malware and viruses by preventing attackers from jumping from one system to another.
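To make the interior firewall concrete, here is an added example that is not part of the original article: a POSIX shell script that writes an nftables forwarding policy for a firewall sitting between three segments. The subnets, interface-free segment names, the backup host address and the biomed reporting port (2575) are all assumptions chosen for illustration, as is the choice of nftables as the firewall platform. The script writes the ruleset to a file rather than applying it, so it can be reviewed and then loaded with `nft -f`.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for an interior (segmentation)
# firewall between the user, server and biomed device networks.
# All subnets and ports below are assumptions for illustration only.
USER_NET="10.10.0.0/16"     # end-user workstations (assumed)
SERVER_NET="10.20.0.0/24"   # application servers (assumed)
BIOMED_NET="10.30.0.0/24"   # networked medical devices (assumed)
BACKUP_HOST="10.20.0.50"    # backup server (assumed)

# Write the ruleset to the file named in $1 so it can be reviewed before it
# is applied with: nft -f <file>
write_interior_ruleset() {
    out="$1"
    cat > "$out" <<EOF
flush ruleset
table inet interior {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # allow replies to sessions that the rules below have already permitted
        ct state established,related accept
        ct state invalid drop

        # users reach application servers on HTTPS only
        ip saddr $USER_NET ip daddr $SERVER_NET tcp dport 443 accept

        # biomed devices report only to the servers that need them (assumed port)
        ip saddr $BIOMED_NET ip daddr $SERVER_NET tcp dport 2575 accept

        # backups are pulled by the backup host; servers never initiate to users
        ip saddr $BACKUP_HOST ip daddr $SERVER_NET tcp dport 22 accept

        # everything else between segments is logged and dropped
        log prefix "interior-drop: " drop
    }
}
EOF
}

# Sanity check on the generated file: user workstations must have no accept
# rule toward the biomed segment. Returns 0 when that isolation holds.
ruleset_isolates_biomed() {
    ! grep -E "saddr $USER_NET .*daddr $BIOMED_NET.*accept" "$1" >/dev/null
}

main_example() {
    f="${TMPDIR:-/tmp}/interior.nft"
    write_interior_ruleset "$f"
    ruleset_isolates_biomed "$f" && echo "ruleset written to $f; biomed segment isolated from users"
}

main_example
```

The default `policy drop` on the forward chain is the important part: any traffic between segments that is not listed is dropped and logged, so a compromised workstation cannot reach a biomed device or open an arbitrary port on a server, and the `interior-drop:` log entries give the response team an early signal that something is probing across segments.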
Another piece of layered security is hardening your servers and networked devices. Each server and network device should go through a hardening process before it enters production. Hardening improves protection by removing unused services, changing default passwords, improving password policies and enacting other improvements on each device. This builds a ‘firewall’ around the server or network device to keep out attackers.
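The hardening checklist above can be turned into a repeatable pre-production audit. The following is an added example, not code from the article: a POSIX shell script with three checks that read captured input files, so the logic runs offline against constructed sample data. On a live host the same functions would be fed the output of `ss -tlnH`, `/etc/login.defs` and `/etc/shadow`. The approved-port list, the sample listeners, the password-policy thresholds (90-day maximum age, 12-character minimum) and the account names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): a small pre-production hardening audit.
# Every check takes a file argument so it can be exercised on captured output.

# 1. Listening TCP ports that are not on the approved list for this server role.
#    $1 = output of `ss -tlnH`, $2 = file with one approved port per line.
unexpected_listeners() {
    awk 'NR==FNR { ok[$1]=1; next }
         { n=split($4, a, ":"); port=a[n]; if (!(port in ok)) print port }' "$2" "$1" | sort -un
}

# 2. Password policy from a login.defs-style file. Returns 0 when
#    PASS_MAX_DAYS is set and <= 90 and PASS_MIN_LEN >= 12 (assumed thresholds).
password_policy_ok() {
    max=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v+0}' "$1")
    min=$(awk '$1=="PASS_MIN_LEN"{v=$2} END{print v+0}' "$1")
    [ "$max" -gt 0 ] && [ "$max" -le 90 ] && [ "$min" -ge 12 ]
}

# 3. Accounts in a shadow-format file whose password field is empty, meaning
#    the account can be used with no password at all ("*" and "!" are locked).
accounts_without_password() {
    awk -F: '$2=="" {print $1}' "$1"
}

# ---- constructed sample inputs (not from a real host) ----
TMP="${TMPDIR:-/tmp}/harden-audit.$$"
mkdir -p "$TMP"
cat > "$TMP/ss.txt" <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 50 [::]:1099 [::]:*
LISTEN 0 128 [::]:22 [::]:*
EOF
printf '22\n443\n' > "$TMP/allowed.txt"
cat > "$TMP/login.defs.weak" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
EOF
cat > "$TMP/login.defs.hardened" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    14
EOF
cat > "$TMP/shadow.txt" <<'EOF'
root:$6$abc$hash:18000:0:99999:7:::
appsvc::18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
EOF

audit_report() {
    echo "== listening ports not on the approved list =="
    unexpected_listeners "$TMP/ss.txt" "$TMP/allowed.txt"
    echo "== accounts with an empty password field =="
    accounts_without_password "$TMP/shadow.txt"
    for f in login.defs.weak login.defs.hardened; do
        if password_policy_ok "$TMP/$f"; then
            echo "$f: password policy OK"
        else
            echo "$f: password policy too weak"
        fi
    done
}

audit_report
```

Each finding maps to one hardening step from the paragraph: an unexpected listener is a service to remove or firewall, an empty password field is a default or missing credential to fix before the device is exposed, and the weak versus hardened `login.defs` pair shows the policy change that moves the check from failing to passing.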
You should also accept that you will be attacked. In fact, most of you reading this have likely experienced some kind of ransomware attack already. After implementing adequate protection, the next step is to improve your response. How quickly you can detect an attack, react to it, and recover from it determines whether you stay out of the news. Have an established response team and response plan. A key point in the recovery plan will be restoring from backup: your server admins should have complete backups and be able to restore a server from “bare metal” back to operational.
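A backup is only proven when it has been restored. As an added example that is not part of the article, the POSIX shell script below runs a restore drill: it archives a directory with `tar`, records a SHA-256 manifest at backup time, restores into an empty directory (the "bare metal" starting point) and verifies every restored file against the manifest. The directory layout and file contents are constructed sample data; on a real server the source would be the data paths listed in the recovery plan and the archive would come from the backup system.

```shell
#!/bin/sh
# Added example, not from the article: a backup-and-restore drill that checks
# the step most often skipped, namely that the archive restores byte for byte.
# All paths and sample contents are assumptions for illustration.

# Archive the directory $1 into $2 and write a SHA-256 manifest beside it.
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" .
    (cd "$src" && find . -type f -exec sha256sum {} +) > "$archive.manifest"
}

# Unpack $1 into $2, which must be empty: a restore drill that lands on top of
# existing files proves nothing about recovering a rebuilt server.
restore_backup() {
    archive="$1"; dest="$2"
    mkdir -p "$dest"
    if [ -n "$(ls -A "$dest")" ]; then
        echo "refusing to restore into non-empty $dest" >&2
        return 1
    fi
    tar -C "$dest" -xf "$archive"
}

# Compare the restored tree $1 against manifest $2. Returns 0 only when every
# file is present with the checksum recorded at backup time.
check_restore() {
    (cd "$1" && sha256sum -c --quiet "$2")
}

# Run the whole drill on constructed sample data and report the result.
backup_drill() {
    work="${TMPDIR:-/tmp}/restore-drill.$$"
    mkdir -p "$work/src/etc" "$work/src/data"
    printf 'listen 443\n' > "$work/src/etc/app.conf"             # constructed sample
    printf 'placeholder-record\n' > "$work/src/data/records.db"  # constructed sample
    make_backup "$work/src" "$work/backup.tar" \
      && restore_backup "$work/backup.tar" "$work/restored" \
      && check_restore "$work/restored" "$work/backup.tar.manifest"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "restore drill passed"
    else
        echo "restore drill FAILED: do not rely on this backup" >&2
    fi
    rm -rf "$work"
    return "$rc"
}

backup_drill
```

Because the manifest is written at backup time and checked after the restore, the drill catches silent corruption of the archive, files missed by the backup job, and a restore that was run against the wrong snapshot. Scheduling this drill regularly is what turns "we have backups" into "we can recover".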
As the saying goes, the only constant is change. Every time we improve our security, the bad guys move to a new method. This new ransomware variant that attacks servers directly should serve as a reminder that we must continue to improve all areas of security. Keep your servers patched, limit inside access, harden your devices and practice recovery.