Protecting against ransomware using PCI DSS and other hardening standards
Protecting against ransomware using PCI DSS and other hardening standards

Ransomware continues to bring organisations down to their proverbial knees. SamSam ransomware crippled systems for the US city of Atlanta. Not too long before that, SamSam locked up systems at AllScripts. Meanwhile, WannaCry continues to pose a threat, hitting Boeing one year after making a huge impact on the UK's National Health Service and others last spring.

To pay or not to pay? But is that really the question? First of all, keeping back-ups is always a good idea, so even if you do get ransomware on your system you can recover quickly without paying and encouraging this sort of activity. But also, the question most organisations should be asking – especially those who have yet to get to the "pay or not pay" question – is "are our systems hardened properly and have we done enough to lessen the chances of ransomware getting on our systems in the first place?”

Let's take a look how the latest biggest and baddest ransomware attacks happened to explore this further.

SamSam

Attackers hit the City of Atlanta in the US with ransomware that caused disruption to at least five out of 13 departments. There were outages on customer facing applications, including some that customers may use to pay bills or access court-related information. Police reportedly had to resort to handwritten reports. 

This isn't the first time SamSam has struck; it's been around since at least 2015. A strain hit the US Colorado Department of Transportation in February, and locked up systems at Allscripts the month before that.

While lots of run-of the-mill ransomware spreads through social engineering such as phishing, SamSam takes a different approach. Instead of relying on trickery, this sophisticated ransomware exploits known vulnerabilities or attempts to guess weak passwords to get onto systems.

WannaCry and NotPetya

WannaCry made quite the impact when it made its first outbreak last May. It infected hundreds of thousands of vulnerable computers around the world, including 34 percent of UK National Health Service (NHS) trusts. 

This ransomware's attack vector of choice is also known vulnerabilities. 

Less than two months later, NotPetya abused that same Microsoft vulnerability to strike banks, airports and power companies in Ukraine, Russia and parts of Europe. (Kaspersky Lab says NotPetya is wiper malware, not ransomware, because its encryption algorithm prevents the decryption of infected disks even if victims pay the ransom).

One year later we're still seeing WannaCry and NotPetya post a threat to organisations, as made evident by the recent attack on Boeing. 

Sophisticated, not invincible

While these strains of ransomware are more sophisticated than the run-of-the-mill ransomware attacks, the fact that they are technical in nature means there are specific measures we can take to decrease the chance of a significant attack.

These attacks use technology, they don't rely on people being fooled into "inviting" ransomware on their system. By way of comparison, let's review the AIDS Trojan – believed to be the first piece of ransomware to be written.  

AIDS Trojan didn't abuse a vulnerability for distribution.

Bad actors circulated the threat on infected floppy disks they sent to unsuspecting web users' homes. When someone loaded the disk onto their computers, the malware allowed 90 boot cycles to pass before hiding the directories, encrypting the names of files on the C drive, and demanding the user send a cheque for US$189 (£140) to a PO Box in Panama for the PC Cyborg Corporation.

The attack relied on people being fooled into inserting the disk on their system. And while we don't see a lot of floppy disks going around these days; lots of ransomware attacks follow the same sort of social engineering approach – only now it's usually in the form of people clicking on malicious links. 

But the fact that the latest big ransomware attacks didn't focus on fooling humans mean we can improve defences by hardening our systems.

What you should have been doing already

Most organisations that process card payments, should comply with the PCI DSS standard. Ensuring compliance with PCI DSS is a good place to start in defending against threats like ransomware. Doing so can help organisations identify and strengthen weakened controls and reduce their attack surface. It can also assist companies in implementing security controls such as file integrity monitoring, vulnerability management and deploy a central log aggregator, such as a SIEM. 

But it's not just PCI DSS that offers these hardening capabilities. There are a number of standards and regulatory requirements that have overlapping controls, such as CIS (Center for Internet Security) and ISO27001, HIPAA (Health Insurance Portability and Accountability Act) is widely used which offer similar recommendations to help reduce the attack surface.

Enterprises sometimes struggle to achieve compliance, however. Time and effort are required to initially reach compliance. Organisations must then attempt to remain compliant and determine if compliance is consistent, all while dealing with tedious audits. They must also make sure they're going beyond compliance to emphasise the security of their systems against threats like crypto-ransomware. Using a technology such as file integrity monitoring (FIM) could help detect the outbreak of a ransomware attack by identifying a number of files changed; it could also help understand what files were impacted, helping recovery from backups an easier process. Some FIM products provide the capability to detect the presence of early indicators of compromise, such as a specific patch deployed, or a security control in place. 

Done well, compliance with regulations such as PCI DSS and other recommended hardening standards, can protect against ransomware, so it's well worth the investment. 

Contributed by Paul Norris, senior systems engineer - EMEA at Tripwire. *Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.