How to prevent & mitigate against Ransomware using VMware security solutions

    Cyber-crime is not something that can be ignored and unfortunately it is not something that is going to go away.  A good example was the recent ransomware attack that spread across major organisations and industries, including the NHS in the UK.  This particular ransomware has been called WannaCrypt. Security analysts expect such attacks to intensify over the coming weeks and years, and they are likely to keep IT security at the top of the agenda for many organisations.

    So what is ransomware and how can you mitigate the risk?

    Ransomware is malicious software that encrypts files on the victim's machine; once the files are encrypted, the key needed to decrypt them is offered back to the victim, at a price.  A ZDNet report estimates that damages rose from $24M in 2015 to $1B in 2016, which indicates this is not something that is going away.

    WannaCrypt

    The WannaCrypt ransomware worm, also known as WannaCry, exploits a vulnerability in the SMBv1 file-sharing service of Windows PCs and servers and, once it has compromised one machine, uses the same flaw to spread to other machines on the network without any user interaction.  Microsoft patched the vulnerability in March 2017 (security bulletin MS17-010), two months before the outbreak, so only machines that had not yet installed that update were exposed.

    The exploit for this vulnerability was part of a set of NSA tools that had been stolen from the agency and leaked online the previous month, making it available to anyone.  Thankfully a “kill switch” was discovered in the code: the worm checked for a particular domain name and stopped spreading once that domain had been registered.  This only halted the original variant, so it is only a matter of time before a new variant without said “kill switch” is used.

    For more information see https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

    Mitigating the risk

    Viruses and cyber-attacks have been around for a long time and are continually evolving with no sign of slowing down.  Thankfully, we have technology and practices in place that mitigate the risk of an attack and allow us to recover from one:

    • Reduce the attack surface
    • Patch management
    • Backup and availability

    Reduce the attack surface

    Traditionally, network security has been deployed at the perimeter, in front of the external-facing services.  This means that although the public-facing attack surface could be well defended by a perimeter firewall, there was little protection once an attacker was inside the network and able to move laterally from one machine to the next.

    Software Defined Networking (SDN) solutions such as VMware NSX can provide protection within the organisation and within the datacenter: not only perimeter security, but also isolation between workloads behind the perimeter firewall.  Should an attack such as WannaCrypt infect a machine on the network, the Micro Segmentation capability of NSX can stop its spread in its tracks before further major services are affected, because the ports the worm uses to propagate are simply not open between workloads that have no business talking to each other.

    By applying a “Zero Trust” approach using solutions like NSX, the network can be monitored and only the ports each service actually requires can be allowed; every other port, and the attack surface it exposes, is blocked.  Segmentation does not remove the vulnerability itself, but it denies the exploit a path to it, which buys time when patching lags behind.
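    The following is an added example, not part of the original article and not VMware's NSX configuration: it is the host-level equivalent of the allow-list described above, expressed as Windows Defender Firewall rules in PowerShell.  It shows the Zero Trust pattern of a default-deny inbound policy with a single explicit allow for SMB (TCP 139 and 445, the ports WannaCrypt used to spread) from a management subnet.  The subnet 10.10.0.0/24 is an assumption; replace it with the hosts that genuinely need SMB access to the desktop, such as backup or imaging servers.

```powershell
# Added example, not from the original article: a host-level allow-list for SMB
# that mirrors the "only the required ports per service" rule described for NSX.
# Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.
# The management subnet is an assumption; replace it with the hosts that genuinely
# need to reach this machine over SMB.
$MgmtSubnet = '10.10.0.0/24'

# 1. Default deny: drop every inbound connection that no rule explicitly allows.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Remove the broad built-in allows for SMB/NetBIOS, which a desktop does not need.
#    ('File and Printer Sharing' is the English display group name.)
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# 3. Re-allow SMB only from the management subnet.
New-NetFirewallRule -DisplayName 'SMB-In from management only' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Any

# 4. Verify: the only enabled inbound rule opening TCP/445 should be the one above.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action, Enabled
```

    Windows evaluates explicit Block rules ahead of Allow rules, so a broad “block 445” rule would also cut off the management subnet; setting the profile default to Block and adding one scoped Allow avoids that, and leaves the other built-in rules untouched.  The display group name differs on localised installs.  The caveat the article makes in the next paragraph also applies here: a host firewall is a control inside the guest, so malware running with administrative rights can switch it off, which is why enforcing the same policy at the hypervisor's virtual NIC, as NSX does, is the stronger position.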

    VMware NSX can also integrate with other security vendors to provide anti-virus and malware protection from outside the guest Operating System.  Because the inspection does not depend on an agent running inside the guest, malware that gains administrative rights on the machine cannot simply disable it, as it can with a conventional in-guest agent.

    Patch management

    Patch management solutions exist to help network and systems administrators approve and deploy patches across the enterprise. Applying patches consistently across a large estate is difficult and is often neglected, which is how incidents like the WannaCrypt infection happen: the fix had been available for two months.  By using a Virtual Desktop Infrastructure (VDI) such as VMware Horizon, integrated with VMware NSX, the administrator only needs to patch a handful of “Gold Images” from which the desktops are built, making compliance far easier to manage and to demonstrate.

    VDI desktops can be deployed in a stateless fashion, meaning that if a desktop is infected it can simply be deleted and recreated from the gold image, because no user data is stored on the desktop itself.  Note that this moves the user data to profile and file shares, which are reachable over the same file-sharing protocols a worm abuses; those shares need the same segmentation and backup attention as any other server.

    For physical desktops, solutions such as VMware Mirage can be used not only to apply a gold image for compliance across all desktops but also to keep a backup of those desktops that can be restored after an attack.
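    Before a patch cycle is signed off, an administrator wants to confirm that the two conditions WannaCrypt relied on are gone from each host: SMBv1 still enabled, and the March 2017 SMB fix (MS17-010) missing.  The PowerShell script below is an added example, not from the original article and not Microsoft's own tooling; it audits the local host and offers a remediation function.  The cmdlets are standard on Windows 8.1 / Server 2012 R2 and later.  The KB list covers the original March 2017 MS17-010 releases for common Windows versions and is not exhaustive, because later cumulative updates supersede them.

```powershell
# Added example, not from the original article. Audits the local Windows host for
# the two conditions WannaCrypt relied on: SMBv1 enabled and the March 2017 SMB fix
# (MS17-010) absent. Needs Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets;
# Disable-Smb1 needs an elevated session and a reboot to take full effect.

# Original MS17-010 release KBs for common Windows versions. Not exhaustive: later
# cumulative updates supersede these, so "no match" means investigate, not vulnerable.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215'   # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216'   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Windows Server 2012
    'KB4013429'                # Windows 10 1607 / Server 2016 cumulative update
)

function Get-Smb1Exposure {
    # Returns one object describing SMBv1 server/client state and MS17-010 presence.
    $server = Get-SmbServerConfiguration
    # mrxsmb10 is the SMBv1 client driver; kernel drivers are not visible to Get-Service,
    # so query the CIM class instead.
    $client = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $clientStart = if ($client) { $client.StartMode } else { 'NotPresent' }
    $hotfix = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1ClientStart   = $clientStart
        Ms17010Installed  = [bool]$hotfix
        MatchingKBs       = ($hotfix.HotFixID -join ', ')
    }
}

function Disable-Smb1 {
    # Turns off SMBv1 on both sides. The server-side change takes effect immediately;
    # the client driver change uses Microsoft's documented sc.exe method (KB2696547)
    # and needs a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$state = Get-Smb1Exposure
$state | Format-List

if ($state.Smb1ServerEnabled -or $state.Smb1ClientStart -ne 'Disabled') {
    Write-Warning 'SMBv1 is still active on this host; run Disable-Smb1 from an elevated prompt.'
}
if (-not $state.Ms17010Installed) {
    Write-Warning 'No MS17-010 KB found; check for a superseding cumulative update before assuming the host is vulnerable.'
}
```

    Run Get-Smb1Exposure on every host (Invoke-Command makes this straightforward across an estate) and treat any host with SMBv1 enabled as a priority regardless of patch state: disabling the protocol removes the attack surface even where the patch cannot yet be applied.  Because later monthly rollups supersede the March KBs, a host that reports no matching KB but is otherwise current is not necessarily vulnerable; confirm against its update history or the file versions listed in the relevant KB article rather than assuming either way.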

    Backup and availability

    Of course, should a critical system somehow be infected, a reliable backup solution is critical to restoring it to a working state.  A successful backup design must include offsite copies of the data on offline (non-connected) media, so that should a ransomware worm such as WannaCrypt spread throughout the network, at least one copy of the backup data is not exposed to the same attack.  A backup repository that is mounted as a writable share, or reachable with the same credentials the infected machines use, is just another target.  Sadly, there are too many stories of companies infected with ransomware that also encrypted the backup data, resulting in permanent data loss and huge financial impact for the organisation.  Restores should also be tested regularly: a backup that has never been restored is an assumption, not a recovery plan.

    Backup products that use the vSphere Storage APIs for Data Protection to offload backup work from the guest, such as Veeam or Rubrik, can address these requirements by following the 3-2-1 rule: keep 3 copies of the data, on 2 different types of media, with 1 copy offsite (for example in a cloud repository).  For that offsite copy to count as protection against ransomware, it must not be writable with the same credentials, or deletable from the same console, as the production backups.

    Final Thoughts

    Cyber security threats are inevitable for most organisations, and the likelihood of being affected by one is only going to increase in this digital age. Having a suitable security solution focused on prevention, mitigation and recovery from such attacks must be at the forefront of every organisation’s IT agenda. As highlighted above, VMware’s Software Defined Datacenter solution stack offers a number of built-in capabilities that address these requirements efficiently.

    If you’d like to talk to one of our Solutions Architects to find out more about how VMware security solutions can help you with your security needs, please get in touch via your Insight account manager or visit our VMware shop page here.