Planning for Post-Ransomware

I have a biker friend who tells me that there are two kinds of bikers: those who have dumped their bike, and those who haven’t dumped their bike yet. It is beginning to look like the same concept applies to companies and ransomware. Every week we hear about another company whose operations have been paralyzed by a ransomware that encrypted all their servers.

Of course, the first step is to protect your systems as much as possible, but hackers are getting ever cleverer, and there is a non-zero chance that they will successfully attack your company. What can you do to reduce the pain of the attack as much as possible?

The first step is to isolate your networks. Your VOIP phones should be on their own network. If you have to take your main network down to stop the spread of malware, things will go much more smoothly if you can still use the phones. Most VOIP phones have an extra RJ45 jack to plug in a computer. This should be made inoperable, so someone doesn’t plug their infected laptop into the phone when the main network is down. (Could the malware on the laptop infect the phones or switches on the VOIP network? I don’t know, but there is malware that attacks routers, and malware keeps getting smarter, so I don’t want to take the chance.) There are devices available to lock the extra jack, like the Azco RJ45 Lock Jack, model AZRJ45JLP, or the RJLOCKDOWN RJ45JLB Jack Lock:

Another alternative, if you do not plan to sell your old phones on eBay when you upgrade, is to just fill the extra jack with epoxy.

If you have PoE (Power over Ethernet) lighting, that should be on its own network, so you can see what you are doing while you are trying to recover from the attack.

If you have a large aquarium, like several casinos do, it should be on a separate network. There are a couple of reasons for this. The first is that it could be an entry point for malware. Consider this case from security company Darktrace, described in this article:

A casino had a large fish tank, with automated sensors to monitor water temperature, salinity, oxygen content, feeding schedules, etc. These sensors connected to the network via Wi-Fi. Even though they attempted to isolate the tank on a separate VPN, an attacker was able to gain control of the fish tank and begin using it to exfiltrate data.

Note: If you look up articles about this hack, they frequently show one of the big aquariums at the major Las Vegas casinos, frequently the impressive 53-foot-long one at the Mirage. Darktrace did not indicate which casino was hacked, nor did they provide a picture, so these are just stock photos. Some of the articles say as much; some do not.

This would have been less of a vulnerability if the connection to the aquarium was wired, but we do not know if this was possible.

A second reason is the possibility of the aquarium controller getting infected. Large aquariums use some serious equipment. (Here is an example of a company that supplies large aquariums.) Some aquarium systems use software to monitor and control the temperature, salinity, and pH of the water. If your controller is corrupted, it might kill all your fish.

If you run a hotel that has a guest network, either wired or Wi-Fi, it should also be on its own isolated network, since you have no idea what malware the guests are unwittingly bringing on their laptops.

When the MGM Casino was hit with ransomware in September 2023, it also took down all their slot machines. At first I was surprised that their slot machines were on the network, but then I remembered that a lot of slot machines take credit cards, so they need to be able to contact the credit card processors. If you have slot machines, their network should be isolated, too.

Some of these isolated networks may need to communicate with the business network in order to report status. In this case, you should use a one-way link to ensure that the isolated networks cannot get infected from the business network. This post talks about one-way links, and lists some commercial vendors. (This is part 3; the first two parts were about roll-your-own solutions, but if you have this large a network, you can probably afford commercially-supported solutions.)

One time I was at a hotel, and I asked the front-desk clerk for some change. He did not have enough money in his cash drawer. The manager opened another cash drawer and gave me the change. The clerk said “What’s that drawer? I don’t know about that.” The manager said “That’s the secret cash drawer, so we have some money to work with after we get robbed.”

It might be worth setting up a separate emergency network for use when the business network is compromised. It might connect the front desk, reservations, finance, security, and whatever other departments are essential in an emergency situation. The important thing is that the network is unused except in case of emergency.

At each network location, there would be an Ethernet jack in a locked box, like the L6000E High Security Electrical Outlet Vault from Selective Security Services:

This box is nice because it takes a standard lock, unlike most locking outlet covers, which are all keyed alike. (Of course, you will replace the duplex outlet with an Ethernet jack.) Also, the jack will be recessed, which will be important in a moment.

Each jack will have a loopback adapter, like this one from Cables Online, plugged in before the box is locked.

The other end of the cables will go to a managed switch in a locked cabinet. The speed on each port will have to be manually set to Fast Ethernet (100 Mb/s), because loopback adapters do not work with Gigabit Ethernet. The managed switch will be set up to send an SNMP trap whenever a port goes offline. This will let you know if someone accidentally cuts or drills through the cable, or if a squirrel eats it. This supervision is necessary since the cables will not be in use until there is an emergency, and that is not the time you want to find out that they don’t work. The SNMP trap will be sent to security on the business network, via a one-way link. (SNMP traps are UDP packets, so there is no problem sending them through a one-way link.)
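As an added example (not from this post), here is a small Python watcher for the SNMP traps this design relies on: it replays snmptrapd-style log lines, keeps the last known link state of each supervised emergency port, and raises an alert for any port still down. The port-to-location mapping, the switch name and addresses, and the exact log line format are assumptions, and the sample lines are constructed.

```python
import re

# ifIndex -> emergency network point. Constructed for this example; take the real values from your switch's IF-MIB ifDescr table.
SUPERVISED_PORTS = {1: "front desk", 2: "reservations", 3: "finance", 4: "security"}

# IF-MIB link notifications, symbolic (MIBs loaded) or numeric (no MIBs).
LINK_DOWN = {"IF-MIB::linkDown", ".1.3.6.1.6.3.1.1.5.3", "1.3.6.1.6.3.1.1.5.3"}
LINK_UP = {"IF-MIB::linkUp", ".1.3.6.1.6.3.1.1.5.4", "1.3.6.1.6.3.1.1.5.4"}
TRAP_OID_RE = re.compile(r"snmpTrapOID\.0 = OID: (\S+)")
IFINDEX_RE = re.compile(r"ifIndex\.\d+ = INTEGER: (\d+)")

def parse_link_trap(line):
    """Return ('down'|'up', ifIndex) for a link trap line, or None for any other trap."""
    oid, idx = TRAP_OID_RE.search(line), IFINDEX_RE.search(line)
    if not oid or not idx:
        return None
    if oid.group(1) in LINK_DOWN:
        return ("down", int(idx.group(1)))
    if oid.group(1) in LINK_UP:
        return ("up", int(idx.group(1)))
    return None

def port_states(lines):
    """Replay the trap log in order; return the last known state of each supervised port."""
    state = {idx: "up" for idx in SUPERVISED_PORTS}  # a loopback plug keeps link up until cut
    for line in lines:
        parsed = parse_link_trap(line)
        if parsed and parsed[1] in state:
            state[parsed[1]] = parsed[0]
    return state

def alerts(lines):
    """One alert per supervised port that is still down when the log ends."""
    return [f"emergency network: port {i} ({SUPERVISED_PORTS[i]}) lost link, check the cable"
            for i, s in sorted(port_states(lines).items()) if s == "down"]

# Constructed sample log in snmptrapd's one-line style: port 3 drops and stays down,
# port 2 flaps and recovers, port 9 is an unsupervised uplink, coldStart is ignored.
SAMPLE_LOG = [
    "emergency-sw01 [UDP: [10.99.0.2]:161->[10.99.0.10]:162]: SNMPv2-MIB::snmpTrapOID.0 = OID: "
    "IF-MIB::linkDown IF-MIB::ifIndex.3 = INTEGER: 3 IF-MIB::ifOperStatus.3 = INTEGER: down(2)",
    "emergency-sw01: SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown IF-MIB::ifIndex.2 = INTEGER: 2",
    "emergency-sw01: SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp IF-MIB::ifIndex.2 = INTEGER: 2",
    "emergency-sw01: SNMPv2-MIB::snmpTrapOID.0 = OID: .1.3.6.1.6.3.1.1.5.3 IF-MIB::ifIndex.9 = INTEGER: 9",
    "emergency-sw01: SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

Because the traps cross a one-way link, nothing on the emergency side can be polled back; the watcher therefore assumes a port is up until a linkDown arrives, so a lost trap is the one case it cannot see.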

One concern I have is that someone is going to plug an infected laptop into the emergency network. I would have a fresh laptop for each network point, kept in a safe, to be distributed when an emergency arises. I might use M12 connectors, like industrial Ethernet installations do, rather than RJ45 connectors, and have an adapter cable like this attached to each of the emergency laptops.

(For extra security you might use an RJ-45 plug lock-in device, like the Panduit PSL-DCPLE, to keep anyone from unplugging the adapter cable from the emergency laptop and plugging it into an infected laptop.)

(I have not yet found M12 loopback adapter plugs online; your network department might have to make their own.)

It would probably be useful for the emergency network to be able to connect to the outside world. In this case, it should be another isolated connection. Traffic should be kept to a minimum (no surfing) in order to reduce the chances of clicking on a bad link and infecting one of the computers on the emergency network.

By the way, some companies, when their systems are taken down by hackers, use free Gmail accounts for company communication. This is against Google’s terms of service, and they frown upon it. Paid Gmail accounts are not very expensive, and are less likely to get you in trouble.

So is all this extra work worth the trouble? It depends on how big your operation is. When the MGM Casino had their systems taken down, it was costing them several million dollars a day. This chart from Wired shows how much the NotPetya malware cost several large companies in 2017:

If you are a large corporation, the cost of these precautions is minuscule in comparison with what you have to lose. On the other hand, if you are running a Ma and Pa shop, an attack may have less effect on you, and this level of protection may be cost prohibitive.

