Fencing with the digital highwayman: How to give ransomware a run for its money
Laurance Dine discusses what you can do to mitigate the risk of being struck by ransomware
Laurance Dine, managing principal, investigative response, Verizon
The headlines have recently been awash with reports of increasingly nasty strains of ransomware and the plight of those caught in its crosshairs. From Californian hospitals to UK County Councils, seemingly no organisation is safe from cyber-criminals' attempts to extort ransom demands by locking up their data. Verizon's recent Data Breach Digest identified ransomware as one of the most lethal scenarios facing today's organisations, looking at a real-world case study to reveal how these attacks take place.
Keeping the bandits at bay
So, what can you do to mitigate the risk of being struck by ransomware? Here are our top five tips:
1. Deploy GPO to block executables and disable Microsoft Office macros: Malware is commonly executed from the Windows '%temp%' and 'AppData' directories. By blocking file execution in these locations, you can reduce the risk of unknown code running on your endpoint systems. This is good practice for preventing a variety of Windows-based infections. The latest crypto-ransomware variants have used macros contained within Microsoft Office documents. The Office Administrative Template files for your version of Office allow you to restrict the use of these macros via Windows Group Policy Objects.
2. Patch third-party applications as soon as possible: We often see popular applications being exploited to spread malware, such as Java, Adobe Reader, Adobe Flash, and Adobe Shockwave. Keeping these commonly attacked third-party desktop applications updated is critical. Older versions, especially applications no longer used or needed by certain endpoints, should be uninstalled to reduce the number of attackable applications that may still exist on systems within your network.
3. Test and validate data backup processes: The recent crypto-ransomware variants delete Windows system restore points and shadow copies, which are commonly used to recover ransomed data. This leaves organisations relying on a good backup strategy to recover their important data without paying the attacker's ransom. Additional backups kept on a separate system offer a trump card in many ransomware situations. When restoring your data, it is critical to restore only the organisation's own files and not the ransomware or any other malicious code.
4. Remove local administrative rights: An attacker with administrative credentials can wreak havoc on any compromised system. Removing local admin rights can reduce the risk of malware being able to leverage persistence mechanisms or move laterally within your environment.
5. Block email attachments: Some of the recent samples we have observed use files with '.doc' extensions and ActiveMime headers, a combination used to evade signature-based blocking. Implement blocking rules on email attachments based on both file signature and extension. This also helps reduce the risk of the human element clicking on and opening the attachments.
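The macro restriction in tip 1 is normally delivered through the Office Administrative Templates in a GPO; the script below is an added example (not from the article or from Verizon) showing the per-user policy registry values that such a GPO writes, so you can apply and audit them on a single endpoint. The Office version string (16.0) and the set of applications are assumptions to adjust for your estate.

```powershell
# Added example: local-registry equivalent of the Office GPO macro settings.
# These are per-user policy keys (HKCU\Software\Policies), so at scale the GPO
# is the delivery mechanism; this shows the resulting values on one machine.
# VBAWarnings: 2 = disable with notification, 3 = disable all unsigned macros,
#              4 = disable all macros without notification.
# Assumptions: Office version '16.0' (2016/2019/365) and the three apps below.
function Set-OfficeMacroPolicy {
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [ValidateSet(2, 3, 4)][int]$VbaWarnings = 3
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Block macros in documents carrying a Mark-of-the-Web (downloaded or mailed)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # Apply the chosen macro notification level to the application
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # Compliant when unsigned macros are blocked and internet-sourced macros are blocked
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $props.VBAWarnings
            BlockInternetMacros = $props.blockcontentexecutionfrominternet
            Compliant           = ($props.VBAWarnings -ge 3 -and
                                   $props.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 3
Get-OfficeMacroPolicy | Format-Table -AutoSize
```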
Sending in the cavalry
Of course, no organisation can make itself bulletproof and eliminate the risk of ransomware entirely (short of abandoning digital systems altogether), so here are our top five tips for minimising the damage if ransomware does make its way onto your systems.
1. Block access to command and control servers: As with many malware attacks, Command and Control (C2) servers are key to ransomware campaigns. If you can determine the domain or IP address the malware is communicating with, you can implement network-based blocks at your network boundary. These could include firewalls, routers, or even your web proxies. For specific details on how to implement these changes, consult your vendors. It is important to note that many ransomware campaigns leverage domain generation algorithms, which may change domain names too quickly to block effectively.
2. Set file shares into read-only mode: A common path for crypto-ransomware to spread is via network shares. Temporarily setting your network file share permissions to read-only access for all users prevents the malware from modifying and encrypting your data.
3. Take infected systems offline: While leaving the infected systems powered on, disable or remove their access to the network (including Wi-Fi). This preserves potential artifacts in physical memory for analysis. The information needed to access or decrypt the files may exist only in memory; if the system is powered down, this data is likely gone forever.
4. Recall known phishing emails from user mailboxes: Once you have identified a malicious email, stop the malware from spreading further. If your email solution has the ability to recall or remove delivered emails, leverage it to delete known bad emails. You can search for these messages by sender, subject, attachment, or even originating SMTP server. This further reduces the risk of more users clicking on the attachment and triggering the ransomware.
5. Check ownership on encrypted files to determine infected users: In the event a file share or a server's data is encrypted as a result of the attack, review the file and directory ownership or the last user who accessed the data. This can help you determine the likely source of infection within your network and give direction for containing the infection early.
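Tips 2 and 5 above translate directly into two file-server containment steps; the script below is an added example (not from the article or from Verizon) that locks a share to read-only for all users and then ranks the owners of freshly encrypted files to point at the account the ransomware ran as. The share name 'Finance', the '.locked' marker extension and the 6-hour window are constructed assumptions.

```powershell
# Added example, not from the article: containment helpers for a Windows file
# server. Set-ShareReadOnly implements tip 2; Get-EncryptedFileOwners implements
# tip 5. Share name, marker extension and time window are constructed values.

function Set-ShareReadOnly {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [string]$BackupPath = "$env:TEMP\$ShareName-share-acl.xml"
    )
    # Keep the current share permissions so they can be restored after recovery
    Get-SmbShareAccess -Name $ShareName | Export-Clixml -Path $BackupPath
    # Drop every Allow entry, then grant read-only access to all users. Share
    # permissions apply on top of NTFS ACLs, so nothing can write through the
    # share even where NTFS rights would still allow it.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object AccessControlType -eq 'Allow' |
        ForEach-Object { Revoke-SmbShareAccess -Name $ShareName -AccountName $_.AccountName -Force }
    Grant-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -AccessRight Read -Force
}

function Get-EncryptedFileOwners {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Extension = '.locked',   # assumed extension the ransomware appends
        [int]$HoursBack = 6
    )
    $since = (Get-Date).AddHours(-$HoursBack)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension -and $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # NTFS makes the creating account the owner of a new file, so encrypted
            # copies written by the malware carry the infected user's account. Files
            # overwritten in place keep their old owner; use file-access audit logs then.
            [pscustomobject]@{
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Written = $_.LastWriteTime
            }
        } |
        Group-Object -Property Owner |
        Sort-Object -Property Count -Descending |
        Select-Object @{n = 'Owner'; e = { $_.Name } }, Count,
                      @{n = 'FirstWrite'; e = { ($_.Group | Sort-Object Written | Select-Object -First 1).Written } }
}

Set-ShareReadOnly -ShareName 'Finance'
Get-EncryptedFileOwners -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

The FirstWrite column gives the earliest encrypted file per account, which narrows the window to search in proxy, mail and endpoint logs for the initial infection.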
These are just some recommendations on how you can reduce the chance of falling victim to a ransomware attack. You wouldn't drive without a seat belt on, and it would be equally foolhardy to gamble your data and security by ignoring best practice. If you do still fall victim, remember the five steps to minimise the impact and consider seeking professional support that may be able to reduce the damage further.