Ransomware: The great white shark of malware, and what you need to do about it
The threat of a cyber-attack is a concern for us all, but nothing strikes more fear than ransomware, says Mark Kedgley.
Mark Kedgley, CTO, NNT
Right now, ransomware is the great white shark of cyber-attacks, the most feared malware of all, and both corporate and home users are running scared.
But instead of worrying about an attack, what action can be taken to safely venture back into the water and not necessarily “with a bigger boat”?
Who should be aware of the ransomware threat?
Home User: Home users have been targeted for years but attacks have escalated recently. Being given hours to either pay the ransom or lose everything on your computer is a stark choice. What value would you put on all your personal documents, photos and music?
Corporate User: The stakes get even higher, where the absolute dependency on IT systems means ransomware threatens the life of the business itself.
How does ransomware attack systems?
Email – phishing, be it the mass, spear or, for corporate targets, whale variety – is still the most common means of launching a ransomware attack, delivering the malware as an attachment or via a link to an infected website.
Once the malware has been invited onto a user's computer it can get to work, encrypting files before announcing its presence and its ransom demand. It is precisely the immediate and tangible nature of its threat that makes it more feared than other malware.
However, your approach to preventing ransomware should be the same as it would be for any other malware. Don't be thrown by the sensationalism surrounding ransomware – pragmatism should still prevail.
What should you be doing to prevent ransomware?
Beyond standard email inspection and anti-virus protection, additional defences against phishing are needed, given that this is the primary delivery mechanism. Unfortunately, phishing is notoriously tough to prevent because it relies on deceiving the user: malware invited in by the recipient, typically by opening an attachment or by clicking and downloading from a link, will often bypass corporate IT security controls.
The best approach, therefore, is to harden the user workstation environment to prevent malware activity where possible, and to place more obstacles in the way where not. As with any hardening programme, a balance must be found between strong security and operational ease of use.
The majority of exploitable vulnerabilities can be mitigated within the workstation operating system, and further protection can be provided using vendor extensions such as Microsoft's EMET and Windows Defender, or third-party anti-virus.
Secure the desktop and user
But when it comes to users' emails and their content, accurately blocking the bad while allowing the good is a challenge for technological solutions. While blocking all email attachments and links would improve security, there aren't many users who would sign up for this. A more graded approach to protection is needed.
Solutions already exist for most browsers and Office applications. Controlled by Group Policy, the desktop applications that would otherwise welcome in ransomware can be fine-tuned to mitigate exploitable vulnerabilities while requiring approval for other functions.
For browsers like Chrome, Firefox and Internet Explorer, anti-phishing controls can be enabled alongside other security measures that are often disabled by default.
Five steps to mitigate the ransomware threat
1. Hardening: While organisations like the CIS, NIST and the NVD provide system hardening guidance, you'll still need to work out what's right for your users, so take your time.
2. Automation: Most scanners and FIM solutions provide fast, automated reports to establish where vulnerabilities exist, with the best options providing remediation advice, or even Group Policy or Puppet templates to automatically apply a hardened configuration to workstations and applications.
3. Change Control: You'll need to make sure that patching is up to date as a further means of closing off exploitable vulnerabilities. Change control is a key security best practice when done right, making a cyber-attack much easier to detect and head off before lasting damage is done.
4. Ransomware: If you can't stop it, make sure you can spot it. There is still no such thing as 100 percent security, so while your emphasis will be on prevention, accept that detection of a breach is going to be an essential contingency. FIM and SIEM systems enhance security by analysing system activity for signs of suspicious behaviour.
5. Be ready to start over: If you do fall victim to ransomware, think how grateful you will be when you can simply scrap a desktop, re-image it and recover all data, all in its usable, non-encrypted state. Backups are critical, but make sure the restore process works by testing regularly.
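As an added illustration of the "spot it" point in step 4 (not code from the article or from NNT's products), here is a minimal file-integrity-style detector that flags a burst of files acquiring the same new extension within a short window, the kind of activity pattern a FIM or SIEM rule would look for. The log format, sample lines and thresholds are constructed assumptions.

```python
"""Toy FIM-style ransomware detector: flag bursts of files gaining one new extension."""
from collections import Counter, deque
from datetime import datetime, timedelta
import os


def parse_event(line):
    """Parse one constructed FIM log line of the form '<iso-time> <action> <path>'."""
    ts, action, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), action, path


def mass_rename_alerts(lines, window_s=60, threshold=10):
    """Return (time, extension, count) for each extension that >= threshold
    files acquire within window_s seconds. Ransomware typically rewrites or
    renames many files in a burst with a common new extension, whereas normal
    user activity touches only a handful of files per minute."""
    events = sorted(parse_event(line) for line in lines)
    recent = deque()        # (timestamp, extension) pairs inside the current window
    per_ext = Counter()     # extension -> number of new files in the window
    alerted = set()         # extensions already reported, to avoid repeat alerts
    alerts = []
    for ts, action, path in events:
        if action not in ("create", "rename"):
            continue        # only new names matter; plain modifies are ignored here
        ext = os.path.splitext(path)[1].lower()
        recent.append((ts, ext))
        per_ext[ext] += 1
        # Slide the window forward, dropping events older than window_s seconds.
        while ts - recent[0][0] > timedelta(seconds=window_s):
            _, old_ext = recent.popleft()
            per_ext[old_ext] -= 1
        if per_ext[ext] >= threshold and ext not in alerted:
            alerted.add(ext)
            alerts.append((ts.isoformat(), ext, per_ext[ext]))
    return alerts


# Constructed sample log: a few benign edits, then 12 files renamed to .locked in 22 s.
SAMPLE_LOG = (
    ["2016-05-03T09:00:00 modify /home/alice/docs/report.docx",
     "2016-05-03T09:02:10 create /home/alice/docs/notes.txt",
     "2016-05-03T09:40:30 modify /home/alice/docs/report.docx"]
    + [f"2016-05-03T10:15:{s:02d} rename /home/alice/docs/file{s}.xlsx.locked"
       for s in range(0, 24, 2)]
)

if __name__ == "__main__":
    for alert in mass_rename_alerts(SAMPLE_LOG):
        print("ALERT: %s files now end in %s (first seen %s)" % (alert[2], alert[1], alert[0]))
```

The thresholds are deliberately conservative; in production they would be tuned against the baseline rate of file creation on each class of workstation.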
Contributed by Mark Kedgley, CTO, NNT