Are we too busy with pancakes to get serious about ransomware?

Google Trends should reveal much about our thirst for knowledge, but the most asked questions are far more fundamental to our basic existence.

‘How do I get home?’ and ‘How many calories do I need?’ make the Top Ten, along with ‘How to make pancakes’ and ‘How to get away with murder’ (results are for the TV show, not an alibi-creation tutorial).

Back in the InfoSec world, ‘How do I stop ransomware?’ is a question that never goes away, because no organisation can make itself fully immune from an attack.

2017 was a big year for Ransomware. Petya/NotPetya crippled the European advertising giant WPP and left Heritage Valley Health Systems of Pittsburgh offline. And they weren't the only healthcare provider incapacitated by Ransomware, with the UK's NHS hit by WannaCry.

The NHS is the 5th largest employer in the world, while WPP revenues are over US$18 billion (£13.5 billion). Susceptibility to ransomware isn't due to a lack of resources. In fact, the opposite applies: the larger the organisation, the greater the chance of an attack. With most ransomware delivered by phishing, more users mean a larger attack surface, and where the malware also self-propagates over the network, as WannaCry and NotPetya did, more machines mean more to infect.

Mostly we defend well enough, but there is always a fresh attack coming, and only one needs to succeed. Zero-day ransomware evades AV (Anti-Virus) just as any other zero-day malware does: a signature-based scanner cannot flag a binary it has never seen. The worrying trend is that the number of ransomware families keeps growing, while ransomware defence measures are evolving rather than expanding.

Prevention

Malware works because it is able to exploit vulnerabilities at a platform and application level, or simply because the platform lets a user run whatever lands in their inbox. To counteract this, it is necessary to harden the workstation environment, including the OS, browser and Office software. Further protection is provided by manufacturer extensions such as Microsoft's EMET (Enhanced Mitigation Experience Toolkit); note that EMET reached end of life in July 2018 and its mitigations now live in Windows Defender Exploit Guard, built into Windows 10 from version 1709.
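As an added example (not part of the original article), the PowerShell below applies three hardening settings that close off the delivery routes ransomware most often uses: Office macros in phishing attachments, script attachments run by Windows Script Host, and the SMBv1 protocol that WannaCry and NotPetya propagated through via EternalBlue. Each setting is shown against the permissive default it replaces. The helper function name is my own; the Office policy paths assume Office 2016 or later (policy key version 16.0), and the HKCU keys apply only to the current user, so in production these would be deployed as Group Policy rather than run on each workstation.

```powershell
# Added example, not from the article: workstation hardening against
# common ransomware entry points. Run from an elevated PowerShell.

function Set-PolicyValue {
    # Hypothetical helper: create the key if missing and write a DWORD.
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Office macros. Default VBAWarnings=2 means "disable with notification",
#    which is one click away from running. 3 = disable unless digitally signed.
#    blockcontentexecutionfrominternet=1 refuses macros in files carrying the
#    Mark-of-the-Web (downloaded or received as an attachment), whatever the
#    user clicks.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue -Key $key -Name 'VBAWarnings' -Value 3
    Set-PolicyValue -Key $key -Name 'blockcontentexecutionfrominternet' -Value 1
}

# 2. Windows Script Host. By default a double-clicked .js or .vbs attachment
#    runs via wscript.exe; Enabled=0 makes WSH refuse to run scripts at all.
Set-PolicyValue -Key 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name 'Enabled' -Value 0

# 3. SMBv1. Enabled by default on older builds and the transport for the
#    EternalBlue exploit used by WannaCry and NotPetya. Remove the feature
#    rather than just disabling the server side.
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# 4. Verify what was actually applied.
Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' |
    Select-Object VBAWarnings, blockcontentexecutionfrominternet
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' | Select-Object Enabled
Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' | Select-Object FeatureName, State
```

Disabling WSH will break any legitimate logon or admin scripts that still run under wscript or cscript, so check for those first; the same false-positive trade-off the article makes for whitelisting applies here.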

Application whitelisting turns the zero-day weakness of AV on its head: instead of trying to recognise bad code, a block-all (default-deny) policy is applied and every application that is allowed to run must be explicitly whitelisted. Microsoft AppLocker provides a rules framework for classifying permitted applications by publisher signature, folder path or file hash, while the newer Windows Defender Device Guard elevates protection further by running the code integrity checks inside a hypervisor-isolated Virtual Secure Mode (HVCI), so that even malware running in the kernel cannot tamper with the policy.

It's an effective approach for malware mitigation, but get ready for regular operational problems due to false positives, so it's not for everybody. Passive process/service monitoring with alerting may be a better compromise between business operations and protection; AppLocker's audit-only enforcement mode gives exactly that visibility, logging what would have been blocked without blocking it.
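The whitelisting roll-out described above, as an added PowerShell example that is not from the article: stand up a block-all AppLocker policy in audit-only mode, add publisher and hash rules for an unsigned line-of-business tool, check what would be blocked, and only then switch to enforcement. It assumes Windows 10 Enterprise/Education or Windows Server, an elevated session, a hypothetical tool installed under C:\LOB and a hypothetical downloaded file invoice.exe to test against; the C:\Temp paths are placeholders.

```powershell
# Added example, not from the article: AppLocker from audit-only to enforced.

$auditXml   = 'C:\Temp\AppLocker-audit.xml'
$lobXml     = 'C:\Temp\AppLocker-lob.xml'
$enforceXml = 'C:\Temp\AppLocker-enforce.xml'

# 1. AppLocker only evaluates rules while the Application Identity service
#    runs. On Windows 10 its startup type can only be changed with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Base policy: the equivalent of the GUI "default rules". Once the Exe
#    collection contains any rule, everything not allowed here is denied.
#    S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
$base = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="{$(New-Guid)}" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{$(New-Guid)}" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{$(New-Guid)}" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$base | Set-Content -Path $auditXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $auditXml

# 3. Rules for a tool outside Program Files: Publisher rules where a
#    signature exists (they survive patching), Hash rules for the rest.
Get-AppLockerFileInformation -Directory 'C:\LOB' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $lobXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $lobXml -Merge

# 4. What would be blocked? Test a file against the effective policy and
#    review audit events: ID 8003 = ran only because the collection is in
#    audit mode, i.e. it would be blocked once enforced.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path 'C:\Temp\effective.xml' -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy 'C:\Temp\effective.xml' `
    -Path "$env:USERPROFILE\Downloads\invoice.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# 5. Once the 8003 events are clean for a representative period, flip the
#    Exe collection from AuditOnly to Enabled.
[xml]$pol = Get-AppLockerPolicy -Local -Xml
($pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }).EnforcementMode = 'Enabled'
$pol.Save($enforceXml)
Set-AppLockerPolicy -XmlPolicy $enforceXml
```

Two caveats a practitioner would add: the %WINDIR%\* default rule also covers user-writable folders such as C:\Windows\Tasks and C:\Windows\Temp, which need exception or deny rules before the policy is really block-all; and the example leaves the Dll collection unconfigured, because DLL rules are where most of the false-positive pain the article warns about comes from.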

Detection

As ever, layered security is king, so the prevention measures outlined should be backed with breach detection. System integrity monitoring will give an early warning that you have a problem. As discussed, whitelisting the regular processes and services allows new, unexpected activity to be flagged, and the concept of integrity monitoring and change control can be extended to other attributes too. Changes to installed programs, open network ports, registry hives and other configuration settings all provide indicators of compromise, and monitoring for file integrity changes remains one of the most reliable signals: ransomware has to rewrite large numbers of files, and a burst of modifications across user data directories is hard to hide. False positives can be handled by integrating a file whitelist repository so that only files not previously seen raise an alert, which catches the binary your AV has no signature for the first time it appears.
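As an added example (my own code, not the article's or NNT's product), the script below implements a minimal baseline-and-compare integrity monitor in PowerShell covering three of the attributes listed above: file hashes under chosen paths, listening TCP ports, and the HKLM/HKCU Run keys. New files whose SHA-256 appears in a known-good hash list are suppressed, so the alert queue shows only never-before-seen executables. The target paths, baseline location and known-good list are hypothetical; the known-good file is assumed to be a plain text file with one SHA-256 per line, for instance exported from a reference build.

```powershell
# Added example, not from the article: baseline/compare integrity monitoring.
# First run writes the baseline; subsequent runs report differences.

$Targets   = @('C:\Windows\System32', 'C:\Program Files\LOBApp')   # hypothetical
$Baseline  = 'C:\FIM\baseline.json'                                 # hypothetical
$KnownGood = 'C:\FIM\known-good-sha256.txt'                         # hypothetical

function Get-IntegritySnapshot {
    param([string[]]$Paths)
    $snap = @{ Files = @{}; Ports = @(); Run = @{} }
    # Files: hash executable content only; hashtable keys are case-insensitive.
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.ps1', '.vbs', '.js' } |
            ForEach-Object {
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) { $snap.Files[$_.FullName] = $h.Hash }
            }
    }
    # Listening ports: a new listener is a classic backdoor indicator.
    $snap.Ports = @(Get-NetTCPConnection -State Listen |
        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } | Sort-Object -Unique)
    # Run keys: the most common persistence location for commodity malware.
    foreach ($hive in 'HKLM', 'HKCU') {
        $props = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { $snap.Run["$hive\$($_.Name)"] = [string]$_.Value }
        }
    }
    return $snap
}

function ConvertTo-Snapshot {
    # ConvertFrom-Json yields PSCustomObjects; rebuild the hashtables so
    # ContainsKey works (Windows PowerShell 5.1 has no -AsHashtable).
    param([string]$Json)
    $o = $Json | ConvertFrom-Json
    $s = @{ Files = @{}; Ports = @($o.Ports); Run = @{} }
    foreach ($p in $o.Files.PSObject.Properties) { $s.Files[$p.Name] = $p.Value }
    foreach ($p in $o.Run.PSObject.Properties)   { $s.Run[$p.Name]   = $p.Value }
    return $s
}

function Compare-IntegritySnapshot {
    param($Old, $New, [string[]]$KnownHashes = @())
    $alerts = New-Object System.Collections.Generic.List[string]
    $known  = [System.Collections.Generic.HashSet[string]]::new([string[]]$KnownHashes, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($path in $New.Files.Keys) {
        $hash = $New.Files[$path]
        if (-not $Old.Files.ContainsKey($path)) {
            # New file: only alert if the content has never been seen before.
            if (-not $known.Contains($hash)) { $alerts.Add("NEW FILE   $path ($hash)") }
        } elseif ($Old.Files[$path] -ne $hash) {
            $alerts.Add("MODIFIED   $path")
        }
    }
    foreach ($path in $Old.Files.Keys) {
        if (-not $New.Files.ContainsKey($path)) { $alerts.Add("DELETED    $path") }
    }
    foreach ($port in $New.Ports) { if ($port -notin $Old.Ports) { $alerts.Add("NEW PORT   $port") } }
    foreach ($name in $New.Run.Keys) {
        if (-not $Old.Run.ContainsKey($name))          { $alerts.Add("NEW RUN    $name = $($New.Run[$name])") }
        elseif ($Old.Run[$name] -ne $New.Run[$name])   { $alerts.Add("RUN CHANGE $name = $($New.Run[$name])") }
    }
    return $alerts
}

$current = Get-IntegritySnapshot -Paths $Targets
if (-not (Test-Path -Path $Baseline)) {
    New-Item -ItemType Directory -Path (Split-Path -Path $Baseline) -Force | Out-Null
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $Baseline -Encoding UTF8
    Write-Output "Baseline written to $Baseline"
    return
}
$knownHashes = if (Test-Path -Path $KnownGood) { @(Get-Content -Path $KnownGood) } else { @() }
$alerts = Compare-IntegritySnapshot -Old (ConvertTo-Snapshot -Json (Get-Content -Path $Baseline -Raw)) `
                                    -New $current -KnownHashes $knownHashes
if ($alerts.Count -eq 0) { Write-Output 'No changes since baseline.' }
else { $alerts | ForEach-Object { Write-Warning -Message $_ } }
```

Run it from a scheduled task as a dedicated account and ship the warnings to your SIEM rather than the console; after each approved change (patch Tuesday, an application upgrade) delete the baseline so the next run re-baselines, otherwise every subsequent scan repeats the same MODIFIED alerts and the signal is lost.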

Recovery

Despite all this, if you still find yourself with a ransom note and encrypted files, the simplest countermeasure is to be prepared to start again from regular backups. Now is the time to act if you are not fully confident in your backup operations. Keep at least one copy offline or otherwise unreachable from the infected network, because ransomware routinely encrypts mapped shares and deletes Volume Shadow Copies before it announces itself. And test that you can restore data; don't wait until you really need it to find out there's a problem.

No backups to work from? All is not lost. Ransomware doesn't stay a zero-day threat forever, and your next AV signature update may at least stop the malware before it encrypts anything more. Next, take a look at nomoreransom.org, a site backed by cyber-security organisations and law enforcement worldwide. Since its launch in 2016, nomoreransom.org claims to have saved 6,000 victims of ransomware over £1.5 million to date. It's simple to use: upload a file encrypted by the ransomware to the Crypto Sheriff page and, if a decryptor exists for that family, you can unlock your files for free.

Finally, don't pay the ransom except as an absolutely last roll of the dice. It is far from guaranteed to work – criminals aren't reliable people to do business with.

In summary, Ransomware is an ever-present, lethal threat to every organisation worldwide. The best defence is to take advantage of all the prevention, detection, and recovery measures outlined, and do it now. Then you can get back to making pancakes.

Contributed by Mark Kedgley, Chief Technical Officer at New Net Technologies (NNT).

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.