2016 will go down in history as the year cybercriminals made a fortune by exploiting vulnerabilities in technology and, even more, by exploiting human weaknesses. The infamous CEO scam alone brought cybercriminals billions of dollars. I have written a separate post on that crime; more details can be found here – CEO Scam Prevention Tips
This post focuses on another revenue stream for hackers – ransomware. Technology is a double-edged sword: legitimate use of encryption is required to keep information from falling into the wrong hands, but criminals have turned the same technology into their cash cow. They use traditional methods to get an initial infection onto the victim's machine and encrypt the documents on the client PC so that they are inaccessible. Once they control the documents, they demand a ransom to give you access back to your files.
Let's see how we can handle the ransomware epidemic:
Backup, Backup and Backup
I can't stress enough that backup is of the utmost importance for any organization. At the enterprise level there is usually a good backup policy; I'd recommend reassessing what is currently being backed up, perhaps by checking with the business on what they think should be backed up – you'll be surprised to find that what the business considers most important is not even on the backup list. This is a good exercise to ensure that what IT backs up is in sync with business needs.
· Keep a second copy of the backup offsite; it will come in handy if your primary backup also gets infected (mapped drives, careless admins, etc.).
· Periodic restore tests help, so that you can trust your backups.
· You may also look at cloud-based backup; Azure, AWS, or even your local cloud provider have options for in-cloud backup.
· If you keep backups on a mapped drive, make sure you disconnect it after the backup finishes.
· Needless to say, don't keep the backup copy on the server that is being backed up; I have seen many make the mistake of backing up their web server and leaving the only copy on the server itself.
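The backup job below is an added example, not code from the original post: it copies a data folder to a backup share, verifies every file by SHA-256 hash, writes a hash manifest that a later restore test can be checked against, and disconnects the mapped drive afterwards so an infected client cannot reach the backup. `$Source`, `$BackupShare` and `$Drive` are assumed values.

```powershell
# Added example (not from the original post). Assumed values: $Source, $BackupShare, $Drive.
$Source      = 'C:\Data'
$BackupShare = '\\backupsrv\backups$'
$Drive       = 'Z'
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmm'

# Map the share only for the duration of the job
New-PSDrive -Name $Drive -PSProvider FileSystem -Root $BackupShare | Out-Null
$Target = "${Drive}:\$env:COMPUTERNAME\$Stamp"
try {
    # robocopy handles large trees; exit codes 8 and above mean copy failures
    robocopy $Source $Target /E /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Verify: every source file must have an identical copy on the target.
    # Files that differ or are missing are collected into $failed.
    $failed = Get-ChildItem -Path $Source -File -Recurse | ForEach-Object {
        $rel  = $_.FullName.Substring($Source.Length).TrimStart('\')
        $copy = Join-Path -Path $Target -ChildPath $rel
        $h1 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -Path $copy -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h1 -ne $h2) { Write-Warning "Mismatch or missing: $rel"; $rel }
    }
    if ($failed) { throw "$(@($failed).Count) file(s) failed verification" }

    # Manifest of the verified copy; a periodic restore test compares against it
    Get-ChildItem -Path $Target -File -Recurse | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path "$Target.manifest.csv" -NoTypeInformation
    Write-Host "Backup verified and recorded: $Target"
}
finally {
    # Always drop the mapping, even on failure, so the share is not left reachable
    Remove-PSDrive -Name $Drive -Force
}
```

A restore test then copies a sample of files from the backup to a scratch location and compares their hashes with the manifest; a mismatch means the backup cannot be trusted.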
Patch your OS and Apps, and have an inventory of your assets
Ransomware, like any other piece of malware, has to exploit some weakness to gain an initial foothold; this may be a careless user running a macro-enabled document, an exploit against Java or Adobe products, or abuse of legitimate utilities like PowerShell. Define a consistent baseline for your operating systems and ensure they are up to date with the latest patch level. Having a single OS across the enterprise helps with baselining and patch management; if you're on the Windows 10 migration journey, it's your chance to get things right.
Know your apps: know what versions are installed and whether you really need them. Scan now and you'll find hundreds of different versions of Java installed across your organization – do you really need it? Get rid of Java if you can; you'll improve your security posture greatly. Patch all your Microsoft applications as well as third-party apps.
If you don't have control over your software and hardware inventory, it will be very difficult to achieve a decent level of security, and ransomware will always be a threat to your organization.
Awareness, yes! It pays off
Conduct formal security awareness sessions for your employees: classroom style if possible, and if not, there are various options like webinars and recorded videos, whatever works for your organization. Make security awareness personal: show them that attackers can watch them through the webcam on their machines and phones and listen to their conversations through the microphone on their phones and laptops. They should understand that security awareness is not just about defending the organization; it affects them and their families as well. Show them how simply clicking a link or opening a document can bring ransomware onto their computer. Seeing is believing; no matter how many newsletters or other campaigns you run, unless they see it happen they won't believe it, so show them how a ransomware infection happens in real time.
Even the Verizon DBIR says that social engineering is the top method used by attackers to gain access to organizations.
Get some education going; this will not only increase your visibility in the organization, but you'll gain many human sensors who will work on your behalf to secure it.
Disable Macros
For most ransomware the initial vector is phishing; the victim receives an email with a Microsoft Office attachment – Word, Excel, PowerPoint – or sometimes a zip archive. The message is very compelling, so the user opens it; typically it is an invoice.docm attachment with a message saying that x amount has been charged to your credit card. The concerned user immediately opens the attachment and finds that he must click on enable macro (snapshot below) to view the document. As soon as the user enables macros, the macro code runs and begins to encrypt the files on the hard disk and sometimes on the associated mapped drives as well.
Link – follow the link below to disable macros via Group Policy – How to disable Macro
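As an added example (not code from the original post or the linked guide), the script below audits the registry values that the Office macro Group Policy settings write, and with `-Enforce` sets them to disable macros outright and block macros in files marked as downloaded from the Internet. It assumes Office 2016/2019 (policy version key `16.0`) and must run elevated or be deployed through Group Policy, since the `Policies` hive is not writable by standard users.

```powershell
# Added example (not from the original post). Assumes Office version key 16.0.
param([switch]$Enforce)

$Version = '16.0'
$Apps    = 'Word', 'Excel', 'PowerPoint'
# VBAWarnings: 1 = enable all, 2 = disable with notification (the default, which
# is what the "enable macro" prompt shows), 3 = signed only, 4 = disable all
$Wanted  = 4
$Meaning = @{ 1 = 'Enable all'; 2 = 'Disable with notification'; 3 = 'Signed only'; 4 = 'Disable all' }

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
    $cur = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $blk = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $state = if ($null -eq $cur) { 'not set (user may enable macros)' } else { $Meaning[[int]$cur] }
    Write-Host ("{0,-10} VBAWarnings={1,-32} BlockFromInternet={2}" -f $app, $state, ($blk -eq 1))

    if ($Enforce) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Policy values override the user's Trust Center choice, so "enable macro" is gone
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $Wanted
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}
```

Run it without `-Enforce` across a sample of machines first; any application reporting "not set" is one where the invoice.docm prompt above would still appear.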
URL/SPAM Filtering Solution
It is a good idea to have a decent URL filtering solution in place for your enterprise; not only will it keep junk traffic away from your organization, but if configured correctly it will also help keep ransomware at bay. Configure your URL filtering solution to block the risky file types so that end users don't end up clicking on them.
The URL below has a list of malicious URLs that you can start with and fine-tune based on your experience –
Also leverage the IP reputation feature: even if a malicious file makes its way into the organization, the reputation service will block the command-and-control (C2) communication back to the attacker's server.
You should also configure your spam filtering solution to block unwanted file types arriving as attachments; you can send them to quarantine and have a manual review to release them as required.
Application Whitelisting
The easiest protection against most commodity malware is controlling what is allowed to execute on your computers. The whitelisting approach is recommended: define which applications are allowed to run and block everything else. You can leverage Microsoft AppLocker or Software Restriction Policies to implement application execution control.
Also disable the Windows Script Host, as a lot of malware arrives as .JS or .VBS scripts; a normal user doesn't need scripting capability on their computer.
Anti-Virus
Though I'm not a big advocate of anti-virus, it's a necessary evil that we all have to deal with; so if we're doing it, let's do it the right way. Most anti-virus products now have "behavioral analytics" to detect malicious encryption activity and block it – leverage it.
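The script below is an added example, not code from the original post: it builds an AppLocker allow-list from the software already installed in the standard program directories, applies it in audit mode so nothing is blocked yet, probes the policy with a constructed script file, and turns Windows Script Host off machine-wide. It assumes an elevated session on an edition that supports AppLocker, that the Application Identity service (AppIDSvc) is running, and an assumed output path `C:\Policies`.

```powershell
# Added example (not from the original post). Assumed path: C:\Policies.
Import-Module AppLocker
$PolicyFile = 'C:\Policies\applocker-audit.xml'

# 1. Collect executables and scripts from the trusted install locations
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$files = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}

# 2. Publisher rules for signed files, hash rules for the rest; anything else is denied
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
# Start in AuditOnly: would-be blocks are logged instead of enforced
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null
Set-Content -Path $PolicyFile -Value $xml
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# 3. Probe: a harmless constructed script in a user-writable folder should be denied
$probe = Join-Path $env:TEMP 'probe.js'
Set-Content -Path $probe -Value '// constructed probe file, does nothing'
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision

# 4. Windows Script Host off for every user on this machine (.js/.vbs no longer run)
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
Set-ItemProperty -Path $wsh -Name Enabled -Type DWord -Value 0

# 5. Review audit results: event 8003 = allowed now, would be blocked under enforcement
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL',
                      'Microsoft-Windows-AppLocker/MSI and Script' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message -First 20
```

Leave the policy in audit mode until the 8003 events show only software you expect, then switch the rule collections to `Enabled` and deploy the XML through Group Policy.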
External Media Control
Don't stick it in if you don't know it. Yes, ransomware does come via external media as well, so it's a good idea to restrict external media access. You can implement this via Group Policy or using the extended features of your anti-virus product.
2017 will see increased ransomware activity; it is already a 1 billion dollar industry and set to grow if we depend only on technology solutions and stay at the mercy of security vendors. Awareness plays a major part in stopping this menace – train your end users and implement defense in depth; it's just better planning and implementation. So roll up your sleeves and take control of your environment.