By Morey J. Haber, Chief Technology Officer, BeyondTrust
Given recent high-profile attacks like WannaCry, Petya (NotPetya) and CryptoLocker, ransomware has definitely matured from a niche IT concern to a more mainstream one. While there is no shortage of seminars, articles, and vendor solutions outlining best practices to mitigate the threats of ransomware and modern cyber extortion threats like malware based crypto-mining, there is no single solution to protect against all of these threats. If there was, wouldn’t we all be implementing it and the manufacturer be the most profitable vendor?
The fact is that there are multiple steps and best practices that can mitigate this growing problem. Rather than going out and buying the latest and greatest security solution available on the market, we would be well served to stop, listen, and master basic security hygiene. To that end, consider these five recommendations that cover all of the families of ransomware and modern cyber extortion tools. If you can do these five well, you can mitigate the vast majority of risk from these escalating attack vectors:
End User Education
The average user may not be able to tell the difference between a regular email, phishing, or spear phishing attack. They do however understand that if you click on the wrong thing, you may lose all your work and files or infect your computer. If you can translate the threat of ransomware into terms that the average user can understand and remember, then the human element of social engineering can have some definable mitigation strategy.
The vast majority of ransomware comes via phishing attacks and the training needs to cover the threat, identification of phishing emails, the hard lesson of what happens when you click on one of these emails. A simple phone call to IT can verify if the email is legitimate and we need instruct team members how to verify the source before continuing. It is not hard to do—just like looking both ways before crossing the street—but we need teach all users about safe computing practices.
The worst-case scenario is you do become infected with cyber extortion-based malware. If you follow law enforcements recommendations, you should not pay the fine. So how do you recover? The answer—Secure Backups.
While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up, and most importantly, secured such that the infected assets cannot compromise the backup via mapped drives or network shares. The backup should also be tested on a periodic basis to ensure it can restore all files in an uninfected state. A common mistake that organizations make is to attempt a restoration before the ransomware infestation is cleared and the process repeats itself until the environment is truly purged of the malware.
Some newer extortion-based malware are taking cues from older computer viruses that leverage Microsoft Office macros. This one isn’t easy to resolve, because many of our spreadsheets and documents depend on Macros to satisfy business requirements. For example, a recent addition to the long list of ransomware is “PowerWare”. It comes in typically through a phishing email and contains an infected Word attachment. The document contains a malicious macro which then calls a PowerShell script which carries out the payload.
This email is nasty because Word and PowerShell are very common and are approved applications at almost every organization. Therefore, they represent a trusted attack vector for ransomware and can bypass most application control solutions. In newer versions of Microsoft Office, a setting drastically reduces the possibility of this happening. The setting, ‘Disable all macros except digitally signed macros’, found within the Trust Center settings will prevent a macro without a valid certificate authority from executing.
This provides secure granularity to enable macros verses the ‘Disable all macros’ setting. Unfortunately, you may not be able to enable this setting since not all macros may be signed. Wherever possible, insist any vendor that provides software containing macros to sign them and establish a process internally to sign macros so this setting can be properly enabled for everyone and mitigate the threat.
As if the thought of an Angler fish is not frightening enough, an exploit kit sharing the same name targets older versions of Flash and Silverlight. According to the Verizon Data Breach Report, 99% of attacks target known vulnerabilities. Even though this specific vulnerability has been patched, many organizations do not patch and verify third party applications regularly, let alone the operating system itself (think WannaCry or Apache vulnerabilities used in the Equifax breach).
Maintaining software to their most recent versions is nothing new, but we continue to see outdated, and sometimes years outdated, software in production environments. It is important to have a regular schedule to assess your environment for vulnerable software and have a reliable process to remediate any findings. This is security basics.
Standard User Privileges
Ransomware spreads by leveraging the users’ privileges to infect files that are within scope. If the user only has standard user rights, the only files visible are the ones they may have locally or via a network share. While the scope of this may be large, it can be much worse if the user actually has administrator privileges. Then, potentially every file visible to an administrator is in scope and therefore the entire environment is potentially susceptible to an infection.
The fact of the matter is that most cyber extortion malware requires administrator privileges just to launch and embed itself in a system. If you reduce a users’ privilege to standard user, ransomware that tries to install a persistent presence is generally thwarted because it does not have the privileges to install files, drivers, or even access the registry unless it leverages an exploit to escalate privileges. This is a sound mitigation strategy for the vast majority of malware that needs to own a system in order to begin infecting files for ransomware and cyber extortion threats.
As we see a disturbing increase in cyber extortion malware, basic cyber security hygiene is the best defense to protect your organization from becoming the next victim. Defending against an attack requires a blended approach from the removal of administrative rights to handling use cases that leverage social engineering, macros, and vulnerabilities and their corresponding exploits.
To be successful, the onus is on every organization to take the necessary steps to prevent malicious software from threating the network. There is no magic button, no simple tool, nor any one strategy that can stop this escalation of threats. But if you can follow these five basic security recommendations, your organization can greatly minimize the risk of being the next victim.