What is Ransomware?
Ransomware is a form of malware that pushes organizations to the edge by directly monetizing the threat. After all, most crime is directly attributable to some monetary gain.
WannaCry, SambaCry, CryptoLocker, Petya and Locky are some of the more common names of ransomware that have become mainstream news, and even teams outside of security are very painfully aware of the threats.
While there is no shortage of blogs, articles, and vendor solutions outlining best practices to mitigate the threats of ransomware or to block the threat altogether, there is truly no magic bullet. If there were, wouldn’t we all already own it, and wouldn’t the manufacturer be the most popular vendor?
The fact is, each best practice helps against some ransomware, while other technology, processes, and education help against others. It is a family and attack vector story. Each one is different and the defense for each requires adaptation.
Therefore, consider these five recommendations that cover all of the families of ransomware (to date). If you can do these five well, you can mitigate the vast majority of risk from these modern threats:
1. Education, Training and Measurement
The average user may not be able to tell the difference between a regular email, phishing, or spear phishing attack. They do, however, understand that if you click on the wrong thing, you may lose all your work and files or infect your computer.
If you can translate the threat of ransomware into terms the average user can remember, then the human element of social engineering can have some definable mitigation strategy.
The vast majority of ransomware comes via phishing attacks, and the training needs to cover the threat, the identification of phishing emails, and the hard lesson of what to click on and when not to open a file.
A simple phone call can verify if the email is legitimate and we need to instruct team members how to verify the source before continuing. It is not hard to do, just like looking both ways before crossing the street, but we need to teach all users about safe computing practices. And, for most organizations, penetration testing with phishing samples is recommended to measure the success of your training initiatives.
2. Secure and Verifiable Backups
The worst case scenario is you do become infected with ransomware. If you follow law enforcement's recommendations, you should not pay the fine.
So how do you recover? Secure Backups. While this recommendation is not preventative, it is the only one that can help you when all else fails.
All data should be backed up and, most importantly, secured such that a ransomware infection cannot compromise the backup via mapped drives or network shares. The backup should also be tested on a periodic basis to ensure it can restore all files in an uninfected state.
A common mistake for organizations, however, is to attempt a restoration before the ransomware infestation is cleared. While some anti-virus solutions can remove the malware, I always recommend rebuilding or re-imaging the host(s).
There is always a chance the threat was more sophisticated than the endpoint security solution can detect and resolve, and that a persistent threat may be present for a future attack. A complete reload is the only way to be moderately sure that the issue has been resolved.
If the infection is bad enough and found its way to a domain controller, you should strongly consider reloading the entire environment. It is the only way to be sure.
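One way to run the periodic restore test described above, as an added example that is not part of the original article or any vendor tooling: restore to a scratch location and compare every file with a SHA-256 manifest written at backup time. The manifest format (a CSV with RelativePath and Sha256 columns) and all paths are assumptions.

```powershell
# Added example: verify a test restore against a hash manifest made at backup time.
# Assumptions: the manifest is a CSV with columns RelativePath,Sha256 and is kept
# somewhere the backed-up hosts cannot write to. All paths are placeholders.
function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)] [string] $RestoreRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $RestoreRoot).ProviderPath.TrimEnd('\')

    # Expected state: relative path -> SHA-256 recorded when the backup was taken.
    $expected = @{}
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $expected[$row.RelativePath] = $row.Sha256
    }

    # Walk the restored tree and compare every file with the manifest.
    $seen = @{}
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File -Force) {
        $rel = $file.FullName.Substring($root.Length + 1)
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            # Not in the manifest, e.g. a ransom note or a renamed, encrypted copy.
            [pscustomobject]@{ Status = 'Unexpected'; RelativePath = $rel }
        }
        elseif ((Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -ne $expected[$rel]) {
            # Same name, different content than what was backed up.
            [pscustomobject]@{ Status = 'Changed'; RelativePath = $rel }
        }
    }

    # Files the manifest lists but the restore did not produce.
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Missing'; RelativePath = $rel }
        }
    }
}

# A clean restore returns nothing; otherwise summarize what differs.
$issues = @(Test-RestoredBackup -RestoreRoot 'D:\restore-test' -ManifestPath 'E:\manifests\latest.csv')
if ($issues.Count -eq 0) { 'Restore matches manifest' }
else { $issues | Group-Object Status | Select-Object Name, Count }
```

A backup taken after encryption began typically shows up as many Missing entries paired with Unexpected ones, because the original file names are gone and renamed copies have appeared.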
3. Secure Macros
Some of the newer ransomware is taking cues from older malware that leverages Microsoft Office and other application macros. This one isn’t easy to resolve, because many of our spreadsheets and documents depend on macros to satisfy business and functional requirements.
For example, a recent addition to the long list of ransomware, “PowerWare”, comes in typically through a phishing email and contains an infected Word attachment. The document contains a malicious macro, which then calls a PowerShell script, which carries out the payload.
This email is scary because Word and PowerShell are very common and approved applications at almost every organization. Therefore, they represent a trusted attack vector for ransomware.
Newer versions of Microsoft Office, however, do contain a setting that drastically reduces the possibility of this happening. The setting, ‘Disable all macros except digitally signed macros’, found within the Trust Center settings, will do just that: prevent a macro without a valid certificate authority from executing. This provides secure granularity to enable macros versus the ‘Disable all macros’ setting.
Unfortunately, you may not be able to enable this setting since not all macros your business requires may be signed, or otherwise the certificate for them may be expired.
Wherever possible, insist that any vendor that provides software containing macros sign them, and establish a process internally to sign macros so this setting can be properly enabled for everyone.
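To check where the Trust Center macro setting discussed above actually stands on an endpoint, the following added example (not from the original article) reads the VBAWarnings registry value for each Office application. It assumes Office 2016 or later (registry version key 16.0) and inspects the current user's hive only.

```powershell
# Added example: report the effective VBA macro setting per Office application.
# Assumptions: Office 2016 or later (registry version key 16.0), current user hive.
function Get-OfficeMacroSetting {
    param(
        [string[]] $Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]   $OfficeVersion = '16.0'
    )
    # VBAWarnings values and the Trust Center option each one corresponds to.
    $meaning = @{
        1 = 'Enable all macros'
        2 = 'Disable all macros with notification'
        3 = 'Disable all macros except digitally signed macros'
        4 = 'Disable all macros without notification'
    }
    foreach ($app in $Apps) {
        # A Group Policy value wins over the value the user picked in Trust Center.
        $sources = [ordered]@{
            Policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
            User   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        }
        $value  = 2          # Office default when nothing is configured
        $source = 'Default'
        foreach ($name in $sources.Keys) {
            $prop = Get-ItemProperty -Path $sources[$name] -Name VBAWarnings -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $value  = [int] $prop.VBAWarnings
                $source = $name
                break
            }
        }
        $setting = 'Unknown value'
        if ($meaning.ContainsKey($value)) { $setting = $meaning[$value] }

        [pscustomobject]@{
            Application          = $app
            Source               = $source
            Value                = $value
            Setting              = $setting
            SignedOnlyOrStricter = ($value -in 3, 4)
            # Only a policy value is locked; a user-level value can be changed back.
            EnforcedByPolicy     = ($source -eq 'Policy')
        }
    }
}

Get-OfficeMacroSetting | Format-Table -AutoSize
```

Rows where SignedOnlyOrStricter is true but EnforcedByPolicy is false mean the user chose the setting themselves and can relax it again from the Trust Center.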
4. Patch and Update Frequently
As if the thought of an angler fish weren't frightening enough, an exploit kit sharing the same name targets older versions of Flash and Silverlight. According to the Verizon Data Breach Report, 99% of attacks target known vulnerabilities. Even though this specific vulnerability has been patched, many organizations do not patch third party applications regularly, let alone the operating system itself (think WannaCry).
The payload is another version of ransomware. Keeping software at its most recent version is nothing new, but we continue to see outdated, and sometimes years outdated, software in production environments. It is important to have a regular schedule to assess your environment for outdated or vulnerable software, and have a tested process to remediate any findings.
These are security basics, and if your organization is not doing them well, this is an easy problem to solve, with some tangible threat reduction results. This includes keeping endpoint protection technology and local anti-virus up to date as well.
Businesses still rely on this as a first line of defense when education fails and the ransomware is identified (and prevented) before the infection. Basically, if it can be updated to a more secure version, it should be, as frequently as is technically feasible and business friendly.
5. Remove Administrator Rights
Ransomware spreads by leveraging the user’s privileges to infect files that are within scope. If the user only has standard user rights, the only files visible are the ones they may have locally or via a network share.
While the scope of this may be large, it can be much worse if the user actually has administrator privileges. Then, potentially every file visible to an administrator is in scope and therefore the entire environment is potentially susceptible to an infection. This assumes, however, that the ransomware can execute as a standard user.
The fact of the matter is that most ransomware requires administrator privileges just to launch. Macro-based ransomware is one notable exception in addition to ransomware that leverages vulnerabilities like WannaCry.
If you reduce a user's privilege to standard user, ransomware that tries to install a persistent presence is generally thwarted because it does not have the privileges to install files, drivers, or even access the registry unless it leverages an exploit to escalate privileges. This is a sound mitigation strategy for the vast majority of malware that needs to own a system in order to begin infecting files.
If this strategy is bundled with application control and least privilege technology, only a few forms of ransomware (like WannaCry or macro based) cannot be prevented. This proves that successfully preventing a ransomware attack requires a blended approach, from the removal of administrative rights to handling the edge cases that leverage social engineering, macros, and vulnerabilities and their corresponding exploits.
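Before removing administrator rights you need to know who holds them. The following added example (not from the original article or from BeyondTrust) lists the members of the local Administrators group and flags entries that are neither Windows defaults nor on an approved list; the allow-list name shown is a placeholder.

```powershell
# Added example: list members of the local Administrators group and flag the ones
# that are not defaults or on an approved list. Requires Windows PowerShell 5.1+.
function Get-LocalAdminReview {
    param([string[]] $AllowedNames = @())   # placeholder input, e.g. an IT admin group

    $currentSid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (locale independent).
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $sid = $member.SID.Value

        if ($sid -match '^S-1-5-21-.+-500$') {
            $status = 'Default'             # built-in Administrator account (RID 500)
        }
        elseif ($sid -match '^S-1-5-21-.+-512$') {
            $status = 'Default'             # Domain Admins (RID 512)
        }
        elseif ($AllowedNames -contains $member.Name) {
            $status = 'Allowed'
        }
        else {
            $status = 'Review'              # candidate for removal
        }

        [pscustomobject]@{
            Name            = $member.Name
            ObjectClass     = $member.ObjectClass       # User or Group
            PrincipalSource = $member.PrincipalSource   # Local, ActiveDirectory, ...
            Status          = $status
            # Direct membership only; rights granted through a nested group
            # appear under that group's row instead.
            IsCurrentUser   = ($sid -eq $currentSid)
        }
    }
}

# CONTOSO\Workstation-Admins is a constructed name used for illustration.
Get-LocalAdminReview -AllowedNames 'CONTOSO\Workstation-Admins' |
    Where-Object { $_.Status -eq 'Review' -or $_.IsCurrentUser } |
    Format-Table -AutoSize
```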
As you can see from the recommendations, the onus is on every organization and security professional to take the necessary steps to prevent ransomware and other malicious software from threatening the network. There is no magic button, no simple tool, nor any one strategy that can stop this modern threat. If you can follow these five basic security recommendations, your organization can greatly minimize the threat.
Editor's note: this article was originally posted on SecureWorld.
Morey J. Haber, Chief Security Officer, BeyondTrust