There is an ugly truth of ransomware that the cybersecurity community neglects to discuss. It is not about the crime committed, the cyber threat actors trying to monetize your misfortune, nor about the potential loss of systems or data. It is the simple fact that ransomware is really just a computer virus.
Regardless of whether you refer to it as malware or ransomware, it is essentially an undesirable program that you did not intend to execute and that has potentially dire consequences for your systems. As with most malware, it is a maliciously designed piece of software intended to compromise your systems by exploiting vulnerabilities, administrative rights, office macros, lateral movement, and social engineering to extract funds from your organization, or otherwise inflict harm.
So, What Does this Mean for Your Cyber Defense Plan?
As just another computer virus, ransomware must be treated as such. This is just a simple truth and why going above and beyond traditional virus countermeasures actually provides an effective cyber defense strategy that can prevent infection. Consider the following:
- Ransomware, despite have a unique name branded to it, is just a computer virus (the ugly truth)
- Computer viruses execute on a computer only if they have privileges to execute, leverage methods to launch remote code (MS Office Macros or PowerShell), or they exploit a vulnerability or misconfiguration (a realistic truth about how they infect a system).
- An unauthorized program, like ransomware, cannot execute on a host that has implemented good allow listing and block listing application control. This includes blocking anything not properly digitally signed (an honest truth about a possible defensive strategy).
- Ransomware is not traditionally a targeted attack. The weak are generally infected and, recently, state and local governments have been taking the brunt of the attacks due to aging systems, lack of funding, limited personnel resources, and poor basic cybersecurity practices (another ugly truth).
So, where does this leave the typical organization or information technology professional? Just remember the U.G.L.Y. truth:
- U. is for Users: Ransomware succeeds because end users typically fall victim to their primary method of delivery, social engineering via phishing / spear phishing attacks. Educate and train your users to identify these malicious emails so they don’t fall victim to the malicious payloads.
- G. is for Grant Access: Only grant access to trusted applications and properly digitally signed macros and PowerShell scripts. You can accomplish this by using application control technology. Application control can mute the viral portion of ransomware by stopping its execution from the start.
- L. is for Least Privilege: Remove administrative rights from end users. In 2018, 81% of all Microsoft Vulnerabilities could be mitigated by removing administrative rights and exploits that are used to propagate ransomware can be stopped dead in their tracks too with this basic policy change. You can actually enforce least privilege and application control with the best endpoint privilege management solutions.
- Y. is for You: You can be a victim of ransomware—no one is immune. Implementing these basic procedures in addition to cybersecurity fundamentals like vulnerability, patch, end-of-life, and configuration management. These will help ensure YOU are not a victim of ransomware.
And, the next time another ransomware attack is in the news, consider how UGLY it could be for your organization and what you can do to prevent it.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.