Ransomware: 7 Strategies for Mitigating Risk

May 16th, 2016


Reveton, CryptoLocker, Locky…words that IT, the FBI and even everyday Joes have learned to hate. Being a family blog, I won’t say what we all want to say about Ransomware, so I’ll just leave it as, “It’s not good”. There is no shortage of articles on the latest threat, no one industry is at more risk than another, and most alarming of all, no single method or product offers total protection from it.

There are ways to help protect our organizations from ransomware attacks, and really, these practices have become mainstream in the enterprise. Keep reading for seven strategies for mitigating the effects of ransomware.

1) Knowledge is Power

The average user may not understand the difference between a bit and a byte or SATA and SSD, but they do understand, “Do you want to lose that picture of little Johnny receiving his first communion?” Inform users of the various types of attacks, including ransomware. I know what you’re thinking, “Jason, they won’t read the email”. I get it. If they did, Johnny’s picture wouldn’t be on their work computer anyway. But it happens; it’s an inevitable result of being in front of a work computer all day. Still, I urge you, don’t sit back. Many will read it, and every message adds to the shared awareness that keeps your employees paying attention. I’ve seen people in my town go from, “How do I get my router working?” to proactively posting links helping their friends avoid a horrible day.

2) A good email filter goes a long way

Email filters have come a long way since the days of manually checking every email flagged as spam.  Besides blocking email attachments containing various types of malware and spam, they’ve developed into a great defense against ransomware as well.  Find one that fits your company’s scale and budget and use it.  Keeping with the intent of these first two items, take a look at companies like PhishMe that can ethically send and track statistics on users who have read, opened an attachment or clicked a link in an email so you can better evaluate your training and security practices.  I’ve always loved the irony of a company sending a fake…fake, email.

3) Backup, and more importantly, validate those backups regularly

Little Johnny is getting to be a popular kid, and while his picture may end up on some magnetic strip locked in a safe or some other means of off-site backup, it’s critical your company has a good backup procedure. Also, test the integrity of these backups. I’ve been in this industry for a couple of decades, but I haven’t always been the sharp tack you read before you. I have made this error, and assumed the backups were working; right up until the time I needed to recover some data. Trust but verify, my friends. It’s no wonder I find myself at a company named BeyondTrust.

4) Attention Macros, Sign Here Please

This one isn’t always as easy as it sounds, but it’s no less important than anything else on this list.  Macros have been an intrusion point used by malware for years so it’s no surprise ransomware uses them as well.

A recent addition to the long list of ransomware, “PowerWare”, comes in – typically through a phishing email – and contains a Word attachment. The document contains a malicious macro, which calls a PowerShell script, which in turn carries out the payload. A scary thought: email, Word and PowerShell are very common, approved apps at any organization.

Versions of MS Office released in the past few years do contain a setting that drastically reduces the possibility of this happening. The setting, ‘Disable all macros except digitally signed macros’, found within the Trust Center settings, will do just that – prevent any macro that is not signed with a certificate from a trusted certificate authority from executing. This complements the ‘Disable all macros…’ settings by allowing a middle ground, whereas previously macros were simply on or off. As mentioned, you may not be able to enable this setting, as not all macros you need for your business may be signed, or they may be out of maintenance with no chance of being signed in the future. Wherever possible, insist that any vendor that provides software containing macros sign them.
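As an added example (not part of the original post or any BeyondTrust product), the following PowerShell script audits the Trust Center macro setting for Word, Excel and PowerPoint and can enforce the ‘digitally signed only’ option. It assumes the setting is stored in the registry DWORD `VBAWarnings` (value 3 = ‘Disable all macros except digitally signed macros’) under the Office 15.0/16.0 keys, and that writing it under the `Policies` hive applies it as policy.

```powershell
# Audit, and optionally enforce, "Disable all macros except digitally signed macros"
# for Word, Excel and PowerPoint in Office 2013 (15.0) and Office 2016 (16.0).
# Assumption: the setting is the registry DWORD VBAWarnings, where
#   1 = enable all, 2 = disable with notification (the default),
#   3 = disable all except digitally signed, 4 = disable all without notification.
# Writing it under HKCU:\Software\Policies applies it as policy, so the Trust Center
# UI shows it greyed out; a domain GPO sets the same value centrally.
param([switch]$Enforce)   # without -Enforce the script only reports

$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '15.0', '16.0'
$wanted   = 3
$labels   = @{ 1 = 'Enable all macros (dangerous)'
               2 = 'Disable with notification (user can still click Enable)'
               3 = 'Disable all except digitally signed'
               4 = 'Disable all without notification' }

foreach ($v in $versions) {
    foreach ($app in $apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$v\$app\Security"

        # Effective value: a policy value overrides the user's own Trust Center choice.
        $current = $null
        foreach ($key in $policyKey, $userKey) {
            if (Test-Path $key) {
                $val = (Get-ItemProperty -Path $key).VBAWarnings
                if ($null -ne $val) { $current = [int]$val; break }
            }
        }

        $desc = if ($null -eq $current) { 'not set (behaves as 2)' } else { $labels[$current] }
        '{0} {1,-10} VBAWarnings={2} : {3}' -f $v, $app, $current, $desc

        if ($Enforce -and $current -ne $wanted) {
            if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
            Set-ItemProperty -Path $policyKey -Name VBAWarnings -Value $wanted -Type DWord
            "  -> enforced policy value $wanted for $v $app"
        }
    }
}
```

Run it without `-Enforce` first to see which applications still allow unsigned macros; the report line for each application tells you whether the value came from policy or from the user’s own choice only in the sense that a policy value, when present, is the one shown.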

What was it that Ben Franklin said (or technically Henry de Bracton, but who’s keeping track), “An ounce of prevention is worth a pound of cure.” Whoever you credit for this, its meaning still holds true.

5) Update and Patch Your Software

As if the thought of an Angler fish isn’t frightening enough, an exploit kit sharing the same name targets (now patched) versions of Flash and Silverlight and delivers what? Yes, yet another variant of ransomware. Keeping software at its most recent version is nothing new, but we continue to see outdated – sometimes years outdated – software in production environments. It is important to have a regular schedule to scan your environment for outdated or vulnerable software, and a tested process to remediate whatever the scan finds. This is one of the points on the list BeyondTrust can help with. Our Retina Enterprise Vulnerability Management software has helped companies identify and patch issues for over a decade.

6) Someone Call Dora, the Map is Broken

Actually, Map is working just fine; in fact, he’s doing exactly what we asked him to do (or, in some cases, not to do). Mapped drives are used everywhere, with good reason; I would much rather type M:\AppShare than \\Harbringer\ILoveSuperHeroes\MoreThanYou\AppShare any day. Here’s the problem, though – ransomware has developed a knack for following mapped drives and encrypting the files on those as well. So while the use of mapped drives isn’t going away any time soon, be very cautious about who gets access to them, what permissions are given to the shares and where they point to. Pay special attention to drives that map to critical servers. The Retina Discovery Scanner, which ships with most products offered by BeyondTrust, can scan, list and report on the mapped drives available on every computer that touches your network.
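The inventory described above, as an added PowerShell example (not code from the original post or from Retina): it lists each mapped drive in the current session, resolves it to its UNC target and host, flags targets on a critical-server list, and gives a coarse read on whether the share root carries write-class ACEs. The critical-server names are constructed samples, and the WMI class used is assumed to expose `DeviceID` and `ProviderName`.

```powershell
# Inventory the mapped drives in the current user's session, resolve each to its
# UNC target and host, and flag the ones that point at servers on your critical list.
# Assumptions: Win32_MappedLogicalDisk exposes DeviceID (drive letter) and
# ProviderName (UNC path); the critical-server names below are constructed samples.
$criticalServers = @('FILESRV01', 'BACKUP01', 'ERP-DB')

function Get-MappedDriveReport {
    param([string[]]$Critical)

    Get-CimInstance -ClassName Win32_MappedLogicalDisk |
        Where-Object { $_.ProviderName } |
        ForEach-Object {
            $disk   = $_
            $unc    = $disk.ProviderName              # e.g. \\FILESRV01\AppShare
            $server = ($unc -split '\\')[2]           # host portion of the UNC

            # Coarse signal only: does any Allow ACE on the share root grant write-class
            # rights? This is not an effective-rights calculation for the current user.
            $writeAce = 'unknown (ACL not readable)'
            try {
                $acl = Get-Acl -Path $unc -ErrorAction Stop
                $writeAce = [bool]($acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.FileSystemRights -match 'Write|Modify|FullControl'
                })
            } catch { }

            [pscustomobject]@{
                Drive    = $disk.DeviceID
                Target   = $unc
                Server   = $server
                Critical = ($Critical -contains $server.ToUpper())
                WriteAce = $writeAce
            }
        }
}

# Critical targets first: these are the shares where a single infected
# workstation does the most damage.
Get-MappedDriveReport -Critical $criticalServers |
    Sort-Object -Property Critical -Descending |
    Format-Table -AutoSize
```

Run under each user profile you care about, since drive mappings are per session; a share that shows up as both Critical and WriteAce is the first one to review for tightened permissions.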

7) It’s a Privilege, Not a Right

At times overlooked, consider what rights your users log into their machines with.  Do they have Local or even Domain Admin rights?  Do they really need to have those rights?  That’s unfair of me to ask, I already know the answer…No.  Think about it, why is it they have these rights in the first place?  Is it because that’s the way it’s always been?  Is it because the thought of trying to manage users with a minimum set of rights is overwhelming?

The reason many companies allow excessive rights is really about the applications and tasks they run. It’s applications that need elevated access, not the users. By providing this targeted access, or outright denying non-approved software or software not run in a specific way – think PowerShell running specific scripts, rather than allowing PowerShell by itself – you greatly reduce the attack surface ransomware can use. As has been the trend in this list, PowerBroker for Windows helps companies maintain a least privilege model, while still allowing the functional capabilities employees require to do their jobs.
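A starting point for the question “who is logging in with admin rights?”, as an added PowerShell example (not part of the original post or of PowerBroker): it reports whether the current session is elevated and lists every member of the local Administrators group, marking those not on an expected list. It assumes `Get-LocalGroupMember` is available (Windows 10 / Server 2016), and the expected-member list is a constructed sample.

```powershell
# Report whether the current session runs with administrator rights and who sits in
# the local Administrators group, marking members you did not expect.
# Assumptions: Get-LocalGroupMember (Windows 10 / Server 2016 LocalAccounts module)
# is available; the expected-member list is a constructed sample.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    param(
        # Constructed sample: the built-in account plus the domain admins group.
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator", 'DOMAIN\Domain Admins')
    )
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Class      = $_.ObjectClass       # User or Group
            Source     = $_.PrincipalSource   # Local or ActiveDirectory
            Unexpected = -not ($Expected -contains $_.Name)
        }
    }
}

"Current session elevated: $(Test-IsElevated)"
$report = Get-LocalAdminReport
$report | Format-Table -AutoSize
# Anything unexpected is a candidate for removal in favour of per-application elevation.
$report | Where-Object Unexpected | ForEach-Object { "REVIEW: $($_.Name) ($($_.Class))" }
```

Run it from a normal (non-elevated) prompt on a sample of workstations; every everyday user account or broad group that appears as REVIEW is a place where application-level elevation could replace a standing admin right.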

As you can see from the list, the onus is on each of us to take the necessary steps to prevent ransomware and other malicious software from penetrating the network.  There is no magic button, no ivory tower with a council of sorcerers that can wave their hands and make it all go away, but it is by no means hopeless.  In regards to whether to pay or not, ultimately it is up to you. For me however, I’d accept the slight loss in work, wipe the system, and restore from backup.

Watch for more blogs coming soon explaining how to configure PowerBroker for Windows to provide additional protection against ransomware. In the meantime, for more on how BeyondTrust solutions can mitigate the risk of ransomware and other malware, contact us today.