Ransomware Epidemic Countermeasures
In the last three years the ransomware epidemic has grown both in volume and shape (number of infections and number of different variants). Although the first ransomware ever was found in 1989 (see “AIDS Trojan”), it was pretty rare until recently.
Nowadays, almost every day, hundreds and even thousands of home users, corporations and even legal and government agencies suffer from this epidemic. This epidemic is serious and very painful in some cases, but like any other cyber threat there are possible solutions that will help prevent and also mitigate the ransomware infection threat.
In this short article we will try to explain what kind of countermeasures can be taken by corporations and even home users in order to be prepared for the ransomware epidemic.
Known Ransomware Infection Channels:
- Phishing-like emails with malicious attachments (execution files / office files with macro / links that redirect to a malicious server / web site).
- Surfing to a malicious website that can exploit a vulnerability in the end point browser.
- Downloading malicious files from an untrusted website.
- Trojan horse that retrieves the malicious ransomware from its Command and Control servers (after the endpoint is already compromised by the Trojan horse).
- Unauthorized external storage device (USB).
The sophistication of infection channels leads to a situation in which almost every organization, small to enterprise, may find itself infected with a variant of ransomware. Therefore, countermeasures are necessary and should be constantly addressed.
In order to minimize the likelihood of ransomware infections, we suggest implementing a layered defense strategy. This strategy covers all of the relevant infection channels in the organization, from the perimeter to the endpoint.
User awareness is one of the important prevention mechanisms against ransomware infections:
- Do not surf to untrusted sites (e.g. porn, gambling, freeware downloads and so on.). It is recommended to use Chrome / Firefox browsers which are less vulnerable to attacks (unlike Internet Explorer some versions of which are vulnerable).
- Do not open an email / attachment that originates from an unknown source or has a weird attachment (exe file inside a zip archive for example). Even a word document with a macro could be dangerous as well (e.g. Locky).
- Be careful when transferring files from a mobile storage unit / D.O.K. to your end point. Remember to scan the device for known viruses / suspicious files before use. Disabling auto run will also help improve endpoint security.
Endpoint security Layer:
- Endpoint user permissions should be hardened by restricting users from being local administrators on the endpoints. Consider applying the “Least Privilege” principle.
- Minimizing the amount of mapped shared folders on endpoints and also OneDrive, Google drive type folders, (Ransomwares can encrypt every accessible file, even if it is located in a shared folder or any other accessible folder).
- Enable “Volume Shadow copy” on important partitions, in order to be able to restore in case of infection.
- enabling “System restore” option, in order to be able to restore the system state after a ransomware infection.
- Backup important data on a regular basis, consider saving the backup data on a separate device (e.g. Dedicated Backup server, Mobile Storage unit etc).
- Apply a software whitelisting solution (e.g. Windows AppLocker / Commercial solution). a good software whitelisting solution can help prevent executing malicious software components like ransomware.
- Use an anti-virus solutions and remember to update them on a regular basis.
- Consider applying a 3rd party anomaly based detection solution in order to locate malicious activity / files (e.g., freeware like Microsoft EMET).
- Update operating system and 3rd party software on a regular basis (for example, Browsers and also Adobe, Java software components which are known for multiple new vulnerabilities every year).
- Consider preventing execution of files with macro’s (e.g. Microsoft word / Excel). This can be done via Group policy.
- Consider importing and implementing “IOC’S” (indicators of compromise) to your endpoint protection solutions (See SANS description). For example, detect / prevent software from writing files into appdata / localdata / roaming directories (very common with ransomwares) .
- Consider restricting insertion of mobile devices, USB devices, CD’s and even floppy to the endpoint (can be done by a 3rd party solution and also by applying group policy restrictions).
Internal Network Security Layer:
- Apply an adequate network segmentation via Firewalls. In case of a malware lateral movement, this will help to restrict the malware’s “movement” around the network (e.g., spreading to other endpoints and servers in the corporate network with the credentials of the compromised user).
- Consider implementing IPS (intrusion prevention system) between the corporate network segments. Applying IPS between network segments could help blocking known attack vectors.
- Consider backing up network accessible storage devices on a regular basis (in order to be able to save as much data as possible in case of an infection).
Perimeter Layer Security Layer:
- Web filtering – applying a web filtering solution that will prevent access to untrusted websites, downloading files (e.g., exe, zip, rar, jar, scr, etc.). If possible, use “surfing virtualization” solutions like VDI, Citrix smart browsing, Jetro secure browsing, etc. This will help to minimize the possible effect on internal endpoints so that internet surfing will not affect the internal endpoint.
- Mail Relay – applying a mail relay solution. That solution will help to filter the incoming emails. Apply rules that will prevent incoming emails with attachments like ZIP, RAR, EXE, SCR, JAR, JS, BAT, CPL, and so on. Only allow what is required for the ongoing work. Also restricting incoming attachments with PDF’s and Office Macro’s if possible.
- Consider applying a “Sandbox” solution that will check every incoming file that originates from the email infrastructure and even downloaded files from the internet.
- Consider applying IPS for ingoing and outgoing communication, also update the IPS signature database on a regular basis.
- Importing Domain and IP addresses blacklists of known malicious servers / websites. It is possible to update the corporate firewalls and IPS’s with those blacklists in order to prevent such communications.
Nevertheless, if an infection has accorded, specific countermeasures are required to reduce damage and to mitigate the threat as soon as possible.
- Isolate the station from the corporate network in order to prevent spreading of the ransomware encryption process (e.g. pull the network cable out of the plug / Isolate the station via Corporate NAC).
- Isolating the station, do not turn the station off (some of the ransomware’s keep their encryption key in the registry, and also it can affect the forensic work that may be done later), unless you want to stop the encryption process (if you caught it at the beginning).
- Some of the “old” ransomwares have a “decryption” toolkit (mainly produced by anti-virus vendors) that can help you save your files (very rare but worth a shot). If not, do a damage assessment, in order to understand what was encrypted and check if there is any valid backup that you can restore your data from.
- Investigate how it happened – the investigation phase is basically the aftermath analysis that will help you apply countermeasures that will minimize the likelihood of your corporation getting infected again. All the suggestions written above should help in this process.
- It is recommended to fully format the infected station in order to eliminate any residues of malware.
- After making sure (scan, formats, tools) that no other ransom infection exists, restore from backup.
Should I Pay?
Not recommended – if you don’t mind losing the money and losing your files will be much more expensive than paying the 400$, you can do it and cross your fingers that it will work (sometimes it will work and sometimes it won’t).
Most of the time, paying the ransom is not always a good idea, for mainly two reasons:
- Money is the “fuel” that runs the cyber crooks.
- You don’t have any guarantee that your files will be decrypted (so basically you will pay for nothing).
By Matan Ben Lulu & Tal Eliyahu
For any other questions or a need to a ransom incident response, feel free to contact us.