One of the biggest digital security threats that businesses, governments, and consumers all face is ransomware. What makes ransomware especially offensive is its capacity to inflict extensive damage in an incredibly short space of time, and the difficulties in remediating an infection.
Ransomware is a type of malware that deliberately interferes with the standard operation of a computer until a ransom is paid.
In recent years, ransomware has taken a more malevolent turn, with the rise of crypto-ransomware. This form systematically encrypts files that are stored locally, or are on accessible network file shares, using strong cryptographic algorithms. The ransomware determines what files to encrypt by their file type, with Office documents – .docx, .xlsx, .pptx, and media (photographs and video files) – almost always being targeted.
Ransomware is propagated in a variety of ways. Perhaps the most widely used method is through spam networks. The Locky variant, for example, is typically spread through emails that contain fake invoices. When opened, the document will ask the user to allow macros. When the user enables them, it will start to encrypt files using strong AES encryption.
Most of the blogs on ransomware malware infections that I’ve read so far focus on the business disrupting effects on the ransomware infection and on the hype of the new cyber crime trend. However, they forget to mention the prevention strategies that organizations can effectively put in place to prevent ransomware and malware infections in the first place.
This is my personal rundown of preventive ransomware strategies. In this post, I will not include an exhaustive list of technical ransomware details, different malware strands, and business implications of this kind of crimeware. I will focus, instead, on preventive measures to stop ransomware.
- Conduct periodic end-user security training: Since ransomware infections spread primarily through spam networks and via phishing attacks including attachments, conducting end-user security training with employees is a particularly effective strategy to prevent them from clicking on fake and phishing emails pretending to come from legitimate and known contacts. The act of clicking on attachments can cause a domino effect, where the malware spreads through the network and encrypts documents it finds. Addressing the human factor in malware infections is the single most important preventive action an organization can take.
- Obviously not all risk to users’ actions can be prevented. A system-compromising action will happen eventually. With this mind, an organization’s security posture needs to be resilient in a way it needs to have compensating controls to prevent the infection and spreading of the malware. Vulnerability and patch management are the security disciplines that help tremendously in this area. Identifying and remediating critical vulnerabilities not only in operating systems (like Windows) but also in applications, such as Microsoft Office, Adobe Acrobat and Flash, and Java can help prevent the original exploit used by ransomware from working., thus preventing the downloader from getting the ransomware remotely. Again, the last and most difficult frontier of vulnerability management is the application arena.
- Most of the ransomware found in the wild uses Microsoft Office macros to escalate privileges upon opening the document and executing remote code. Simply disabling macros on the Microsoft Office suite of applications can often do the trick at stopping ransomware from spreading. Another strategy could be using Microsoft Office viewers that do not include macro functionality to check those attached documents. With macros disabled, the exploit trick ransomware uses to install itself and spread is no longer effective.
- Often times the infection through a Microsoft Office vulnerability or macro launches in small stages which reach outwards on the Internet to download more malware. This Command & Control (C&C) channel is possible because certain protocols and ports are allowed outbound access. Proper firewall egress blocking and monitoring and internal network segmentation would allow this C&C channels to be blocked thus preventing further downloads to be achieved.
- Properly working endpoint security controls should be in place so that in-memory malicious processes and egress traffic could be detected and blocked as soon as they arise.
- Protocol and application-level filtering and blocking - better if performed in-line - is another effective strategy to block common C&C network protocol and application communication channels (for example: Tor) used by malware and ransomware to spread and call “home”.
- An established part of most organizations’ security programs is the business continuity and disaster recovery plan. As part of these practices, regular incremental backups should be taken and maintained for the purpose of restoring information essential to the business. A simple backup could transform a crisis situation into a routine event of replacing the information encrypted by ransomware.
- Regularly performed penetration testing and ongoing vulnerability management would help organizations identifying “low-hanging fruit” attack vectors in order to prevent malware from installing and spreading.
- Well-managed threat intelligence information such as Open Threat Exchange (OTX) will allow organizations to know whether they are under attack by specific hacking groups, what are the malware / ransomware / vulnerabilities used in such attacks, and what are the best courses of action to be taken to mitigate such emerging threats.
- Create, manage, and train for proper security incident response with defined roles and responsibilities of people throughout the organization. In the case of a malware infection and security breach this will help with prevention and recovery efforts as well.
As you can see, in the area of malware and ransomware, an ounce of prevention is worth a pound of detection. My suggestion is to not fall prey for the hype and scare tactics. Go back to basics by appropriately building your organization’s security program from a good foundation. Harden and secure your security posture and use a solid vulnerability management platform that can help you analyze, prioritize, and remediate your risks.