Ransomware stole a lot of headlines in 2016, and rightfully so. Every type of organization was hit this past year, including healthcare. With revenues of over $18 million in 2015, it’s a safe bet that ransomware isn’t going anywhere in 2017. It is highly profitable, and thanks to the prepackaged, affiliate-style distribution operations (ransomware-as-a-service) that malware authors now offer, just about anyone can get in on it.
The good news is that, as of right now, most strains of this encrypting menace can be stopped by comprehensive endpoint protection. Beyond that, there are defenses you should already have in your arsenal against this and every other type of threat:
- Spam filtering to stop phishing messages that carry malicious links or attachments
- Web filtering to keep users and automated sessions from reaching sites that serve as malware download hosts
- Reputable antivirus and antimalware protection on endpoint devices
- Gateway antivirus that scans active internet sessions and strips malicious payloads before they reach the endpoint
In addition, it is important that your IT staff perform regular security tasks such as:
- Implement regular updating and patching of all devices
- Disable Remote Desktop Protocol (RDP) on any computer directly exposed to the Internet; brute-forced RDP logins are a common entry point, so if remote access is required, put it behind a VPN rather than exposing port 3389
- When possible, disable Flash, since exploit kits use Flash vulnerabilities to deliver ransomware through drive-by downloads
- Enable browser security settings that warn users when a site attempts to install an add-on
- Enable browser security settings that block reported attack sites and forgeries
- Configure browser security settings to prevent automatic downloads
- Where applicable, configure browsers to prevent users from downloading files at all
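The checklist above is usually worked through by hand; the script below is an added example (not code from the original article) that audits three of the items on a Windows host and, with `-Enforce`, applies them: it turns off RDP and its firewall rules, counts updates Windows Update still reports as missing, and sets the Internet Explorer ActiveX "kill bit" on the Flash control. It assumes an elevated PowerShell 5.1 session, the registry values Windows ships with for these settings, and that the Flash CLSID shown is the one registered on the machine (verify it before enforcing). Browser-specific settings for Chrome or Firefox are not covered; those are managed through each vendor's own policy templates.

```powershell
# Added example: audit (default) or enforce (-Enforce) three ransomware
# hardening items on a Windows host. Run elevated; test in a lab first.
[CmdletBinding()]
param(
    [switch]$Enforce   # without this the script only reports findings
)

$findings = @()

# 1. RDP: fDenyTSConnections = 1 means Remote Desktop is disabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDeny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDeny -ne 1) {
    $findings += 'Remote Desktop is enabled'
    if ($Enforce) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        # Also close the inbound firewall rules so TCP 3389 is no longer reachable.
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    }
}

# 2. Patching: count updates the Windows Update Agent reports as not installed.
#    This uses the standard Microsoft.Update.Session COM API; the search can
#    take a minute on a machine that has not checked in for a while.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $missing  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    if ($missing.Count -gt 0) {
        $findings += "$($missing.Count) update(s) not installed"
        foreach ($u in $missing) { Write-Verbose "  missing: $($u.Title)" }
    }
} catch {
    $findings += "Could not query Windows Update: $($_.Exception.Message)"
}

# 3. Flash in Internet Explorer: Compatibility Flags bit 0x400 is the ActiveX
#    "kill bit"; IE refuses to load a control whose CLSID carries it. The CLSID
#    below is the Shockwave Flash control's (assumption: confirm it on your build).
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$axKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
$flags = (Get-ItemProperty -Path $axKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
if (-not $flags -or -not ($flags -band 0x400)) {
    $findings += 'Flash ActiveX control is not kill-bitted in IE'
    if ($Enforce) {
        New-Item -Path $axKey -Force | Out-Null
        New-ItemProperty -Path $axKey -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without `-Enforce` first and review the findings; in a domain these same settings belong in Group Policy so they cannot be silently reverted on one host.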
No matter how robust your security perimeter is, however, this invasive malware will find its way into your network at some point. The first goal of ransomware is to establish a beachhead on some computing device. From there it encrypts the local volumes and, most importantly, the mapped drives that reside on server volumes (some strains also enumerate any share the compromised account can write to). For this reason, it is imperative to prevent ransomware from establishing that beachhead in the first place.
For the time being, most current strains drop and execute their payload from the same user-writable locations: the AppData and Temp folders of the user's profile. It is within these folders that the malicious executable takes root. On Windows, administrators can easily create Software Restriction Policies (SRP) through Group Policy to disallow executable file types from running in those folders. Rules can be written against a file's hash, but a hash rule only covers the one sample it was built from and has to be updated for every variant; a path rule blocks execution from the location regardless of what the file is, which is why a path rule is the most effective choice here. The trade-off is that a path rule is only as good as the list of paths, so a dropper that writes somewhere you did not list still runs; full application allowlisting (AppLocker on supported editions) closes that gap.
You should include all of the following folders below:
It’s also important to remember that this type of malware runs under the user account that opened it, so in most cases it holds exactly that user's privileges: enough to encrypt everything the user can write to, but, for a standard user, not enough to install drivers, disable security tools or spread beyond what that account can reach. This is one more reason not to give users local administrator rights. Although it will certainly affect your users' experience, setting UAC to its strictest level ("Always notify", with prompts on the secure desktop) also puts a damper on the automated execution of malware, because a silent elevation is no longer available to it.
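As an added example, not the article's own code, the script below creates the SRP "Disallowed" path rules for executables launched from the AppData and Temp folders and sets UAC to its strictest level. It writes the same registry keys the Local Security Policy SRP editor writes, so it is for a lab machine or a standalone host; in a domain, build the equivalent rules in a GPO. The registry layout and the folder list are this example's assumptions (the article's own folder list did not survive on the page), and a path rule only applies to files of an SRP executable type (EXE, SCR, BAT, CMD, and so on). Run it elevated.

```powershell
# Added example: SRP path rules for the ransomware drop folders plus strict UAC.
# Assumed registry layout: the keys/values the SRP editor produces under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer. Verify on a test host first.
$safer           = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowedPaths = "$safer\0\Paths"     # 0 = Disallowed, 262144 = Unrestricted

# Folders ransomware droppers commonly execute from (assumed list for this example).
# "*\*.exe" catches one subfolder level; add levels if your samples nest deeper.
$blockedPatterns = @(
    '%AppData%\*.exe',       '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',  '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',          '%Temp%\*\*.exe',
    '%Temp%\Rar*\*.exe',     '%Temp%\7z*\*.exe',   # archive tools extract here
    '%Temp%\wz*\*.exe',      '%Temp%\*.zip\*.exe'
)

# Policy-wide settings: default level Unrestricted, rules apply to all users,
# executables checked but not DLLs (TransparentEnabled=2 would include DLLs
# and is far noisier).
New-Item -Path $disallowedPaths -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel        -Value 262144 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled  -Value 1      -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope         -Value 0      -Type DWord
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 0      -Type DWord

foreach ($pattern in $blockedPatterns) {
    # One GUID-named subkey per rule, as the SRP editor creates them.
    $ruleKey = Join-Path $disallowedPaths ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $pattern -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0        -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value 'Block ransomware droppers (example rule)' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

# UAC at its strictest: UAC on, admins see a consent prompt on the secure
# desktop for every elevation, standard users are denied elevation outright.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA                  -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord   # "Always notify"
Set-ItemProperty -Path $uac -Name PromptOnSecureDesktop      -Value 1 -Type DWord   # malware cannot click through
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorUser  -Value 0 -Type DWord   # auto-deny for standard users

# Print the rule set for review before users log on.
Get-ChildItem -Path $disallowedPaths | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
'SRP rules written (take effect for new processes; log off to be sure). EnableLUA changes need a reboot.'
```

Before enforcing, inventory what legitimately runs from these folders (per-user installers such as browser or chat clients often live under %LocalAppData%) and add more specific Unrestricted path rules for them, since in SRP the more specific rule wins. The SRP log (the LogFileName value under the same key) is the quickest way to see what a rule is blocking.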
A Magic Bullet
If you have read the many stories about ransomware infections over the past year, you have probably noticed that the majority of organizations never pay the ransom. That’s because they don’t have to: they hold the magic bullet, the key to escaping the devastating aftermath of ransomware.
They have a well strategized backup plan.
Regularly scheduled, up-to-date backups are like Houdini’s keys for escaping the aftermath of a ransomware attack. In most cases, organizations that paid a ransom did so because they lacked these escape keys. Dependable, worry-free backups require redundancy, which is exactly what the traditional 3-2-1 backup rule provides. The 3-2-1 design is as follows:
- Have at least 3 copies of your data
- Keep them on two different media types
- Have one of the copies be offsite
Three copies of your data means the original plus two separate backup copies. Those copies should reside on two different media, such as a network share or an SSD in a storage array on one side, and on the other, traditional tape, which seems so legacy but is portable enough to take offsite to a secure location: a separate site used by your organization, or even a safety deposit box at a local bank. It goes without saying that any backup plan includes regular test restorations to confirm the data can be recovered intact; a backup that captured files after they were already encrypted is worthless, and a test restore is the only way to find that out before you need it.
There have already been strains that deliberately go after local backup storage, deleting Volume Shadow Copies and encrypting attached backup drives. It is safe to assume that ransomware authors will keep working on ways to encrypt backups as well, to close off the escape route and improve their payout ratios. For this reason, place your backup store on a separate subnet protected by a firewall, and make sure it is not writable with ordinary user credentials: a backup share that the infected user's account can write to is just one more mapped drive to encrypt. A pull-based backup run by a dedicated service account, with the offsite copy kept offline or otherwise immutable, removes that path entirely.
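A test restore is only meaningful if you actually compare what came back with what you have. The script below is an added example (not from the original article) that hashes every file in the live data set and in a restored copy and reports files that are missing, differ, or appear only in the restore. `-Source` and `-Restored` are placeholder paths for the production share and the restore location; run it under an account that only has read access to the source so the test cannot damage anything.

```powershell
# Added example: verify a test restore by hashing both trees and diffing them.
# Assumes two readable directory trees; paths are placeholders to replace.
param(
    [Parameter(Mandatory)][string]$Source,     # e.g. \\fileserver\finance (live data)
    [Parameter(Mandatory)][string]$Restored,   # e.g. D:\restore-test\finance
    [string]$Algorithm = 'SHA256'
)

function Get-TreeHashes([string]$Root) {
    $root  = (Resolve-Path $Root).Path.TrimEnd('\')
    $table = @{}
    Get-ChildItem -Path $root -File -Recurse -Force | ForEach-Object {
        # Key by path relative to the root so the two trees line up.
        $rel = $_.FullName.Substring($root.Length + 1)
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm $Algorithm).Hash
    }
    return $table
}

$src = Get-TreeHashes $Source
$dst = Get-TreeHashes $Restored

$missing  = @($src.Keys | Where-Object { -not $dst.ContainsKey($_) })
$mismatch = @($src.Keys | Where-Object { $dst.ContainsKey($_) -and $dst[$_] -ne $src[$_] })
$extra    = @($dst.Keys | Where-Object { -not $src.ContainsKey($_) })

[pscustomobject]@{
    FilesInSource = $src.Count
    FilesRestored = $dst.Count
    Missing       = $missing.Count
    Mismatched    = $mismatch.Count
    Extra         = $extra.Count
}
$missing  | ForEach-Object { "MISSING:  $_" }
$mismatch | ForEach-Object { "MISMATCH: $_" }

# Non-zero exit lets a scheduled task or monitoring job flag a failed restore test.
if ($missing.Count -eq 0 -and $mismatch.Count -eq 0) { exit 0 } else { exit 1 }
```

Files changed since the backup ran will show up as mismatches, so compare against a snapshot taken at backup time where you can, and investigate when the mismatch count jumps for a whole directory rather than a handful of files: that pattern, especially when the source files have gained a new extension, is what a ransomware-encrypted source looks like, and it means the backup, not the live copy, is the good data.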