Skip to main content

Don’t Let Ransomware Take Your Organization Hostage

By: Morey J. Haber, Chief Technology Officer, BeyondTrust 

Given recent high-profile attacks like WannaCry, Petya (NotPetya) and CryptoLocker, ransomware has definitely matured from a niche IT concern to a more mainstream one. While there is no shortage of seminars, articles, and vendor solutions outlining best practices to mitigate the threats of ransomware and modern cyber extortion threats like malware based crypto-mining, there is no single solution to protect against all of these threats. If there was, wouldn’t we all be implementing it and the manufacturer be the most profitable vendor?

The fact is that there are multiple steps and best practices that can mitigate this growing problem. Rather than going out and buying the latest and greatest security solution available on the market, we would be well served to stop, listen, and master basic security hygiene. To that end, consider these five recommendations that cover all of the families of ransomware and modern cyber extortion tools. If you can do these five well, you can mitigate the vast majority of risk from these escalating attack vectors:

End User Education

The average user may not be able to tell the difference between a regular email, phishing, or spear phishing attack. They do however understand that if you click on the wrong thing, you may lose all your work and files or infect your computer. If you can translate the threat of ransomware into terms that the average user can understand and remember, then the human element of social engineering can have some definable mitigation strategy.

The vast majority of ransomware comes via phishing attacks and the training needs to cover the threat, identification of phishing emails, the hard lesson of what happens when you click on one of these emails. A simple phone call to IT can verify if the email is legitimate and we need instruct team members how to verify the source before continuing. It is not hard to do—just like looking both ways before crossing the street—but we need teach all users about safe computing practices.

Secure Backups

The worst-case scenario is you do become infected with cyber extortion-based malware. If you follow law enforcements recommendations, you should not pay the fine. So how do you recover? The answer—Secure Backups.

While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up, and most importantly, secured such that the infected assets cannot compromise the backup via mapped drives or network shares. The backup should also be tested on a periodic basis to ensure it can restore all files in an uninfected state. A common mistake that organizations make is to attempt a restoration before the ransomware infestation is cleared and the process repeats itself until the environment is truly purged of the malware.

Disable Macros

Some newer extortion-based malware are taking cues from older computer viruses that leverage Microsoft Office macros. This one isn’t easy to resolve, because many of our spreadsheets and documents depend on Macros to satisfy business requirements. For example, a recent addition to the long list of ransomware is “PowerWare”. It comes in typically through a phishing email and contains an infected Word attachment. The document contains a malicious macro which then calls a PowerShell script which carries out the payload. This email is nasty because Word and PowerShell are very common and are approved applications at almost every organization. Therefore, they represent a trusted attack vector for ransomware and can bypass most application control solutions. In newer versions of Microsoft Office, a setting drastically reduces the possibility of this happening. The setting, ‘Disable all macros except digitally signed macros’, found within the Trust Center settings will prevent a macro without a valid certificate authority from executing. This provides secure granularity to enable macros verses the ‘Disable all macros’ setting. Unfortunately, you may not be able to enable this setting since not all macros may be signed. Wherever possible, insist any vendor that provides software containing macros to sign them and establish a process internally to sign macros so this setting can be properly enabled for everyone and mitigate the threat.

Remediation

As if the thought of an Angler fish is not frightening enough, an exploit kit sharing the same name targets older versions of Flash and Silverlight. According to the Verizon Data Breach Report, 99% of attacks target known vulnerabilities. Even though this specific vulnerability has been patched, many organizations do not patch and verify third party applications regularly, let alone the operating system itself (think WannaCry or Apache vulnerabilities used in the Equifax breach).

Maintaining software to their most recent versions is nothing new, but we continue to see outdated, and sometimes years outdated, software in production environments. It is important to have a regular schedule to assess your environment for vulnerable software and have a reliable process to remediate any findings. This is security basics.

Standard User Privileges

Ransomware spreads by leveraging the users’ privileges to infect files that are within scope. If the user only has standard user rights, the only files visible are the ones they may have locally or via a network share. While the scope of this may be large, it can be much worse if the user actually has administrator privileges. Then, potentially every file visible to an administrator is in scope and therefore the entire environment is potentially susceptible to an infection.

The fact of the matter is that most cyber extortion malware requires administrator privileges just to launch and embed itself in a system. If you reduce a users’ privilege to standard user, ransomware that tries to install a persistent presence is generally thwarted because it does not have the privileges to install files, drivers, or even access the registry unless it leverages an exploit to escalate privileges. This is a sound mitigation strategy for the vast majority of malware that needs to own a system in order to begin infecting files for ransomware and cyber extortion threats.

As we see a disturbing increase in cyber extortion malware, basic cyber security hygiene is the best defense to protect your organization from becoming the next victim. Defending against an attack requires a blended approach from the removal of administrative rights to handling use cases that leverage social engineering, macros, and vulnerabilities and their corresponding exploits. To be successful, the onus is on every organization to take the necessary steps to prevent malicious software from threating the network. There is no magic button, no simple tool, nor any one strategy that can stop this escalation of threats. But if you can follow these five basic security recommendations, your organization can greatly minimize the risk of being the next victim.

- Ends -

Comments

Popular posts from this blog

Cloud Computing powering India’s priority of ‘Digital-first country’

By: Sunil Mahale, India MD and VP, Nutanix
Digital transformation has been recognized as being vital to the growth of our nation. This transformation has enjoyed the unanimous approval and contribution from all stake holders including enterprises, MSMEs, government bodies and citizens. But this level of adoption in a country with a population of over a billion people would need a robust technology base that is capable to collecting and distributing vital data seamlessly.
Digital India envisions creating high speed digital highways, that will impact commerce and create a digital footprint for every individual. Technologies based on mobility, analytics, Internet of things and most importantly, cloud technologies are the building blocks for the digital India missionThere is a growing need to manage huge volumes of data, and making them readily available to public through digital cloud services. Cloud has a pivotal role in enabling this change.
While Data centers have become crucial to th…

RevStart launches its RevItUp Incubation Programme

Underlining its vision of creating a nurturing ecosystem for start-ups to grow in, RevStart, a co-working and incubation centre, has announced the launch of its RevItUp Incubation Programme. The 12-week long programme will be held at RevStart Incubation Centre in Noida from July 1, 2018 onwards. As part of the programme, RevStart will select five high potential start-ups from the ed-tech sector, AI, Consumer Internet, Sustainability, as well as for-profit social impact companies to assist them with developing their business, along with connecting them to global mentors across industries and sectors. In addition, start-ups selected for the programme will receive INR 5 lakh to Rs. 25 lakhs worth of cash and benefits, while RevStart will get an equity stake in the ventures.
The RevItUp Incubation Programme has been created to enhance the founding team’s industry, product, and company building knowledge and capabilities through a world-class curriculum. The programme will focus on tailor…

The Workplace of the Future

By: Arnab Ghosh – Director, Synergy Property Development Services)
Workplaces are undergoing a major transformation today to stay relevant. Conventional space planning and design approach for office space are slowly but steadily changing across the globe. What was a trickle a decade back is snowballing into a movement as we speak? The nature of the work we do and the time we spend in our workplace is driving this change. 
The Social Workplace The original office in the west was originally based on the factory floor design. The Workers occupied the maximum space followed by Managers and the Senior Executives in their glass cabins. The term “productivity” also has industrial roots. There were well-defined tasks and targets for the employees to achieve in their working time. All these have changed drastically over the last few decades and going to change further in the future. The culture of organizations has to adapt to this change to stay ahead and retain talent. Productivity is no long…