What can we do about the expected increase in ransomware and cyber-extortion tools?
By Morey J. Haber, Chief Technology Officer, BeyondTrust.
While there is no shortage of seminars, articles and vendor solutions outlining best practices to mitigate the threats of ransomware and modern cyber extortion threats like malware-based crypto-mining, there is no single solution that protects against all of them. If there were, wouldn’t we all be implementing it, and wouldn’t its manufacturer be the most profitable vendor?
There are multiple steps and best practices that can mitigate this growing problem; we just need to stop, listen and do them better, not necessarily go out and buy another tool. To that end, consider these five recommendations, which cover all the families of ransomware and modern cyber extortion tools. If you can do these five well, you can mitigate the vast majority of the risk from these escalating attack vectors:
- End User Education – The average user may not be able to tell the difference between a regular email, a phishing attack and a spear phishing attack. They do, however, understand that if you click on the wrong thing, you may lose all your work and files or infect your computer. If you can translate the threat of ransomware into terms the average user can understand and remember, then the human element of social engineering can have a definable mitigation strategy. The majority of ransomware arrives via phishing attacks, so the training needs to cover the threat, how to identify phishing emails, what to click on and when not to open a file. A simple phone call can verify whether an email is legitimate, and we need to instruct team members how to verify the source before continuing.
- Secure Backups – The worst-case scenario is that you do become infected with cyber extortion-based malware. If you follow law enforcement’s recommendations, you should not pay the ransom. So how do you recover? The answer is secure backups. While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up and, most importantly, secured. The backup should also be tested on a periodic basis to ensure it can restore all files in an uninfected state. A common mistake organisations make is to attempt a restoration before the ransomware infestation has been cleared, so the infection repeats itself until the environment is truly purged of the malware.
- Disable Macros – Some newer extortion-based malware is taking cues from older computer viruses that leverage Microsoft Office macros. This one isn’t easy to resolve, because many of our spreadsheets and documents depend on macros to satisfy business requirements. For example, a recent addition to the long list of ransomware is “PowerWare”. It arrives in a phishing email with an infected Word attachment. The document contains a malicious macro, which in turn calls a PowerShell script that carries out the payload. This email is nasty because Word and PowerShell are very common, approved applications at almost every organisation. They therefore represent a trusted attack vector for ransomware and can bypass most application control solutions. In newer versions of Microsoft Office, one setting drastically reduces the possibility of this happening. The setting ‘Disable all macros except digitally signed macros’, found within the Trust Centre settings, prevents any macro that is not signed with a certificate from a trusted certificate authority from executing. This gives you secure, granular control over which macros run, as opposed to the blunt ‘Disable all macros’ setting. Unfortunately, you may not be able to enable this setting, since not all of your macros may be signed. Wherever possible, insist that any vendor supplying software that contains macros signs them, and establish an internal process to sign your own macros, so this setting can be properly enabled for everyone.
- Remediation – As if the thought of an angler fish were not frightening enough, an exploit kit sharing the same name targets older versions of Flash and Silverlight. According to the Verizon Data Breach Report, 99% of attacks target known vulnerabilities. Even though these specific vulnerabilities have been patched, many organisations do not patch and verify third-party applications regularly, let alone the operating system itself (think of WannaCry, or the Apache vulnerability used in the Equifax breach). Keeping software at its most recent version is nothing new, but we continue to see outdated software in production environments. It is important to have a regular schedule for assessing your environment for vulnerable software and a reliable process to remediate any findings. This is security basics. If your organisation is not doing it well, it is an easy problem to solve, and you will see tangible threat-reduction results from it.
- Standard User Privileges – Ransomware spreads by leveraging the user’s privileges to infect files that are within its scope. If the user only has standard user rights, the only files visible are the ones they hold locally or can reach via a network share. While that scope may be large, it can be much worse if the user has administrator privileges. Then potentially every file visible to an administrator is in scope, and therefore the entire environment is susceptible to infection. The fact of the matter is that most cyber extortion malware requires administrator privileges just to launch and embed itself in a system. If you reduce a user’s privilege to standard user, ransomware that tries to install a persistent presence is generally thwarted, because it does not have the privileges to install files or drivers, or even to write to the registry, unless it leverages an exploit to escalate privileges. This is a sound mitigation strategy against the majority of malware that needs to own a system before it can begin infecting files for ransomware and cyber extortion purposes.
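One way to audit, and optionally enforce, the ‘Disable all macros except digitally signed macros’ setting from the Disable Macros recommendation above, as an added PowerShell example that is not from the article or from BeyondTrust. It assumes Office 2016 or later (registry version 16.0) and relies on the documented VBAWarnings registry value, where 3 is the ‘digitally signed only’ option and the Policies hive takes precedence over the user’s own Trust Centre choice.

```powershell
# Added example (not from the original article): audit, and optionally enforce,
# the Office "Disable all macros except digitally signed macros" setting.
# Assumes Office 2016/2019/365 (registry version "16.0"); change $OfficeVersion otherwise.
# VBAWarnings values: 1 = enable all, 2 = disable with notification (Office default),
# 3 = disable except digitally signed, 4 = disable all without notification.
param(
    [string]$OfficeVersion = "16.0",
    [switch]$Enforce   # write the policy value where the current setting is weaker than 3
)

$apps = @("Word", "Excel", "PowerPoint")
$meaning = @{
    1 = "Enable all macros (unsafe)"
    2 = "Disable with notification (user can still enable)"
    3 = "Disable all except digitally signed"
    4 = "Disable all without notification"
}

foreach ($app in $apps) {
    # Group Policy writes to the Policies hive, which overrides the user's Trust Centre choice.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

    $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

    # Effective value: policy wins; if neither is set, Office falls back to 2.
    $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
    $source    = if ($null -ne $policy) { "policy" } elseif ($null -ne $user) { "user" } else { "default" }
    # 3 is the article's recommended setting; 4 is stricter, so both count as acceptable.
    $ok        = [int]$effective -ge 3

    $state = if ($ok) { "OK" } else { "WEAK" }
    "{0,-10} VBAWarnings={1} ({2}, from {3}) {4}" -f $app, $effective, $meaning[[int]$effective], $source, $state

    if ($Enforce -and -not $ok) {
        # Set the policy value so the user cannot lower the setting from the Trust Centre.
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name VBAWarnings -Value 3 -Type DWord
        "{0,-10} policy VBAWarnings set to 3" -f $app
    }
}
```

Run it without `-Enforce` first to see the effective setting per application; rolling the policy out fleet-wide belongs in Group Policy rather than a per-user script.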
As we see a disturbing increase in cyber extortion malware, basic cyber security hygiene is the best defence against your organisation becoming the next victim. Successfully defending against an attack requires a blended approach, from the removal of administrative rights to handling the use cases that leverage social engineering, macros and vulnerabilities and their corresponding exploits. The onus is on every organisation to take the necessary steps to prevent malicious software from penetrating the network. There is no magic button, no simple tool, nor any one strategy that can stop this escalation of threats. But if you can follow these five basic security recommendations, your organisation can greatly minimise the risk of being the next victim.