‘STOP! Are you really sure you want to load this attachment? Are you certain that this link is safe?’
A prompt from your computer may be the difference between a disastrous Ransomware infection and a regular day at the office.
Right now, Ransomware is the Great White Shark of cyber-attacks, the most feared malware of all, and both corporate and home users are running scared. The latest WannaCry ransomware attack impacted more than 230,000 victims in more than 150 countries, causing agony and disruption for both corporate and home users across the globe.
But instead of worrying about an attack, what action can be taken to safely venture back into the water, and not necessarily “with a bigger boat”?
Who should be aware of the Ransomware threat?
Home User: Ransomware targeting home users has been highly active for a few years now but has escalated in recent months. Being given just hours to either pay the ransom or lose permanent access to everything on your personal computer is a stark choice (often enough to precipitate agreement to the extortion). What value would you put on all your personal documents, photos, music, etc.?
Corporate User: The stakes are even higher for a corporation, where the absolute dependency on IT systems means ransomware could threaten the very life of the business itself.
In the case of the WannaCry ransomware attack on the UK National Health Service (NHS), the threat to life was more literal: patient systems were under threat from Ransomware, leaving patient administration systems locked and forcing many trusts to divert emergency patients.
Corporate Ransomware Case Study
NHS Case Study: The NHS was the first of many to be hit by the WannaCry ransomware attack. The attack occurred on May 12 at 12:30 PM, when email servers crashed, clinical systems and patient systems were brought to a screeching halt, and a bitcoin popup window appeared across the network asking users to pay $300 to regain access to their PCs.
Hospitals across the North, East and West Midlands, and London experienced massive delays and were only able to see the sickest of patients, leaving many to postpone all non-urgent activities.
Two NHS physicians describe the attack, “As you would expect in a pandemic, the headlines were alarmist: we were reportedly locked in a race against time to protect millions of patients from a new virus of unprecedented virulence that had crippled the United Kingdom’s National Health Service (NHS) and was spreading rapidly across the country. Except in this case, the virus was not organic but digital.”
This attack should serve as a wake-up call to all health organizations that the cyber criminals are just around the corner. If an organization is running out-of-date systems, attackers will exploit those vulnerabilities to their advantage, leaving sick patients ultimately to suffer the consequences.
How does Ransomware typically attack systems?
Email – phishing, whether it be mass, spear, or of the whale variety for corporate targets, is still the most common means of initiating a Ransomware attack. The home-user ‘market’ for the extortionists lends itself to mass-emailing, but this means that the malware can just as easily end up on Corporate Workstations. Significantly, now that there has been a very public precedent of a hospital paying a ransom, expect corporate targets to be pursued more aggressively.
The first thing we need to establish is the fact that Ransomware is no different than any other form of malware in terms of its delivery means – usually, but not exclusively, via email with either malware attachments or links to infected websites. The difference – and the scary part – is how it is used to extort money from victims.
Once the malware has been invited onto a user’s computer it can then get to work, encrypting files before announcing its presence and declaring its ransom demand. The nature of its immediate demands and very tangible threat is precisely what makes it more feared than other malware. However, your line of defense and your approach to preventing Ransomware should be the same as it would be for any other Malware. Don’t be thrown by the sensationalism surrounding Ransomware – Pragmatism should always prevail.
CryptoLocker – Best avoided!
You don’t want to see this classic Ransomware operation in action: after the malware is in place, a unique encryption key is generated for each infected computer and used to encrypt data on the machine. If the ransom is not paid within the allotted time the files are lost forever.
Make sure backups are up to date and isolated from the computer, otherwise they may be encrypted too.
What should you be doing right now to prevent Ransomware?
Over and above standard firewalling and anti-virus protection, there are additional defenses that should be in place to defend against phishing, given that this is the primary delivery mechanism used. Unfortunately, phishing is, by design, notoriously tough to prevent, due to its cunning and devious methods. The malware is invited in by the recipient, typically either by opening an attachment or by activating/downloading a link, thereby largely subverting Corporate IT Security.
The best approach is therefore to harden the user workstation environment, to prevent malware activity where possible and to at least place more obstacles in the way when not. As with any hardening program, a balance must be found between strong security and operational ease of use.
The majority of exploitable vulnerabilities can be mitigated within the Workstation Operating System, and further protection can be provided using manufacturer extensions such as Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) and Windows Defender or 3rd Party AV.
Secure the Desktop and the User
But when it comes to users’ emails and their content, accurately protecting against the bad while allowing the good is beyond any technological solution. While blocking all email attachments and links would improve security, there aren’t many users that would sign up for this. A more graded approach to protecting the user is needed.
In fact, such a solution already exists for most browsers and the Microsoft Office Applications. Controlled by Group Policy, the desktop applications otherwise used to welcome in Ransomware can be fine-tuned to mitigate exploitable vulnerabilities while requiring elevated approval for other functions. This may slow the user down for certain tasks, but that additional pause for thought while the system prompts for approval elevation will ensure security hygiene is observed.
For example, MS Outlook security policy options are available to control:
- How administrator settings and user settings interact in Outlook 2013
- Outlook COM add-ins
- ActiveX and custom forms security
- Programmatic Access settings
- Settings for Attachments, Cryptography, Digital signatures, Junk email, Information Rights Management and Protected view
Similarly, fine-grained security settings are available for Excel, Word, PowerPoint and Office, all serving to mitigate vulnerabilities within the application that could be exploited by an attacker, overall bolstering Ransomware defenses.
Likewise for contemporary browsers like Chrome, Firefox and Internet Explorer, anti-phishing controls should be enabled alongside other built-in security measures that are often disabled by default.
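The Group Policy settings described above end up as values under the Office policy registry hive, so a quick way to check a workstation against your baseline is to read those values back. The following PowerShell is an added example, not code from the original article or from Microsoft: the key paths, value names and desired values are assumptions based on the Office 2016 and later (16.0) policy layout for Outlook attachments and programmatic access, Office macros, and Protected View, and should be checked against the ADMX templates for the version in your estate (Outlook 2013 lives under 15.0). It reports each setting as Compliant, NonCompliant or Missing, and with -Apply writes the expected value for test purposes; in production the same values should be shipped through a GPO.

```powershell
# Added example (not from the original article): audit, and optionally enforce, a
# handful of Office security policy values of the kind the article says Group Policy
# can control. Paths/values are assumptions for the Office 16.0 policy hive.

# Each entry: path under HKCU:\Software\Policies, value name, desired DWORD, and why.
$OfficePolicyBaseline = @(
    # Attachments: Outlook takes its security settings from Group Policy, not user tweaks.
    @{ Path='Microsoft\Office\16.0\Outlook\Security'; Name='AdminSecurityMode'; Value=3
       Why='Outlook uses Group Policy security settings rather than user settings' }
    # Programmatic access: always warn when code drives Outlook, regardless of AV state.
    @{ Path='Microsoft\Office\16.0\Outlook\Security'; Name='ObjectModelGuard'; Value=1
       Why='Always warn on programmatic access to address book and send functions' }
    # Macros: disable VBA without notification in the document-borne applications.
    @{ Path='Microsoft\Office\16.0\Word\Security';       Name='VBAWarnings'; Value=4
       Why='Block all macros in Word without notification' }
    @{ Path='Microsoft\Office\16.0\Excel\Security';      Name='VBAWarnings'; Value=4
       Why='Block all macros in Excel without notification' }
    @{ Path='Microsoft\Office\16.0\PowerPoint\Security'; Name='VBAWarnings'; Value=4
       Why='Block all macros in PowerPoint without notification' }
    # Macros in files carrying the Mark-of-the-Web (internet zone) are blocked outright.
    @{ Path='Microsoft\Office\16.0\Word\Security';  Name='blockcontentexecutionfrominternet'; Value=1
       Why='Block macros in Word files downloaded from the internet' }
    @{ Path='Microsoft\Office\16.0\Excel\Security'; Name='blockcontentexecutionfrominternet'; Value=1
       Why='Block macros in Excel files downloaded from the internet' }
    # Protected View must stay on for attachments and internet files (0 = not disabled).
    @{ Path='Microsoft\Office\16.0\Word\Security\ProtectedView'; Name='DisableAttachmentsInPV'; Value=0
       Why='Keep Protected View on for Outlook attachments' }
    @{ Path='Microsoft\Office\16.0\Word\Security\ProtectedView'; Name='DisableInternetFilesInPV'; Value=0
       Why='Keep Protected View on for files from the internet' }
)

function Test-OfficeHardening {
    [CmdletBinding()]
    param(
        [switch]$Apply,                              # write expected values instead of only reporting
        [string]$Hive = 'HKCU:\Software\Policies'    # policy hive; GPO populates this for domain users
    )
    foreach ($item in $OfficePolicyBaseline) {
        $fullPath = Join-Path $Hive $item.Path
        $current  = $null
        if (Test-Path $fullPath) {
            $current = (Get-ItemProperty -Path $fullPath -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        $status = if ($null -eq $current)          { 'Missing' }
                  elseif ($current -eq $item.Value) { 'Compliant' }
                  else                              { 'NonCompliant' }
        if ($Apply -and $status -ne 'Compliant') {
            if (-not (Test-Path $fullPath)) { New-Item -Path $fullPath -Force | Out-Null }
            New-ItemProperty -Path $fullPath -Name $item.Name -PropertyType DWord -Value $item.Value -Force | Out-Null
            $status = 'Remediated'
        }
        [pscustomobject]@{
            Setting  = "$($item.Path)\$($item.Name)"
            Expected = $item.Value
            Actual   = $current
            Status   = $status
            Purpose  = $item.Why
        }
    }
}

# Usage: report first; uncomment the second line to enforce on a test workstation.
Test-OfficeHardening | Format-Table Status, Setting, Expected, Actual -AutoSize
# Test-OfficeHardening -Apply | Format-Table Status, Setting -AutoSize
```

Run the report across the estate (for example through a remoting session or as a logon script that writes its output to a share) and the Missing and NonCompliant rows are the gap between the policy you think you have deployed and what the workstation actually enforces.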
Key Questions Regarding Desktop Application Hardening
- Which settings need to be set and which are optional?
- What are the implications in terms of user experience and application function if security settings are enabled?
- How do you actually apply the necessary secure configuration, and how do you do it in bulk for your entire IT estate?
Help is at Hand: 5 Steps to Mitigate the Ransomware Threat
- Hardening Homework: While organizations like The Center for Internet Security (CIS), NIST and the National Vulnerability Database provide system hardening guidance, you’ll still need to work out what is right for your users.
- Leverage Automation: Most scanners and File Integrity Monitoring solutions will provide fast, automated reports to establish where vulnerabilities exist, while the best options will also provide remediation advice, or better still, Group Policy or Puppet templates to automatically apply a hardened configuration to Workstations and their Applications.
- Change Control: You’ll also need to make sure that patching is up to date as a further means of closing off exploitable vulnerabilities, but think about getting more structured. Change control is a key security best practice that, when done right, makes a cyber-attack much easier to detect and head off before lasting damage is done.
- Ransomware: If you can’t stop it, make sure you can spot it. There still is no such thing as 100% security, so while your emphasis will be on prevention, accept that detection of a breach is going to be a necessary contingency. This is where FIM and SIEM systems also enhance security, by analyzing system activity for signs of suspicious behavior.
- Rip it up and start again: And if you do fall victim to Ransomware, think how grateful you will be when you can simply scrap a Desktop, re-image it and recover all data, all in its usable, non-encrypted state. It goes without saying that backups are critical, but make sure the restore process works by testing regularly.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
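The “spot it” step above rests on what a FIM or SIEM sees while files are being encrypted: a user’s workstation suddenly renames many files to a new extension in a short window, and the same ransom-note file name appears in directory after directory. The following PowerShell is an added example, not code from the original article or from any FIM product: the log line format and every event in $SampleFimEvents are constructed for this illustration (the .locked extension and HOW_TO_RECOVER.txt name are placeholders, not indicators from any real campaign), and a real agent feed would need its own parser in place of ConvertFrom-FimLine. The detector applies two rules, a rename burst per host and user within a sliding window and a note drop across several directories, and emits one alert object per rule so that normal activity such as a single rename by another user produces nothing.

```powershell
# Added example (not from the original article): detect ransomware-like file activity
# in FIM-style change events. Log format and all sample lines are constructed.

$SampleFimEvents = @'
2017-05-12T12:29:40Z ws-0142 alice MODIFY C:\Users\alice\Documents\minutes.docx
2017-05-12T12:30:01Z ws-0142 alice RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.locked
2017-05-12T12:30:02Z ws-0142 alice RENAME C:\Users\alice\Documents\minutes.docx -> C:\Users\alice\Documents\minutes.docx.locked
2017-05-12T12:30:02Z ws-0142 alice RENAME C:\Users\alice\Pictures\holiday.jpg -> C:\Users\alice\Pictures\holiday.jpg.locked
2017-05-12T12:30:03Z ws-0142 alice RENAME C:\Users\alice\Music\track01.mp3 -> C:\Users\alice\Music\track01.mp3.locked
2017-05-12T12:30:03Z ws-0142 alice RENAME C:\Users\alice\Desktop\notes.txt -> C:\Users\alice\Desktop\notes.txt.locked
2017-05-12T12:30:04Z ws-0142 alice CREATE C:\Users\alice\Documents\HOW_TO_RECOVER.txt
2017-05-12T12:30:04Z ws-0142 alice CREATE C:\Users\alice\Pictures\HOW_TO_RECOVER.txt
2017-05-12T12:30:05Z ws-0142 alice CREATE C:\Users\alice\Music\HOW_TO_RECOVER.txt
2017-05-12T12:31:10Z ws-0077 bob RENAME C:\Users\bob\Documents\draft_v1.docx -> C:\Users\bob\Documents\draft_final.docx
2017-05-12T12:35:00Z ws-0077 bob MODIFY C:\Users\bob\Documents\draft_final.docx
'@

# Path helpers that work on both separators, so the example runs on any PowerShell host.
function Get-FileNamePart([string]$p) { ($p -split '[\\/]')[-1] }
function Get-DirPart([string]$p)      { $p -replace '[\\/][^\\/]*$', '' }
function Get-ExtPart([string]$p)      { if ((Get-FileNamePart $p) -match '(\.[^.]+)$') { $Matches[1] } else { '' } }

function ConvertFrom-FimLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Constructed format: <timestamp> <host> <user> <action> <path> [-> <newpath>]
        $m = [regex]::Match($line, '^(\S+)\s+(\S+)\s+(\S+)\s+(CREATE|MODIFY|RENAME|DELETE)\s+(.+?)(?:\s+->\s+(.+))?$')
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            Time    = [datetimeoffset]::Parse($m.Groups[1].Value, [cultureinfo]::InvariantCulture)
            Host    = $m.Groups[2].Value
            User    = $m.Groups[3].Value
            Action  = $m.Groups[4].Value
            Path    = $m.Groups[5].Value
            NewPath = if ($m.Groups[6].Success) { $m.Groups[6].Value } else { $null }
        }
    }
}

function Find-RansomwareActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$RenameThreshold  = 5,    # extension-changing renames within the window
        [int]$WindowSeconds    = 60,
        [int]$NoteDirThreshold = 3     # same file name created in this many directories
    )
    # Rule 1: burst of renames that change the file extension, per host and user.
    $renames = $Events | Where-Object {
        $_.Action -eq 'RENAME' -and $_.NewPath -and (Get-ExtPart $_.Path) -ne (Get-ExtPart $_.NewPath)
    }
    foreach ($group in ($renames | Group-Object Host, User)) {
        $sorted = @($group.Group | Sort-Object Time)
        $j = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Advance $j to the first event outside the window that starts at event $i.
            while ($j -lt $sorted.Count -and ($sorted[$j].Time - $sorted[$i].Time).TotalSeconds -le $WindowSeconds) { $j++ }
            $count = $j - $i
            if ($count -ge $RenameThreshold) {
                $exts = @($sorted[$i..($j - 1)] | ForEach-Object { Get-ExtPart $_.NewPath } |
                          Group-Object | Sort-Object Count -Descending)
                [pscustomobject]@{
                    Rule = 'RenameBurst'; Host = $sorted[$i].Host; User = $sorted[$i].User
                    WindowStart = $sorted[$i].Time; Count = $count
                    Detail = "$count files renamed in ${WindowSeconds}s; most common new extension $($exts[0].Name) ($($exts[0].Count)x)"
                }
                break   # one alert per host/user is enough for triage
            }
        }
    }
    # Rule 2: the same file name created in many directories (ransom-note drop).
    $creates = $Events | Where-Object { $_.Action -eq 'CREATE' }
    foreach ($g in ($creates | Group-Object Host, User, { Get-FileNamePart $_.Path })) {
        $dirs = @($g.Group | ForEach-Object { Get-DirPart $_.Path } | Sort-Object -Unique)
        if ($dirs.Count -ge $NoteDirThreshold) {
            $first = $g.Group | Sort-Object Time | Select-Object -First 1
            [pscustomobject]@{
                Rule = 'NoteDrop'; Host = $first.Host; User = $first.User
                WindowStart = $first.Time; Count = $dirs.Count
                Detail = "'$(Get-FileNamePart $first.Path)' created in $($dirs.Count) directories"
            }
        }
    }
}

# Usage: alice's workstation triggers both rules; bob's ordinary rename triggers neither.
$events = ConvertFrom-FimLine ($SampleFimEvents -split "`r?`n")
Find-RansomwareActivity -Events $events | Format-Table Rule, Host, User, Count, Detail -AutoSize
```

The thresholds are deliberately low so the constructed sample trips them; against a real feed they should be tuned from a baseline of normal activity (build and save-as operations rename files too), and the alert objects are what you would forward to the SIEM or use to trigger isolation of the host before the encryption run reaches mapped drives and the backups the next step depends on.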