Free Report
Rooting Out Ransomware
By Kevin Beaver, IANS Faculty
Hiding in everything from email, malicious Office files, website ads and more, ransomware is fast becoming a real threat for many businesses. The good news is that preventing ransomware attacks does not have to be that difficult or expensive. Proven network and security tools, as well as philosophies regarding security, make up the essential elements of a ransomware-free network environment. It’s simply a matter of acknowledging the problem, vowing to do something about it and remaining vigilant moving forward.
In this report, we examine ransomware’s latest vectors and offer concrete steps for rooting it out before it brings your business to a halt.
Ransomware — Something’s Gotta Give
It seems that if it weren’t for ransomware, information security would be almost a non-issue these days. Ruling the headlines and discussions in IT/security circles, this form of pay-up-or-lose-your-data malware is impacting all of us in one form or another. In fact, the FBI estimates that ransomware will be a $1 billion industry in 2016.
How Ransomware Works
Ransomware infections are brought about by infected email attachments or malicious web links that are opened/clicked. Once the user action takes place, the common next step is for an exploit kit to run that will enumerate the local system to see which vulnerabilities (often third-party software) can be exploited. A targeted exploit is then run on the machine, often contacting a remote command server for an encryption key. It then proceeds to encrypt files on the local system, and sometimes the entire drive. If the ransomware is smart enough, it will enumerate network shares and proceed to encrypt those as well.
How Ransomware Spreads
According to the 2016 Verizon Data Breach Investigations Report (DBIR), ransomware saw the biggest increase in top malware varieties (for more on the DBIR, see Podcast: Kevin Beaver on DBIR Strengths, Shortcomings and Action Items). It appears to be in its prime with various attack vectors including:
- Word document macros
- PDF files
- Remote server exploits
Ransomware infections are typically carried out through email attachments and links to infected websites — no different from much of the malware we’ve grown accustomed to. However, ransomware is also expanding its horizons by infecting vulnerable servers, obtaining remote access and then spreading the malware internally (as in the case of the recently discovered SamSam ransomware).
The interesting thing is that ransomware has actually been around for a few decades, but it’s only now getting widespread attention, presumably because infections have become so common. And it’s not just affecting Windows-based systems. It’s also bleeding over into Mac OS X, which is growing in popularity in the enterprise.
The criminals behind ransomware are becoming more savvy as well. Instead of writing the code, distributing the ransomware and collecting the money, these people are now simply writing the code and letting others distribute it, while they get a cut of the proceeds in return. Capitalism at its worst!
But why are more organizations getting hit with this type of malware? What has changed in the enterprise that is facilitating these attacks? Are there things that could be done better to minimize the likelihood and impact of a ransomware attack?
Oddly enough, there’s really nothing new going on here. Given the human, business and technical complexities involved, there is a ton of room for security improvement in the average organization. Whether your business is a brand-new startup, an established mid-market enterprise or a large corporation or government agency with a strong information security program, odds are good that you’re failing to defend against ransomware because you haven’t yet mastered the fundamentals.
How to Get Your Arms Around Ransomware
So how do you prevent ransomware infections on your network? The formula is not all that complicated. First, you need to stop treating ransomware as a unique problem in and of itself. Like most other security challenges, there is an asset, a vulnerability (or set of vulnerabilities) and threats looking to take advantage. Rather than something new and mysterious, ransomware is a lot like traditional malware, or perhaps a known vulnerability on your endpoints or on the part of your users that needs to be addressed.
You cannot control the attack vectors of ransomware, but you can control the response. It’s going to go one of two ways:
- The attack is detected and blocked.
- The attack works its way through and successfully infects your environment, encrypting critical data along the way.
The most important thing you can do is to set your users up for success by minimizing their involvement in the security choices being made. We’ve been telling users not to click links and open attachments since the beginning of networked computing. How’s that working for us? There is certainly a user component in the ransomware risk mitigation equation, and I will get to that in a bit. However, there are some core security controls that must be mastered before any fingers can be pointed to user error.
- Take an inventory. Do you even know what systems are on your network? Based on conversations I’ve had with clients and colleagues, a current network asset inventory is a rarity. However, it’s a great ransomware risk mitigation starting point because you cannot secure the things that you don’t acknowledge.
- Disable Office macros. Do not allow the running of macros unless they’re digitally signed as outlined in this Microsoft document.
- Whitelist executable files. Allowing only known-good files to execute on the local system can be done via Microsoft AppLocker or via third-party commercial tools such as Carbon Black. The process, while sometimes complicated, can be extremely valuable long term.
- Run proven malware protection. I say proven because many people simply go through the motions of running traditional antivirus software that is often incapable of handling today’s advanced malware. Good malware protection must be enforced across the board, not only on workstations, but also on servers and, to the greatest extent possible, tablets and phones. Related tools include:
- Patch your software. Rather than chasing down malware prevention perfection, one of the best ways to go about minimizing your risks to ransomware is to eliminate the vulnerabilities in the first place. Patching both the operating system as well as any running applications — especially third-party software such as Java and Adobe products — is critical. Yet, the majority of networks I see are completely exposed in this area, especially as it relates to third-party software patches.
- Eliminate local admin rights. It’s virtually impossible to do this across the board. However, eliminating local admin rights where practical can go a long way toward holding off any threats that do get through.
- Back up your data. I have been involved in several ransomware incidents where no backups existed. Poof! The data was gone in an instant — never to be retrieved. In many situations, users assume that IT is making backups. I’ve also seen just the opposite, where IT tells users to back up their own data and assumes they are, but there are no checks in place and nothing gets done.
- Test for vulnerabilities. Both external and internal vulnerability assessments and penetration tests can provide good insight into vulnerabilities that might facilitate ransomware. Not only do you want to look at your endpoints, but you also want to look at your web presence, especially WordPress-based websites that are susceptible to infection and exploitation if they are not properly maintained.
- Educate and test your users. The last layer of protection is your users. Don’t just throw policies at them and then assume everyone is on board and will abide. Instead, explain why your policies are important — in terms they understand. Give them an incentive. Otherwise, they’ll remain unmotivated. A great exercise most organizations completely overlook is email phishing. Whether you use an enterprise tool such as LUCY, a security education platform such as Wombat or just send out some basic emails from your own workstation, email phishing is a real eye-opener that commands the attention of users and executive management alike.
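The following PowerShell script is an added example, not part of the IANS report, that audits two of the endpoint controls in the list above: whether Office is set to run only digitally signed macros, and whether the effective AppLocker whitelist would actually stop executables dropped into a user-writable folder. It assumes an Office 2016-or-later install (registry hive "16.0"), the Microsoft policy values VBAWarnings and BlockContentExecutionFromInternet, that the AppLocker module is available on the machine, and that the user's Downloads folder is a reasonable stand-in for where mailed attachments end up; the function names are the example's own.

```powershell
# Added example (not from the report): audit Office macro policy and AppLocker coverage.
# Assumptions: Office 2016+ (hive 16.0), AppLocker module present, run as the user
# whose effective policy you want to inspect.

#Requires -Version 5.1

function Get-OfficeMacroPolicy {
    <#
      Reports the effective VBA macro setting for each Office application.
      VBAWarnings (Microsoft policy value):
        1 = enable all macros
        2 = disable with notification (Office default when nothing is set)
        3 = disable all except digitally signed macros
        4 = disable all without notification
      BlockContentExecutionFromInternet = 1 blocks macros in files marked as downloaded.
    #>
    param([string]$OfficeVersion = '16.0')   # assumption: Office 2016 or later

    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # A GPO-delivered policy key overrides the user's own preference key
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $prefKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

        $vba = $null; $block = $null
        foreach ($key in @($policyKey, $prefKey)) {
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($null -eq $vba   -and $null -ne $props.VBAWarnings) { $vba = $props.VBAWarnings }
                if ($null -eq $block -and $null -ne $props.BlockContentExecutionFromInternet) {
                    $block = $props.BlockContentExecutionFromInternet
                }
            }
        }
        if ($null -eq $vba) { $vba = 2 }   # nothing configured: Office default applies

        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $vba
            SignedMacrosOnly     = ($vba -ge 3)
            BlocksInternetMacros = ($block -eq 1)
            Compliant            = ($vba -ge 3) -and ($block -eq 1)
        }
    }
}

function Test-WhitelistCoverage {
    <#
      Runs the effective AppLocker policy against the files in a user-writable directory.
      "Denied" / "DeniedByDefault" means the whitelist would stop the file; "Allowed" for
      something sitting in Downloads is a gap worth explaining with MatchingRule.
    #>
    param(
        [string]$Directory = "$env:USERPROFILE\Downloads",   # assumption: where attachments land
        [string]$User      = "$env:USERDOMAIN\$env:USERNAME"
    )
    Import-Module AppLocker -ErrorAction Stop

    $policyXml = Get-AppLockerPolicy -Effective -Xml
    if (-not $policyXml) { throw 'No effective AppLocker policy found on this machine.' }

    # Test-AppLockerPolicy wants the policy as a file, so persist the effective XML
    $policyPath = Join-Path $env:TEMP 'effective-applocker.xml'
    $policyXml | Set-Content -Path $policyPath -Encoding Unicode

    Get-ChildItem -Path $Directory -Include *.exe, *.dll, *.ps1, *.vbs, *.js -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName |
        Test-AppLockerPolicy -XmlPolicy $policyPath -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage: run both audits and review anything that is not Compliant / Denied
Get-OfficeMacroPolicy   | Format-Table -AutoSize
Test-WhitelistCoverage  | Format-Table -AutoSize
```

The macro audit reads the policy hive first because a GPO setting silently wins over whatever the user chose in the Trust Center; reporting both columns makes it obvious when a machine is missing the GPO entirely. The AppLocker check deliberately uses the effective policy rather than a local one, so what it reports is what the user would actually experience after a double-click.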
Stomping out Future Advanced Malware Threats
There’s no conceivable way to control all user behaviors and all possible malware infections. That’s why it pays to have a fallback plan. By that I mean a formally documented set of incident response procedures that all of the key information security players (including management, legal and public relations) are privy to and involved with on an ongoing basis. Your plan might even outline specific steps that are to be taken once a ransomware infection is discovered, including whether to pay the ransom itself. (I wouldn’t recommend that choice because it only serves to perpetuate the problem.)
Regardless of an organization’s level of security maturity, it’s rare for me to see a formal incident response plan at a corporate level or even within specific business units. You cannot secure what you don’t acknowledge, but just as importantly, you cannot adequately respond without adequate preparation. Rather than relying on backups or written policies, you need to focus instead on preventing the ransomware from ever reaching your end users and executing on your endpoints. That should be your overarching goal.
Don’t Reinvent the Wheel
We don’t need new compliance laws and regulations to make ransomware more illegal than it already is. We don’t need new approaches to fight ransomware either. What we need is discipline. IT and security professionals are defined by the value they bring to their employers or their customers. This does not mean reinventing the wheel just to address ransomware. It might be fun, cool and sexy to implement new security controls aimed at ransomware, but it does no one any good in the long term. Fully functioning information security programs are already addressing — and preventing — ransomware by virtue of the fact that they are putting proven principles to work little by little, day after day.
- Know what you’ve got.
- Understand how it’s at risk.
- Do something about it.
The main reason many IT shops and information security programs have trouble with ransomware is because they are deficient in one or more of these areas. Odds are good that you know where you’re weak and what needs to be improved. The hard part is communicating that message to the proper stakeholders, putting the right systems in place and then making it stick.
It all boils down to whether or not security is a priority in your organization. If it is, you’ll make it work. If it’s not, you’ll continue to struggle — and get hit. You have to decide which approach you want to take. Good management equals good philosophy which, in turn, equals good security — time and again.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.