‘Are you really sure you want to load this attachment? Are you certain that this link is safe?’ A prompt from your computer may be the difference between a disastrous Ransomware infection and a regular day at the office. Ransomware is the Great White Shark of cyber-attacks, the most feared malware of all, and both corporate and home users are running scared. And rightly so. Anyone who has had experience with Ransomware, will attest to the agony and disruption. But instead of worrying about an attack, what action can be taken to safely venture back into the water and not necessarily “with a bigger boat”? writes NNT’s CTO, Mark Kedgley.
Who should be aware?
Home user: The home-user community for ransomware has been highly active for a few years now but has escalated in recent months. Being given just hours to either pay the ransom or lose permanent access to everything on your personal computer is a stark choice (often enough to precipitate agreement to the extortion). What value would you put on all your personal documents, photos, music, etc?
Corporate user: The stakes are even higher for a corporation, where the absolute dependency on IT systems means ransomware could threaten the very life of the business itself. In the case of the LA Presbyterian Hospital, this threat to life was more literal, in that patient systems were under threat from Ransomware – the hospital paid the equivalent of $17,000 dollars in BitCoin as the “quickest and most efficient way to restore our systems and administrative functions”; and just like that a dangerous precedent was set! More details later.
How does Ransomware typically attack systems?
Email – phishing, be it the mass, spear or now whale variety for corporate targets – is still the most common means of invoking a Ransomware attack. The home-user ‘market’ for the extortionists lends itself to mass-emailing, but this means that the malware can just as easily end up on Corporate Workstations. Significantly, now that there has been a very public precedent of a hospital paying a ransom, expect to see greater targeting of corporate targets.
The first thing we need to establish is the fact that Ransomware is no different than any other form of malware in terms of its delivery means – usually, but not exclusively, via email with either malware attachments or links to infected websites. The difference – and the scary part – is how it is used to extort money from victims. Once the malware has been invited onto a user’s computer it can then get to work, encrypting files before announcing its presence and declaring its ransom demand. The nature of its immediate demands and very tangible threat is precisely what makes it more feared than other malware. However, your line of defense and your approach to preventing Ransomware should be the same as it would be for any other Malware. Don’t be thrown by the sensationalism surrounding Ransomware. Pragmatism should always prevail.
Corporate case study
LA Presbyterian Med Center Case Study: The fact that this was a relatively quick and easy ‘Hack for Cash’ is driving this predicted trend. The LA Presbyterian Medical Center attack speaks to both the targeting of Healthcare as well as the increase in Ransomware. The assault on Hollywood Presbyterian occurred Feb. 5, when hackers using malware infected the institution’s computers, preventing hospital staff from being able to communicate from those devices, said Chief Executive Allen Stefanek. The hacker demanded 40 bitcoin, the equivalent of about $17,000, he said.
“The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.” The hospital said it alerted authorities and was able to regain control of all its computer systems by Monday, with the assistance of technology experts. Phil Lieberman, a cybersecurity expert, said that, while ransomware attacks are common, targeting a medical institution is not.
“I have never heard of this kind of attack trying to shut down a hospital. This puts lives at risk, and it is sickening to see such an act,” he said. “Health management systems are beginning to tighten their security.”
CryptoLocker
You don’t want to see this Classic Ransomware operation – after the malware is in place, a unique encryption key is generated for each computer infected and is used to encrypt data on the machine. If the ransom is not paid within the allotted time the files are lost forever.
Make sure backups are up to date and isolated from the computer, otherwise they may be encrypted too.
What should you be doing right now to prevent Ransomware?
Over and above standard firewalling and anti-virus protection, there are additional defenses that should be in place to defend against phishing, given that this is the primary delivery mechanism used. Unfortunately, phishing is, by design, notoriously tough to prevent, due to its cunning and devious methods. The malware is invited in by the recipient, typically either by opening an attachment or by activating/ downloading a link, thereby largely subverting Corporate IT Security. The best approach is to therefore harden the user workstation environment, to prevent malware activity where possible and to at least place more obstacles in the way when not. As with any hardening program, a balance must be found between strong security and operational ease of use. The majority of exploitable vulnerabilities can be mitigated within the Workstation Operating System, and further protection can be provided using manufacturer extensions such as Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) and Windows Defender or third Party AV [anti-virus].
Secure desktop and user
But when it comes to users’ emails and their content, accurately protecting against the bad while allowing the good is beyond any technological solution. While blocking all email attachments and links would improve security, there aren’t many users that would sign up for this. A more graded approach to protecting the user is needed. And in fact this solution already exists for most browsers and the Microsoft Office Applications. Controlled by Group Policy, the desktop applications otherwise used to welcome in Ransomware can be fine-tuned to mitigate exploitable vulnerabilities while requiring elevated approval for other functions – this may slow the user down for certain tasks, but that additional pause for thought while the system prompts for approval elevation will ensure security hygiene is observed.
For example, MS Outlook security policy options are available to control:
•How administrator settings and user settings interact in Outlook 2013
•Outlook COM add-ins
•ActiveX and custom forms security
•Programmatic Access settings
•Settings for Attachments, Cryptography, Digital signatures, Junk email, Information Rights Management and Protected view.
Similarly, fine grain security settings are available for Excel, Word, PowerPoint and Office, all serving to mitigate vulnerabilities within the application that could be exploited by an attacker, overall bolstering Ransomware defenses. Likewise for contemporary browsers like Chrome, Firefox and Internet Explorer, antiphishing controls should be enabled alongside other built-in security measures that are often disabled by default.
Questions
•Which settings need to be set and which are optional?
•What are the implications in terms of user experience and application function if security settings are enabled?
•How do you actually apply the necessary secure configuration, and how do you do it in bulk for your entire IT estate?
Five steps to mitigate
1.Hardening Homework: While organizations like The Center for Internet Security (CIS), NIST and the National Vulnerability Database provide system hardening guidance, you’ll still need to work out what is right for your users
2.Leverage Automation: Most scanners and FIM solutions will provide fast, automated reports to establish where vulnerabilities exist, while the best options will also provide remediation advice, or better still, Group Policy or Puppet templates to automatically apply a hardened configuration to Workstations and their Applications.
3.Change Control: You’ll also need to make sure that patching is up to date as a further means of closing of exploitable vulnerabilities, but think about getting more structured. Change control is a key security best practice when done right, makes a cyber attack much easier to detect and head-off before lasting damage is done
4.Ransomware: If you can’t stop, make sure you can spot it. There still is no such thing as 100% security, so while your emphasis will be on prevention, accept that detection of a breach is going to be a necessary contingency. This is where FIM and SIEM systems also enhance security, by analyzing system activity for signs of suspicious behavior.
5.Rip it up and start again: And if you do fall victim to Ransomware, think how grateful you will be when you can simply scrap a Desktop, re-image it and recover all data, all in its useable, non-encrypted state. Goes without saying that backups are critical, but make sure the restore process works by testing regularly.
