Ransomware infections occur due to execution of malicious code on the computer of one of your coworkers, your own or, Heaven forbid, on a file server (in some scenarios, when people have shared folders on file servers mapped as drives, whole file servers may get encrypted by ransomware even when only one person is infected).
The code execution can happen from anything – if they open an attachment in an e-mail or just an innocent-looking link. The attachments can be PowerPoint presentations, Word or Excel documents (as detailed in this post by PhishMe) or even simple .js files hidden in .rar archives. The malicious code can hide in a binary looking like a PDF document or even in the PDF document itself.
Can you prevent your employees from opening infected Office documents or archives? Even in companies with stringent security awareness training, people tend to make exceptions for things which look really legitimate. And hackers nowadays are getting very inventive with their wording and strategies – the time of bad grammar and ugly-looking attachment images is over; these people are making millions and are hiring some of the best web designers and graphics designers, along with really good programmers, to do their bidding.
So as you can see, fighting ransomware has become a priority for any and all organisations, even hospitals (criminals don’t care).
14 steps to prevent ransomware:
There are several things you need to do right now, if you want to prevent ransomware infections:
- Make sure that you have proper backups for all documents on all file servers and make sure that these are verified. What I mean by that is: if your file servers get encrypted and you back up the encrypted files, deleting old backups and replacing them with encrypted files… well, you get my point. There are ways to regularly scan for infected files as these infected files have common signatures, so you can implement this scanning on your file servers as a detective measure. Recent particularly nasty strains of ransomware seek backup servers and encrypt them as well. Make sure the only code which can write to the backup location is the backup application itself – and make sure you have checks in place to confirm the data is intact.
- Do the same for your databases and critically valuable source code and application servers.
Backing up your data is imperative, but you should also try to test restores from time to time. This is important because if you back up data which has already been encrypted by ransomware, then it may overwrite old good backups with bad ones and your backed up data may become useless. Source code escrow is something to consider. Also, there have been cases of hackers exfiltrating databases and critical information first, before encrypting it – so they could leak it little by little and force you to pay a ransom either for decryption or keeping your information private.
- Force the backup of all documents from the workstations and laptops of critical departments and employees, and protect these backups in the same way as you protect the backups from your file servers. Do not trust people with backup software – they will forget and they will ignore all warnings to back up their files manually. Trust me, I’ve seen this, multiple times at multiple companies.
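One way to keep a backup job from replacing good copies with encrypted ones, shown as an added example that is not part of the original article: before old backups are expired, check whether documents still start with the header their extension implies and whether files from the last verified run have disappeared. The function names, the manifest format and the thresholds are assumptions made for this sketch.

```python
from pathlib import Path

# Well-known leading bytes for common document types.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}

def list_files(root):
    """Relative POSIX-style paths of every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def bad_headers(root):
    """Return (checked, suspicious): files whose first bytes do not match
    what their extension promises, as happens after in-place encryption."""
    root, checked, suspicious = Path(root), 0, []
    for rel in sorted(list_files(root)):
        magic = MAGIC.get(Path(rel).suffix.lower())
        if magic is None:
            continue
        checked += 1
        with open(root / rel, "rb") as fh:
            if fh.read(len(magic)) != magic:
                suspicious.append(rel)
    return checked, suspicious

def safe_to_rotate(root, previous_manifest, max_bad=0.05, max_missing=0.20):
    """Gate for the backup job: ok=False means keep every older backup and alert.
    previous_manifest is the set of relative paths from the last verified run;
    the thresholds are assumed starting points, tune them per share."""
    checked, suspicious = bad_headers(root)
    missing = sorted(set(previous_manifest) - list_files(root))
    bad_ratio = len(suspicious) / checked if checked else 0.0
    missing_ratio = len(missing) / len(previous_manifest) if previous_manifest else 0.0
    return {
        "ok": bad_ratio <= max_bad and missing_ratio <= max_missing,
        "suspicious": suspicious,
        "missing": missing,
    }
```

The missing-file check matters because many strains rename what they encrypt, so the original names vanish rather than fail the header test.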
- Make sure that you do NOT trust your antivirus vendor. A recent study shows that 95% of all malware arriving and infecting a machine is unique to the recipient and has never even been seen by an AV vendor. Antivirus protection is a thing of the past, relying on it is a thing of the past and the protection it offers is minimal, to say the least.
- Use an up-to-date version of Chrome instead of Internet Explorer on all your workstations, and use the proper Group Policies to configure Chrome securely (use the Chrome STIG for that purpose). If you can sandbox the browsers used by your users, even better.
- Install and enable a good ad-blocker for Chrome – such as uBlock – and make sure it is properly configured on all workstations for your region. This is critically important as many ransomware infections come from malicious advertising (malvertising). By blocking ads, you block a lot of bad code executing in your environment.
- Disable and uninstall Flash wherever and whenever possible. Use my Flash Hardening guide for the workstations where removing Flash is not an option.
- Make sure your users are not administrators on their computers. It is debilitating to know how many companies still ignore that rule and allow people to install whatever they want on their corporate computers.
- Control the execution of unknown code and binaries on your workstations. Whenever possible, use tools to alert you on execution of any unknown binary in your environment (okay, this might involve buying some security software, but it can also be done with free open source tools, although it will take more time and labor).
- Use Windows 10 and specifically Device Guard. It’s 2016, time to get rid of that Windows 7! It is old and insecure!!! If you have the time (and you should) – watch this video: https://www.youtube.com/watch?v=ZkqcIbhDH00. A really good deployment guide for Device Guard can be found here.
- If you absolutely cannot use Device Guard on Windows 10 and are locked into a Windows 7 environment, make sure to use Application Whitelisting using AppLocker or at least Software Restriction Policies.
- Install and configure EMET. Seriously, this is very important. Ransomware often exploits vulnerabilities in common plugins and software when browsing – EMET effectively prevents that and is a dead easy solution; it can be deployed to the whole enterprise in less than one day, solving not just ransomware but many other malware problems which depend on exploitation of the endpoint.
- Have a system in place to isolate any infected machine from the network. Whenever anyone calls IT or helpdesk complaining that their computer is infected or they see a message that their computer is encrypted, ask the user to immediately shut down their machine and start a company-wide search for similar indicators of compromise (usually .txt and .html files with warnings demanding ransom, etc.; you will find them on the infected machine). If applicable, it might be a good idea to fully shut down all critical machines and workstations – especially if you suspect that the whole company is affected. The faster you shut down, the more files will still be unencrypted (encryption takes time). This is a last resort step – execute it with caution and only if absolutely necessary, but have the tools and techniques in place in the event that happens. The chances are high, in 2016 and beyond.
- Be ready for the same happening on the mobile phones of regular employees and even executives. Ransomware for Android is gaining speed and velocity in infections – have some plan to back up corporate information on these devices and even control which applications can be installed and executed on corporate smartphones. Samsung Knox is a really good technology for corporate devices, Apple iOS is even better from the standpoint that no iOS device has ever been encrypted, yet.
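For the company-wide search for indicators of compromise mentioned in the isolation step above, here is an added example (not code from the original article) that sweeps a share for the typical footprint: the same small .txt or .html file, identical in name and content, dropped into many directories. The function name and the thresholds are assumptions, and legitimate duplicates such as a shared readme can also match, so treat hits as leads to review.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

NOTE_EXTS = {".txt", ".html", ".htm"}

def find_dropped_notes(root, min_dirs=3, max_size=256 * 1024):
    """Find small .txt/.html files with identical name and content that
    appear in at least min_dirs directories under root."""
    root = Path(root)
    seen = defaultdict(set)  # (file name, sha256) -> directories containing it
    for path in root.rglob("*"):
        if path.suffix.lower() not in NOTE_EXTS:
            continue
        try:
            if not path.is_file() or path.stat().st_size > max_size:
                continue
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        except OSError:
            continue  # unreadable file: skip it and keep sweeping
        rel_dir = path.parent.relative_to(root).as_posix()
        seen[(path.name.lower(), digest)].add(rel_dir)
    hits = [
        {"name": name, "sha256": digest, "dirs": sorted(dirs)}
        for (name, digest), dirs in seen.items()
        if len(dirs) >= min_dirs
    ]
    # Most widely spread file first.
    return sorted(hits, key=lambda h: (-len(h["dirs"]), h["name"]))
```

The hash of a confirmed note from the first infected machine can then be searched for on other shares and endpoints.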
Update: ransomware is also affecting websites and web servers; one of the variants of this malware is called CTB-Locker. In order to protect your web server from being compromised and encrypted, make sure your web server OS is always updated, preferably installing security updates automatically via a cron job. Make sure that your web application is updated as well with whatever patches are available for its content management system and any additional plugin / code it uses, including the so-called ‘themes’ for WordPress. A really good article explaining what CTB-Locker is can be found on The Hacker News.
It would be a great idea to use some sort of a Web Application Firewall (WAF) in front of your website, but keep in mind the really good cyber adversaries will know how to bypass a WAF. It will only (most likely) protect you from automated attacks, but that is not a small thing. Having your website checked by a reputable penetration testing company is a very good idea.
Do you need cscript/wscript?
Finally, if your workstations don’t need cscript / wscript enabled on them, disable it. Many ransomware infections begin with a user running a script from a phishing e-mail – which then downloads the second stage. There are multiple ways to achieve that; I will not get into details in this article, as it is supposed to serve as a guide, not as a detailed step-by-step instruction, which would be the length of a good book.