Raj Samani
After slowing slightly in mid-2015, ransomware has overall regained its rapid growth rate. According to the June 2016 McAfee Labs Threats Report, total ransomware grew 116% year-over-year for the period ending March 31.
Total ransomware rose 26% from Q4 2015 to Q1 2016 as lucrative returns continued to draw relatively low-skilled criminals. An October 2015 Cyber Threat Alliance analysis of the CryptoWall V3 ransomware hinted at the financial scale of such campaigns. The researchers linked just one campaign’s operations to $325 million in victims’ ransom payments.
This spurt in ransomware attacks can be attributed to three key drivers. The first is the syndication of the activity into ransomware as a service, with revenue-sharing offers to the operatives who deliver it to the targeted recipients. The second is the development of polymorphism in ransomware, which gives each attack a unique threat signature. The third is the increasing sophistication of the malware itself, which widens the scope of the damage.
As organizations in KSA become a target for ransomware attacks, it is incumbent on the C-suite to take action and ensure that their data and organizations are not held to ransom.
Remediation Strategies for Each Stage
Ransomware attacks occur in five stages — distribution, infection, communication, encryption and demand. So it is only logical that there should be prevention and remediation strategies for each of these stages.
Distribution Stage
Build a “human firewall”: The biggest threat is users who let ransomware onto their endpoints; people are the weakest link. Organizations need to make sure that all employees, from the CEO down, understand both how ransomware works and the ramifications of an attack.
Stop ransomware before the endpoint: The most proactive method of protecting a network from a ransomware attack (other than the human firewall) is to keep ransomware from reaching the endpoint in the first place. Consider a web-filtering technology.
Apply all current operating system and application patches: Many ransomware strategies take advantage of vulnerabilities in the operating system or in applications to infect an endpoint. Having the latest operating system and application versions and patches will reduce the attack surface to a minimum.
Spam filtering and web gateway filtering: Again, the ideal approach is to keep ransomware off the network and the endpoint. Spam filtering and web gateway filtering are great ways to stop ransomware that tries to reach the endpoint through malicious IPs, URLs, and email spam.
Allow only whitelisted items to execute: Use an “application control” method that offers centrally administered whitelisting to block unauthorized executables on servers, corporate desktops, and fixed-function devices, thus dramatically reducing the attack surface for most ransomware.
Limit privileges for unknown processes: This can be done easily by writing rules for host intrusion prevention systems or access protection rules.
Infection Stage
Don’t turn on macros unless you know what’s happening: In general, do not enable macros in documents received via email. Note that Microsoft Office turns off auto-execution of macros for Office documents by default. Office macros are a popular way for ransomware to infect your machine, so if a document “asks” you to enable macros, don’t do it.
Make yourself “weaker” when working: Don’t give yourself more login power than you need. If you allow yourself administrator rights during normal usage, consider restricting this. Surfing the web, opening applications and documents, and generally doing a lot of work while logged in with administrative rights is very dangerous. If you are hit with malware while logged in with fewer rights, the malware also executes with fewer rights, which limits the threat’s attack surface.
Use access protection rules on software installs: Write access control rules against targeted file extensions that deny writes by unapproved applications. This complements host intrusion prevention system rules with a similar strategy.
Use sandboxing for suspicious processes: If a process is flagged as suspicious (due to low age and prevalence, for example), that process should be sent to a security sandboxing appliance for further study.
Block “unapproved” processes from changing files: Block these by writing rules for host intrusion prevention systems or access protection.
Communication Stage
Firewall rules can block known malicious domains: Writing rules to block malicious domains is a standard capability of network firewalls.
Proxy/gateway scanner signatures for known traffic: For those with proxy and gateway appliances, these technologies can be configured to scan for known ransomware control server traffic and block it. Most ransomware cannot continue operations if it cannot retrieve the public encryption key needed for asymmetric encryption.
Encryption Stage
Back up and restore files locally: By creating a storage volume and running archival, differential file backups to that volume, remediation is as simple as removing the ransomware, rolling back to a backup point from before the ransomware affected the files, and restoring all the affected files. Network administrators can do this today, either with external storage volumes and a good archival backup utility or by partitioning a local drive and running the backup utility against that partition.
Limit shared file activities: Many ransomware variants will look for access to files on storage other than the boot volume — such as file servers, additional volumes, etc. — and will encrypt everything they can find to inflict maximum damage. Consider limiting operations allowed on shared volumes.
Ransom Demand Stage
Restore from backup, keep a recent backup offsite and “air gapped”: Store a set of multiple, complete backups and assume an attack will happen. An “air-gapped” backup is not connected to the computer or the network anywhere. (For an individual this could mean backing up to an external hard drive. When the backup is done, unplug the drive and keep it in a drawer, away from any computers. That way ransomware cannot detect the backup and damage it.) Consider using a “bare metal backup” utility, which not only backs up your user files but also lets you erase all storage volumes (in case the machine is stolen) and get back to a usable state with all your applications and data restored.
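As an added illustration of the backup-and-restore advice in the Encryption and Ransom Demand stages (example code written for this page, not a tool from Intel Security or the author), here is a minimal content-addressed differential backup with point-in-time restore. It assumes the store path lives on a volume the endpoint cannot write to during normal use, such as the unplugged external drive described above; the function and label names are this example's own.

```python
import hashlib, json, os, shutil, time

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def backup(src, store, label=None):
    """Differential backup: copy only file contents not already in the store.
    Blobs are content-addressed by SHA-256, so unchanged files cost nothing on
    later runs. Each run writes a manifest (relative path -> hash) named by
    `label` (default: nanosecond timestamp). Returns (label, new blobs copied)."""
    blobs = os.path.join(store, "blobs")
    os.makedirs(blobs, exist_ok=True)
    manifest, copied = {}, 0
    for root, _, files in os.walk(src):
        for name in files:
            path = os.path.join(root, name)
            digest = _sha256(path)
            blob = os.path.join(blobs, digest)
            if not os.path.exists(blob):       # only new/changed content is copied
                shutil.copy2(path, blob)
                copied += 1
            manifest[os.path.relpath(path, src)] = digest
    label = label or str(time.time_ns())
    with open(os.path.join(store, label + ".json"), "w") as f:
        json.dump(manifest, f)
    return label, copied

def snapshots(store):
    """Manifest labels in the store, oldest first (labels sort as written)."""
    return sorted(n[:-5] for n in os.listdir(store) if n.endswith(".json"))

def restore(store, dest, label):
    """Rebuild `dest` exactly as recorded in manifest `label`. Files written after
    that point (encrypted copies, ransom notes) are absent because the older
    manifest never listed them. Returns the number of files restored."""
    with open(os.path.join(store, label + ".json")) as f:
        manifest = json.load(f)
    if os.path.exists(dest):
        shutil.rmtree(dest)
    for rel, digest in manifest.items():
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(store, "blobs", digest), target)
    return len(manifest)
```

Choosing the last label from `snapshots()` written before the first encrypted file appeared is the "go back in time" step; a later manifest would faithfully restore the encrypted copies instead.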
Ensuring your organization’s precious data is not ripe for the taking is a daunting task, especially with the steady rise of ransomware as an attack vector. By adopting a planned approach involving both end users and IT administrators, and implementing integrated security solutions that protect, detect and correct, businesses in KSA can avoid the unplanned downtimes and losses associated with such malware attacks.
— The writer is VP & CTO, EMEA, Intel Security