A Blue Team's reference guide to dealing with Ransomware

Steve Ragan | March 22, 2016
Ransomware is a known threat to IT/InfoSec, but sometimes it's good to be reminded of the defenses that can be marshaled against it


Ransomware has been around since 2013, but it was the success of CryptoLocker that spawned a booming vertical market for criminals.

The effect of Ransomware has been felt by organizations both large and small, each of them well aware of the risks associated with this type of malware. Some even had what they assumed were solid defenses against this type of attack, but their assumptions were wrong.

Most Ransomware victims have a shared connection - they lacked some essential security basics, and that's what this article will address.

Daniel Tharp, a government IT manager in New Mexico, recently published a blog post on Ransomware that's worth further examination.

In it, he addresses the topic of Ransomware as something that's here to stay and hammers home some essential practices that administrators can use to help defend their networks and users from the threat.

"The trouble with ransomware right now is that it behaves like a standard application. It doesn't require local administrator privileges, it doesn't care if UAC is on, and most of them make use of the standard Windows API for encryption, which you can't disable without really messing up a workstation. So if we can't control the behaviors, we have to make do for controlling the vectors," Tharp said in an interview with Salted Hash.

For example, there's a great Office ADMX template for disabling macros. The template kills the non-executable variants of Ransomware that are starting to gain in popularity among criminals. One of the reasons such variants exist is because they load directly into RAM and bypass most restriction policies.

Tharp's post lists a number of other protective steps; we've reproduced a few of them below.

  • Avoid mapping your drives and hide your network shares. WNetOpenEnum() will not enumerate hidden shares. This is as simple as appending a $ to your share name.

  • Work from the principle of least permission. Very few organizations need a share whereby the Everyone group has Full Control. Delegate write access only where it's needed, don't allow them to change ownership of files unless it's a must.

  • Be vigilant and aggressive in blocking file extensions via email. If you're not blocking .js, .wsf, or scanning the contents of .zip files, you're not done. Consider screening ZIP files outright. Consider if you can abolish .doc and .rtf in favor of .docx which cannot contain macros.

  • Install the old CryptoLocker Software Restriction Policies which will block some rootkit-based malware from working effectively. You can create a similar rule for %LocalAppData%\*.exe and %LocalAppData%\*\*.exe as well. It was pointed out in the Reddit comments that, if it's at all feasible, run on a whitelist approach instead of a blacklist. It's more time-intensive but much safer.

  • Backups. Having good, working, versionable, cold-store, tested backups makes this whole thing a minor irritation rather than a catastrophe. Even Windows Server Backup on a Wal-Mart External USB drive is better than nothing. Crashplan does unlimited versioned backups with unlimited retention at a flat rate, and there's a Linux agent as well. Hell, Dropbox does versioned backups. Get something.
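The first two items above (hidden shares and least permission) are easy to state and easy to drift away from on a file server that has been in service for years. The following PowerShell audit is an added example, not code from the article or from Tharp's post; it assumes the SmbShare module (Windows Server 2012 / Windows 8 and later) and local administrator rights, and the domain and group names in the corrective command at the end are placeholders.

```powershell
# Added example (not from the article or Daniel Tharp's post): audit SMB shares on
# a Windows file server against two of the practices above. A share whose name
# ends in $ is not returned by WNetOpenEnum-style browsing, and the Everyone group
# should never hold Full Control (or Change) on a share.
#Requires -Modules SmbShare

function Get-ShareExposure {
    [CmdletBinding()]
    param()

    # Built-in administrative shares (C$, ADMIN$, IPC$) are excluded; they are
    # already hidden and are not what ransomware-era share hygiene is about.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        $findings = @()

        # Finding 1: the share is browsable because its name has no trailing $.
        if ($share.Name -notlike '*$') {
            $findings += 'Share is browsable (name does not end in $)'
        }

        # Finding 2: a broad principal holds write-capable share permission.
        $broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccountName -in $broadPrincipals -and
                $ace.AccessRight -in @('Full', 'Change')) {
                $findings += "$($ace.AccountName) has $($ace.AccessRight) access"
            }
        }

        [pscustomobject]@{
            Name     = $share.Name
            Path     = $share.Path
            Findings = $findings
        }
    }
}

# Report only the shares that have at least one finding.
Get-ShareExposure | Where-Object { $_.Findings.Count -gt 0 } | Format-Table -AutoSize -Wrap

# The corrective pattern: a hidden share on which Everyone holds nothing and
# write access goes only to the group that needs it. Names below are placeholders.
# New-SmbShare -Name 'Finance$' -Path 'D:\Finance' `
#     -FullAccess   'BUILTIN\Administrators' `
#     -ChangeAccess 'CONTOSO\Finance-Editors' `
#     -ReadAccess   'CONTOSO\Finance-Readers'
```

Finding 2 is the one that matters most: a trailing $ only keeps a share out of browse lists, and ransomware running as a user who already has a mapped drive or a remembered UNC path will still reach it. Share permissions are also only half of the picture; the NTFS permissions underneath need the same least-permission review.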
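The email-extension item above is where most gateways fall short: they block the outer name and trust a ZIP wrapper. The check below is an added example, not code from the article or from Tharp's post, and it is a model of the decision logic rather than a specific product's configuration. It blocks script and executable extensions outright, quarantines macro-capable Office formats (the page's point that .docx cannot carry macros while .doc and .rtf can), and opens ZIP attachments to apply the same rules to their contents; the sample attachment at the bottom is constructed for the demonstration.

```powershell
# Added example (not from the article): attachment policy check of the kind a mail
# gateway or a post-delivery mailbox sweep would apply.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions that should never arrive by email. The page names .js and .wsf; the
# rest are the usual script and executable companions (assumed block list).
$script:BlockedExtensions = @('.js', '.jse', '.wsf', '.wsh', '.vbs', '.vbe',
                              '.hta', '.exe', '.scr', '.pif', '.cmd', '.bat', '.ps1')
# Formats that can carry macros; .docx cannot, while .doc, .rtf and .docm can.
$script:MacroCapable = @('.doc', '.xls', '.ppt', '.rtf', '.docm', '.xlsm', '.pptm', '.dotm')

function Test-AttachmentName {
    param([Parameter(Mandatory)][string]$Name)
    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($ext -in $script:BlockedExtensions) { return "Block: $Name ($ext)" }
    if ($ext -in $script:MacroCapable)      { return "Quarantine: $Name (macro-capable $ext)" }
    return $null
}

function Test-Attachment {
    # Returns a list of verdict strings; an empty list means the attachment passes.
    param([Parameter(Mandatory)][string]$Path)
    $verdicts = @()
    $outer = Test-AttachmentName -Name (Split-Path -Leaf $Path)
    if ($outer) { $verdicts += $outer }

    if ([System.IO.Path]::GetExtension($Path) -ieq '.zip') {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
            try {
                foreach ($entry in $zip.Entries) {
                    if ($entry.Name -eq '') { continue }   # directory entry
                    $inner = Test-AttachmentName -Name $entry.Name
                    if ($inner) { $verdicts += "In archive: $inner" }
                    # A nested archive cannot be inspected here, so it is blocked.
                    if ([System.IO.Path]::GetExtension($entry.Name) -ieq '.zip') {
                        $verdicts += "Block: nested archive $($entry.FullName)"
                    }
                }
            } finally { $zip.Dispose() }
        } catch {
            # A malformed archive cannot be scanned: block rather than pass.
            $verdicts += "Block: unreadable archive ($($_.Exception.Message))"
        }
    }
    return ,$verdicts
}

# --- Constructed demonstration: a ZIP carrying a .js file next to a harmless .docx ---
$work = Join-Path ([System.IO.Path]::GetTempPath()) ("attach-demo-" + [guid]::NewGuid())
$src  = Join-Path $work 'src'
New-Item -ItemType Directory -Path $src -Force | Out-Null
Set-Content -Path (Join-Path $src 'invoice.js')  -Value '// constructed placeholder text, not a script'
Set-Content -Path (Join-Path $src 'report.docx') -Value 'constructed placeholder text'
$zipPath = Join-Path $work 'invoice.zip'
[System.IO.Compression.ZipFile]::CreateFromDirectory($src, $zipPath)

Test-Attachment -Path $zipPath
Remove-Item -Recurse -Force $work
```

Running the demonstration reports the .js entry inside the archive and says nothing about report.docx. The two fail-closed branches (nested archive, unreadable archive) are deliberate: a gateway that passes whatever it cannot inspect is exactly the gap the "scan the contents of .zip files" advice is about.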

