Since January of this year, ransomware has emerged as a popular attack impacting large corporations, small businesses, schools, hospitals and home users. This malicious type of crimeware encrypts, locks, or obfuscates digital files, then demands a ransom to return the files. An ill-prepared user or organization can experience catastrophic damage if the data encrypted includes months of work or critical business information. Far worse is when the data encrypted includes financial, legal, or medical records for which retention is required by law. In some cases, these users have no choice but to pay the ransom and hope for the best. Some who pay have their files returned, while others are not as lucky.
Unlike more sophisticated Advanced Persistent Threats, ransomware is entirely opportunistic in nature. If cyber criminals stand to earn hundreds of dollars by targeting one user, they stand to make thousands by spreading their ransomware to as many users as possible. Since the user must be aware of the ransomware in order for the criminal to achieve their objective of financial gain, there is no reason for ransomware operators to operate stealthily.
In a typical attack, a ransomware operator pays for delivery of their installer through a web-based exploit kit such as Neutrino, or via an email phishing campaign. When an unsuspecting user visits a website that has been compromised, or opens a malicious attachment, a weaponized payload attempts to exploit vulnerabilities in the installed software and gain control of the user’s workstation. The weaponized payload then retrieves the ransomware installer, and the ransomware quietly installs in the background and encrypts the user’s files before finally notifying the user that they must pay a ransom to regain access to their data.
While ransomware may seem like a new and alarming threat, the underlying building blocks used to perform these attacks are similar to any other broad-based cybercrime attack. Consequently, all of the same network defense best practices are applicable to ransomware as well. Specifically:
- Vulnerability Patching – All software contains vulnerabilities. Since finding new vulnerabilities is expensive, cyber criminals tend to exploit vulnerabilities that are at least a few weeks old. If you are running the latest version of a software product that is no longer vulnerable to what the weaponized payload is attempting to exploit, then the ransomware will never be installed.
- Website categorization and filtering – There are many commercial products on the market that categorize sites based on the type of information on the site. It is common for businesses to permit categories such as “Business/Economy”, “Internet/Technology” and to block categories that may be harmful to the business, such as “Adult Content”, “Gaming”, and “Malicious”.
- Blocking uncategorized websites – In addition to blocking categories that are obviously not beneficial to the business, companies can benefit from blocking websites that have not yet been categorized by the tool provider, and providing a process for users to request unblocking of uncategorized sites that have a legitimate business purpose. This is highly effective against malware that is delivered from brand new domains established by cyber criminals that were stood up in the past few days for that purpose.
- Least Privilege – Users should have the least set of privileges that permits them to do their jobs effectively. While this is a good mitigation for limiting the impact of a malicious insider, it also confines the damage that ransomware can cause by limiting the number of files that it can encrypt.
- Antivirus – Like any malware, some ransomware attacks will slip by antivirus software due to the fact that antivirus can only detect threats for which it has definitions. However, the broad nature of ransomware attacks means that antivirus vendors release definitions capable of stopping the attack within a day or two of the start of an attack wave.
- Prohibit users from accessing the web directly – Adopt policy or technical controls that require your user community to connect into the corporate network via VPN prior to accessing the web. This is necessary for the blocking of malicious or uncategorized websites to be effective.
- Train users to spot suspicious emails – Provide guidance to your user community regarding the signs of a malicious email, including specific steps that the user should follow if they are uncertain. Contacting the supposed sender of a questionable email via phone is highly effective at determining whether that person actually sent the email. Follow this guidance with an email testing campaign where you send benign phishing emails to users and gather metrics on how often users take appropriate action.
- Investigate spearphishing emails and implement countermeasures – Every email that comes into your environment is a hint at what the next attack will look like. When users report these emails, don’t simply congratulate them on making the right decision. Identify indicators within the email that can be used to block delivery of similar emails to additional users.
- Segregate critical systems and critical data from the business network – Systems that are used for web and email access are the systems most likely to be impacted by ransomware. These systems should not be the same systems that are used to access the systems, processes and data that are most critical to the business. For example, medical records, human resource systems, and process control networks should be isolated or accessible via VPN only.
- Maintain Backups – When ransomware strikes, the most effective way of restoring your data is to restore it from a recent backup. Best practices using multiple sets of full and incremental backups, including an offsite backup, provide the soundest backup strategy to mitigate against a wide variety of threats.
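The indicator extraction described under "Investigate spearphishing emails" above, as an added example (not code from the original post): it parses a constructed user-reported message with Python's standard `email` library and pulls out the sender domain, a mismatched Reply-To, the hostnames of linked URLs and the name, size and SHA-256 of each attachment, which is what a mail gateway or web proxy blocklist entry would be built from. The message and all domains in it are constructed for illustration.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample of a user-reported phishing email (hypothetical domains, not real indicators).
REPORTED_EML = """\
From: "Accounts Payable" <billing@example-invoices.test>
Reply-To: collect@mailer-relay.test
Subject: Overdue invoice 4471
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or view it at http://example-invoices.test/inv/4471
--XYZ
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_indicators(raw: str) -> dict:
    """Parse a reported email and return the indicators a mail gateway can block on."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # base64 is decoded here
            attachments.append({"name": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return {
        "sender_domain": sender.domain,
        "reply_to_domain": reply_to.domain if reply_to else None,
        # Reply-To pointing at a different domain than From is a common phishing tell
        "reply_to_mismatch": bool(reply_to) and reply_to.domain != sender.domain,
        "url_hosts": sorted({urlparse(u).hostname for u in urls}),
        "attachments": attachments,
    }
```

Feed the returned dictionary into whatever blocklist your gateway or proxy consumes; the attachment hash is the most reliable field, since sender and URL hostnames change between waves.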
While ransomware may be the “threat-du-jour”, effective mitigation should not require investment in new network defense technologies and processes. The same best practices that mitigate against other broad-based threats are effective at preventing ransomware or limiting the damage in the event ransomware does strike.