Whether you manage your own systems and devices, or rely on third-party hosted systems (i.e. ‘in the cloud’), your Ransomware risk is real, constant and growing….
What to do first?
Set up regular data backup procedures – then ensure they happen
Backups are ESSENTIAL in protecting data. If you are successfully attacked with Ransomware your backup is the best, possibly only, option for saving your data and ability to do business. Backups also help you recover from many other forms of damaging malware attacks and even hardware failures. Some Ransomware variants, such as Cryptolocker, will also encrypt files on drives that are mapped. This includes connected cloud file stores, attached network drives and USB thumb drives. Action: Backup often, to an external drive or backup service (one that is not assigned a drive letter) & physically disconnect it from the computer between backups. Make sure the Backups are tested and are usable!
Setup your defences
CESG spent many years determining which security best practices would remove the most risk. (a Cyber Essentials version of the 80/20 rule!)Following Cyber Essentials guidance can reduce your risk by 80%. In addition to being a great security guide, some Cyber Essentials checks can help to prevent Ransomware. The following is a list of those checks:
- Installing the latest software patches and updates can help against known security issues being leveraged by malicious software.
- Installing and keeping up to date the latest anti-malware/virus software can ensure that known bad executables, and potentially software behaviours, are stopped.
- Disabling auto-run can prevent malicious software being transferred between systems using storage technology such as USB pens.
- Do not use Administration-level accounts for day-to-day tasks. As well as being good security practice, this will help restrict the impact of any malware infection.
- Access privileges should be used to limit access to resources and systems.
- As above, this should also help to restrict the impact of any malware infection.
- Firewalls should limit network traffic to only approved source / destinations and service types.
- Malware protection, possibly in the form of APT / IPS, can prevent potentially malicious software from calling home or propagating on your systems.
You can check some of these controls using the FREE Risk Assessment Auditing Tool (www.titania.com/risk-assessment-tool). It provides key risk analysis in 21 areas, includes step by step mitigation suggestions and automates some of the manual configuration reviews, needed for Cyber Essentials.
Automate Defence (when possible)Patch or Update your software
Keeping your software up to date is a security essential, it significantly reduces your risk. Ransomware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. If you make a practice of updating your software often it can block their access. (As a triple bonus it also helps defend against other Malware and makes it harder to hack into your systems!). Action: Enable automatic updates, especially on major vendors such as Windows and Adobe.If you can’t auto-update go directly to the software vendor’s website (good practice as Ransomware / Malware creators can disguise Phishing attacks as software update notifications).
Filter EXEs in email
If your gateway mail scanner can filter files by extension, you may reduce risk by denying mails sent with “.EXE” files, and “*.*.EXE” files. Users who then legitimately need to send or receive executable files could use password-protected ZIP files or via secure cloud services. Naturally this is not fool proof and you may want to consider other options (a 7-Zip vulnerability was recently discovered and patched).
Re-enable showing full file-extensions
Window’s default behaviour hides known file-extensions. Re-enabling showing full file-extensions will help your team spot & avoid clicking on suspicious files – e.g. those with unexpected “.EXE” (executable) extensions often used by Ransomware.
Use a reputable security suite and keep it updated
Ensure you include anti-malware software and a software firewall, they will both help identify threats or suspicious behaviour. Ransomware developers frequently send out new variants, (to try to avoid detection) multiple layers of protection, will reduce their chances of success. If you run across a Ransomware variant so new that it gets past anti-malware software, it may still be prevented from executing, or be blocked from connecting with its Command and Control server (to receive its encryption instructions) by Software Restriction Policies (SRP) or your firewall…
Firewalls/Proxies and APT/IPS
Once something malicious is running inside your network, you do not want it to communicate with the outside. Firewalls should be configured to restrict network traffic going in both directions, not just inbound traffic. Web browsing should also be limited to prevent access to known malicious websites. Internet proxies can be used to help prevent access to malicious content, or user access to websites by content type. Advanced Threat Protection (APT) / Intrusion Prevention Systems (IPS) can also detect and prevent software from accessing or performing potentially malicious activity.
Windows Policy Updates
There are a number of Windows group policies that can be deployed to help prevent running malicious code. e.g. The user application data folder is often used by Malware developers, as a location to launch malicious software.
Software Restriction Policies (SRP) can be used to prevent the execution of software from that folder. Computer Configuration/Policies/Windows Settings/Security Settings/Software Restriction Policies To prevent execution of programs within certain types of files, they can be configured under the following policy tree:
User Configuration/Windows Settings/Security Settings/Software Restriction Policies
On the latest versions of Windows you can take this further by configuring AppLocker policies to restrict the execution of software.
This is a complex subject in its own right and Microsoft has provided lots of details in the following TechNet article: https://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx An example would be to configure policies to only permit the execution of signed software.
Train your People
Train your people to detect what “suspicious” looks like and what to do in the event of an attack. Help them by giving sensible policies, “attack reaction” training and showing hidden file-extensions.
Before opening email attachments, you should first check the emails validity. Potential malicious software is often attached to emails in the hope that someone will open it. The malicious emails can range from very simple and obvious through to sophisticated and less obvious.
These are fairly obvious…
With emails that have “Invoice Attached” or something similar may be harder for someone in an accounts team to ignore. However, there are simple checks that you can perform to confirm details about the email. If you are unable to confirm any of the details, then try getting in touch with the sender to confirm its validity (do not use any of the contact details supplied in the email – they could be fake). Also check the attachment type, would you normally have an invoice attached as a ZIP or Executable file?
It is important that everyone is trained on what to look out for in emails. And remember, banks do not send emails asking you to login to your account using a link contained in an email (or they should not). Also, Inland Revenue send information in the post, not via email. Be aware of what you are opening, clicking on and viewing.
What if the worst happens?
You’re in the middle of an attack or your files are being encrypted – what can you do?
Disconnect from WiFi or unplug from the network immediately
This technique may not always help, but training your people to “immediately disconnect the system and notify IT” if they think they’ve clicked on a malicious attachment, can (if done quickly enough) limit your risk, damage and costs. Depending on the breed of Ransomware this action may cut off communication with the attackers’ server and localize the data encryption to just one machine (which may be far easier to recover from).
It normally takes some time to encrypt all your files, so even if you’re not quick enough to outpace the malware spread, disconnecting from the network and notifying IT – will give your team valuable response time. It may help to isolate an infection.
Restore or Recover
If you have System Restore enabled Windows, you might be able to defeat a Ransomware or Malware attacker. However, some versions of Ransomware (e.g. Cryptolocker) may delete the System Restore files, before you can return the system to a known clean state. If that is the case, then your best option would probably be a full restore from a clean back up. (You’ve got a clean backup and tested the procedure already…right?)
Pay or Don’t Pay?
If you have any other option open to you, my advice would be don’t pay for two main reasons:
- You have no guarantee you will get your data back. In many cases the decryption key is never received, it fails to work or only partly decrypts the data.
- You’re then a proven “paying customer” which increases your likelihood of future re-targeting!
If you leaning towards paying…
You can normally do a very quick google search to determine if you have viable option for recovery and often whether the criminals in question have a track history of delivering your data back. Some Ransomware variants such as Cryptolocker & Jigsaw, now have payment timers (after which time the price for your decryption key, or damage, goes up significantly)At time of writing, you could “beat the clock” with Cryptolocker, by setting the BIOS clock back to a time before their 72 hour window was up – resulting in a lower Ransom payment demand. In every case, if you’ve decided to pay, it’s worth quickly investigating your potential actions first…
One Final Suggestion….
For the policies and practices you put in place to remain effective in protecting you and your business they must be enforceable, measurable and consistent. User training on cyber / information security procedures can be made part of your HR on-boarding process and refreshed regularly. For System Settings, firewall rules and policy enforcement, I would recommend using detailed system / configuration auditing tools such as the award winning Nipper Studio and Paws Studio
Useful Links & Free Tools
Government-backed walk-through on protecting yourself against cyber threats
FREE Risk Assessment Auditing Tool
The Risk Assessment Auditing Tool, created by Titania Ltd, automates the auditing of 21 key security risks (such as unpatched software, missing anti-virus updates and poor password enforcement) that would leave your business vulnerable to attack. It will significantly reduce the time of hardening your system against Ransomware attacks.
Cryptolocker Prevention Kit
Cryptolocker Prevention Kit created by Third Tier to help automate making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities.