Fantom Ransomware: Looks Like Windows. Disrupts Like Hell.

As if ransomware and Windows updates weren’t already challenging enough, a new threat pretends to be the latter but delivers the former.

If your organization has been in the process of deploying (or considering deploying) Windows 10, then you already know about the issues regarding Microsoft’s shift to cumulative updates and the problems with third-party applications they’ve already caused at some companies.

Microsoft updates

Even if you’re not moving to Windows 10, you may still be affected by changes Microsoft is making to how it delivers updates to Windows 7 and Windows 8.1. And if you haven’t already, you should read the sagacious guidance offered in blog posts on these and related subjects by LANDESK Director of Product Management Stephen Brown and Senior Product Manager Chris Goettl.

In addition, you’ve doubtless heard and read about—or maybe even been affected by—ransomware.

Most ransomware infiltrates computer systems, locates and encrypts critical files, then demands payment of a ransom for access to the keys needed to restore access to those files. A recent variant, known as “Hitler ransomware,” threatens to encrypt critical files, but in reality, deletes them. (Read more about this variant in blog posts by me and Stephen.)

Fantom ransomware

And now, there’s Fantom. Once it gets into a system, it looks and acts like a legitimate critical Windows update. As reported by Lawrence Abrams of BleepingComputer.com and others, it even displays a realistic-looking screen that says the updates are being configured.


What’s really going on, though, is that the software is busily encrypting all the files it can find. It then displays a poorly written ransom note.


Once that note appears, victimized users have no choice but to pay the ransom and hope that they receive the decryption keys promised by that ransom note. And that those keys actually restore access to all of their files, and that the malware infection doesn’t result in further mayhem.

This is only one recent variation on the ransomware theme. Others can be at least as disruptive to your users and your business, if not more so. A ransomware variant known as “Petya,” for example, ignores your files and goes directly after the master boot records and file tables that govern access to entire hard drives.

Ransomware webinar on September 14

All of this is why we’re having a ransomware update webinar on September 14, featuring Stephen Brown and Principal Product Manager Eran Livne. (Eran’s also written some sagacious and helpful guidance for combatting ransomware, as have other members of the LANDESK team. You can browse, read, and share these in our ransomware archive.)

It’s also why we continue to evolve our solutions for fighting ransomware. In the webinar, Stephen and Eran will describe some specific upcoming enhancements to LANDESK Security Suite that can help you to defeat even the newest ransomware variants, and keep your organization’s computers and users productive and operational.

Get and stay ahead of the bad guys developing and distributing ransomware. Protect your organization, its users, and its critical information. Start now by registering for the webinar today!

Also, be sure to get your free copy of our most popular white paper below.


Saving Time, Money and Your Network With LANDESK

IT teams are constantly on the hunt for ways to save their organizations time and money. LANDESK’s portfolio of products is doing just that and MORE for its customers. The key is consolidation.

LANDESK has listened and learned from what IT professionals have been asking for and, as a result, has developed a feature-rich line that is meeting and exceeding the needs of consumers.

Everything you need in one place

“We had several different platforms to accomplish a bunch of different tasks,” said Chris Frediani, senior support specialist at NEPC, LLC. “What we wanted to accomplish by implanting LANDESK was to consolidate all those different tools into just one suite of tools.”

That’s exactly what you get with LANDESK. All the tools you need to manage your entire network — nicely packaged into one customizable platform.

“We are more efficient as a team when we just have one platform with all of the tools that we use every day, readily available in one system,” he said.

It’s a new level of efficiency that isn’t just saving customers minutes or hours; they’re shaving days off formerly time-consuming tasks.

“Before, we had this kind of archaic method of making sure that all of our endpoints were patched and within compliance standards. It would take two days to get the patching process started,” said Frediani. “Now, what used to be a two-day thing is a 15-minute thing once a month.”

Going beyond IT management

In addition to saving time, LANDESK’s clients say they’re now able to go outside the normal bounds of IT management.

“One of the main things we wanted to accomplish with LANDESK Service Desk was to become more efficient, to get our processes nailed down, and to start rolling it out to other areas (besides IT) within our organization,” said Mike Abranink, desktop support analyst for the City of Leduc, a busy suburb of Edmonton, Alberta.

Abranink pocketed time he would have normally wasted traveling from desktop to desktop and was able to impress his bosses at the same time.

“It has made my life as a desktop analyst easier. I don’t have to go out to my users as often, it makes the distribution of software easier, and it makes tracking for our executive and CIOs easier,” he said. “One of the main benefits is through the built-in reports in LDMS. I’ve been able to pull reports that demonstrate to our executive and to our managers that by remotely controlling a desktop, we actually save time and money.”

Security-focused

Our focus isn’t just on saving you time and money; security is our number one priority. LANDESK’s security solutions are constantly on the prowl for possible vulnerabilities that threaten to wreak havoc on your system.

“The problem that we were facing when we first considered LANDESK was that we didn’t know what we didn’t know,” said Nick Gehr, enterprise support manager for Aviall. “Once we got it up and running in our environment, the light that shined on in every corner — that we just had originally no sense of awareness around — we were able to take action upon those.”

The unknown can be detrimental to a network. LANDESK’s solutions are helping IT managers seek and destroy hidden threats and keep your system protected.

“We discovered a ton of devices in our environment that weren’t being managed at all — that we didn’t even know were there until we spun up LANDESK Management Suite and it pointed them out to us,” said Frediani. “What you can do with just a couple of application platforms like LDMS and LDSD is pretty incredible.”

Businesses, corporations, and even cities are using LANDESK products to streamline their workflow and tailor IT management to the ever-changing needs of users and administrators.

“Some of the problems we were facing that made us consider LANDESK were that we started with a very small, out-of-the-box solution for a ticketing system that wasn’t meeting our needs. It wasn’t customizable; it didn’t let us have a process flow in it,” said Abranink. “LANDESK Service Desk addressed all the needs we had as we grew and it has scalability and functionality in it that’s hard to find in other places.”


Why Failure to Sponsor ITSM Is Just Asking for Ransomware

“You are traveling through another dimension, a dimension not only of sight and sound but of mind. A journey into a wondrous land whose boundaries are that of imagination. Your next stop, the Twilight Zone!”

If you are even slightly connected on social media, maybe you have been feeling like I have lately: that you have mysteriously entered a parallel universe.

One universe is filled with rainbow-colored unicorns, where developers are magically empowered with unlimited knowledge of operational excellence. They also instinctively know the perfect customer experience (DevOps).

The other universe consists of a den of trolls who have maliciously infected every electronic device you own. What’s worse, they’ve systematically cooked up a scheme where you’re holding a winning lottery ticket, all so they can steal it from you and leave you holding the source code (SecOps).

Somewhere in the middle of all of this madness is reality.

As IT leaders, we must ground our ITSM disciplines in reality. In doing so, we recognize that ITSM is how IT gets work done. We need to understand that an appropriate balance is required in addressing any risk or opportunity.

There has always been a balancing act for our prioritization of IT resources.

CHEAP, SECURE, GOOD, or FAST. PICK TWO.

Let’s take a look at some realities. We’ll start with SecOps, and in particular, the immediate threat of ransomware.

REALITY: You are already hacked and it’s going to happen again.

How do I know this?

Ransomware and malware do not happen as a result of vulnerabilities. They happen as a result of failed ITSM sponsorship and support.

Failure to manage ITSM disciplines has enabled one or more of the following activities to take place within your environment:

  • Failure to sanction an approved software distribution program. Since users are not able to get software from the sanctioned self-service request catalog, they download and install applications on devices from other sources.
  • Failure to inventory software configuration items. With the lack of support to discover and document configuration items properly into your CMDB, management of applications (and particularly, their security) is impossible. Patch management is about updating the keys, but if you don’t know where the safes are and what type they are, your patch management is already flawed.
  • Business service models don’t exist. Failing to map critical business services and vital business functions to your technology assets removes the impact of vital decision making for access control, risk assessment, and recovery. IT works with limited resources, and this lack of intelligence is critical to change, access, and availability planning around high-value targets.
  • ITSM is focused on IT support and is separate from PMO and SDLC. Incident and request management is not ITSM. Relegating accountability for how IT gets work done to your service desk manager or director of IT operations is a critical management flaw. Asset acquisition starts with a project. Sourcing the IT asset or building it requires all parties to understand the risk levels involved. Once operational, this will directly impact response procedures, change authority, and other governance.
  • We don’t need ITSM; we outsource everything and use the cloud. Heaven help me!

BOTTOM LINE: Ransomware is a byproduct of failing to effectively sponsor ITSM enterprise-wide.

The following three tactical efforts need to happen to improve protection against ransomware and malware:

1. Establish critical business service mappings. Starting with customer-facing offerings, map the interfaces, technologies, and systems that support these customers. Define their value and risk to the business. Yes, this is hard and expensive. But try data hostage negotiations for a couple of weeks! This is a walk in the park compared to what could happen.

2. Establish the sanctioned enterprise architecture of approved and supported technologies. This definitive list should be tracked in your ITAM solution, mapped to the discovered inventory. It should be followed by a solid white-listing strategy and a rigorous “non-allowed” removal program to eliminate rogue (non-sanctioned) applications.

3. Redefine the accountability in your BYOD and cloud usage policies. Yes, it’s great that everyone wants to use their own devices for work. However, it must be crystal clear that their allowance for hijacking or malware is a personal liability. Arm your employees with security, inventory, and patch management tools that will ensure they are equipped to protect themselves, but more importantly, the corporate assets they access.

Clearly, it will take more than this to protect against ransomware. However, effective ITSM is already providing processes and tools to support these governance areas.

Is your ITSM lacking this level of governance focus or sponsorship? Talk to us about how to take your governance to the next level, and be sure to download our free whitepaper on how to prevent ransomware.


Pokémon Go Ransomware: Don’t Catch This One

It appears that this summer’s creature-catching craze has caught something of its own: ransomware.

Any type of digital, cultural phenomenon like Pokémon Go is likely to be exploited by malware writers, so it’s no surprise that Pokémon Go is now a transmitter of the malicious code.

Fun vs. fear

Just last week we learned of Hitler ransomware, which, as I noted, leverages fear by using an offensive image as a way to drive irrational behavior.

Pokémon Go appears to tap into the opposite emotion—fun—by riding the wave of this cultural juggernaut. Just as someone might panic to pay a ransom due to fear, someone might download a file without thought due to the overwhelming desire for fun.

Supply and demand

There are a few interesting economic considerations with this ransomware.

First off, as noted in the analysis by Bleeping Computer, this ransomware targets Windows computers, and apparently Arabic speakers, too, based on the image in the infected splash screen.

According to a recent CNET article, Pokémon Go isn’t even available in the Middle East yet, so any hype that is building in the media (and there is a lot) only accelerates that interest for countries that do not yet have the game.

Secondly, Pokémon Go is a mobile game, so the developers of this ransomware would need to con someone who doesn’t have a basic understanding of the game to download the application to their Windows computer on the assumption that they could get the game that way.

Considering that Pokémon Go started in the United States and has been rolling out primarily to Western countries first, it is easy to see how the truth could be lost in translation, only for unsuspecting victims to be exploited.

Forbidden fun

Another interesting note is the fatwa against Pokémon games that was issued years ago by Saudi Arabian clerics and recently renewed due to issues around certain images and concepts, including that of evolving the creatures.

Nothing drums up more interest than that which has been banned. Again, this is perhaps another emotion-based tactic used to lure unsuspecting victims into being exploited.

Ransomware’s future plans

Another interesting feature of this ransomware is the inclusion of a backdoor account called Hack3r, which is created and hidden from users. There is no apparent use for the account except, perhaps, as a seed for future devious use.

Also, there is the creation of a network share with no apparent use except as a potential delivery vehicle.

In addition to the network share, there is also an attempt to write to any removable media with an autorun entry that would attempt to launch the ransomware when the media is loaded on other computers.

Finally, the executable is written to a drive other than C:, with an autorun entry that launches it when the user logs into Windows. None of these techniques are new, but it appears that the authors were looking to develop something pervasive and easy to spread.

It appears that the ransomware is in development based on an incomplete encryption approach that uses a fixed key of 123vivalalgerie.

Also, the incomplete propagation techniques mentioned earlier indicate that this ransomware was caught early. Kudos to Michael Gillespie (@demonslay335), who caught this sample in the wild before it evolved into something nastier.
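A read-only audit for the traits described above, as an added example that is not part of the original post or the Bleeping Computer analysis: it looks for the Hack3r account and for local accounts hidden from the logon screen, Run-key entries whose executable lives outside the system drive, autorun.inf files on removable media, and non-administrative SMB shares. The account name comes from the post; the assumption that the account is hidden through the Winlogon SpecialAccounts\UserList key is this example’s own, as are all function names. It assumes Windows 10 / Server 2016 or later (for Get-LocalUser and Get-SmbShare) and an elevated session.

```powershell
# Added example, not from the original post: a read-only audit for the four persistence/spread
# traits attributed to this sample. Run elevated on a suspect host; nothing here modifies the system.

function Find-HiddenLocalAccounts {
    # Assumption: accounts hidden from the logon screen are listed under SpecialAccounts\UserList
    # with a DWORD value of 0. "Hack3r" is the account name given in the post.
    $UserList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $Hidden = @()
    if (Test-Path $UserList) {
        $Props = Get-ItemProperty -Path $UserList
        foreach ($Name in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            if ($Props.$Name -eq 0) { $Hidden += $Name }
        }
    }
    Get-LocalUser | Where-Object { $_.Name -eq 'Hack3r' -or $Hidden -contains $_.Name } |
        Select-Object Name, Enabled, LastLogon
}

function Find-OffSystemDriveRunEntries {
    # Run-key entries whose target sits on a drive other than the system drive
    # (the post: "written to a drive other than C: with an autorun when the user logs into Windows").
    $RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $SystemLetter = $env:SystemDrive.TrimEnd(':')
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($P in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            # Only values that start with an explicit drive letter are classified; others are skipped.
            if ($P.Value -match '^"?([A-Za-z]):' -and $Matches[1] -ne $SystemLetter) {
                [pscustomobject]@{ Key = $Key; Name = $P.Name; Command = $P.Value }
            }
        }
    }
}

function Find-RemovableAutorun {
    # Win32_LogicalDisk DriveType 2 = removable media. An autorun.inf there is the spread vector
    # the post describes; its contents are returned so the referenced executable can be examined.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $Inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $Inf) {
            [pscustomobject]@{ Drive = $_.DeviceID; AutorunInf = (Get-Content $Inf -Raw) }
        }
    }
}

function Find-NonDefaultShares {
    # Administrative shares end in '$'; any other share not already documented deserves a look.
    Get-SmbShare | Where-Object { $_.Name -notlike '*$' } | Select-Object Name, Path, Description
}

'--- Hidden / suspicious local accounts ---';   Find-HiddenLocalAccounts
'--- Run entries outside the system drive ---'; Find-OffSystemDriveRunEntries
'--- autorun.inf on removable media ---';       Find-RemovableAutorun
'--- Non-administrative SMB shares ---';        Find-NonDefaultShares
```

Each function returns objects rather than text, so the same script can be pushed fleet-wide by an endpoint management tool and the results collected centrally; a non-empty result from any of the four is a reason to pull the host for a closer look, not proof of this specific sample.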

Key takeaways

If there is one thing to learn with this latest ransomware discovery, it’s that malware writers leverage trending events and interests to drive the spread of their scams.

Ransomware hits at our digital hearts (our data) and therefore emotions are key to spreading and monetizing their work.

As always, beware of things that are too good to be true and take good precautions such as those listed in our article Everything You Need to Know to Prevent Ransomware.

Now back to capturing the local gym!


Top 10 Most Shared Blog Posts From July 2016

July was a hot month for LANDESK content, with nearly 1700 shares on our ransomware-related blog posts.

Our resident experts in the field—Product Manager Eran Livne; Director of Product Management Stephen Brown; and Chief Security Officer Phil Richards—each pulled from their vast amounts of knowledge and experience in the IT security space to contribute valuable insights on the topic.

Their prevention tactics, practical advice, and security solutions will help protect your business from cyber attacks.

In case you missed any of this great content, we’ve rounded up the top ten most popular blog posts from July. Starting with number ten:

10. Ransomware Bytes! How to Recover Quickly in 5 Steps

— By Stephen Brown

This post is most useful for those who have found themselves caught with ransomware. The important thing to do is not to panic and read on to find out what to do next.

9. 5 Ways Ransomware Might Make You Its Next Target

— By Eran Livne

From malicious email attachments to compromised websites, ransomware employs several insidious tactics to get into your system. Learn what they are so you won’t be the next target.

8. Satana, a New Strain of Ransomware That Mimics Petya Has Been Discovered

— By Eran Livne

Like any virus, ransomware is continuously mutating and presenting itself in different ways. Satana is one of the many newer strains to watch out for.

7. Q&A With Phil Richards, CSO: Vulnerability and How it Leads to Cybersecurity Attacks

Our Chief Security Officer, Phil Richards, gave us the rundown on system vulnerabilities and how they can lead to malicious attacks.

6. How to Stop Ransomware Once It’s Already on Your System

— By Eran Livne

As with post number ten, we want to help people recover from ransomware just as much as we want to help them prevent it. This post looks at what ransomware used to be in comparison to what it is now, and how you can stop its spread.

5. Ransomware: Should You Pay the Ransom?

— By Phil Richards

It’s a question everyone who gets infected by ransomware has to answer: Should you pay the ransom? Read on to find out the pros and cons.

4. Ransomware: The Threat and How to Protect Your Enterprise Part 1

— By Eran Livne

Your enterprise has a ton of valuable assets. Years and even decades worth of hard-earned data could all be wiped away with a cyber attack. Here’s how to protect all of that data in a few easy steps.

3. We Put Ransomware on Our Machine and Here’s What Happened

— By Eran Livne

Want to see what ransomware looks like? Check out the videos of us putting ransomware on our computer. (But don’t try this at home.)

2. Security Insider Stephen Brown Explains the Threat of Ransomware

How big of a problem is ransomware, anyway? From costing over $1 billion this year to managing multiple new mutations of the malware, Stephen Brown explains the threat in detail.

1. Infographic: The 8 Scariest Stats About Ransomware

Our number one most shared post is probably the scariest, not just because it gives visual representation of the statistics, but also because the statistics themselves are… well, scary. Read them at your own risk.


Hitler Ransomware: How Low (and How Lame) Can They Go?

The short answer to this question is pretty low and very lame.

Hitler ransomware, targeting Windows computers, was recently discovered and presents two newer angles to ransomware: an offensive presentation and the ability to destroy files without using encryption (ransom scams).

Offensive, fear-based presentation

Part of ransomware’s power is the ability it has to instigate fear in the user. Namely, the fear of losing personally valuable files. Anything that can exacerbate that fear, such as an offensive image, will trigger an even stronger primal response to protect at all costs (literally). This is the reaction that malicious developers are seeking.

As noted in an article on Hitler ransomware by Bleeping Computer, one of the elements that gives this variant of ransomware its name is the lock screen with a picture of Adolf Hitler.

He is giving his militaristic salute followed by a message that files have been encrypted and then demanding payment in the form of a Vodafone card.

Using universally offensive imagery of a historical figure creates an immediate negative reaction in the user. This fear-based reaction, compounded by the ransom demand, is more likely to trigger irrational responses that lead to higher payments.

Crash and delete instead of encryption

The second element of this ransomware is an action other than encryption of files.

Hitler ransomware developers were either too lazy or too inept to develop encryption capabilities, so they simply decided to crash infected computers and, upon reboot, delete files.

The command used with this ransomware (del *.* /s /q) unfortunately doesn’t put files into the Recycle Bin, but a positive note is that there are many utilities available for recovering deleted files.

Key takeaways

Here are a few things to learn from this offensive ransomware:

  1. Implement some best practices, such as those in our article Everything You Need to Know to Prevent Ransomware, to prevent ransomware from affecting you.
  2. Use good Internet hygiene when it comes to opening attachments in email or browsing websites.
  3. If you or your business gets hit by ransomware, take a deep breath and don’t emotionally respond. Remember that fear is a tool that is used by ransomware authors.
  4. Not all files are permanently lost. In the case of Hitler ransomware, a file recovery tool may be able to help. Some ransomware has been cracked and there are utilities for decrypting files. Do some research or get an expert to help see if your data is recoverable.

Be safe out there and be sure to get your free copy of our white paper on how to protect against ransomware below.


The Methods Behind the Ransomware Madness and How to Prevent an Attack

The majority of ransomware attacks today are infecting users’ machines using two main methods.

In this post, I will describe these two methods, as well as provide actionable tips on how to reduce the risk of these types of ransomware infecting your end users.

Distribution Method 1: Ransomware as an Attachment

Cybercriminals are using social engineering to trick users into opening attachments that are embedded into seemingly convincing and legitimate-looking emails.

In some cases, the attachment is the ransomware itself (i.e., running it will run the ransomware code), but since ransomware is just an executable, security solutions have a good chance of catching the ransomware and preventing it from running.

For this reason, many types of ransomware are using different attachments (not pure executables) to trick users into opening them.

The common attachment type, until recently, was Microsoft Office documents. Specifically, cybercriminals were utilizing Office macro capabilities to download the ransomware executable and run it on the victim’s machine.

This poses two challenges for them:

  1. First, they need to convince the user to open the document.
  2. Second, since Microsoft Office by default requires the user to approve running a macro, the user has to be tricked into allowing the macro to run.

Both are accomplished by different tactics, and one example is described here. However, even without reading the blog, the screenshot below provides a simple example:

[screenshot omitted]

Once the user enables macros, the macro will download the ransomware code and execute it in the background, effectively encrypting the victim’s files.

Warding off Ransomware as an Attachment

Tip 1: Protect against ransomware that uses Microsoft macros to download by disabling macros on end users’ machines. This will disallow users from running the macro and, as a result, the ransomware cannot be unleashed. LANDESK Security Suite provides an automated method for disabling macros on all endpoints, all of which can be done remotely from a central console.

As tricking users into running macros can be a bit challenging, cybercriminals have shifted their attention to a different kind of attachment: JavaScript-based ones.

In most cases, the attachment will actually be a ZIP file which contains the malicious JavaScript code. Users are tricked into opening (unzipping) the ZIP file and executing the JavaScript (.js) file inside it.

By default, Windows runs a double-clicked .js file with the Windows Script Host (wscript.exe), which executes it as the logged-on user with access to that user’s files; it is not run inside a web browser’s sandbox. The JavaScript code will download the ransomware code and execute it.

Tip 2: Protect against ransomware that uses JavaScript by preventing Windows from running the JavaScript code so users cannot run this malicious JavaScript code. This can also be done using LANDESK Security Suite, which allows you to define rules that prevent wscript (or any other scripting engine) from executing .JS (JavaScript) code.
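A manual equivalent of Tip 1 and Tip 2, as an added example that is neither LANDESK Security Suite nor code from the original post: the PowerShell below sets the Office Trust Center macro policy to “disable all macros without notification” and re-points the .js and .jse file handlers at Notepad, so a double-clicked script opens as text instead of running under wscript.exe. It assumes Office 2016 or later (policy path version “16.0”; Office 2013 uses “15.0”), an elevated session, and that these are the registry policy paths Office and Windows consult; the $OfficeVersion and $ScriptTypes variables and the Get-MacroAndScriptHardening function are this example’s own names.

```powershell
# Added example (not LANDESK's tooling): apply Tip 1 and Tip 2 with policy-backed registry values
# so the change can be audited from inventory and rolled back. Run elevated, or push via your
# management tool. Assumption: Office 2016 or later ("16.0"); use "15.0" for Office 2013.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Tip 1: VBAWarnings = 4 is "Disable all macros without notification" in the Trust Center.
# The Policies hive is the location a Group Policy setting writes to, so it takes precedence
# over whatever the user has chosen in the Trust Center UI.
foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'VBAWarnings' -PropertyType DWord -Value 4 -Force | Out-Null
}

# Tip 2: the JSFile/JSEFile ProgIDs map .js/.jse to wscript.exe. Pointing their Open command at
# Notepad means a double-click shows the script as text; legitimate admin scripts can still be
# run deliberately with cscript.exe. Add 'VBSFile' and 'WSFFile' to cover .vbs/.wsf as well.
$ScriptTypes = 'JSFile', 'JSEFile'
$Notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
foreach ($Type in $ScriptTypes) {
    $Cmd = "HKLM:\SOFTWARE\Classes\$Type\Shell\Open\Command"
    if (Test-Path $Cmd) {
        Set-ItemProperty -Path $Cmd -Name '(default)' -Value "`"$Notepad`" `"%1`""
    }
}

# Verification: report the effective values so the hardening can be confirmed after deployment.
function Get-MacroAndScriptHardening {
    foreach ($App in $Apps) {
        $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
        [pscustomobject]@{
            Item  = "$App VBAWarnings"
            Value = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).VBAWarnings
        }
    }
    foreach ($Type in $ScriptTypes) {
        $Cmd = "HKLM:\SOFTWARE\Classes\$Type\Shell\Open\Command"
        [pscustomobject]@{
            Item  = "$Type open command"
            Value = (Get-ItemProperty -Path $Cmd -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

Get-MacroAndScriptHardening | Format-Table -AutoSize
```

VBAWarnings = 4 is the strictest setting and will break any legitimate macro workflow, so where some macros are needed the Office 2016 policy that blocks macros only in files downloaded from the Internet (the blockcontentexecutionfrominternet value under the same Security key) is the less disruptive option. Apply either through Group Policy or your endpoint management tool rather than by hand on each machine.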

Distribution Method 2: Compromised Websites

Like many other types of malware, ransomware is all about leveraging vulnerabilities. These are mainly found in internet-facing applications such as web browsers, Adobe Flash and PDF Reader, Java, and others, and are exploited to infect the victim’s machine.

Using spam emails and other web technologies, cybercriminals do a good job of convincing users to visit “their” websites. These websites are designed to detect the software the victim is using and apply the best exploit for it. Once the exploit succeeds, the ransomware is downloaded and executed on the victim’s machine.

Warding off Ransomware on a Compromised Website

Tip 3: Protect against ransomware that is spread via compromised websites by ensuring that your users’ software is up to date. This is especially important for internet-facing applications like web browsers, Adobe Flash and PDF Reader, Java, and in many cases Microsoft Office.

Compromised websites are most likely to exploit known vulnerabilities, because finding zero-day vulnerabilities is expensive and most users do not update their software. That means there is a good chance users are still running software with known vulnerabilities that are easy to leverage.

Ensuring users are running the latest version of their software dramatically reduces the chance that a compromised website will be able to infect the end user’s machine and successfully run ransomware on it.
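One way to measure Tip 3 on a workstation, as an added example that is not LANDESK Patch Manager and not code from the original post: the PowerShell below enumerates installed software from the Uninstall registry keys, picks out the internet-facing applications the post names, and flags any whose version is below a baseline the administrator supplies. The $Baseline values are placeholders for illustration, not real patch levels; the product-name patterns and the Get-InternetFacingAppStatus function name are this example’s assumptions.

```powershell
# Added example (not LANDESK Patch Manager): find installed internet-facing applications and
# flag versions below an administrator-defined baseline. Baseline numbers are PLACEHOLDERS;
# replace them with the vendors' current releases before relying on the report.

$Baseline = @{
    'Google Chrome'    = [version]'0.0'   # placeholder: set to the current stable release
    'Mozilla Firefox'  = [version]'0.0'   # placeholder
    'Java'             = [version]'0.0'   # placeholder
    'Adobe Flash'      = [version]'0.0'   # placeholder
    'Adobe Acrobat'    = [version]'0.0'   # placeholder (covers Acrobat Reader DC as well)
    'Microsoft Office' = [version]'0.0'   # placeholder
}

function Get-InternetFacingAppStatus {
    # Installed software is listed under both the 64-bit and the 32-bit (WOW6432Node) Uninstall keys.
    $UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($Product in $Baseline.Keys) {
        foreach ($Entry in $Installed) {
            if ($Entry.DisplayName -notlike "*$Product*") { continue }
            # DisplayVersion is free text; entries that do not parse as a version are skipped
            # rather than silently treated as current.
            $Parsed = $null
            if (-not [version]::TryParse($Entry.DisplayVersion, [ref]$Parsed)) { continue }
            [pscustomobject]@{
                Product   = $Product
                Name      = $Entry.DisplayName
                Installed = $Parsed
                Required  = $Baseline[$Product]
                Outdated  = ($Parsed -lt $Baseline[$Product])
            }
        }
    }
}

# Outdated software first; the objects can be exported (Export-Csv) or fed to a patch job.
Get-InternetFacingAppStatus | Sort-Object Outdated -Descending | Format-Table -AutoSize
```

The report is only as good as the baseline: keep it in one place, update it with each vendor release, and treat a product that is installed but absent from the report (because its version string did not parse) as an item to investigate, not as compliant.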

LANDESK Patch Manager allows security administrators to easily and cost-effectively scan for missing software patches (software updates) and install the latest software version remotely on each of the end users’ machines. LANDESK Patch Manager also supports scanning and patching for most third-party applications, including all web browsers, Java, Adobe Flash, PDF readers, and Microsoft Office.

In addition, smart distribution and bandwidth management capabilities ensure that large and distributed deployments are possible.

Don’t catch ransomware on your system! Check out our free white paper below for more information on how YOU can avoid getting infected.


Everything You Need to Know to Prevent Ransomware

“Just pay the ransom.”

That’s what an FBI official said during a Cyber Security Summit 2015 in Boston several months ago.

However, since then, the FBI has published an official document that warns against ransomware and provides a list of best practices on how to fight it. Oh, and the new document specifically says: “The FBI does not support paying a ransom to the adversary.”

In this post, I will go over the FBI’s recommendations and explain what steps you can put into practice to implement them.

Prevention Tactics

For ransomware, a “detect and respond” model provides little value, since once the ransomware is running, it is too late. That is why prevention is critical to combating ransomware.

The FBI suggests you implement the following prevention methods:

  • Awareness and training

We know now that most ransomware is spread using phishing or spam emails. Just recently, users in the US House of Representatives fell victim to a ransomware campaign reportedly designed to trick users into opening an attachment sent to their Yahoo Mail accounts.

Increasing end-user education and awareness are always good ideas, but it is important to understand that the “bad guys” are professionals. They use many professional marketing and social engineering tools to improve their abilities to trick users into opening fraudulent emails and attachments.

This means that you should assume that even the most educated and aware user may be tricked. In fact, the latest Verizon data breach report found that 23 percent of recipients are opening phishing messages, and 11 percent click on fraudulent attachments. So the odds are against you.

  • Patch the critical operating systems and applications

Patching for most organizations should be the first or second line of defense against any attack. This holds true for ransomware as well.

Recently, a flaw in Adobe Flash was used by the Locky and Cerber ransomware attacks to distribute themselves to victim workstations.

Making sure each client system’s OS and required third-party applications are up-to-date will prevent many such attacks. A special effort should be made to ensure that all critical patches and updates for applications such as Adobe Flash, Java, Web browsers, and Microsoft Office are kept current. In addition, patch and update deployments should be prioritized based on business needs and policies, and executed in ways that don’t disrupt user or business operations.

Many organizations fear that comprehensive, timely, and consistent patching is too complex to execute and maintain, or that it may break critical business applications. However, using the latest patch management tools to scan for missing patches and deploy them to workstations or servers is a straightforward task—even in the most complicated environments.

LANDESK has many years of experience in delivering complete, flexible, end-to-end patch management solutions. Our experts can easily demo how you can efficiently use LANDESK solutions to automate patch management, and to deploy those critical patches with minimal to no disruption to your business or your users.

  • Ensure that antivirus (AV) software is up-to-date and that regular scans are scheduled

If patching is your first line of defense, AV should be your second. By now, it is well known (at least to security researchers) that most ransomware attacks cannot be stopped by traditional, signature-based AV solutions. However, you do not want to fall victim to malware threats already identified and tagged by your AV vendor. Ensuring that your AV virus definition database is always up to date on all your workstations is the most important element of an effective AV strategy.

LANDESK security management software can automate this process for you. Our software can efficiently (bandwidth-wise) distribute the latest virus definition file to all of your endpoints in any size environment. We support most AV vendors, so most likely it will work with your AV vendor. If you choose to use our AV solution—which is based on the Kaspersky AV engine—we will also automate scanning and AV management from one console.

  • Manage the use of privileged accounts

Minimizing privileges is an important tactic to protect against many types of malware, including ransomware.

For example, a recently discovered ransomware attack called Petya requires administrator privileges to run, and will do nothing if the user does not grant those privileges. Removing administrator rights is easy, but balancing privileged access, user productivity, and enterprise security is not. Thus the need for privilege management solutions.

The LANDESK security team believes in the importance of privilege management, which is one of the reasons we acquired AppSense, providers of a great solution in this space (among other great tools). The solution will help you to define policies that limit administrative privileges to those that authorized users need to do their work.

However, one thing to consider when protecting against ransomware is that many ransomware attacks are just executables that users are tricked into running. Once executed, those ransomware instances run inside the current user space, and do not require any administrator privileges to do their damage. An updated version of the Petya ransomware attack (mentioned above) has a fallback mechanism that allows it to encrypt files without the need for administrator privileges.

  • Access control

An effective access control solution will help organizations protect against ransomware. However, access control that focuses primarily or exclusively on user access rights will likely prove less than effective.

User-rights-based access control is of limited help for protecting files located on shared drives. That is because at least some users will likely always have legitimate rights to access and modify at least some files on every shared drive. After all, most of those files are document files created by legitimate users.

This means that a ransomware attack that successfully infects the system of a user with legitimate access rights can encrypt and hold hostage all of the files on all connected, shared drives and folders.

LANDESK security solutions offer a different type of access control—one that focuses on the data you want to protect, not on the rights of the users who access it. Using LANDESK software, you can define rules that prevent any program other than those you specify from modifying critical or sensitive documents or files. A rule that, for example, allows only Microsoft Word to modify .doc and .docx files will defeat any attempt by successfully installed ransomware to encrypt such files.

Adding similar rules to protect all Microsoft Office, Adobe PDF, and other frequently used and shared file types will provide the best defense against most ransomware attacks. With such rules in place, even if ransomware gets onto a user’s system, the ransomware will not be able to encrypt protected files. Users will retain access to those files and be able to continue working with minimal to no disruption, and with no need to revert to older, potentially out-of-date backup versions.

(Note that some ransomware attempts to add itself to system startup routines in order to appear as legitimate software. The LANDESK solution also prevents ransomware from doing so successfully.)

Compared to traditional access control, the LANDESK method of focusing on data protection is a more effective defense against ransomware. It relies on understanding the behavior of ransomware, and does not require creation and management of user-specific (and ever-changing) rules. It is therefore also easier to implement and maintain than access control based on user rights management.

  • Software restrictions

LANDESK software also makes it easy to define, implement, and enforce rules that govern how other software behaves. Rules can restrict the ability of designated software to execute, or to create, modify, or read any file, or files located in specific folders, including the temporary folders used by browsers and other programs. Those rules can be applied either globally or to specific users or groups.

However, before implementing such rules, it is important to consider the user experience degradation such rules can introduce.

For example, when installing new or updated software, legitimate users are sometimes required to decompress (“unzip”) or execute files directly from their browsers. Users may also rely upon the ability to create or invoke macros to do their jobs. Software restriction rules may block these otherwise legitimate activities.

  • Disable macros in Office files

This is highly practical advice, as it will block many types of malware, including ransomware.

For example, Locky, a relatively new crypto-ransomware, spread primarily via spam with attachments that entice users to enable macros in Word documents; those macros then download the malware onto the machine. The LANDESK security suite allows IT administrators to set a policy to disable macros. Deploying this policy to users who do not require macros will effectively block this type of ransomware from running.
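As an added example (not LANDESK's own policy mechanism), the following PowerShell enforces the same "disable macros" policy through the Office policy registry values that Group Policy writes, for Word, Excel and PowerPoint, and then audits the result. It goes one step beyond the text by also allowing the "signed macros only" setting for users who genuinely need macros. It assumes Office 2016 (version key 16.0); the value names VBAWarnings and BlockContentExecutionFromInternet are the real Office policy values.

```powershell
# Added example: apply and audit the Office macro policy per user via the registry
# keys that Group Policy uses. Assumption: Office 2016 (16.0); change for other versions.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings meaning: 2 = disable with notification (Office default, users can click "Enable"),
# 3 = disable all except digitally signed macros, 4 = disable all without notification.
function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(2, 3, 4)] [int] $VbaWarnings = 4,
        [switch] $BlockInternetMacros   # also block macros in files that carry the Internet mark-of-the-web
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
        if ($BlockInternetMacros) {
            Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
        }
    }
}

# Audit: confirm the policy actually landed. Anything below 3 (or unset) means a
# user can still run an unsigned macro from a Locky-style attachment.
function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Application   = $app
            VBAWarnings   = if ($null -eq $value) { 'not set (user choice)' } else { $value }
            MacrosBlocked = ($null -ne $value -and $value -ge 3)
        }
    }
}

# Users without a macro requirement: block everything. For users who need macros,
# use -VbaWarnings 3 instead, so only macros signed by a trusted publisher run.
Set-OfficeMacroPolicy -VbaWarnings 4 -BlockInternetMacros
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

These keys are per user (HKCU), which is exactly what a Group Policy User Configuration or an endpoint management tool sets on each workstation; run the audit function on a sample of machines after deployment rather than trusting the deployment report alone.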

Other considerations

The FBI issued additional recommendations intended to increase protection of your environment. Those recommendations are meant to defend against multiple types of malware and other attacks, but if used correctly, they will protect against ransomware as well.

  • Application whitelisting

This solution ensures that only known applications designated as trusted can run on any endpoint. This effectively eliminates the ability of any ransomware to run, since no ransomware is trusted. The biggest challenges to whitelisting success are creating the initial list of trusted applications, and keeping that list accurate, complete, and current.

LANDESK solutions, including AppSense Application Management, offer multiple options for comprehensive, flexible, effective, straightforward whitelisting. And LANDESK makes it easy to create and maintain your whitelists.

For example, the LANDESK solution will automatically “discover” all applications running on “clean” system(s) and will validate application integrity against its own application reputation database. Adding rules to trust applications based on their owners (e.g., authorized admins) and vendors (e.g., Microsoft, Oracle) further reduces the amount of configuration required to create those trusted application lists.
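The discovery-and-trust workflow described above, shown as an added example with Windows' built-in AppLocker rather than LANDESK's own discovery feature: scan a clean reference system, generate publisher rules for signed software (trust by vendor) and hash rules for the rest, then test what the policy would decide for a file before enforcing it. The reference directories and the downloaded file path are assumptions.

```powershell
# Added example: build an AppLocker whitelist from a clean reference machine.
# Run in an elevated PowerShell on that machine; the cmdlets are from the AppLocker module.
Import-Module AppLocker

# Assumption: a clean build runs only what lives in these directories.
$ReferenceDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

function New-BaselineWhitelist {
    param([string[]] $Directories = $ReferenceDirs)
    # "Discover" every executable and script on the clean system.
    $files = foreach ($dir in $Directories) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
    }
    # Publisher rules keep trusting a vendor's signed updates without rule churn;
    # unsigned binaries fall back to hash rules, which must be refreshed when they change.
    New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix Baseline -Optimize
}

# Dry run: what would this policy decide for a given file and user?
function Test-WhitelistDecision {
    param(
        $Policy,
        [string[]] $Path,
        [string] $User = "$env:USERDOMAIN\$env:USERNAME"
    )
    Test-AppLockerPolicy -PolicyObject $Policy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$policy = New-BaselineWhitelist

# Assumed path to a file a user downloaded; anything not covered by the baseline
# reports PolicyDecision = DeniedByDefault, which is what stops an unknown ransomware binary.
Test-WhitelistDecision -Policy $policy -Path "$env:USERPROFILE\Downloads\update.exe"

# When the decisions look right, merge the rules into the local policy. Enforcement
# mode (audit-only first, then enforce) is set per rule collection, and AppLocker
# only enforces while the Application Identity service (AppIDSvc) is running.
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Start with audit-only enforcement and review the AppLocker event log for a week or two; the denials you see there are the list-maintenance work the text warns about, surfaced before anything is actually blocked.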

  • Isolated environments

In most cases, ransomware is distributed as an email attachment. Restricting users to virtualized or containerized environments will ensure that any ransomware that gains access to a user’s system will do no harm to the user’s primary work environment.

BUFFERZONE, a LANDESK ONE partner, offers an elegant threat isolation solution that integrates with LANDESK security solutions.

  • Backup

The FBI paper recommends using timely, frequent backups of critical files as a business continuity consideration. I warned about the shortcomings of backups in my previous blog, but if done right, backups will save the day if you are attacked by ransomware.

However, if you implement the defenses suggested above, especially the access control features offered by LANDESK solutions, you won’t need to rely on backups alone to combat ransomware.
