“Just pay the ransom.”
That’s what an FBI official said during the Cyber Security Summit 2015 in Boston several months ago.
However, since then, the FBI has published an official document that warns against ransomware and provides a list of best practices on how to fight it. Oh, and the new document specifically says: “The FBI does not support paying a ransom to the adversary.”
In this post, I will go over the FBI’s recommendations and explain what steps you can put into practice to implement them.
For ransomware, a “detect and respond” model provides little value, since once the ransomware is running, it is too late. That is why prevention is critical to combating ransomware.
The FBI suggests you implement the following prevention methods:
We know now that most ransomware is spread using phishing or spam emails. Just recently, users in the US House of Representatives fell victim to a ransomware campaign reportedly designed to trick users into opening an attachment sent to their Yahoo Mail accounts.
Increasing end-user education and awareness are always good ideas, but it is important to understand that the “bad guys” are professionals. They use many professional marketing and social engineering tools to improve their abilities to trick users into opening fraudulent emails and attachments.
This means that you should assume that even the most educated and aware user may be tricked. In fact, the latest Verizon data breach report found that 23 percent of recipients are opening phishing messages, and 11 percent click on fraudulent attachments. So the odds are against you.
Patch the critical operating systems and applications
Patching for most organizations should be the first or second line of defense against any attack. This holds true for ransomware as well.
Recently, a flaw in Adobe Flash was used by the Locky and Cerber ransomware attacks to distribute themselves to victim workstations.
Making sure each client system’s OS and required third-party applications are up-to-date will prevent many such attacks. A special effort should be made to ensure that all critical patches and updates for applications such as Adobe Flash, Java, Web browsers, and Microsoft Office are kept current. In addition, patch and update deployments should be prioritized based on business needs and policies, and executed in ways that don’t disrupt user or business operations.
Many organizations fear that comprehensive, timely and consistent patching is too complex to execute and maintain, or that it may break critical business applications. However, using the latest patch management tools to scan for missing patches and deploy them to workstations or servers is a straightforward task, even in the most complicated environments.
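As an added example (not LANDESK code), the following PowerShell script uses the Windows Update Agent COM API that ships with Windows to list updates that are not yet installed, grouped by Microsoft’s MSRC severity rating, so the Critical and Important ones can be prioritized. It only sees what Windows Update knows about; third-party applications such as Adobe Flash and Java still need their own update check, which is exactly the gap the text calls out.

```powershell
# Added example: report missing updates by MSRC severity using the built-in
# Windows Update Agent COM API. Run from an elevated PowerShell session on the
# workstation being checked (or remotely with Invoke-Command).
function Get-MissingSecurityUpdates {
    param(
        # Severities that should be treated as "patch now"; all others are scheduled
        [string[]]$UrgentSeverities = @('Critical', 'Important')
    )
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet applied; IsHidden=0: not hidden by an admin;
    # Type='Software': skip driver updates for this report
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        # MsrcSeverity is empty for non-security updates (feature packs, tools)
        $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
        [pscustomobject]@{
            Severity = $severity
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $update.Title
            Action   = if ($UrgentSeverities -contains $severity) { 'Patch now' } else { 'Schedule' }
        }
    }
}

# Alphabetical order happens to put Critical and Important first
$missing = Get-MissingSecurityUpdates | Sort-Object Severity
$missing | Format-Table -AutoSize

# Hand the list to the patch team / ticketing system
$missing | Export-Csv -NoTypeInformation -Path "$env:TEMP\missing-updates.csv"
```

The search can take a minute or two on a machine that has not contacted Windows Update recently; the same `Microsoft.Update.Session` object can also download and install the selected updates, which is what a patch management tool automates across the fleet.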
LANDESK has many years of experience in delivering complete, flexible, end-to-end patch management solutions. Our experts can easily demo how you can efficiently use LANDESK solutions to automate patch management, and to deploy those critical patches with minimal to no disruption to your business or your users.
Ensure that antivirus (AV) software is up-to-date and that regular scans are scheduled
If patch is your first line of defense, AV should be your second line of defense. By now, it is well-known (at least to security researchers) that most ransomware attacks cannot be stopped by traditional, signature-based AV solutions. However, you do not want to fall victim to malware threats already identified and tagged by your AV vendor.
Ensuring that your AV virus definition database is always up to date on all your workstations is the most important element of an effective AV strategy. LANDESK security management software can automate this process for you. Our software can efficiently (bandwidth-wise) distribute the latest virus definition file to all of your endpoints in any size environment. We support most AV vendors, so most likely it will work with your AV vendor. If you choose to use our AV solution, which is based on the Kaspersky AV engine, we will also automate scanning and AV management from one console.
Manage the use of privileged accounts
Minimizing privileges is an important tactic to protect against many types of malware, including ransomware.
For example, a recently discovered ransomware attack called Petya requires administrator privileges to run, and will do nothing if the user does not grant those privileges. Removing administrator rights is easy, but balancing privileged access, user productivity, and enterprise security is not. Thus the need for privilege management solutions.
The LANDESK security team believes in the importance of privilege management, which is one of the reasons we acquired AppSense, provider of a great solution in this space (among other great tools). The solution will help you define policies that limit administrative privileges to those that authorized users need to do their work.
However, one thing to consider when protecting against ransomware is that many ransomware attacks are just executables that users are tricked into running. Once executed, those ransomware instances run inside the current user space, and do not require any administrator privileges to do their damage. An updated version of the Petya ransomware attack (mentioned above) has a fallback mechanism that allows it to encrypt files without the need for administrator privileges.
An effective access control solution will help organizations protect against ransomware. However, access control that focuses primarily or exclusively on user access rights will likely prove less than effective.
Access control based on user rights can hardly be beneficial for protecting files located on shared drives. That is because at least some users will likely always have legitimate rights to access and modify at least some files on every shared drive. After all, most of those files are document files created by legitimate users.
This means that a ransomware attack that successfully infects the system of a user with legitimate access rights can encrypt and hold hostage all of the files on all connected, shared drives and folders.
LANDESK security solutions offer a different type of access control, one that focuses on the data you want to protect rather than on the rights of the users. Using LANDESK software, you can define rules that prevent any program other than those you specify from modifying critical or sensitive documents or files. A rule that, for example, allows only Microsoft Word to modify .doc and .docx files will defeat any attempt by successfully installed ransomware to encrypt such files.
Adding similar rules to protect all Microsoft Office, Adobe PDF, and other frequently used and shared file types will provide the best defense against most ransomware attacks. With such rules in place, even if ransomware gets onto a user’s system, the ransomware will not be able to encrypt protected files. Users will retain access to those files and be able to continue working with minimal to no disruption, and with no need to revert to older, potentially out-of-date backup versions.
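To show what such a data-centric rule looks like in practice, here is an added example that is not LANDESK code: it uses Microsoft Defender’s built-in Controlled folder access, which applies the same idea (only listed executables may modify files in protected folders, regardless of the user’s rights). The folder and application paths are assumptions and must be adjusted to your image.

```powershell
# Added example: data-centric write protection with Microsoft Defender
# "Controlled folder access". Only the executables in $AllowedApps may modify
# files under $ProtectedFolders; anything else (including ransomware running
# as the logged-on user) is blocked and logged. Run elevated.
$ProtectedFolders = @(
    "$env:USERPROFILE\Documents",
    '\\fileserver\shared\contracts'     # assumed UNC path; mapped drives and shares are supported
)
$AllowedApps = @(
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',  # assumed Office install path
    'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
    'C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe'         # assumed Acrobat install path
)

# Start in AuditMode: writes that would have been blocked are only logged
# (event ID 1124), so line-of-business tools missing from the allow list are
# discovered without breaking users. Switch to Enabled once the list is tuned.
Set-MpPreference -EnableControlledFolderAccess AuditMode

foreach ($folder in $ProtectedFolders) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
}
foreach ($app in $AllowedApps) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $app
}

# Show the configuration that is now in effect
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# Review audit (1124) and block (1123) events before and after enforcing
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

After a week or two of audit data, `Set-MpPreference -EnableControlledFolderAccess Enabled` turns the rule into a hard block; any process not on the allow list that tries to rewrite a protected document then fails with an access-denied error and raises event 1123.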
(Note that some ransomware attempts to add itself to system startup routines in order to appear as legitimate software. The LANDESK solution also prevents ransomware from doing so successfully.)
Compared to traditional access control, the LANDESK method of focusing on data protection is a more effective defense against ransomware. It relies on understanding the behavior of ransomware, and does not require creation and management of user-specific (and ever-changing) rules. It is therefore also easier to implement and maintain than access control based on user rights management.
LANDESK software also makes it easy to define, implement, and enforce rules that govern how other software behaves. Rules can restrict the ability of designated software to execute, or to create, modify, or read any file, or files located in specific folders, including the temporary folders used by browsers and other programs. Those rules can be applied either globally or to specific users or groups.
However, before implementing such rules, it is important to consider the user experience degradation such rules can introduce.
For example, when installing new or updated software, legitimate users are sometimes required to decompress (“unzip”) or execute files directly from their browsers. Users may also rely upon the ability to create or invoke macros to do their jobs. Software restriction rules may block these otherwise legitimate activities.
Disable macros from office files
This is highly practical advice, as it will block many types of malware, including ransomware.
For example, Locky, a relatively new crypto-ransomware, spread primarily via spam with attachments enticing users to enable macros in Word documents that download the malware onto machines. The LANDESK security suite allows IT administrators to set a policy to disable macros. Deploying this policy to users who do not require macros will effectively block those types of ransomware from running.
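As an added example, not LANDESK code, the following PowerShell script applies the same “disable macros” policy with the Office policy registry keys that Group Policy, Intune or any software-distribution tool can push. The version number `16.0` assumes Office 2016 or later (Office 2013, the version current at the time of Locky, uses `15.0`); the value names are Microsoft’s documented policy settings.

```powershell
# Added example: enforce macro blocking for Word, Excel and PowerPoint through
# the Office policy hive. Settings under ...\Policies\... are enforced by Office
# and cannot be changed by the user from the Trust Center. Run in the target
# user's context, or deploy the same keys through GPO/Intune.
$officeVersion = '16.0'                 # assumption: Office 2016/2019/365; use '15.0' for Office 2013
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    # Use 3 for groups that run signed in-house macros; 4 for everyone else.
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord

    # Block macros outright in files carrying the Mark of the Web, i.e. anything
    # downloaded from the internet or saved from an email attachment (Office 2016+).
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Verify the effective policy values
foreach ($app in $apps) {
    Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Because the Locky lure depended on the user clicking “Enable Content”, value 4 removes that prompt entirely: the document opens, the macro never runs, and there is nothing for the user to be tricked into clicking.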
The FBI issued additional recommendations intended to increase protection of your environment. Those recommendations are meant to defend against multiple types of malware and other attacks, but if used correctly, they will protect against ransomware as well.
Application whitelisting ensures that only known applications designated as trusted can run on any endpoint. This effectively eliminates the ability of any ransomware to run, since no ransomware is trusted. The biggest challenges to whitelisting success are creating the initial list of trusted applications, and keeping that list accurate, complete, and current.
LANDESK solutions, including AppSense Application Management, offer multiple options for comprehensive, flexible, effective, straightforward whitelisting. And LANDESK makes it easy to create and maintain your whitelists.
For example, the LANDESK solution will automatically “discover” all applications running on “clean” system(s) and will validate application integrity against its own application reputation database. Adding rules to trust applications based on their owners (e.g., authorized admins) and vendors (e.g., Microsoft, Oracle) further reduces the amount of configuration required to create those trusted application lists.
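The discovery-from-a-clean-system workflow described above can be reproduced with the AppLocker cmdlets built into Windows; the script below is an added example and is not LANDESK or AppSense code. It inventories a reference machine, prefers publisher (vendor-signature) rules over per-file hashes, tests the result, and deploys it in audit mode first. The directory list is an assumption; enforcement requires the AppLocker-capable Windows SKUs and the Application Identity service.

```powershell
# Added example: build an application whitelist from a known-clean reference
# machine with the built-in AppLocker cmdlets, then roll it out in audit mode.
# Run elevated on the reference machine.
Import-Module AppLocker

# 1. Discover executables, scripts and installers in the standard locations.
#    (DLL rules are possible but costly to maintain; left out here.)
$dirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # assumed reference layout
$files = $dirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Generate rules: publisher rules for signed vendor binaries (survive updates),
#    hash rules as a fallback for unsigned files. No path rules, since a path rule
#    on a user-writable folder would let any dropped file run.
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Audit only: violations are logged, nothing is blocked yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy | Out-String | Out-Null
Set-AppLockerPolicy -PolicyObject $policy

# 4. Sanity check: which binaries on this machine would be denied once enforced?
Get-ChildItem 'C:\Program Files' -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy ([string]$policy.ToXml()) -User Everyone -Filter Denied, DeniedByDefault

# 5. The Application Identity service must run for AppLocker to do anything.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 6. While in audit mode, review what would have been blocked and fold
#    legitimate findings back into the reference set before enforcing.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Select-Object -First 25
```

Once the audit log stops showing legitimate business applications, setting `EnforcementMode` to `Enabled` on each collection and re-applying the policy (or distributing the exported XML through Group Policy) turns the list into a hard block; an executable delivered by phishing is neither signed by a trusted publisher nor present in the hash list, so it is denied by default.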
In most cases, ransomware is distributed as an email attachment. Restricting users to virtualized or containerized environments will ensure that any ransomware that gains access to a user’s system will do no harm to the user’s primary work environment. BUFFERZONE, a LANDESK ONE partner, offers an elegant threat isolation solution that integrates with LANDESK security solutions. You can find more information about
The FBI paper recommends timely, frequent backups of critical files as a business continuity consideration. I warned about the shortcomings of backups in my previous blog, but if done right, backups will save the day if you are attacked by ransomware.
However, if you implement the defenses suggested above, especially the access control features offered by LANDESK solutions, you won’t need to rely on backups alone to combat ransomware.