The Ransomware Scare: A Tell-All Interview With CSO Phil Richards

As ransomware attacks continue to grow, we are asking our IT security experts to give us the lowdown on the cybersecurity crisis.

LANDESK’s Chief Security Officer Phil Richards began his career as a software developer in 1982. Since that time, he has worked as a development manager, software architect, security professional, technical support manager, and database architect.

Since 2002, Richards has been working as a security professional in a variety of industries. All of these experiences have given him a solid understanding of the role of IT within an organization.

Q: How big of a problem is ransomware today? 

A: New variants of ransomware are appearing daily. This indicates that there is a large number of criminals who are using ransomware as a primary means of generating income.

Ransomware is only going to become more sneaky as it catches more of our users, locking them out of their drives.

Q: Why is it such a large problem?

A: It is such a large problem because it is easy and low-cost to set up. The bad guys aren’t getting better; if anything, they’re getting lazier. Many of the ransomware variants are of such low quality that they are quickly unlocked. There are repair kits available for several of the ransomware variants because of this low-quality issue.

Q: What’s the number one way to protect against ransomware? 

A: Limiting it to one thing to protect against ransomware is difficult. Always, the most important thing you can do is to keep your systems fully patched. Patch all of your operating systems and applications. Ransomware gets on systems via exploits, and exploits usually happen because of unpatched software.

Since ransomware is delivered via email, another thing you can do is user education on how to identify email phishing attacks. In conjunction, you can deploy an email gateway that has the ability to identify email phishing and will move those emails to a quarantine environment. Also, to lower the chance of spoofed email messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.

It is also a good recommendation to remove or minimize the use of administrative privileges.

I recognize this isn’t one thing, but doing only one thing is never the right answer. It is better to handle defense in depth, by employing multiple controls.

On the recovery side, it is important to keep good, current backups and perform test restores. That way, if you are impacted by ransomware, you have the ability to restore and recover.

Q: How is ransomware generally delivered?

A: Ransomware is delivered through email. An email is sent to an unsuspecting recipient that contains either a file that contains malware, or points to a website that contains malware. The malware payload will attempt to exploit unpatched vulnerabilities on your system—which is why it is so important to patch.

If the malware is able to exploit a vulnerability, it will take control of your system and attempt to encrypt files that have extensions like .docx, .txt, .ppt, etc. Some ransomware will extend this behavior to network drives. At this point, the malware will change your desktop wallpaper to be the message that informs you that your files have been locked and directs you how to make a payment.

Q: How can LANDESK help companies prevent ransomware?

A: LANDESK has software solutions that protect customers from ransomware in many different ways. LANDESK Management Suite and Shavlik provide complete, robust patching solutions for operating systems as well as applications that can be targeted for ransomware exploits.

AppSense Application Manager provides advanced application whitelisting, which stops ransomware from running. Additionally, it helps minimize the spread of administrative user credentials, which limits the damage that ransomware can do.

Finally, AppSense DataNow provides full recovery capability for configuration data and systems that get infected with ransomware.