You are a security professional and you have just arrived at work, bright and early on a Monday morning. What could ruin this otherwise beautiful day more than a report of ransomware on a computer?
Answer: Worm-enabled ransomware making its way through your unpatched network. If ransomware is bad, then wormable ransomware is pure evil.
Malware is classified as a worm if it can replicate itself to other computer systems, usually over the network. So while ordinary ransomware encrypts the files on one user’s computer, worm-enabled ransomware encrypts the files of one user, then replicates to other computers on the network and encrypts files on those systems as well. And the process just keeps going and going.
As a security professional in this environment, you are faced with multiple challenges:
1. How do I stop the spread of the worm?
Because the ransomware is replicating via the network, you are looking at the very real possibility of shutting down the network until you can get everything patched.
2. How do I identify the already-infected machines?
Some of the infections might not be readily apparent yet, but don’t worry, you will find out about them eventually. The sooner you identify impacted systems, the more options you have to mitigate and stop the spread.
3. Do I have backups for every machine that got infected?
With a worm, it is possible that both servers and workstations are impacted. You probably use different backup and recovery strategies for servers and workstations. These differences can make recovery slower, or impossible for some types of systems.
4. How much effort will there be in reimaging or rebuilding workstations that were locked?
Sometimes the easiest way back to full productivity is to swallow the loss of files and reimage the workstations. If the worm has infected dozens or hundreds of systems, that might be very time-consuming.
5. Do I pay the ransoms for encrypted files?
Now you are looking at multiple workstations and servers, each of which has a separate encryption key. Paying ransoms becomes a much more expensive proposition.
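Because the worm spreads by reaching out from each infected host to many others, one early signal for question 2 is outbound fan-out on file-sharing ports. The script below is an added example, not code from the post or from LANDESK; it assumes a constructed "time src dst port" log format and flags any source that reaches five or more distinct peers on SMB ports within sixty seconds.

```python
# Flag hosts showing worm-like fan-out: one source reaching many distinct
# internal peers on a file-sharing port inside a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/NetFlow-style records (assumed format): "<ISO time> <src> <dst> <dport>"
SAMPLE_LOG = """\
2017-05-15T08:01:02 10.0.1.20 10.0.1.21 445
2017-05-15T08:01:03 10.0.1.20 10.0.1.22 445
2017-05-15T08:01:03 10.0.1.20 10.0.1.23 445
2017-05-15T08:01:04 10.0.1.20 10.0.1.24 445
2017-05-15T08:01:05 10.0.1.20 10.0.1.25 445
2017-05-15T08:01:07 10.0.1.21 10.0.1.22 445
2017-05-15T08:01:08 10.0.1.21 10.0.1.23 445
2017-05-15T08:01:09 10.0.1.21 10.0.1.24 445
2017-05-15T08:01:10 10.0.1.21 10.0.1.25 445
2017-05-15T08:01:11 10.0.1.21 10.0.1.26 445
2017-05-15T08:05:00 10.0.1.50 10.0.1.5 445
2017-05-15T09:00:00 10.0.1.50 10.0.1.6 445
"""

SMB_PORTS = {139, 445}  # NetBIOS session and direct SMB

def parse(log):
    """Yield (timestamp, src, dst, port) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def flag_fanout(log, peer_threshold=5, window=timedelta(seconds=60)):
    """Return {src: sorted peers} for sources that hit >= peer_threshold distinct
    hosts on SMB ports within any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - start <= window}
            if len(peers) >= peer_threshold:
                flagged[src] = sorted(peers)
                break
    return flagged

if __name__ == "__main__":
    for host, peers in flag_fanout(SAMPLE_LOG).items():
        print(f"{host} reached {len(peers)} SMB peers within 60s: {peers}")
```

A host that trips this check is a candidate for isolation and a closer look, while a normal file server client such as 10.0.1.50 in the sample stays below the threshold.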
By adding the ability for ransomware to replicate to other machines on the network, the impact to the organization goes up exponentially.
So, what can you do to prevent this nightmare?
- Patch all your systems – Worms replicate through the network by exploiting unpatched systems, typically operating systems. If your systems are patched, the worm has nowhere to go. LANDESK and Shavlik will give you the ability to patch workstations and servers against this kind of worm replication.
- Invest in application whitelisting technology – AppSense Application Manager lets you configure which applications are allowed to modify which files. This stops the ransomware encryption dead in its tracks.
- Control the use of admin privileges – If your users run with privileged accounts, the ransomware has more ability to encrypt files, even on the network. Reducing privileges limits the damage that ransomware can create. AppSense Application Manager software will help limit the extent to which ransomware can encrypt files.
- Invest in recoverability – When a system gets compromised, your ability to restore to a known-good configuration is key to recovering from the attack. AppSense Environment Manager will allow you to easily and quickly restore infected systems.
While ransomware is becoming a significant issue for many IT shops, adding worm delivery to ransomware could completely upend your business, unless you have invested in the proper technologies and capabilities to deal with the threat before it enters your environment.
See how LANDESK Security Suite (LDSS) can protect you from wormable ransomware and check out our free white paper below.