Saturday 13 May 2017

The Anatomy of Ransomware - and How to Prevent It from Impacting You

After the global cyber attack with ransomware, there is much advice out there suggesting the problem would have been prevented with point products, training or procedures.  I'm going to outline a generic ransomware attack below, so that the defences can be understood.  I'm going to outline what you can do as a home user, corporate user, or corporate IT team.


Delivery of Ransomware


Depending on the research you read, you can see that 93-98% of ransomware is delivered by email.  The remaining delivery methods can be via websites, whether a drive-by download, malvertising or malicious website; or via removable media.

As a home user, a good quality endpoint protection solution would be recommended.  Try not to click on email attachments or dubious weblinks, or use removable media you are unsure about.  Look to only have standard user profiles and not administrator rights on your everyday profile, and enter the admin credentials when needed.

As a corporate user, the advice is similar to a home user: try not to click on email attachments or dubious weblinks, or use removable media you are unsure about.

As a corporate IT team, email and web gateway solutions should be protecting the email and web traffic.  The endpoint should have good quality multi layered protection.  Ensure that users do not have local administrator rights.  Sandboxing solutions on the network would analyse the unknown traffic coming into the network and ensure the email, web and endpoint vectors are covered.  Consider device control solutions if removable media is a big entry point into the network.  User education can help, but it needs to be short and regular, and not many hours once a year.

Exploit the Endpoint


The ransomware's next task is to find a vulnerability on the endpoint, in order to exploit it and install the ransomware.  This is when the advice is to patch your operating system, or check and install the updates to your machine.  It's lesser known that the other software on your machine also has vulnerabilities, such as the third party software, like Java, Adobe Reader, etc, as well as the internet browsers and add-ons.

As a home user, change the settings on the operating system and software to automatically check and install the updates. Consider removing applications that are rarely used, as some may not check for updates until they are used.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.  If you are able to run the updates, check regularly.  If you are able to install applications, consider what you are installing and switch on auto updating.

As a corporate IT team, ensure there is a robust patching regime.  Ensure patches are deployed to Microsoft operating systems as close to "Patch Tuesday" as possible, to prevent there being a "Hack Wednesday".  Ensure the patching regime goes beyond operating systems, covering off the third party applications, browsers and add-ons.  Consider Application Control solutions to limit the applications on the endpoints.  With the server environment, consider using IDS/IPS or "Virtual Patching" solutions in order to protect the servers until patch remediation can be carried out in a scheduled maintenance window, allowing for testing of patches prior to deployment.


Installation of Ransomware


The installation of the ransomware will typically be disguised as a system process, so can go undetected by traditional or single layers of defence.

As a home user with the administrator rights removed as mentioned before, the software may not be able to install.  Again a good quality anti-malware solution may help prevent the ransomware from being installed.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.

As a corporate IT team, look to Application Whitelisting, so unknown applications can't be installed.  Whitelisting also checks the fingerprints of known good software, so even if the ransomware is masquerading as a system process, it will not be allowed to execute.  Again good multi layered anti-malware protection and limited local admin rights will help.  Sandboxing solutions should detect this traffic, and consider tools that can monitor file integrity, analyse the memory or offer memory injection protection.
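To make the fingerprint point concrete, here is an added example (not from any whitelisting product) that compares a name-only policy with a hash-based allowlist.  The paths, the byte strings standing in for executables and the function names are all constructed for illustration.

```python
import hashlib

def fingerprint(image: bytes) -> str:
    """SHA-256 of the file content: the fingerprint an allowlist stores."""
    return hashlib.sha256(image).hexdigest()

# Constructed stand-ins for executable images (not real binaries).
GENUINE = b"MZ" + b"constructed known good system binary " * 8
UNKNOWN = b"MZ" + b"constructed unknown binary " * 8
TAMPERED = GENUINE[:-1] + b"!"   # known good image with one byte changed

# Allowlist built from the known good reference image only.
ALLOWLIST = {fingerprint(GENUINE)}
TRUSTED_NAMES = {"svchost.exe"}  # what a name-only policy would trust

def allow_by_name(path: str) -> bool:
    """Weak policy: trusts the file name, which whoever writes the file picks."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in TRUSTED_NAMES

def allow_by_fingerprint(image: bytes) -> bool:
    """Allowlist policy: only content matching a known good hash may run."""
    return fingerprint(image) in ALLOWLIST

# Constructed execution requests: (path, image).
REQUESTS = [
    (r"C:\Windows\System32\svchost.exe", GENUINE),
    (r"C:\Users\alice\AppData\Local\Temp\svchost.exe", UNKNOWN),
    (r"C:\Windows\System32\svchost.exe", TAMPERED),
    (r"D:\tools\renamed-copy.exe", GENUINE),
]

def evaluate(requests=REQUESTS):
    """Return (path, name_policy_allows, fingerprint_policy_allows) per request."""
    return [(p, allow_by_name(p), allow_by_fingerprint(img)) for p, img in requests]

if __name__ == "__main__":
    for path, by_name, by_hash in evaluate():
        print(f"{path:50} name={by_name!s:5} fingerprint={by_hash}")
```

The name-only policy allows the unknown and the tampered file because both are called svchost.exe, while the fingerprint policy allows only the known good content, whatever it is named.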

Command and Control


Once installed, the ransomware will typically talk back to the "Command and Control" servers, which communicate with the ransomware and customise what the machine will do, such as detecting the language settings of the computer and then getting the correct interface installed in the matching language.  A Chinese demand for a ransom would not be very effective on a machine using Russian language.  There can be communication of the unique encryption key as well.

As a home user, besides the reliance on the endpoint protection having a good malware detection and possibly a host-based firewall, there is very little that can be done at this point.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT team, the use of Next Generation Firewalls and/or web gateway solutions should be able to see this traffic travelling to and from the network, and prevent the communication.  Logging or SIEM solutions should be able to take the feeds from various points throughout the network to detect this activity.


Data Encryption


The ransomware will now start to encrypt a portion of each of the files, allowing it to work quickly through all the files.  It will check for connected devices, so it will be able to encrypt network file shares and removable media connected to the machine.  It also knows to leave the operating system files, so the machine is still able to run and demand the ransom.

As a home user, besides the reliance on the endpoint protection having a good malware detection and possibly a host-based firewall, there is very little that can be done at this point, aside from ensuring that there are system backups.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT Team, the anti-malware solution may be able to detect this and stop it from running, or the use of application control could have prevented the application from executing as mentioned before.  Beyond that, the dependence will be on having system backups.
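The file integrity monitoring mentioned under installation can also notice the encryption stage, because encrypting even a portion of a file changes its hash.  The following is an added example, not taken from any product: it assumes the encrypted portion includes the start of each file, and the file names, sample contents and thresholds are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

HEAD = 4096  # bytes inspected at the start of each file (assumed value)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(files: dict) -> dict:
    """Map name -> (SHA-256 of whole file, entropy of the first HEAD bytes)."""
    return {name: (hashlib.sha256(body).hexdigest(), entropy(body[:HEAD]))
            for name, body in files.items()}

def compare(baseline: dict, current: dict, jump=2.0, ratio=0.5) -> dict:
    """Flag files whose hash changed and whose head entropy rose by >= jump bits;
    raise an alert when that is at least `ratio` of the monitored files."""
    changed = sorted(n for n in baseline
                     if n in current and current[n][0] != baseline[n][0])
    suspicious = [n for n in changed if current[n][1] - baseline[n][1] >= jump]
    alert = bool(baseline) and len(suspicious) / len(baseline) >= ratio
    return {"changed": changed, "suspicious": suspicious, "alert": alert}

def _text(tag: str) -> bytes:
    # Constructed document body, about 9 KB of plain text.
    return (f"{tag}: quarterly figures and meeting notes\n" * 200).encode()

# Constructed stand-in for ciphertext: 4096 deterministic, evenly spread bytes.
NOISE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

BEFORE = {n: _text(n) for n in ("budget.txt", "notes.txt", "plan.txt", "report.txt")}
# Constructed "after" state: three files have only their first HEAD bytes
# replaced, and notes.txt received an ordinary edit (one appended line).
AFTER = {n: NOISE + b[HEAD:] for n, b in BEFORE.items() if n != "notes.txt"}
AFTER["notes.txt"] = BEFORE["notes.txt"] + b"action: book room\n"

def run_demo() -> dict:
    return compare(snapshot(BEFORE), snapshot(AFTER))

if __name__ == "__main__":
    print(run_demo())
```

The ordinary edit to notes.txt shows up as changed but not suspicious, while the three files with a high-entropy head trigger the alert, which is the point at which affected machines can be isolated and backups protected.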


Ransom Demand


At this point, whoever you are, all is lost without system/data backups.

The advice is not to pay, as research currently shows that the payment of the ransom will lead to the decryption of the data around two thirds of the time, and increases your possibility of being targeted again.


The Advice

As a home user, don't click on links without validating if they are legitimate, get a good quality endpoint protection solution and patch your computer regularly.  Remember to back up your data, whether to the cloud, portable hard drives or USB devices, and try not to leave physical devices connected when not in use.  Make your account a standard user, so the administrator password is required for tasks that are altering the configuration of your computer.

As a corporate user, don't click on links without validating if they are legitimate, but work with IT, if you think you have.

As a corporate IT Team, ensure the endpoints have good quality malware protection that can be centrally managed and centrally logs information.  Ensure there are web and email gateways installed and configured.  If you don't have a NGFW, consider getting one and using the features available.  Patch the operating systems, applications and browsers on endpoints and servers.  Consider investing in Device and Application Control solutions, if you don't already have them.  Sandboxing solutions will help deal with the unknown and new threats, so are well worth the investment.  Review the rights the users have on their devices, as they typically don't need to be local administrators.  SIEM solutions with security features will help detect this early on.  End user training is important, but keep it short and regular for it to be effective.


Conclusion


Ransomware attacks will continue to happen, but stopping the chain of events as soon and as quickly as possible will minimise the damage.

I hope this guide has been useful in helping understand how ransomware works, and the measures that can be taken to prevent it from impacting you.  If you have any questions, please feel free to email me: blog@andytang.com
