Given recent high-profile attacks like WannaCry, Petya (NotPetya) and CryptoLocker, ransomware has matured from a niche IT concern into a mainstream one. While there is no shortage of seminars, articles, and vendor solutions outlining best practices to mitigate ransomware and newer cyber extortion threats like malware-based crypto-mining, there is no single solution that protects against all of them. If there were, wouldn't we all be implementing it, and wouldn't its manufacturer be the most profitable vendor?
The fact is that there are multiple steps and best practices that can mitigate this growing problem. Rather than going out and buying the latest and greatest security solution on the market, we would be well served to stop, listen, and master basic security hygiene. To that end, consider these three recommendations, which cover all of the families of ransomware and modern cyber extortion tools. If you can do these three well, you can mitigate the vast majority of the risk from these escalating attack vectors:
End User Education
The average user may not be able to tell the difference between a regular email, a phishing email, or a spear phishing attack. They do, however, understand that if you click on the wrong thing, you may lose all your work and files or infect your computer. If you can translate the threat of ransomware into terms that the average user can understand and remember, then the human element of social engineering can have a definable mitigation strategy.
The vast majority of ransomware arrives via phishing attacks, so the training needs to cover the threat, the identification of phishing emails, and the hard lesson of what happens when you click on one of them. A simple phone call to IT can verify whether an email is legitimate, and we need to instruct team members to check the source before continuing. It is not hard to do, just like looking both ways before crossing the street, but we need to teach all users these safe computing practices.
The worst-case scenario is that you do become infected with cyber extortion-based malware. If you follow law enforcement recommendations, you should not pay the ransom. So how do you recover? The answer: Secure Backups.
Secure Backups
While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up and, most importantly, secured such that infected assets cannot compromise the backup via mapped drives or network shares. The backup should also be tested on a periodic basis to ensure it can restore all files in an uninfected state. A common mistake organizations make is to attempt a restoration before the ransomware infestation has been cleared, so the restored data is infected again and the process repeats until the environment is genuinely purged of the malware.
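As an added example (not code from the original article), the following Python script implements the periodic restore test described above: it records a SHA-256 manifest when the backup is taken and checks a restored copy against it, so a restore pulled from a still-infected environment shows up as modified (encrypted in place) or unexpected (dropped ransom note) files. All file names and contents are constructed in a temporary directory.

```python
"""Backup restore verification: record a SHA-256 manifest of the data set at
backup time, then check a restored copy against it. Added example, not from
the original article; all paths and contents below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256; run this when the backup is made."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest. 'modified' flags files whose content
    changed (e.g. encrypted in place), 'unexpected' flags files that were never in the
    backup (e.g. a ransom note), and 'missing' flags files the restore did not bring back."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: a clean backup, then a 'restore' taken while the host is still infected."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.xlsx").write_bytes(b"quarterly numbers")
        (src / "notes.txt").write_bytes(b"meeting notes")
        manifest = build_manifest(src)  # captured at backup time

        restored = Path(tmp) / "restored"
        (restored / "finance").mkdir(parents=True)
        (restored / "finance" / "q1.xlsx").write_bytes(b"\x8f\x12 ciphertext \x00\xff")  # re-encrypted after restore
        (restored / "README_DECRYPT.txt").write_bytes(b"pay to recover your files")  # ransom note dropped
        # notes.txt never came back from the restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

A clean restore returns three empty lists; anything else means the restore (or the environment it was restored into) is not yet trustworthy.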
Standard User Privileges
Ransomware spreads by leveraging the user's privileges to infect every file within its scope. If the user only has standard user rights, the only data visible is what they hold locally or can reach via a network share. While that scope can already be broad, it is much worse if the user has administrator privileges: then every file visible to an administrator is in scope, and the entire environment is potentially susceptible to infection.
The fact of the matter is that most cyber extortion malware requires administrator privileges just to launch and embed itself in a system. If you reduce a user's rights to those of a standard user, ransomware that tries to install a persistent presence is thwarted because it lacks the privileges to install files or drivers, or even to modify the registry, unless it leverages an exploit to escalate privileges. This is a sound mitigation strategy for the vast majority of malware that needs to own a system before it can begin infecting files for ransomware and cyber extortion purposes.
As we see a disturbing increase in cyber extortion malware, basic cybersecurity hygiene is the best defense to protect your organization from becoming the next victim. Defending against an attack requires a blended approach, from the removal of administrative rights to handling the use cases that leverage social engineering, macros, and vulnerabilities and their corresponding exploits. To be successful, the onus is on every organization to take the necessary steps to prevent malicious software from threatening the network. There is no magic button, no simple tool, and no single strategy that can stop this escalation of threats. However, if you can follow these three necessary security recommendations, your organization can greatly minimize the risk of being the next victim.
About the author: Morey J. Haber, Chief Technology Officer, BeyondTrust