Ransomware Survival Guide

Ransomware is all the rage in the news as more and more people are hit by this particularly tough form of malware. I thought I would walk through one of the more prevalent attack patterns and provide some suggestions on how to combat this.

Let me start off by saying that the ransomware attack is advanced and designed to get through most of the existing security products that are on the market. But since it’s in the news, every security vendor is talking about how they stop ransomware. It’s a common problem in the computer security industry. Everything is good for something and nothing is good for everything. It’s our job to find solutions for the broadest range of problems as possible.

So let’s break this down. The most common form of ransomware attack looks like this:

1. A phishing email with a word attachment is received
2. The word attachment has a macro that puts a downloader on the machine to pull down the actual malware
3. The malware executes and encrypts everything it has write access to

One step at a time:

A. Email

1. Users should be trained to avoid phishing scams. This obviously isn’t 100% but it helps.
2. Your email filter won’t see any malware because at this point it’s just a macro. There are some products that strip macros out of mail attachments, those would work here.
3. Firewall, IPS, Anti-Virus? Sorry, no malware signature to find here, none of this will help you.

B. Word Macros

1. Office should be configured to distrust macros forcing the user to specifically enable them. Again, not 100% effective but helpful.
2. What about sandboxes? Nope, most of them will not find this.
3. Firewalls, Anti-Virus, IPS? Again, nope.

C. Malware Execution

1. This is a good reason to look again at rights management. Maybe not every user needs write access to that key windows share.
2. Now that there’s a bona fide piece of malware coming down to do damage, now will my anti-virus, IPS, firewall, etc. catch it? Nope, sorry. Remember, this is advanced malware and will not be caught by anything looking for a specific signature.
3. What about proxies? This executable has to download the software; doesn’t something in the perimeter security see it? Sorry, but again, a no here. It’s very easy for the downloader software to encrypt or obfuscate the download to get it through your perimeter.
4. How about the new advanced malware end point products that don’t rely on signatures? Depends. There’s some effectiveness here, but again, these pieces of malware are very advanced.
5. A good solution here is whitelisting. Rather than try to catch things that might be bad, you authorize known good executables. This is a good strategy, but hard to maintain if you don’t have control over your desktops.
6. Another good solution involves something called User Behavior Analytics (UBA). These technologies watch user behaviors and automatically disable users when they start to act wonky. A user that opens every file in every directory they can get to and tries to change them as fast as possible is a good working definition of wonky.

In summary, here is your ransomware plan. It starts with things you can do now for free and moves on to some products you could consider:

1. Backups! The most useful tool you’re going to have after a ransomware attack is a good archival strategy. Make sure you’ve got one.
2. User Training. In a properly configured environment, the user will have to make three bad decisions consecutively - open an untrusted email, open the document, and then enable the macros. Good training should minimize this chain of mistakes.
3. Make sure the default settings are to not trust. Cut back write access to shares.
4. Consider products that will strip macros from documents that are emailed from external sources.
5. Consider white list products that only allow known good applications to execute.
6. Consider User Behavior Analytics to minimize the damage a single account can do.

As we work to protect our network with broad solutions, attackers will run to the cracks like cockroaches. Ransomware is challenging, but I think there are still good broad spectrum defenses we can raise. Good luck.