Proactive defense against common ransomware delivery
We as security practitioners often remind others, good cyber hygiene and best practices in security controls will go a long way in effectively defending against ransomware and malware in general. In this follow up post, we analyze several key delivery techniques utilized by most ransomware variants and provide “best bang for your buck” counter measures that can often be implemented relatively quickly and cheaply even if your environment lacks a “next-gen” security product or service.
First, let’s dive into some common delivery methods and tactics. To deliver the initial exploit, an attacker often uses bait to launch the attack; this can be achieved by sending the payload to the victim via phishing emails, malicious links, infected attachments, malicious ads, or a compromised website. The following are the most common techniques ransomware has been observed to leverage and find its way onto a victim’s computer.
It is far easier to trick someone into clicking a malicious link in a seemingly legitimate email than trying to break through a computer’s defenses. Typically, a victim would receive a message that appears to have been sent by a known contact or organization, containing an attachment or a link. They often use financial-themed subjects to create a sense of urgency which trick a user to open without thinking.
FW:Expenses Report # xxxx
RE: Additional information needed # xxxx
These emails may also include a file attachment. Typically purporting to be documents or spreadsheets, but weaponized to compromise the computer when interacted with. The most common approach is embedding macros into the Office document, which is a payload written in Visual Basic for Applications (VBA) that will execute once an unsuspecting victim allows the runtime. To encourage the victim to allow macros, the document may advise that macros are needed in order to correct the text encoding. Once allowed, instead of correcting the text encoding, an executable is downloaded from a remote server and executed, completing the infection.
Another common file attachment technique is file extension hiding. A bad actor may try to deliver an executable file inside of a compressed archive attachment such as a ZIP file. Renaming the executable inside the ZIP file to something like “deposit.pdf.exe” to trick the user into thinking it is safe. Another variation is obscuring the real file extension by using numerous spaces before the “.exe” in the filename, like: “deposit.pdf .exe” — so the “.exe” does not appear on the screen and tricks the victim into thinking it is a PDF file. In this scenario, once the executable file is run, infection is complete.
This variant of ransomware delivery relies on the user clicking a link from the phishing email. The link then may take the user to a website that infects the system via a series of redirects (such as an exploit kit or malvertising-induced drive-by download) or downloads the malware directly with the click of the embedded link (such as embedded link to http://website.com/evil.exe).
Drive-by downloads focus on un-patched vulnerabilities in Windows and other installed software to silently infect your machine with little to no user interaction required, this malware “auto-installs” without the usual prompts about saving or running downloaded files. Even when visiting a legitimate website, users must remain vigilant as legitimate websites can be compromised to host malicious scripts or ads that redirect to exploit kits and malware payloads.
Similar to visiting a compromised website, malvertising is executed by hiding malicious code within online advertisements. These ads include active scripts that are built to download malware or force undesirable content to the victim’s computer when once page is loaded with ads. Malvertisers often rely on Adobe Flash, Adobe PDF, and Java vulnerabilities to spread malware because these browser plugins are highly prone to security vulnerabilities.
Defenses that can be implemented to defend against such common delivery methods:
- Spam Filters — Enabling filters won’t catch every malicious email, but can stop a significant number of malicious emails, especially if the filter rules are tuned and updated.
- External Tags — If your mail server allows such functionality, configure email messages received from external systems to be marked with a tag in the subject line (such as “[External]” and “[Attachment]” to make users aware that the message originated from an external party and to treat anything contained in or attached to that message with caution. Accordingly, if an employee receives an email purporting to be from another employee, but with an [External] tag, that should raise a red flag.
- Block High-Risk File Types — Block email messages with commonly abused file formats attached to the message such as executable, ZIP, RAR, 7z, Office documents with macros, scripts, and other high-risk file formats. Check out this list of high-risk file types to block based on extension. As extensions can be easily manipulated or obfuscated, blocking file formats based on content inspection (e.g. file headers) is more effectively than blocking solely based on extension.
- Always Show File Extensions — Windows Explorer hides file name extensions by default, however you can make file name extensions visible by following this simple solution.
- Training — Focus on user awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on basic information security principles and techniques including how to spot phishing emails and other social engineering techniques.
- Configure Ad Blocker — Install and configure an ad blocker plugin in browsers, which can help disrupt malvertising and other drive-by download vectors.
- Disable/Uninstall Flash -– find “Adobe Flash Player” in the “Programs and Features” and bring up the uninstall dialog. Google Chrome provides a built-in (and arguably more secure) version of Flash Player which can be disabled by accessing the Chrome plugins page by typing chrome://plugins in the address bar.
- Disable Java Browser Integration — This will prevent malicious websites from loading the Java browser plugin to silently install malware. In Java’s settings on the Security tab, uncheck the “Enable Java content in the browser” checkbox. This will disable the Java plug-in in all browsers on your computer.
- Disable PDF Reader plug-ins — Disabling the PDF Reader plug-in will result in your downloading PDFs to view in a PDF Reader application rather than viewing it in your browser, saving the user from loading a page with code that attacks PDF Reader vulnerabilities. Alternatively, there are non-Adobe PDF Reader software such as Sumatra PDF, which is not as commonly targeted as Adobe.
- Maintain Up-to-Date Patch Management — Patch all endpoint device operating systems, software (including web browsers), and firmware as vulnerabilities are discovered. The danger is that patches have already been released, which means the attackers know exactly what’s vulnerable with an unpatched machine.
- Enable AppLocker — Allows the organization to specify which users or groups can run particular applications based on unique identities of files. This allows to create rules for your desktops to prevent execution of unknown executables. Windows AppLocker
- File and Share Permissions — Least privilege access should be enforced for users’ ability to run and install software and access network shares. Users should not be allowed to run or install software as local admin by default. Permitting users to run their web browsers and any downloaded or attached files as local admin facilitates malware such as ransomware executing unimpeded as local admin. Similarly, share permissions should be as granular as possible. For example, if an infected user is restricted to read-only permissions for critical network shares, ransomware will be unable to encrypt or delete the files in that share from the infected user’s workstation.
- Anti-Virus Protection Software — Maintain up-to-date antivirus, but do not rely on antivirus as it is trivial for ransomware to evade detection, hence the best malware and antivirus tool is prevention.
Understanding the individualized ransomware delivery tactics, allows us to determine what countermeasures and defense techniques can be put in place to obscure the delivery process.