Avoid Ransomware Attacks by Removing Attack Vectors

Rook Security
Published in SECOPS, May 19, 2016

As seen on the RSA Conference blog, Dan Ford of Rook Security helps readers answer some important questions about ransomware attacks, including whether the victim should pay and how to mitigate future attacks. A link to the original coverage is given at the end of this post. Below are his full thoughts:


To date there are around 54 different families of ransomware, and each one has multiple variants. Every day brings a new ransomware victim, and unlike most of the malware that came before it, ransomware is not after your information or a lasting foothold in your network. It just wants your money.

Should I pay? Can my files be decrypted? How did this happen? These questions get asked a lot when a user or company gets infected with ransomware. I’ll share an introduction to ransomware that will answer these questions, followed by ways companies can avoid future ransomware attacks by ridding themselves of certain attack vectors.

Should I pay?

If the affected system is business critical and you cannot afford any downtime, you might want to consider it. That is the problem with most ransomware: the attackers count on hitting mission-critical devices on your network so that you have to pay. Bear in mind that payment buys only the attacker's promise. There is no guarantee that the decryptor they send will work, so the decision should be weighed against how quickly you could restore from backup instead.

Can my files be decrypted?

Most of the time the answer is no. Ransomware uses standard, strong encryption, and recovering the key by brute force is not feasible on any timescale a business could wait for. There is a silver lining, though. Some older ransomware families have fatal flaws, such as keeping the decryption key in memory or on the hard drive, and for those a free decryptor may exist. If you suspect one of these, capture a memory image of the infected machine before powering it off, since a key that is held only in memory is lost on reboot.

How does this happen?

Most ransomware in circulation right now relies on the user either clicking a malicious link or downloading a malware program that, in turn, downloads the ransomware. More recently, several families, TeslaCrypt among them, have used malvertising (injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages), with JavaScript served alongside the ad leading the browser to download and run the ransomware. This means that simply visiting a site whose ads run such a script in the background can get the ransomware downloaded and executed without your knowledge. In practice the script usually hands the browser to an exploit for an unpatched browser or plugin, so keeping browsers and plugins current closes much of this vector.

How can I prevent this from happening again?

What many don't understand is that most ransomware attacks can be prevented quite easily. While nothing is a sure thing, cutting down on the following attack vectors can keep your company from losing big money:

  • Avoid mapping network drives whenever possible, and hide any network shares that are required. Appending a ‘$’ to the share name hides it from browsing: WNetOpenEnum() will not enumerate hidden shares. Treat this as obscurity rather than access control. A hidden share is still reachable by anyone who knows its UNC path, and ransomware running under a user's account can still encrypt anything that account can write to, so pair hidden shares with least-privilege share and NTFS permissions.
  • Be vigilant and aggressive in blocking file extensions via email. Blocking *.js and *.wsf attachments and scanning the contents of *.zip files may already be in place as basic filtering, but there are further avenues to explore. Consider blocking *.zip attachments outright if there is no business requirement for them. Also consider abolishing the *.doc and *.rtf document formats in favor of *.docx, which cannot contain macros. Note that the macro-enabled *.docm, *.dotm and *.xlsm formats can, and that Office opens a file based on its content rather than its name, so the filter should look at the file itself (an OLE compound file, or a zip container holding a vbaProject.bin) and not only at the extension.
  • Install ad-blockers and script-blockers as the standard loadout for all workstations. Drive-by malware is growing rapidly and is extremely prominent in today's technology ecosystem, and blockers cut off this vector of infection.
  • Keep backups of all critical assets (domain controllers, file shares, etc.) so that you can restore should the measures above fail to prevent a future ransomware incident. Because ransomware encrypts anything it can write to, a backup that sits on a mapped drive or an always-connected share will be encrypted along with the originals; keep at least one copy offline or otherwise unreachable from workstations, and test restores regularly.
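
Here is an added worked example of the email-filtering measures above (not code from the original post or from Rook Security), written in Python: it parses an inbound message, flags attachments by extension, looks inside *.zip archives for scripts hiding under a double extension such as invoice.pdf.js, and checks Office documents by content as well as by name, treating a zip container that holds a vbaProject.bin as macro-enabled and an OLE compound file as a legacy *.doc whatever it is called. The extension lists, the finding names and the sample messages are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extension lists are assumptions for this example; tune them to your own mail policy.
BLOCKED_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".scr", ".exe", ".cmd", ".bat", ".ps1", ".jar"}
# Legacy and macro-enabled Office formats the post suggests retiring in favour of .docx.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".rtf", ".xls", ".docm", ".dotm", ".xlsm", ".pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header (.doc, .xls)
MAX_ZIP_DEPTH = 2             # archives nested deeper than this are flagged, not opened
MAX_ENTRY_BYTES = 10_000_000  # refuse to inflate huge entries (zip bombs)


def _ext(name):
    # Lower-cased final extension, so "Invoice.PDF.JS" is judged by ".js".
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_blob(name, data, depth=0):
    """Return (finding, path) tuples for one attachment body, recursing into .zip archives."""
    findings = []
    ext = _ext(name)
    if ext in BLOCKED_EXTENSIONS:
        findings.append(("blocked-extension", name))
    if ext in MACRO_CAPABLE_EXTENSIONS:
        findings.append(("macro-capable-extension", name))
    # Content checks: Office opens a file by what it contains, not by what it is called,
    # so a legacy binary .doc renamed to .docx still opens as a .doc.
    if data.startswith(OLE_MAGIC) and ext not in MACRO_CAPABLE_EXTENSIONS:
        findings.append(("ole-content-mismatch", name))
    if data[:2] == b"PK":  # OOXML documents and .zip archives are both zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entries = zf.infolist()
                # Macro-enabled OOXML carries a vbaProject.bin whatever its extension says.
                if any(e.filename.lower().endswith("vbaproject.bin") for e in entries):
                    findings.append(("ooxml-contains-vba", name))
                if ext == ".zip" and depth >= MAX_ZIP_DEPTH:
                    findings.append(("zip-nesting-too-deep", name))
                elif ext == ".zip":
                    for e in entries:
                        inner = f"{name}/{e.filename}"
                        if e.is_dir():
                            continue
                        if e.file_size > MAX_ENTRY_BYTES:
                            findings.append(("oversized-zip-entry", inner))
                            continue
                        findings.extend(inspect_blob(inner, zf.read(e), depth + 1))
        except zipfile.BadZipFile:
            findings.append(("corrupt-zip", name))
    return findings


def screen_message(raw_bytes):
    """Parse one RFC 822 message and screen every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_blob(name, data))
    return findings


# --- Constructed sample input for the example (not real mail) ---

def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, body in entries.items():
            zf.writestr(entry_name, body)
    return buf.getvalue()


def build_sample_message(filename, attachment):
    """Constructed invoice-lure message carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.com", "user@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Script under a double extension inside a zip: the pattern that *.zip scanning is meant to catch.
SAMPLE_JS_IN_ZIP = build_sample_message("invoice.zip", _zip_bytes({"invoice.pdf.js": b"var x = 1;"}))
# Macro-enabled document renamed to .docx: the extension is clean, the content is not.
SAMPLE_DOCM_RENAMED = build_sample_message(
    "report.docx", _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}))
# Legacy binary .doc renamed to .docx.
SAMPLE_DOC_RENAMED = build_sample_message("memo.docx", OLE_MAGIC + b"\x00" * 64)
# Genuine macro-free .docx, which should produce no findings.
SAMPLE_CLEAN_DOCX = build_sample_message(
    "report.docx", _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}))
```

Run screen_message() over the raw bytes of a message from your gateway or mailbox; each finding is a (reason, path) pair, and the path of a file inside an archive is written archive/entry. Recursion stops at MAX_ZIP_DEPTH and entries larger than MAX_ENTRY_BYTES are flagged rather than inflated, so a nested or oversized archive cannot stall the filter.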

Finally, be sure to provide basic end-user awareness training on typical phishing e-mail campaigns and the do's and don'ts of general web surfing and corporate email. Ransomware, like most other malware, relies heavily on the average end user's lack of technical knowledge to get in and run. Arming personnel with that knowledge, and putting corporate policy in place to govern web surfing and email handling, reduces the chances of a phishing scam or drive-by download succeeding.

Daniel Ford is a Security Engineer and Forensic Analyst at Rook Security, a global IT security solutions provider.

See more at: http://www.rsaconference.com/blogs/avoid-ransomware-attacks-by-removing-attack-vectors
