Crypto-Ransomware
- Date: May 18, 2016
- Author: Brad
- Comments: no comments
- Categories: Forensics, malware, ransomware
Ransomware as a Service?
Yes, cyber criminals are using this technique because it is easy, and has a good 'ROI'.
Even cyber criminals are time conscious and use techniques that work. Ransomware will continue to get worse and become more stealthy, and recently the cybersecurity community has continued to see cyber criminals improve their code, making encrypted files near impossible to recover without paying. The Locky malware that is targeting millions of computers is an example of this crypto-ransomware. Ransomware is not new and has been around for a few years, targeting hospitals, local governments, small and large businesses, and even law enforcement agencies. This is a very serious threat to your business and it should be prioritized.
Email and Web-Browsing
So how is ransomware targeting your business and your users? Email and the web browser. Your user receives a spear phishing email (i.e. one that targets a specific user and looks legitimate) and will either open the attachment or click on the URL. Either action causes the user's computer to download the malware, and the encryption of files begins, holding your files for ransom. The FBI does not recommend paying the ransom. Safe email and web-browsing habits should be constantly communicated to your employees. Your users are your human firewall and last line of defense when a phishing email makes it to the inbox, or web filtering doesn't block a particular malicious website.
IT Admins
Recently, you've more than likely been frantically researching processes, configurations, and technologies to implement in your infrastructure to protect your IT assets from ransomware. There are pros and cons with many of the implementations. Remember, if a phishing email makes it to your user, they are clearly the last line of defense, so it starts with training and education of your user base. Consider any of the following in your layered security approach:
- How-To Disable Windows Script Host: YMMV, but we tested this against a Locky malware sample. If you have a server assigned the WSUS role, this may cause an issue, so test in your environment beforehand. However, we would recommend pushing the GPO out to all endpoints, or to a select OU, for testing across multiple endpoints in your environment.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings > Create a new DWORD value named "Enabled" and set value data to "0".
- Software Restriction Policies via GPO: restrict executables (i.e. prevent from running from %TMP% directory). Yes, a software restriction policy may break legitimate applications. Consider whitelisting applications. If you are a GPO expert you can be really creative here with limiting what can run in your environment and monitoring.
- Block Remote Use of Local Accounts: Disable the "Administrator" and any Guest accounts. Create an administrator account with a unique name to your environment. Microsoft has a document here on limiting these critical local accounts on your endpoints (workstations).
- Spam Filtering: Whatever solution you have implemented right now, turn it on HIGH!
- Filter File Extensions (Email & Web): filter inbound email attachments and consider blocking multiple file extensions from being downloaded by users via web browsers.
- Country Blocking: If you are a business and do not have international customers, block those countries! Yes, many cloud technologies leverage data centers globally, but separate policies should be in place to limit egress/ingress connections to these services by certain internal resources.
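As an added example (not code from the original post), the Windows Script Host change from the list above as a PowerShell script that writes the registry value and then verifies it; the function names are my own, and it assumes an elevated prompt on the endpoint being tested:

```powershell
# Added example, not from the original post: disable Windows Script Host
# machine-wide via the registry value described above, then verify it.
# Run from an elevated PowerShell prompt; pilot on one OU first, as the
# post advises (the WSUS caveat applies).

$WshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Set-WshEnabled {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # The Settings key may not exist on a clean machine; create it if needed.
    if (-not (Test-Path $WshSettings)) {
        New-Item -Path $WshSettings -Force | Out-Null
    }
    # REG_DWORD "Enabled" = 0 disables WSH (wscript.exe / cscript.exe) for all users.
    New-ItemProperty -Path $WshSettings -Name 'Enabled' -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Test-WshDisabled {
    # Returns $true only when the value exists and is exactly 0.
    $item = Get-ItemProperty -Path $WshSettings -Name 'Enabled' -ErrorAction SilentlyContinue
    return (($null -ne $item) -and ($item.Enabled -eq 0))
}

Set-WshEnabled -Value 0
if (Test-WshDisabled) {
    Write-Host 'Windows Script Host is disabled (HKLM Enabled = 0).'
} else {
    Write-Warning 'Windows Script Host is still enabled; check permissions or a GPO override.'
}
```

To roll back on a machine where it breaks something, run Set-WshEnabled -Value 1; the same DWORD can be pushed fleet-wide with a Group Policy Preferences registry item instead of running the script per host.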
Open Letter to our Clients
- Never open an attachment from a person you do not know. When in doubt, delete the email.
- Never open an attachment that is suspicious or unexpected without first contacting your systems administrator. When in doubt, delete the email.
- Never click on hyper-links in emails that were sent by people you do not know. When in doubt, delete the email.
- Never click on hyper-links in emails that are suspicious or unexpected without first contacting your systems administrator. When in doubt, delete the email.
- Most importantly, remember that your single click could cripple a company and cost your employer thousands of dollars.
- Be aware that the person that opened an infected attachment will be easily identified, as their username will be on the properties of the encrypted files.