Ransomware as a Service?
Yes, cyber criminals are using this technique because it is easy and has a good 'ROI'. Even cyber criminals are time conscious and use techniques that work. Ransomware will continue to get worse and become more stealthy, and recently the cybersecurity community has continued to see cyber criminals improve their code, making it near impossible to decrypt. The Locky malware that is targeting millions of computers is an example of this crypto-ransomware. Ransomware is not new and has been around for a few years, targeting hospitals, local governments, small and large businesses, and even law enforcement agencies. This is a very serious threat to your business and it should be prioritized.
Email and Web-Browsing
So how is ransomware targeting your business and your users? Email and the web browser. Your user receives a spear phishing email (i.e. one that targets a specific user and looks legitimate) and will either open the attachment or click on the URL. Either action will cause the user's computer to download the malware, and the encryption of files begins, which holds your files for ransom. The FBI does not recommend paying the ransom. Safe email and web-browsing habits should be constantly communicated to your employees. Your users are your human firewall and last line of defense when a phishing email makes it to the inbox, or web filtering doesn't block a particular malicious website.
IT Admins
Recently, you've more than likely been frantically researching processes, configurations, and technologies to implement in your infrastructure to protect your IT assets from ransomware. There are pros and cons with many of the implementations. Remember, if a phishing email makes it to your user, they are clearly the last line of defense, so it starts with training and education of your user base. Consider any of the following in your layered security approach:
- How-To Disable Windows Script Host: YMMV, but we tested this against a Locky malware sample. If you have a server assigned the WSUS role, this may cause an issue, so test in your environment beforehand. We would recommend pushing the GPO out to all endpoints, or to a selected OU containing multiple endpoints, in your environment for testing.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings > Create a new DWORD value named "Enabled" and set value data to "0".
- Software Restriction Policies via GPO: restrict executables (e.g. prevent them from running from the %TMP% directory). Yes, a software restriction policy may break legitimate applications. Consider whitelisting applications. If you are a GPO expert you can be really creative here in limiting what can run in your environment and in monitoring it.
- Block Remote Use of Local Accounts: Disable the "Administrator" and any Guest accounts. Create an administrator account with a unique name to your environment. Microsoft has a document here on limiting these critical local accounts on your endpoints (workstations).
- Spam Filtering: Whatever solution you have implemented right now, turn it on HIGH!
- Filter File Extensions (Email & Web): filter inbound email attachments and consider blocking multiple file extensions from being downloaded by users via web browsers.
- Country Blocking: If you are a business and do not have international customers, block those countries! Yes, many cloud technologies leverage data centers globally, but separate policies should be in place to limit egress/ingress connections to these services by certain internal resources.
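The WSH item above gives the registry value but not a way to check it; this added PowerShell script (not from the original post) audits the current state, applies the "Enabled = 0" setting with -WhatIf support, and then confirms with a constructed harmless .vbs that Windows Script Host really refuses to run. It assumes an elevated session on the endpoint under test; the function names and the probe file are this example's own.

```powershell
# Added example: audit, apply and verify the WSH "Enabled = 0" control
# described in the list above. Run elevated; test on a lab OU first.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Absent value = WSH allowed; 0 = disabled; anything else = enabled
    $item = Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Wsh {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $WshKey)) {
        New-Item -Path $WshKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($WshKey, "Set DWORD 'Enabled' = 0")) {
        New-ItemProperty -Path $WshKey -Name 'Enabled' -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }
}

function Test-WshRuns {
    # Constructed benign probe: returns $true if cscript still executes it.
    # Note: if an SRP already blocks %TMP% (see the next item in the list),
    # a failure here may come from SRP rather than the WSH setting.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "ok"'
    $out = & cscript.exe //Nologo $probe 2>&1
    Remove-Item $probe -ErrorAction SilentlyContinue
    return (@($out | Where-Object { "$_" -eq 'ok' }).Count -gt 0)
}

Write-Host "WSH state before: $(Get-WshState); script runs: $(Test-WshRuns)"
Disable-Wsh -WhatIf          # dry run; remove -WhatIf to apply the change
Write-Host "WSH state after:  $(Get-WshState); script runs: $(Test-WshRuns)"
```

For fleet-wide auditing, Get-WshState can be wrapped in Invoke-Command against the test OU before the GPO is rolled out more widely.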
Open Letter to our Clients
**Important** Please share with all your employees and be vigilant.
Dear Client: We have seen a surge of undetectable ransomware infections going around lately. Ransomware is an encryption virus. The virus silently encrypts data on not only your PC, but also your server and other devices on your network, rendering it inaccessible. Once it is done, you will no longer have access to your data unless you pay the demanded “ransom” or have a means of data restoration that has remained unencrypted. The only solution to regain access to your data, in the event of an encryption event like this, is to either pay the ransom or revert to your backups. This being the case, we cannot emphasize enough the importance of your business having more than one backup method and more than one backup device securely in place. Something very disturbing that we are seeing is that zero-day variants of this virus are making it past many hosted SPAM filters and many gateway-level scanning engines, and are even going undetected by many popular antivirus packages. This being the case, it is imperative that you never open attachments from senders that are unknown to you. It is also imperative that you inform your staff that they must never open attachments from senders that are unknown to them, and we recommend that they be forbidden to check personal email on company PCs. Subject lines such as “You have a Package from FedEx” or “Invoice for Services” often entice an end user to open the attachment. Other users will open the attachment thinking it must be safe because it is only a Microsoft Word file, not realizing there is macro code within it. The writers of the crypto-virus are becoming more and more clever in their attempts to lure you to execute or open the attachment, or to click on hyperlinks to websites that can deliver the payload.
We are finding that there is also a delay from the time the attachment is opened to the time the payload begins encrypting data on the device and network, further complicating the matter because the end user does not associate the cause (opening the attachment) with the effect (encrypted, inaccessible data). We go to great lengths to ensure that our clientele have assets in place to prevent infections such as these; however, nothing in technology is bullet-proof, and zero-day viruses can infiltrate a network with one simple click of a single end user. We ask that you remind your employees to be hyper-aware of this threat by following these simple steps:
- Never open an attachment from a person you do not know. When in doubt, delete the email.
- Never open an attachment that is suspicious or unexpected without first contacting your systems administrator. When in doubt, delete the email.
- Never click on hyper-links in emails that were sent by people you do not know. When in doubt, delete the email.
- Never click on hyper-links in emails that are suspicious or unexpected without first contacting your systems administrator. When in doubt, delete the email.
- Most importantly, remember that your single click could cripple a company and cost your employer thousands of dollars.
- Be aware that the person who opened an infected attachment will be easily identified, as their username will be in the properties of the encrypted files.