Solved

Preventing Ransomware in Macro Docs?

Posted on 2016-09-29
Last Modified: 2016-10-14
I have implemented a quarantine mailbox for email with attached documents that is managed by 2 trained staff. The intent is to prevent ransomware infection through macro-enabled documents. I have been informed that this process is not well liked and that it takes too long to get documents. Typically docs are forwarded on within an hour or less, but sometimes it can be a couple of hours depending on staff availability.

Current Security in place

1. Barracuda Spam Firewall

2. Webroot SecureAnywhere (previously Vipre Enterprise, which did not catch the ransomware)

3. Vipre Email Security for Exchange

4. KnowBe4 security training and phish testing regularly. (We still sometimes get 1-3% of people clicking on phishing links)

Am I being overly cautious? Should quarantines be managed by each end user instead of I.T.? (End users are the weakest link)

This came about because of a zero-hour Locky outbreak a few months ago that took 12+ hours to clean up.

Any opinions appreciated. I do not like being the gatekeeper for everyone's docs in email and do not want our quarantine process to be a hindrance to business.
Question by:jonf805
LVL 13

Assisted Solution

by:John Tsioumpris
John Tsioumpris earned 250 total points
ID: 41822367
The simple and plain truth is that this method is the best... I know because I was responsible for some time in my company... guess what, when I stopped monitoring the mails... Locky struck....
There are a lot of guides and tricks for avoiding the ransomware menace, but it is always the human factor that is the weakest...
What can you do... backups... backups... backups...
Do you remember obsolete methods of backup like DVD/Blu-ray... or even tapes? As long as HDDs are writable the disaster can happen at any time to everyone... even the guardians can be tricked by a well-formed email....
So try to keep as many backups as you can... deploy a backup strategy that involves, apart from the usual backup methods, backing up to a device that is connected to your infrastructure by protocols that aren't accessible to Locky and its friends... like a big NAS that has ONLY FTP access... and if you want more, then a VPS server again could be the last fortress, as long as it is accessed only by a single user under a single process.... (e.g. a backup program that uploads backups...)...
And yes, burning a DVD/Blu-ray maybe seems prehistoric, but better a month-old recovery than no recovery...
1
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 41822775
I see that there is great emphasis on securing and inspecting the network exchanges. The same vigilance should be emphasised on the endpoint, for which education is also covered already. It is the baseline for an Enterprise posture.

Consider the following:

- Least privilege principle, in which users are not given ANY Administrator rights. This is the fundamental basis to avoid exploits gaining escalated rights easily.

- Enforce application whitelisting, allowing only authorised applications to run. Disable macros and ActiveX by default in Office and the browser. This also stops scripts running, though it is not foolproof. Look at AppLocker (Windows), CryptoPrevent (FoolishIT) or SecureAPlus.

- Employ anti-malware and anti-ransomware to deter and prevent cryptoware attacks and exploit kit penetration. Look at Malwarebytes Anti-Ransomware, Anti-Exploit or WinAntiRansom (WinPatrol). They augment the host intrusion suite (AV, FW) already on the user machine.

- Restrict use of portable thumb drives and manage interfaces: by default only issued external devices are used, and wireless is enabled only on approval to the enterprise wireless. Advise of the danger of hotspots and plugging in unknown USB drives. Disable RDP or remote access where possible to prevent the malware spreading to other peer machines.

- Verify your backup and exercise diligence that the backup is not stored on the local machine, as ransomware will encrypt it too. Likewise not in mapped network drives; ransomware can encrypt even unmapped drives. Be careful of those by-default cloud mapped drives.

Run exercises to check the above; a regime of vulnerability scanning and penetration tests against online assets like websites are good cyber hygiene check practices.
1
 
LVL 53

Expert Comment

by:McKnife
ID: 41823111
If you manage to deploy software restriction policies or AppLocker in whitelisting mode (I hope you are familiar with these terms?), then you don't need to worry about macros any more.
1
 
LVL 23

Expert Comment

by:Eirman
ID: 41823228
Also consider installing the paid-for version of CryptoPrevent.
You just pay a small once-off fee per machine (no recurring fee).
It's great for setting up white/black-listing policies etc.

This screen also modifies the PC's Group Policy.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41823252
@Eirman
Does CryptoPrevent even offer whitelisting? Looks like blacklisting.
0
 
LVL 23

Expert Comment

by:Eirman
ID: 41823506
It does whitelisting.
It seems good to me - What do you think McKnife?

0
 
LVL 53

Expert Comment

by:McKnife
ID: 41823573
I don't see the point in using a 3rd-party product in the first place when Windows' own features allow the same. FoolishIT tried to help users by spreading their software together with a set of blacklistings back then. It proved to be better than nothing, of course, but nowhere near as effective as true whitelisting (anything is blocked but the whitelisted stuff). So to judge the product, one would have to look at their default setting, which defines "how to treat executables that are neither white- nor blacklisted". How about that? (I don't use the product.)
0
 
LVL 61

Expert Comment

by:btan
ID: 41823760
Greylisted items should not run if we go by a stringent rule of whitelisting. It is kind of like anti-spam greylisting: the idea behind greylisting is that any sender who has not previously sent a message to the recipient, and who is not listed on a whitelist or a blacklist, is greylisted. This means that the sender is not trusted until the message is proven to be trustworthy, but the sender is not immediately blacklisted either.
0
 
LVL 23

Expert Comment

by:Eirman
ID: 41823870
Hi McKnife. This is an extract from this article (read on down for W10 Anniversary Ed. info):
Confusingly, the Professional edition of Windows 10 will allow you to create AppLocker rules using the Local Security Policy editor. However, these rules won't be enforced unless you're using an Enterprise or Education edition of Windows, so rules you create on a Windows 10 Professional PC won't do anything unless you upgrade. This feature was also found on Windows 7 and 8. On Windows 7, you could get it as part of the Ultimate edition.

I only have Win10 Pro, so what do you recommend?
--------------------------------------------------------------------------
@jonf805 - Sorry for semi-hijacking your question!
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41824216
Pro has software restriction policies, the predecessor of AppLocker. It is what FoolishIT uses too, with their ruleset.
0
 
LVL 23

Expert Comment

by:Eirman
ID: 41824344
thanks
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41836072
I assume disabling macros altogether or expecting the users to selectively allow the useful ones is not an option...

As far as Locky is concerned, it usually comes as an easily identifiable JScript file in the first place. JScripts are hardly ever found in conventional email, so if you can simply clean JScripts by file type, you'll get rid of a huge part of the Locky problem. Now this is obviously nowhere near a complete security policy to prevent such threats, but it should help in the short term.
0
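The question's quarantine of macro-enabled attachments and the file-type filtering suggested above could be partly automated with a triage step like the following. This is an added example, not code from the thread: it inspects the attachment's actual contents (an OOXML zip carrying a VBA project, a legacy OLE header, a script extension) rather than trusting the extension alone, and the sample files are constructed inline for the demo.

```python
import io
import zipfile

# Script types named in the thread (JS, WS) plus related Windows Script Host types.
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "ws"}
# Office Open XML container types handled here.
OOXML_EXTENSIONS = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm", "potm"}
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # header of legacy .doc/.xls compound files


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML zip carries a VBA project, whatever the file extension says."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage verdict for one attachment: 'block', 'quarantine', 'review' or 'pass'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SCRIPT_EXTENSIONS:
        return "block"            # script files rarely belong in business email
    if data.startswith(OLE_MAGIC):
        return "review"           # legacy binary Office format; macros not cheaply detectable here
    if has_vba_project(data):
        return "quarantine"       # macro present, even inside a file renamed to .docx
    if ext in OOXML_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
        return "pass"             # well-formed OOXML container with no VBA project
    return "review"               # anything unrecognised goes to the human reviewers


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word-style zip for the demo; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed sample attachments
        "invoice.docx": _build_ooxml(False),
        "invoice.docm": _build_ooxml(True),
        "renamed.docx": _build_ooxml(True),   # macro hidden behind a harmless extension
        "old_report.doc": OLE_MAGIC + b"\x00" * 8,
        "payment.js": b"var x = 1;",
    }
    for name, blob in samples.items():
        print(f"{name:16} -> {classify_attachment(name, blob)}")
```

Only the "pass" verdict would bypass the quarantine mailbox; everything else still lands with the trained staff, which shortens the queue without removing the human check.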
 
LVL 61

Expert Comment

by:btan
ID: 41836310
Locky has recently evolved with a new variant; like previous variants, it is being spread through WS, JS, etc. email attachments attached to SPAM emails. If a recipient double-clicks on one of these script files, it will download an encrypted DLL installer, decrypt it, and execute it using the legitimate Windows program called Rundll32.exe. Once executed, Locky will encrypt a victim's files, rename them, and then append the .ODIN extension.
So application whitelisting will be preferable, to manage running only trusted scripts and DLLs. Best not to have users having admin rights.
http://www.bleepingcomputer.com/news/security/locky-ransomware-now-uses-the-odin-extension-for-encrypted-files/
https://technet.microsoft.com/en-us/library/ee460947(v=ws.11).aspx
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41836646
Yes. Additionally, the files (at least the JS ones: I did not get to analyse samples of other ones) always contain words that should be easily detected by any decent antispam software and should also be blocked by Clam if PUA is enabled. Note that Clam won't block the downloaders otherwise, as they legitimately consider them to be non-viral. Commercial vendors will block the downloaders but tend to have a hard time producing a generic signature for all Locky versions, so they will leak occasionally.

Zero-day prevention can only be achieved by whitelisting allowed applications. This can be done using GPOs and built-in Windows security, with personal firewalls, and probably a bunch of dedicated commercial software. Unfortunately it usually comes with a bunch of annoyed users.
0
 

Author Closing Comment

by:jonf805
ID: 41844290
Thanks all for chiming in. We have put in place insurance to cover us in the event of ransomware or another attack. Backups are solid. Privileges are not as tight as I would like due to AutoCAD requirements, but the network shares are fairly tightened.
0