Ransomware Prevention for Business

Education is key.

Inform all your staff the importance of not clicking on random links, not opening up unknown attachments, only go to websites that are for your business, don't allow USB etc etc etc.

Regards

Alex

Hey Alex

Agreed, but there is always someone who doesn't listen, clicks without thinking etc.  Need a stronger means, to prevent.  zone alarm makes something for desktops and home users. I hear Checkpoint might offer a software solution but waiting to hear back.  We use Trend Worryfree or Business security but not trusting it when it comes to ransomware.

Education far and aware is #1. User awareness training goes a long way.
Written policies defining appropriate usage AND actually enforcing them also helps tremendously.
Technical controls are good complements. So ensure that you have a good mail filter and keep your rules tune. Also keep your EDR and AV tools updated. Web proxies, IDS/IPS, firewalls, etc. are other things that you should have in place.

But bear in mind that NOTHING is 100%.

0) Education is for sure the best way.

1) Pentest your users and show them how they failed (https://media.ccc.de/v/36c3-11175-hirne_hacken).

2) Backups, backups, backups. Or in other words: a good and tested disaster recovery plan. E.g. just using a 24/7 connected NAS for backups won't work. Never having tested or planed for reimaging some servers and clients in parallel is also a problem.

3) Update! Update the OS and all applications used as fast as possible.

4) Depending on the exposition of the users and machines: You need to limit break-outs by network segmentation, user permission restrictions, 2FA, separate machines for doing e-mail, disabling macro-execution as well as script execution, consider limiting the number of applications which can be started (whitelisted).

5) Use a Unix/BSD system for machines facing the net.

Most of this successful attack are only possible if we have the human firewall failing as the last (or even first) line of defence. 

People & Process - We done continuous phishing campaign exercise to keep all vigilant and conducted tabletop exercise taking on the "assumed breach" mindset so that everyone knows who to call, what to do, how to manage risk and when to make the right call for actions. It have thus far, gotten greater visibility with the top management and they are not spared too. The cybersecurity culture grows and matures. We are going into more scenarios and include dropping of "innocent" USB drive to entice the more lax or careless folks. The PA of the Senior leadership are targeted for a good reason as they are pivot to key personnel. 

Technology - it need more augmentation than just the AV, and yes it is still new to stakeholders to get their buy in to invest. Support the CISO in their awareness of anti ransomware but more importantly is to verify, verify and verify backup regime is followed through and relevant to the business workflow. That is part of the tabletop exercise. We learnt that assumption of data recovery is going to have false sense of security till it can be proven otherwise. Backup need to be validated to be recoverable and BCP need to be exercised and not just discussed (and keep them back to drawers).

There is also recent step by step guide which is useful as it draws out partners that is savvy in handling such risks.

https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/identify-protect

https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond

If I may also share EE has relevant articles in ransomware and you should check them out.

https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html

https://www.experts-exchange.com/articles/21199/Ransomware-Beware.html

Can not pull the URL, there was a GPO that helps mitigate by disallowing executable launches from tmp space %ppdata%
User appdata space ...

As others noted an errand user ... And education ...

Using any form of fully disabling user actions not related to work, in my case my favorite (Software Restriction Policy)), I'd say, is at least 95% less worry on your mind.

https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies

I added some real time push message reporting on what users click, and luckily I can smile every time the executable wasn't allowed to run.

The time that users being users (no admin rights) being safe, went out the door when the first cryptoware was released.

And while backup is in place, and several antivirus packages, and mail filters are in place, SRP still caught enough, so it is NOT unnecessary luxury to have a third or fourth level of protection.

See discussion, and possibly extrapolate from that..

https://www.bleepingcomputer.com/news/microsoft/windows-10-1909-drops-exploit-protection-from-security-baseline/

I'm reposting ste5an post from above.  This applies NOT ONLY to ransomware but common computer usage.  Ransomware is just one form of computer disaster.

2) Backups, backups, backups. Or in other words: a good and tested disaster recovery plan. E.g. just using a 24/7 connected NAS for backups won't work. Never having tested or planed for reimaging some servers and clients in parallel is also a problem.

A backup is not a backup, unless in three different places!

Businesses and individuals will likely continue to fall victim to ransomware because of they either fail to exercise good habits of Internet use, or because their anti-malware solutions are out of date or ineffective. The answer key is to perform frequent data backups. I recommend to use good infrastructure and education to deal with it. Take these points into consideration:
• Users training and awareness a must.
• Increase the awareness of cyber-security issues for users.
• Users should exercise good habits of Internet use.
• Deactivate unnecessary components on the main servers.
• Disable unused user accounts on the main servers.
• Implement patch management.
• Restrict servers access.
• Restrict shell commands per user or server for least privilege purposes.
• Apply DNS Filtering.
• Your networks should be segmented.
• Make secure offsite backups of your data on a regular basis.

Andrew is correct. Backups must be air-gapped -- they cannot be accessible when not in use, because the ransomware will then also encrypt the backups.

Daily backups.  Full backups, not incremental, because if an infection occurs on the 31st it is a drag and an unnecessary delay to roll in the full back from the 1st, then 30 days of incrementals ... and then find that the infection was also there on the 30th, so you have to go back to the 29th, etc.  Rolling in one full backup is easier than rolling in a full plus many incrementals.  Disk is cheap; time is not.

Hey there

Thanks for the response, agreed.  By air-gapped you mean NOT attached physically to the server/network so they too are not encrypted I would think.

What I was looking for, is a tool, similar to AV that can stop the encryption process in it's tracks.  Trend is supposed to look for patterns of 3-5 files being renamed within a second or fraction of a second and stop the process, but I am not trusting of it.  I hear a company called check point may make a product that be run possibly on servers/clients that can do the same - but you can't get a human when you reach out to them, which is a huge strike against them.

Is anyone familiar with such an application or checkpoints ransomware offering?

Nothing is perfect against ransomware. Even CrowdStrike has to wait until a particular point before it can identify potential things. You're better off trying to prevent getting mixed up with it in the first place. A product like Netwrix or Varonis would identify changes to a considerable number of files in a short window. However, that doesn't eliminate the need for everything else named.

How much does it help if the user is not in the local admin group?  Trying to be proactive in preventing large amounts of data fro encryption on servers.

Limiting the access that users have should be a practice that is followed to begin with. However, if a user has read/write access to files on a file server (which is normal), those files are still at risk the moment that they execute a piece of ransomware. Files on a connect external drive would be at risk still also. Doesn't matter if they're a local admin or not. Lack of local admin rights would prevent subsets of system files from getting encrypted, but certainly won't protect everything.

All said, there is need for pre and post infection measures. EnSilo has something for this calling. Most infection bypasses AV easily with newer footprint, so needed a more deliberate agent on the machine to identify anomalies  https://www.ensilo.com/faq/#how-does-ensilo-provide-automated-post-infection-protection-in-real-time

It will help if you educate employees on current events and how not to fall victim to cyber-attacks. Implementing your phishing campaigns are a great way to evaluate and formulate a security awareness program for your company. Also, routine employee security training will play a vital role in isolating weak points to identify where employees can make better decisions. All personnel, regardless of cyber-security expertise, should be trained according to their roles.  

https://www.experts-exchange.com/articles/33451/Building-a-Robust-Security-Awareness-Program.html

for example. Beyond user education and proper patch management, the application of controlled folder access is also recommended to prevent ransomware from successfully executing its encryption intentions. Any ransomware mitigation advice would be lacking were it not to mention that the three, two, one rule of backups should also be in place. That means that backing up your files regularly isn't optional folks, and those backups should ideally be onto two different types of storage media and one "offsite" location.

Source
High-Impact Windows 10 Security Threat Revealed As App-Killing Malware Evolves

I just found there is yet a new type of Ransomware out there, these guys are really sharp.  What they do is it will remain dormant and unnoticed on a server for 3-6 months even, so that way it ends up in your backups. So in the event you get infected with ransomware because they trigger it to encrypt and you think you are in good shape because you have the ability to restore, you are restoring the ransomware, which is triggered yet again.


A  good backup strategy is important, but not always going to cut it.


Sophos may have something that looks interesting, but not sure of the cost yet.

how does it execute.....???? after 3-6 months....?

it must execute under an OS... even if it's delayed....it must be sitting in an OS waiting for a scheduler....

our data is separated from are OS.... and in our backups....

so I'm not sure how this works.... we also run heuristics on payloads and executables, Malware can only execute based on an executable.

Hey Andrew

Here is one example - let me know what you think.  Not difficult to accomplish.  I actually found a product or two that stops it in it's tracks.
Sophos looks awesome actually.

https://www.youtube.com/watch?v=L3Q6UJUzEhA

I am a STRONG advocate of a backup strategy, however if damage can be prevented, that looks even better to me.

The idea *sounds* interesting. Does it live up to its claims? (I wouldn't be able to answer that either way)

But let me ask this: What is it about Sophos that you're finding so interesting?

Did you watch the little video discussing dormant ransomware - scary stuff.
Can you imagine, it takes you 24-72 hours to restore, only to find out, all of your backups are infected.

As for Sophos, (Doing a meeting with them on Tuesday), I want to understand the architecture more, but it appears to backup all files when there is an open request to change/encrypt.  My concern would be latency, BUT I think it just (and I need confirmation), caches it to RAM, then writes a backup, should a file be encrypted it can restore immediately, and will stop encryption processes from what I understand immediately based on behavior rather than sigs.

I want to prevent not have to deal with recovering.

Good Marketing to Sell Software. PARANOIA!

This is new Trend Micro has always had scanning at the Network TCP level.... so to scan restores and backups is relatively easy.....

Biggest issue if the Malware Writers is as good as they say they are is how quickly they can generate a new Malware which is unknown to Scan Engines.

How it Explodes......is a question and how ? and on what ? It would require someone to execute the code....

e,g a virtual machine that's infected....

and as AV is every changing in signatures, the likelihood if it does explode it will be caught by current AV and tech.

How does *.exe/*.com execute in a backup...

Backup DATA and not OS and Data.

Can you imagine, it takes you 24-72 hours to restore, only to find out, all of your backups are infected.

That makes a lot of assumptions. You'd have to have something running or attached to the OS that would allow for the checking of a timer to explode.

But that said, unless Sophos has something truly amazing, a product more along the lines of Varonis or NetWrix might prove more helpful. Varonis I know for sure will detect when a lot of files are being changed rapidly, which should help you identify which system was hit with ransomware.

Yes, we use BitDefener, and it also pops up and warns me if files are changing, and stops files being written to My Documents....

in fact I find BitDefender overly sensitive... but hey ho!

it had me scrathing my head the other day because something was not working because it was also blocking the app...

and that's for Linux, Mac and Windows... and cost...

£20.20 for 20 devices for 12 months!

Ask Sophos HOW MUCH there offering is.....say hello to Dr Soloman!

masnrock

I will have to take a look at what you are suggesting.  We useTrend, but at the same time, they are looking for patterns of rapidly encrypted files, They originally told me something like 5-6 files within a second or a few milliseconds.  But I see nothing documented. I LOVE their support, but at the same time, I hate to say it, I do see Trend miss a lot.  To be clear that is Officescan and Worryfree, their Cloud alternatives could be more advanced.

As for execution - it is my understanding the execution is carried out over the internet through commonly used ports.

Andrew - good point about data and OSs being separate.  Do you feel comfortable in Bit Defenders ability to prevent Ransomware?  I had started this thread/question trying to find out what would be the best to put in place to be proactive.  

I didn't like what I had heard about the claim of ransomware intentionally being left dormant to back it up, so once you restore it, you are going to end up with encrypted data again.  That is pretty much checkmate, and sounds like it could happen.
Prevention - would be the best way to go.

Execution needs to execute on Computer which is on an Intel Processor, on Windows, unless targetted for Mac or Linux OS.

Again we have multiple methods as described above.

We also have Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) on the Routers to the Internet, which are real time scanning packets and inspection this does slow down Internet throughput but we believe a necessary evil.

I didn't like what I had heard about the claim of ransomware intentionally being left dormant to back it up, so once you restore it, you are going to end up with encrypted data again.  That is pretty much checkmate, and sounds like it could happen.
Prevention - would be the best way to go.

I still don't understand this..... yes it's easy that if you have a virus/trojan/malware that is not found today, it will get into backups.... so big deal.

it has to execute to infect..... and if not found today, it will be found tomorrow.

The virus cannot execute on tape and run and start encrypting your data on tapes.

I would recommend you try this....

https://www.knowbe4.com/ransomware-simulator

A ransomware Simulator..... it's not ransomware but tries to do the functions, that ransomware delivers....

if you current AV does not pass, time to change it!

NIST recently released guidance for detecting and responding to ransomware threat. Quite detailed and good to go into the issue and use case that can be architecture for a holistic action plan. 

Table 5‑1 Example Implementation Component List

Product Vendor	Component Name	Function
GreenTec	WORMdisk	Secure, immutable hardware
Hewlett Packard Enterprise (HPE)	ArcSight ESM	Log analysis, correlation, management, and reporting
IBM	Spectrum Protect	File-level, disk-level, and system-level backup and recovery
Tripwire	Enterprise and Log Center	File integrity monitoring and database metadata integrity monitoring
Veeam	Availability Suite	VM backup and restore

This use case is resolved using a combination of several tools. The corruption testing component (Tripwire Enterprise) is used to detect changes in the file systems of various selected machines, specifically when files are modified or overwritten....

 The logging component (HPE ArcSight ESM) collects logs from various sources for analysis and reporting.... These two components work together to provide information about the files encrypted by the ransomware tool: the name of the program that encrypted the files, which files were affected, when they were affected, and which user ran the program. 

This information aids in removing the ransomware from the system and contributes to the identification of the last known good. However, it does not actually restore the availability of the user’s files. The backup capability component (IBM Spectrum Protect) is used to restore encrypted files.

https://www.nccoe.nist.gov/publication/1800-11/VolB/index.html#example-implementation

Thanks so much!

I have to say that is one thing I was liking about Sophos but need to do a POC,  supposedly - it can recover any/all files that are encrypted by ransomware immediately.  Don't know yet if that is reality but will be discussing with their engineers on Tuesday.

Any backup that includes versioning will provide recoverability to ransomware versus backups that only reflect the most recent version.

From what I am seeing - not anymore.  Take a look at this.

https://www.youtube.com/watch?v=L3Q6UJUzEhA

The other part of it is the amount of downtime it could take to recover, it costs a company $$$ so would rather avoid having to recover if we can.

As Andrew and others pointed out the task is to reduce the attack vector, prevention through user education, and scanning at the edge, .......and system, a GPO restricting running exe's from %userprofile%\appdata\local......


There are those that also attack the backups
Andrew's note of separating data from OS avoids one way of spread through a sleeper either compromised dll, or a scheduled task that ....

Andrew is awesome, User education important but too much room for error.  I have to back-track, I missed what was mentioned about GPOs and running EXEs, Will check.

We always keep data on separate partitions than OSs, will backtrack on what was mentioned about GPOs and executable.

Everyone thank you - it was a crazy week, lots of info to plow through you were kind enough to share.

Thanks!!!

it costs a company $$$ so would rather avoid having to recover if we can.

That is a given, and I just do not believe all this hype, but to be honest with you storage is cheap/internet is fast, and when a single one-man band business we know, has 6 backups in place, spread across different cloud providers.

has two servers replicating data, and another read only server, because his business needs to run 24/7/365... and he does this on a minimal budget...

and don't think there are any excuses for any other larger organisations!

My read for The point of data/OS is not the separation on the system but seperate backups.
I.e. Reinstall OS, restore only the data.
Share definition exports ...........that could be loaded on the new install.

https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/

Hey Andrew

Thanks for this!  I have seen over the years antivirus software disabling AV.  I am meeting with their regional sales rep tomorrow. Let's see what he has to say about this.  I guess as we have been discussing - you have to have a multi-tier approach.  
I have had that where a virus damaged Trend then infected the computer!

Sorry for the typo (it was early - and no coffee at the time.  What I meant to say a few years a go I have seen malware/viruses - take out antivirus software and then infect the desktops.   Thanks!

Yes, very common but this is a new approach because it installs it's owned Signed Driver into the OS!

Thanks everyone for the TONS of super helpful info.  It helps tremendously!  Be well