Ransomware Prevention for Business
Thanks!
Education is key.
Inform all your staff the importance of not clicking on random links, not opening up unknown attachments, only go to websites that are for your business, don't allow USB etc etc etc.
Regards
Alex
Agreed, but there is always someone who doesn't listen, clicks without thinking etc. Need a stronger means, to prevent. zone alarm makes something for desktops and home users. I hear Checkpoint might offer a software solution but waiting to hear back. We use Trend Worryfree or Business security but not trusting it when it comes to ransomware.
Written policies defining appropriate usage AND actually enforcing them also helps tremendously.
Technical controls are good complements. So ensure that you have a good mail filter and keep your rules tune. Also keep your EDR and AV tools updated. Web proxies, IDS/IPS, firewalls, etc. are other things that you should have in place.
But bear in mind that NOTHING is 100%.
1) Pentest your users and show them how they failed (https://media.ccc.de/v/36c3-11175-hirne_hacken).
2) Backups, backups, backups. Or in other words: a good and tested disaster recovery plan. E.g. just using a 24/7 connected NAS for backups won't work. Never having tested or planed for reimaging some servers and clients in parallel is also a problem.
3) Update! Update the OS and all applications used as fast as possible.
4) Depending on the exposition of the users and machines: You need to limit break-outs by network segmentation, user permission restrictions, 2FA, separate machines for doing e-mail, disabling macro-execution as well as script execution, consider limiting the number of applications which can be started (whitelisted).
5) Use a Unix/BSD system for machines facing the net.
Most of this successful attack are only possible if we have the human firewall failing as the last (or even first) line of defence.
People & Process - We done continuous phishing campaign exercise to keep all vigilant and conducted tabletop exercise taking on the "assumed breach" mindset so that everyone knows who to call, what to do, how to manage risk and when to make the right call for actions. It have thus far, gotten greater visibility with the top management and they are not spared too. The cybersecurity culture grows and matures. We are going into more scenarios and include dropping of "innocent" USB drive to entice the more lax or careless folks. The PA of the Senior leadership are targeted for a good reason as they are pivot to key personnel.
Technology - it need more augmentation than just the AV, and yes it is still new to stakeholders to get their buy in to invest. Support the CISO in their awareness of anti ransomware but more importantly is to verify, verify and verify backup regime is followed through and relevant to the business workflow. That is part of the tabletop exercise. We learnt that assumption of data recovery is going to have false sense of security till it can be proven otherwise. Backup need to be validated to be recoverable and BCP need to be exercised and not just discussed (and keep them back to drawers).
There is also recent step by step guide which is useful as it draws out partners that is savvy in handling such risks.
https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/identify-protect
https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond
If I may also share EE has relevant articles in ransomware and you should check them out.
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
https://www.experts-exchange.com/articles/21199/Ransomware-Beware.html
User appdata space ...
As others noted an errand user ... And education ...
Using any form of fully disabling user actions not related to work, in my case my favorite (Software Restriction Policy)), I'd say, is at least 95% less worry on your mind.
I added some real time push message reporting on what users click, and luckily I can smile every time the executable wasn't allowed to run.
The time that users being users (no admin rights) being safe, went out the door when the first cryptoware was released.
And while backup is in place, and several antivirus packages, and mail filters are in place, SRP still caught enough, so it is NOT unnecessary luxury to have a third or fourth level of protection.
https://www.bleepingcomputer.com/news/microsoft/windows-10-1909-drops-exploit-protection-from-security-baseline/
We also have Data Mirrors which are Read Only Mirrors on all data that cannot be changed of overwritten.
Backups in Google Cloud, AWS, Azure, Wasabi, Backblaze, and Secure Data in Tresorit.
All encrypted.
We also use Bitdefender on all clients and servers, ALL Employees are Educated, not to open email attachments, we also employ Anti-Virus, Scanning Email Feeds, Drop All SPAM, and Attachments before they enter the Microsoft Exchange server.
Email passes through two email scan/spam engines.
We also employ dedicated Packet Filtering and Inspection in real time on all inbound and outbound internet traffic, via Intrusion Prevention System.
2) Backups, backups, backups. Or in other words: a good and tested disaster recovery plan. E.g. just using a 24/7 connected NAS for backups won't work. Never having tested or planed for reimaging some servers and clients in parallel is also a problem.
Businesses and individuals will likely continue to fall victim to ransomware because of they either fail to exercise good habits of Internet use, or because their anti-malware solutions are out of date or ineffective.
The answer key is to perform frequent data backups. I recommend to use good infrastructure and education to deal with it. Take these points into consideration:
• Users training and awareness a must.
• Increase the awareness of cyber-security issues for users.
• Users should exercise good habits of Internet use.
• Deactivate unnecessary components on the main servers.
• Disable unused user accounts on the main servers.
• Implement patch management.
• Restrict servers access.
• Restrict shell commands per user or server for least privilege purposes.
• Apply DNS Filtering.
• Your networks should be segmented.
• Make secure offsite backups of your data on a regular basis.
Daily backups. Full backups, not incremental, because if an infection occurs on the 31st it is a drag and an unnecessary delay to roll in the full back from the 1st, then 30 days of incrementals ... and then find that the infection was also there on the 30th, so you have to go back to the 29th, etc. Rolling in one full backup is easier than rolling in a full plus many incrementals. Disk is cheap; time is not.
Thanks for the response, agreed. By air-gapped you mean NOT attached physically to the server/network so they too are not encrypted I would think.
What I was looking for, is a tool, similar to AV that can stop the encryption process in it's tracks. Trend is supposed to look for patterns of 3-5 files being renamed within a second or fraction of a second and stop the process, but I am not trusting of it. I hear a company called check point may make a product that be run possibly on servers/clients that can do the same - but you can't get a human when you reach out to them, which is a huge strike against them.
Is anyone familiar with such an application or checkpoints ransomware offering?
All said, there is need for pre and post infection measures. EnSilo has something for this calling. Most infection bypasses AV easily with newer footprint, so needed a more deliberate agent on the machine to identify anomalies https://www.ensilo.com/faq/#how-does-ensilo-provide-automated-post-infection-protection-in-real-time
It will help if you educate employees on current events and how not to fall victim to cyber-attacks. Implementing your phishing campaigns are a great way to evaluate and formulate a security awareness program for your company. Also, routine employee security training will play a vital role in isolating weak points to identify where employees can make better decisions. All personnel, regardless of cyber-security expertise, should be trained according to their roles.
https://www.experts-exchange.com/articles/33451/Building-a-Robust-Security-Awareness-Program.html
Source
High-Impact Windows 10 Security Threat Revealed As App-Killing Malware Evolves
A good backup strategy is important, but not always going to cut it.
Sophos may have something that looks interesting, but not sure of the cost yet.
it must execute under an OS... even if it's delayed....it must be sitting in an OS waiting for a scheduler....
our data is separated from are OS.... and in our backups....
so I'm not sure how this works.... we also run heuristics on payloads and executables, Malware can only execute based on an executable.
Here is one example - let me know what you think. Not difficult to accomplish. I actually found a product or two that stops it in it's tracks.
Sophos looks awesome actually.
https://www.youtube.com/watch?v=L3Q6UJUzEhA
I am a STRONG advocate of a backup strategy, however if damage can be prevented, that looks even better to me.
But let me ask this: What is it about Sophos that you're finding so interesting?
Can you imagine, it takes you 24-72 hours to restore, only to find out, all of your backups are infected.
As for Sophos, (Doing a meeting with them on Tuesday), I want to understand the architecture more, but it appears to backup all files when there is an open request to change/encrypt. My concern would be latency, BUT I think it just (and I need confirmation), caches it to RAM, then writes a backup, should a file be encrypted it can restore immediately, and will stop encryption processes from what I understand immediately based on behavior rather than sigs.
I want to prevent not have to deal with recovering.
This is new Trend Micro has always had scanning at the Network TCP level.... so to scan restores and backups is relatively easy.....
Biggest issue if the Malware Writers is as good as they say they are is how quickly they can generate a new Malware which is unknown to Scan Engines.
How it Explodes......is a question and how ? and on what ? It would require someone to execute the code....
e,g a virtual machine that's infected....
and as AV is every changing in signatures, the likelihood if it does explode it will be caught by current AV and tech.
How does *.exe/*.com execute in a backup...
Backup DATA and not OS and Data.
Can you imagine, it takes you 24-72 hours to restore, only to find out, all of your backups are infected.That makes a lot of assumptions. You'd have to have something running or attached to the OS that would allow for the checking of a timer to explode.
But that said, unless Sophos has something truly amazing, a product more along the lines of Varonis or NetWrix might prove more helpful. Varonis I know for sure will detect when a lot of files are being changed rapidly, which should help you identify which system was hit with ransomware.
in fact I find BitDefender overly sensitive... but hey ho!
it had me scrathing my head the other day because something was not working because it was also blocking the app...
and that's for Linux, Mac and Windows... and cost...
ÂŁ20.20 for 20 devices for 12 months!
Ask Sophos HOW MUCH there offering is.....say hello to Dr Soloman!
I will have to take a look at what you are suggesting. We useTrend, but at the same time, they are looking for patterns of rapidly encrypted files, They originally told me something like 5-6 files within a second or a few milliseconds. But I see nothing documented. I LOVE their support, but at the same time, I hate to say it, I do see Trend miss a lot. To be clear that is Officescan and Worryfree, their Cloud alternatives could be more advanced.
As for execution - it is my understanding the execution is carried out over the internet through commonly used ports.
Andrew - good point about data and OSs being separate. Do you feel comfortable in Bit Defenders ability to prevent Ransomware? I had started this thread/question trying to find out what would be the best to put in place to be proactive.
I didn't like what I had heard about the claim of ransomware intentionally being left dormant to back it up, so once you restore it, you are going to end up with encrypted data again. That is pretty much checkmate, and sounds like it could happen.
Prevention - would be the best way to go.
Again we have multiple methods as described above.
We also have Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) on the Routers to the Internet, which are real time scanning packets and inspection this does slow down Internet throughput but we believe a necessary evil.
I didn't like what I had heard about the claim of ransomware intentionally being left dormant to back it up, so once you restore it, you are going to end up with encrypted data again. That is pretty much checkmate, and sounds like it could happen.
Prevention - would be the best way to go.
I still don't understand this..... yes it's easy that if you have a virus/trojan/malware that is not found today, it will get into backups.... so big deal.
it has to execute to infect..... and if not found today, it will be found tomorrow.
The virus cannot execute on tape and run and start encrypting your data on tapes.
https://www.knowbe4.com/ransomware-simulator
A ransomware Simulator..... it's not ransomware but tries to do the functions, that ransomware delivers....
if you current AV does not pass, time to change it!
NIST recently released guidance for detecting and responding to ransomware threat. Quite detailed and good to go into the issue and use case that can be architecture for a holistic action plan.
Table 5‑1 Example Implementation Component List
Product Vendor Component Name Function GreenTec WORMdisk Secure, immutable hardware Hewlett Packard Enterprise (HPE) ArcSight ESM Log analysis, correlation, management, and reporting IBM Spectrum Protect File-level, disk-level, and system-level backup and recovery Tripwire Enterprise and Log Center File integrity monitoring and database metadata integrity monitoring Veeam Availability Suite VM backup and restore This use case is resolved using a combination of several tools. The corruption testing component (Tripwire Enterprise) is used to detect changes in the file systems of various selected machines, specifically when files are modified or overwritten....
The logging component (HPE ArcSight ESM) collects logs from various sources for analysis and reporting.... These two components work together to provide information about the files encrypted by the ransomware tool: the name of the program that encrypted the files, which files were affected, when they were affected, and which user ran the program.
This information aids in removing the ransomware from the system and contributes to the identification of the last known good. However, it does not actually restore the availability of the user’s files. The backup capability component (IBM Spectrum Protect) is used to restore encrypted files.
https://www.nccoe.nist.gov/publication/1800-11/VolB/index.html#example-implementation
I have to say that is one thing I was liking about Sophos but need to do a POC, supposedly - it can recover any/all files that are encrypted by ransomware immediately. Don't know yet if that is reality but will be discussing with their engineers on Tuesday.
https://www.youtube.com/watch?v=L3Q6UJUzEhA
The other part of it is the amount of downtime it could take to recover, it costs a company $$$ so would rather avoid having to recover if we can.
There are those that also attack the backups
Andrew's note of separating data from OS avoids one way of spread through a sleeper either compromised dll, or a scheduled task that ....
We always keep data on separate partitions than OSs, will backtrack on what was mentioned about GPOs and executable.
Everyone thank you - it was a crazy week, lots of info to plow through you were kind enough to share.
Thanks!!!
it costs a company $$$ so would rather avoid having to recover if we can.
That is a given, and I just do not believe all this hype, but to be honest with you storage is cheap/internet is fast, and when a single one-man band business we know, has 6 backups in place, spread across different cloud providers.
has two servers replicating data, and another read only server, because his business needs to run 24/7/365... and he does this on a minimal budget...
and don't think there are any excuses for any other larger organisations!
I.e. Reinstall OS, restore only the data.
Share definition exports ...........that could be loaded on the new install.
Thanks for this! I have seen over the years antivirus software disabling AV. I am meeting with their regional sales rep tomorrow. Let's see what he has to say about this. I guess as we have been discussing - you have to have a multi-tier approach.
I have had that where a virus damaged Trend then infected the computer!
Premium Content
You need an Expert Office subscription to comment.Start Free Trial