This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public.
If you require any further information, assistance or guidance please contact the EMSOU Protect Team.
Today’s topic is: Ransomware - Part 1
Crypto ransomware is used by cybercriminals to scramble an organisation’s data with a ‘key’ so it is no longer readable. This type of ransomware affects servers, mobile devices and any additional storage devices that is attached to the infected machine - such as USB sticks, SD cards and external hard drives. To add insult to injury, modern ransomware attacks include a countdown timer to prevent the user trying to fix the problem and induce panic.
Should I pay the ransom: Whilst this is possible, consider:
What type of criminal organisation are you funding by paying the demand?
Insurance companies will not usually reimburse you given that it is ethically suspect.
What guarantees have you that the encryption process has not permanently corrupted files or that the attacker will even bother to provide you with the decryption key? Moreover, are you confident that the attacker hasn’t installed other malware on your system and doesn’t intend to commit further offences?
How I got infected: Research conducted by IBM in 2017 concluded that 59% of ransomware attacks come via phishing e-mails. Other big sources include users plugging in infected USB thumb drives, or visiting a malicious website which will download an encryption algorithm on vulnerable machines. Most people find themselves at such sites by clicking on malicious adverts (malvertising) or clicking links in emails.
Another popular attack vector is RDP. RDP permits an administrator or IT support staff to log into systems from home or whilst on the road. However, these channels can also be exploited by attackers to access your network. Finally, ransomware can also be delivered by a malicious actor gaining physical access to your system.
The anatomy of an attack: The first illustration shows that when a user falls foul of a phishing email, the email installs malicious software on the victim’s computer. This software allows an attacker to access your system from a remote computer, which we call the C2 infrastructure. The hacker will then use this platform to launch further attacks, including the downloading of the encryption program.
Preventing malware: Mitigation involves using a collection of different strategies to give ‘defence in depth’. Think of this as multiple concentric barriers to your prized data. If one barrier falls, another takes its place to catch the attack.
Don’t Become a Victim of Ransomware
Buy antivirus software: or an anti-ransomware product from a reputable vendor. You should not be able to disable these without an alert being sent to the end user or administrator.
Use a free vulnerability scanner: to check if systems are fully patched and hardened against attack. Patches and updates fix security vulnerabilities which attackers exploit to get a foothold into your network (consider OpenVas and CyberAlarm services, for example)
Use AppLocker: (for Windows) to prevent the unauthorised installation of software on your systems. Technically, this is called creating an ‘application whitelist’.
Deploy DNS filtering or a ‘net nanny’. There are many cloud providers that will redirect your internet traffic through their systems to detect malicious websites and block access. This does not require any additional hardware or software. A browser’s settings can also be configured to prevent harmful downloads; to stop pop-ups and malicious redirects.
Use email filtering: to strip our suspicious emails with harmful attachments (such as; executable files, compressed/encrypted files (which will slip past your antivirus), macro enabled documents and files containing images (or ‘iso’s). Encourage your business partners and stakeholders to use DMARC too - this allows them to check that the emails they receive come from your network.
Have good physical security: to prevent unauthorised access to your place of work. You should also divide your network into different ‘zones’ or segments using routers, switches and firewalls to stop infections spreading. For example, HR might be on a different network to the Finance department.
Provide end user training: on the dangers of USBs; leaving terminals unlocked whilst not in use, and using the internet for personal purposes. Staff also need to know how to spot the tale-tell signs of phishing and how to respond to security messages sent from the antivirus software or the browser. Finally, they must understand that it is essential to report threats as quickly as possible because time is of the essence. Remember, ‘they are the victim not the criminal’.
Have a strong policy on access controls: and the allocation of privileges. Network users must have a strong password, which should never be shared. The organisation should also make every effort to determine what privileges each user needs to perform their job role and allocate these. Additionally, systematic reviews should check:
There are no defunct accounts
There are no default accounts
There is no privilege ‘creep’ whenever an employee changes job roles and access is removed when they leave.
If an attacker is able to compromise an account with excessive privileges the opportunities to do harm are exponentially increased. For this reason, administrators’ accounts must undergo extensive checks:
Never give full administrator rights if further granularity is possible
Never log in with full administrator rights if there is no need to – especially if the system is online
Always use a credential manager so passwords are unique and complex and multifactor authentication for privileged actions (such as using RDP).
Have a comprehensive backup strategy: to save critical data and system configurations. These should be stored separately and securely from the network to minimise the chances of them becoming infected with ransomware.
Next week: Incident Response – Dealing with a Ransomware Attack.
Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).