[BreachExchange] The Best Defense for Ransomware is an Even Stronger Offense

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 2 19:09:56 EDT 2016


http://www.drj.com/articles/online-exclusive/the-best-defense-for-ransomware-is-an-even-stronger-offense.html

Ransomware is not new. In fact, forms of ransomware have been around for
over a decade; however, these earlier forms were largely ineffective. They
took on the form of "scare-ware" or "nag-ware" and simply popped up
messages on the screen in an attempt to convince the user that the system
was infected with viruses. Another approach was to show inappropriate
images on the screen and then demand payment to remove them. These early
forms did not permanently lock or encrypt files, and they were typically
fairly easy to remove or avoid. Criminals also had difficulty collecting
these fees anonymously. As a result, when those annoying infections popped
up occasionally, they were not the scourge that modern ransomware has
become.

Today, ransomware has rapidly become one of the most widespread and
damaging causes of downtime and data loss for IT systems. It has captured
the attention of the press and end-users with some pundits going so far as
to call 2016 "the year of ransomware." Ransomware has become so prolific
that it is no longer a question of if you are going to get hit with this
type of malware, but simply a question of when. For users and organizations
who are not prepared when ransomware attacks occur, there is little
recourse. In fact, at a recent conference, Joseph Bonavolonta, Assistant
Special Agent in Charge of the Cyber and Counterintelligence Program in the
FBI's Boston office said, "The ransomware is that good. To be honest, we
often advise people just to pay the ransom [if you haven't backed up]."

Numerous variations, copycats and versions have quickly become established
around the globe. The most popular variants include CryptoLocker,
TorrentLocker, CryptoWall, CTB-Locker, TeslaCrypt, Locky, plus many others.
They use a range of techniques for infection vectors and they employ an
assortment of execution methods. Worse, they all use strong, unbreakable
encryption, employ some form of online network communication, and require
anonymous electronic payment via bitcoins.

Each is typically delivered through spam messages, exploit kits or
malvertising. CTB-Locker and TorrentLocker typically prefer spam email
campaigns as a delivery vector, while CryptoWall and TeslaCrypt prefer to
use exploit kits. Unfortunately, both approaches have been proven to be
highly effective ways to get into both end user and server-based systems.

So how does each work? The spam delivery vector requires interaction from
the user. However, it has the advantage of being able to affect fully
patched and up-to-date systems. They simply require a user to drop their
guard one time to click on the delivery package. Many ransomware variants
have been localized and are very convincing in order to dupe victims into
clicking on their payloads. Exploit kits rely on vulnerable software
packages installed on the victim's system. They have the advantage of not
requiring any interaction from the user in order to infect the system, and
utilize known security holes in existing software for penetration. Criminal
organizations are now so systematic in their hacking methods that lists of
vulnerable systems are now sold through coordinated efforts between malware
creators with profits being split among collaborators.

As ransomware has become more widespread, the advances in technology and
techniques used have also evolved. The first ransomware variants mostly
attacked Microsoft Windows based systems. However, in recent months we have
seen a new version that is now going after Apple Macs as well. Other
advances have included highly localized versions that only target specific
systems and/or geographic areas. These variants are so specific to
geography that the spam email message is often more effective because the
messages are grammatically perfect and they employ the vernacular typically
used in that region. Another feature of ransomware that has evolved since
the early days has been the addition of a feature to prove to the end user
that the ransomware provider does indeed hold the decryption keys. Most
ransomware variants now offer the ability to get one file decrypted for
free, which is used to verify that payment will result in the unlocking of
files.

However, for organizations that take the necessary steps, the disruptions
can be minimized and data loss can be avoided. In order to more completely
understand the steps that should be taken, organizations need insight and
guidance on protection, backup, and the types of recovery solutions that
organizations should implement.

Organizations protecting themselves from ransomware is a little bit like
putting together a sports team. A good team will be able to play both
defense and offense. The best teams will also have deep benches filled with
backup players who can step in at a moment's notice when needed. For a
strong ransomware offense, companies want to take some proactive measures
that will attempt to keep ransomware out of all user and server-based
systems. To get a jump start on potentially damaging ransomware attacks, it
is imperative that you and your organization:

• Keep all of your software and operating systems up-to-date. Ensuring that
systems are up-to-date minimizes the chances that an exploit kit will be
able to find an opening to exploit and deliver a ransomware package.
• Use antivirus software for virus detection on all systems. This is just
good common sense to protect against ransomware at runtime. However, many
organizations claim that antivirus software was not sufficient to keep them
safe from ransomware.
• Educate users on security protocols. Make sure that your users understand
that they should avoid clicking on untrusted emails and attachments.
Untrusted websites can also be a source for ransomware so users should be
advised against running software, including macros embedded in Microsoft
Office applications, from locations that may not be trustworthy.

For an impenetrable ransomware defense, it is important that the
organization deploy countermeasures that can block the execution of
ransomware and prevent it from encrypting data. This can be done by
adhering to the following guidelines:

• Disable ActiveX content in Microsoft Office applications as code embedded
in macros is a common infection vector.
• Have firewalls block Tor and I2P and restrict unused ports. Many ransomware
variants require contact with a command-and-control server in order to
encrypt files. Restricting access for unused IP ports and specifically
blocking TOR and I2P can prevent these versions from successfully
completing the required tasks.
• Block binaries from running from popular ransomware installation paths.
Many ransomware variants install themselves and run out of a temporary
directory. Blocking binaries from being able to run from these paths can
possibly thwart the execution of these versions.
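The third guideline above, blocking binaries from the temporary and other user-writable directories ransomware stages itself in, is usually implemented on Windows with an AppLocker path policy. The script below is an added example (not code from the article or from any vendor) that generates such a policy as XML, ready to be applied with the standard `Set-AppLockerPolicy -XmlPolicy` cmdlet or imported through Group Policy. It starts in `AuditOnly` so that legitimate software launching from those paths shows up in the AppLocker event log before anything is actually blocked. The AppLocker XML elements, the `%OSDRIVE%`, `%WINDIR%`, `%PROGRAMFILES%` and `%REMOVABLE%` path variables and the well-known SIDs are real; the specific directory list and the UUID namespace used for rule IDs are assumptions chosen for illustration.

```python
"""Generate an AppLocker policy that denies Exe and Script execution from
user-writable staging directories while keeping the standard default-allow rules.

Added example; not the article's or any vendor's code. Directory list and the
rule-ID namespace below are assumptions.
"""
import uuid
import xml.etree.ElementTree as ET

EVERYONE_SID = "S-1-1-0"             # Everyone
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Fixed namespace so regenerating the policy yields the same rule IDs (assumed value).
RULE_ID_NS = uuid.UUID("6f3d2b1e-8c4a-4e0f-9a7b-2d1c5e6f7a8b")

# Default allow rules. Without these, an enforced collection that contains any
# rule blocks everything not explicitly allowed, which would break the machine.
DEFAULT_ALLOW = [
    (EVERYONE_SID, r"%PROGRAMFILES%\*"),
    (EVERYONE_SID, r"%WINDIR%\*"),
    (ADMINISTRATORS_SID, "*"),
]

# User-writable locations where dropped payloads are commonly staged (assumed list).
DEFAULT_DENY = [
    r"%OSDRIVE%\Users\*\AppData\Local\Temp\*",
    r"%OSDRIVE%\Users\*\AppData\Roaming\*",
    r"%OSDRIVE%\Users\*\Downloads\*",
    r"%REMOVABLE%\*",
]


def _add_path_rule(collection, rule_id, name, sid, action, path):
    """Append one FilePathRule (Allow or Deny) to a RuleCollection element."""
    rule = ET.SubElement(collection, "FilePathRule", Id=rule_id, Name=name,
                         Description=name, UserOrGroupSid=sid, Action=action)
    conds = ET.SubElement(rule, "Conditions")
    ET.SubElement(conds, "FilePathCondition", Path=path)


def build_policy(deny_paths=DEFAULT_DENY, allow_rules=DEFAULT_ALLOW,
                 collections=("Exe", "Script"), enforcement="AuditOnly"):
    """Return the AppLocker policy as an XML string.

    Start with enforcement="AuditOnly": hits are logged (event IDs 8003 for Exe,
    8006 for Script) without blocking. Switch to "Enabled" after review."""
    root = ET.Element("AppLockerPolicy", Version="1")
    for ctype in collections:
        coll = ET.SubElement(root, "RuleCollection", Type=ctype,
                             EnforcementMode=enforcement)
        for sid, path in allow_rules:
            rid = str(uuid.uuid5(RULE_ID_NS, f"allow|{ctype}|{sid}|{path}"))
            _add_path_rule(coll, rid, f"Allow {ctype} from {path}", sid, "Allow", path)
        for path in deny_paths:
            rid = str(uuid.uuid5(RULE_ID_NS, f"deny|{ctype}|{path}"))
            # AppLocker evaluates Deny before Allow, so these override any allow.
            _add_path_rule(coll, rid, f"Deny {ctype} from {path}",
                           EVERYONE_SID, "Deny", path)
    return ET.tostring(root, encoding="unicode")


def summarize(policy_xml):
    """Count rules per (collection type, action) to sanity-check a policy."""
    root = ET.fromstring(policy_xml)
    counts = {}
    for coll in root.findall("RuleCollection"):
        for rule in coll.findall("FilePathRule"):
            key = (coll.get("Type"), rule.get("Action"))
            counts[key] = counts.get(key, 0) + 1
    return counts


def rule_ids_unique(policy_xml):
    """AppLocker rejects a policy whose rule IDs collide; verify before applying."""
    ids = [r.get("Id") for r in ET.fromstring(policy_xml).iter("FilePathRule")]
    return len(ids) == len(set(ids))


if __name__ == "__main__":
    policy = build_policy()
    print(policy)
    print(summarize(policy))
```

Two caveats a practitioner should keep in mind before moving the policy from `AuditOnly` to `Enabled`: `%WINDIR%\*` contains a few directories standard users can write to (such as `Windows\Temp`), and several legitimate applications install into `AppData\Local`, so review the audit events and add narrower allow rules where needed rather than loosening the deny list.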

Finally, and most importantly, it's imperative that the business implement
a good backup and recovery strategy. This is the surest way of guaranteeing
that you can always recover data regardless of whether data loss occurred
because of a hardware failure, human error, natural disaster, or ransomware
attack.

In general we want to follow the "rule of three" for backup and recovery.
The rule of three simply states that we want three copies of data, across
two different media types (e.g. disk and cloud or disk and tape), with at
least one copy off-site. This is good, sound advice but with ransomware it
is important to consider a few more steps due to the unique nature of this
type of data loss. For instance, make sure to backup data on all systems,
not just the mission-critical ones. Ransomware can attack both Windows and
Mac-based user systems and servers so be sure to protect all of your data
for users and for business processes. While multiple copies of data are
necessary, it's important to have some physical isolation between at least
one copy of that data as that will help make sure that ransomware cannot
spread across all copies of your data. After all, in the event of an
attack, you will want to be able to roll the clock back to a point before
being infected in order to avoid having to pay the ransom.

A good solution for ransomware protection will include both local and
cloud-based backups. A hybrid cloud implementation provides many benefits.
Using local backups, organizations can quickly recover infected systems
with backups stored on the local backup appliance. Cloud-based backups
provide an easy way to move copies of backups off-site. Cloud, unlike tape,
enables this process to be fully automated and still get the isolation
needed for maximum protection. Ideally, the backup solution will provide
the following capabilities:

• Flexible cloud deployment options. Each organization may have different
preferences for deploying cloud resources. Some may prefer a private cloud
they manage themselves. Others may want a hyperscale implementation that
utilizes a popular public cloud or perhaps a purpose-built.
• Instant recovery capabilities that provide the ability to spin up
workloads in minutes from backups using the computing capabilities of the
backup appliance to run those workloads while the production system is
cleaned. Instant recovery allows organizations to minimize downtime from a
ransomware attack and keep the business running.
• Linux-based backup software – not Windows-based. Most backup software
runs on Microsoft Windows; therefore, these solutions are vulnerable to
ransomware attack. In fact, having a Windows-based backup solution attacked
is a worst-case scenario for ransomware intrusion. Running your backup
software on Linux avoids this potential problem, because ransomware is not
frequently attacking Linux-based systems.
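The "rule of three" and the ransomware-specific additions described above (cover every system, keep at least one copy isolated from the host it protects, and be able to roll back to a point before infection) can be checked mechanically against a backup inventory. The script below is an added example, not code from the article or from any backup product: it evaluates a constructed sample inventory against those rules and selects the newest backup taken before a given infection time, optionally restricted to isolated copies. Host names, timestamps and the 24-hour freshness threshold are constructed values.

```python
"""Evaluate a backup inventory against the rule of three plus the
ransomware-specific additions, and pick a pre-infection restore point.

Added example; not the article's code. All inventory data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class DataCopy:
    system: str                  # host whose data this copy holds
    media: str                   # "disk", "tape" or "cloud"
    primary: bool = False        # the live production data counts as copy one
    offsite: bool = False
    isolated: bool = False       # not reachable with the host's own credentials/network
    taken_at: Optional[datetime] = None


def evaluate_plan(copies, required_systems, now, max_age_hours=24):
    """Return {system: [finding, ...]}; an empty list means the system passes."""
    by_system = defaultdict(list)
    for c in copies:
        by_system[c.system].append(c)
    report = {}
    for system in required_systems:
        cs = by_system.get(system, [])
        backups = [c for c in cs if not c.primary]
        findings = []
        if not backups:
            findings.append("no backup at all")
        if len(cs) < 3:
            findings.append(f"{len(cs)} copies present, rule of three needs 3")
        if len({c.media for c in cs}) < 2:
            findings.append("all copies on one media type")
        if not any(c.offsite for c in backups):
            findings.append("no off-site copy")
        if not any(c.isolated for c in backups):
            # A copy the infected host can write to may be encrypted along with it.
            findings.append("no copy isolated from the protected host")
        if backups:
            newest = max(c.taken_at for c in backups)
            age_h = (now - newest).total_seconds() / 3600
            if age_h > max_age_hours:
                findings.append(f"newest backup is {age_h:.0f}h old")
        report[system] = findings
    return report


def latest_clean_copy(copies, system, infection_time, require_isolated=False):
    """Newest backup of `system` taken strictly before `infection_time`, or None.

    A copy made at or after the infection may already contain encrypted files.
    With require_isolated=True, local copies the host could reach are skipped."""
    candidates = [
        c for c in copies
        if c.system == system and not c.primary and c.taken_at < infection_time
        and (c.isolated or not require_isolated)
    ]
    return max(candidates, key=lambda c: c.taken_at, default=None)


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample inventory (not real hosts).
SAMPLE = [
    DataCopy("fileserver01", "disk", primary=True),
    DataCopy("fileserver01", "disk", taken_at=_t("2016-11-02T06:00")),   # local appliance
    DataCopy("fileserver01", "cloud", offsite=True, isolated=True, taken_at=_t("2016-11-01T23:00")),
    DataCopy("fileserver01", "cloud", offsite=True, isolated=True, taken_at=_t("2016-11-02T23:00")),
    DataCopy("dbserver02", "disk", primary=True),
    DataCopy("dbserver02", "disk", taken_at=_t("2016-11-02T06:00")),     # share the host can write to
    DataCopy("hr-laptop-07", "disk", primary=True),                      # never backed up
]
NOW = _t("2016-11-03T08:00")
SYSTEMS = ["fileserver01", "dbserver02", "hr-laptop-07"]

if __name__ == "__main__":
    for system, findings in evaluate_plan(SAMPLE, SYSTEMS, NOW).items():
        print(system, findings or "OK")
    hit = latest_clean_copy(SAMPLE, "fileserver01", _t("2016-11-02T10:00"), require_isolated=True)
    print("isolated restore point:", hit.taken_at if hit else None)
```

In the sample, only `fileserver01` passes: `dbserver02` has a single local disk copy on a share the host itself can write to, which is exactly the copy ransomware would reach, and the laptop has no backup at all, matching the article's point that every system, not just the mission-critical ones, needs to be covered.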


A company's data includes its intellectual property, key customer
information, critical financial information and even the very ideas that
differentiate each organization from its competitors. As a result, we see
improving data backup and recovery and business continuity projects at the
top of most IT organization priority lists. Data is the lifeblood of most
organizations in today's digital world, and it is growing both in volume
and in importance for every company. This is why IDC predicts that by the
end of 2017, two-thirds of the CEOs of the G2000 will have digital
transformation at the center of their corporate strategy.

Organizations in the digital world are particularly vulnerable and staying
protected is more challenging than ever before with new threats like
ransomware, and new IT architectures and design patterns that increase the
complexity of the task. IT cannot rely on old methods of data protection in
this new era. They need to ensure business continuity for physical,
virtual, and cloud-based environments and shift their thinking for basic
backup and recovery to focus on complete business continuity. Companies of
all sizes should consider technology platforms that feature a
comprehensive, integrated portfolio of continuity services and solutions to
protect data, provide disaster recovery, and proactively test and assure
complete recovery of multi-tier applications. Today, business continuity is
paramount. When evaluating available technologies, be sure to examine
solutions that include integrated backup and recovery capabilities,
multiple cloud options, disaster recovery and recovery assurance
capabilities and services in one platform.