Ransomware

What is ransomware, and why should it concern me? 

Computers have long been the victims of malware of various kinds, and methods have been developed to counteract it. Ransomware is a different animal though, and the preventive measures we are used to taking may not necessarily defeat it. 

The vast majority of ransomware arrives by email. It may also be acquired through visiting an infected website, or through unsecured network shares. 

Regardless of the delivery method, ransomware will almost always involve an attachment of some kind. This might be a program, a Word document, a PDF file, or a number of other more exotic file types. 

Except in a very few cases, the ransomware attachment can do nothing on its own and requires the help of a user to launch it into action. Thus, the email or webpage will almost always contain specific instructions to the user on what the attachment is for, or how to open it. 

Ransomware authors go to great lengths to make such instructions look genuine and convincing. A favourite has always been to disguise the attachment as a business invoice. 

If the user can be persuaded to open the attachment, then it will encrypt or delete any documents which it can find on the local disk. More sophisticated variants may also destroy documents on any accessible connected devices such as phones, tablets or USB memory, and even scan any network the computer is connected to, looking for fileservers with documents to destroy.  It will then present a ransom notice, demanding payment in order to recover the documents. 

-Why are existing defences of only limited use? 

Traditionally, the key protection against malware has been to do everyday work as a limited user. Windows UAC 'screen dimming' is an example of such an arrangement. The limited account does not have the rights to alter files in the computer's operating system, and that used to be sufficient to stop the older kind of system-modifying malware. Ransomware does not need to modify system files, only documents, and an ordinary user can do that.  Hence, limited user working offers NO protection at all against ransomware.  

We are also told that to keep our computers secure we must update or 'patch' them very regularly. This is a necessary action; however, it's mainly aimed at stopping buffer overflow exploits in the system itself. Ransomware does not use this type of exploit, so patching makes no odds to it.

Antivirus software offers some protection against ransomware, but is not a very effective defence. The reason is that AV software relies on 'signatures' to identify known examples of malicious files. Ransomware is very much a spur-of-the-moment thing, with a typical distribution doing the rounds for only a few hours before it is changed. That leaves the antivirus companies with a tough problem as to how to identify what is malicious, and what is not. Some have developed extensions that monitor the activity of programs in order to spot ransomware in action. This kind of approach is not a guaranteed solution, but can certainly limit the damage done by a ransomware incident. 

-Which protections are effective?
 

User Education

We've seen that in order to do the dirty deed, a ransomware message has to convince the user to launch an attachment of some kind. Therefore, the single most important defence, and I simply cannot overstate this point, is USER EDUCATION. A user who does not understand what the various types of file attachment are for, or how to tell which attachments are present in a message, is basically a sitting duck. That said, even a clued-up user can still be caught out. The main thing to instil in users is to BE SUSPICIOUS of any emails or webpages which don't look quite genuine for some reason, or which offer a file there is no reason to accept.  

Backups

There is, in fact, no perfect protection against ransomware. Therefore, the most fundamental requirement is to be able to recover damaged files. That means, backups. 

Backups are necessary anyway, to protect against disk failure or accidental deletions. So, hopefully you have backups. You do have backups? Good. Only, where ransomware is concerned, you might need to have a rethink about where those backups are stored. During an incident, any backup which is visible to the ransomware, either on a local disk or over a network, is toast. So, backing up to a fixed disk, or to a USB disk which is always connected, is no good as a ransomware protection. A USB disk which is disconnected between backups is better. A set of tapes, though seen as antiquated by some, is better still from this point of view. 

Key point: A backup which is constantly accessible to users is no protection against ransomware.

Software Restriction Policies

We've mentioned that ransomware persuades the user to download an attachment and then run it. Downloads are typically stored in the user's profile folders. An SRP determines where on disk programs can be run from. If the download locations are included in the policy's banned list, then any downloaded program cannot launch, and that's the ransomware stopped dead in its tracks.  An SRP can be established with the Group Policy Editor, but the process is quite time consuming and complex. For smaller networks and standalone computers we have a ready-made utility, Simple Software Restriction Policy, which cuts out most of the hard graft of the Group Policy approach.  
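One way to put such path rules in place by hand, as an added example that is not part of the original post and is not the Simple Software Restriction Policy utility: a PowerShell script that writes Disallowed path rules into the registry location the SRP Group Policy uses. It assumes administrator rights and that the folders listed are where your users' downloads and attachments land.

```powershell
# Added example, not from the original post: write SRP "Disallowed" path rules
# for the folders that downloaded attachments usually land in. Assumes the
# registry layout the SRP Group Policy editor uses, and administrator rights.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

New-Item -Path $base -Force | Out-Null
# Default level 0x40000 = Unrestricted; the path rules below carve out exceptions.
Set-ItemProperty -Path $base -Name DefaultLevel       -Type DWord -Value 0x40000
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 1   # executables, not DLLs
Set-ItemProperty -Path $base -Name PolicyScope        -Type DWord -Value 0   # all users, admins too

# Constructed list of download / attachment locations to block (adjust to taste;
# blocking the Temp folder also blocks many installers, so test before rolling out).
$blockedPaths = @(
    '%USERPROFILE%\Downloads',
    '%USERPROFILE%\AppData\Local\Temp',
    '%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache',
    '%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files'
)

foreach ($p in $blockedPaths) {
    # Level 0 = Disallowed; each rule is a GUID-named key under it.
    $ruleKey = Join-Path $base ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $p
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value "No execution from $p"
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc())
}

# Check: list the rules now in force.
Get-ChildItem (Join-Path $base '0\Paths') |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object Description, ItemData }
```

Log off and on again before testing; a harmless program copied into Downloads should then be refused with a restriction message, and the Application event log records each block.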

So, those are the Big Three. User Education, Backups and a Software Restriction Policy. Not too hard to implement, and if you do nothing else at all, make sure you implement these. There are several other precautions you can take though, which will substantially harden your computers against ransomware. 

A better antivirus program

It is no secret that antivirus programs differ considerably in their ability to detect malware. Some of the 'brand leaders' in this field achieved that status through pushy sales tactics, not through producing an excellent product. Choose carefully, and you may well end up with a far better degree of protection. That said, ransomware is notorious for its ability to evade antivirus defences, so do not rely on AV software alone.

Additional hardening

There are a fair number of additional changes you can make to systems which have a small benefit on their own, but when taken together add up to a substantial layer of extra protection:

Make file extensions visible

Windows hides the extensions of known file types. This has been the case since Windows 95, and every IT professional on the planet says it's a monumentally bad idea, because it makes it oh-so easy for a malicious person to disguise a dangerous file as a harmless one.  Change the settings in Explorer to show all file extensions, and it's like taking off a pair of virtual horse blinkers.

Make email addresses visible

By the same token, many email readers only show the real name of known senders, not their email address. This again is just asking for a hacker to send you something purporting to be from 'John Smith', whom you know, but which is actually from 'John Smith <hacker[at]evilsite.com>'. It isn't always possible to change this address-hiding behaviour, but if possible, do so. If the recipient can see that, although the real name is known to them, the email address does not match it, then a ransomware incident may be avoided. 

Block dangerous attachment types

If you control your own mail service, then depending on the mail server software used it may be possible to prohibit messages with certain attachment types from being delivered to your users. Business users should not in most cases be emailing programs to and fro, so this should not be a problematic restriction.  

Restrict macros in Office suites

This is one of the thornier issues to tackle. Even if you've blocked executable attachments at your mail server, it is still possible for a malicious person to embed small programs (macros) inside Microsoft Office or OpenOffice documents. These small programs, though not powerful enough to do the job of ransomware themselves, can nevertheless download a larger program from the Internet which does the dirty deed of encrypting your files.  

You can change the settings in Office programs to completely bar the running of macros, and that is an effective remedy. However the main problem arises with spreadsheets, since some of these will not function with macros disabled. Thus, a compromise may have to be found. 

Specifically, the macro problem mainly arises with the older .DOC and .XLS formats used by Office 2003 and earlier. The later .docx and .xlsx formats cannot contain macros, and so are relatively (but still not entirely!) safe to email. Thus, it may be worth considering whether you can arrange things so that most computers cannot receive old-style Office files, and that any such files from genuine sources are directed to a computer on which Office macros are completely disabled. 

By the way, and to bust a common myth, RTF files are NOT a safe alternative to .doc format. The reason is that any macro-enabled document renamed to .rtf will be opened as a .doc by Word. (Renaming a .doc to .docx will not have this effect.)  

In spite of their dangerous nature, we still find that clients receive vast numbers of old-style Word .doc documents. Why is not clear. All of the recent Microsoft Office versions use .docx as the default. For that matter, Microsoft Office versions as far back as Office 97 (nearly twenty years old) can be patched at no cost to save as .docx, so why on earth does this still go on when it places everyone at risk of macro virus attack? I'm sure I don't know. 
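The "compromise" mentioned above, as an added example that is not part of the original post: a PowerShell script that sets Office's per-application macro setting for the current user, barring macros outright in Word and PowerPoint while leaving Excel on "disable with notification" for the spreadsheets that need them. The split between applications is an illustrative assumption.

```powershell
# Added example, not from the original post: set the VBAWarnings value that
# Office reads for its macro security level, per application and version.
# 1 = enable all, 2 = disable with notification, 3 = disable except signed,
# 4 = disable all without notification.
$policy   = @{ Word = 4; PowerPoint = 4; Excel = 2 }   # constructed compromise
$versions = @('14.0', '15.0', '16.0')                  # Office 2010, 2013, 2016 and later

foreach ($v in $versions) {
    foreach ($app in $policy.Keys) {
        $key = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
        New-Item -Path $key -Force | Out-Null          # harmless if the version is absent
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $policy[$app]
        Write-Output ('{0,-10} {1}  VBAWarnings={2}' -f $app, $v, $policy[$app])
    }
}
```

This is the same setting the Trust Center's Macro Settings page changes, so a user can undo it; on a domain, the equivalent Group Policy setting is the way to make it stick.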

Limit write permissions to network shares

If ransomware does strike, all network shares visible to and writable by the compromised computer are at risk. Therefore, consider if every user does actually need full read/write access to every share. Most likely they only need write access to one or two where they store their work, and read access to those containing group work. There might have to be some changes in work habits to allow this, but a LAN with fewer write permissions is a LAN where ransomware can do less damage.

Reduce your attack surface

Microsoft Windows is host to numerous executable file types. In fact, I'm not sure anyone can put a finger on the exact number. Some of these are necessary for system operation, some are frequently required by application software. The vast majority though, are ideas which were thought-up somewhere along the way of the development of Windows, and which have since quietly slipped into obscurity. It's likely that 90% or more of these executable types are never required on a typical computer, yet if they remain registered they remain an attack vector for malware. 

The area of greatest concern is the old Windows Script Host file types. WSH was offered as a way of automating admin tasks in the early XP era, but did not gain all that much popularity. It has largely been superseded by PowerShell and AutoIt, although you may still find some WSH scripts in use. The core scripting language in WSH looks a lot like Visual Basic; however, someone thought it would be clever to allow the use of JavaScript syntax instead. To this end, .js files were associated with WSH when launched from Windows Explorer. 

The issue here is that .js files are also, of course, used extensively on websites. When used on a website for the intended purpose, a .js file is relatively harmless, as it can only alter the display of the page in the browser, nothing much more.  However, thanks to the .js extension being registered to WSH, any .js file which accidentally or intentionally ends up on your local disk will be executed by WSH if clicked on. 

The .js files found on websites would typically do no harm in such circumstances since the syntax differs from that required by WSH, but a specially crafted one certainly will. The real danger here is that this situation gives the hacker an easy way to slip an innocuous-looking file onto your computer, which if clicked, will do major damage.

So, if you know that WSH is no longer used, you might be safer to disable it altogether. If you are unsure, then leave WSH enabled but definitely DO disable its ability to run JavaScript files. I know of no examples of WSH JavaScript ever being put to good use, so giving it the heave-ho is very unlikely to have ill effects. But, it might just save your data. 
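Both options above, as an added example that is not part of the original post: a PowerShell script that either switches WSH off entirely, or leaves it running but re-points the .js and .jse file types at Notepad so that a clicked file is displayed rather than executed. It assumes administrator rights and the standard WSH settings key and file-type registrations.

```powershell
# Added example, not from the original post: either turn the Windows Script
# Host off completely, or keep it and just stop Explorer from handing
# double-clicked .js/.jse files to it. Assumes administrator rights.
param([switch]$DisableWshCompletely)

if ($DisableWshCompletely) {
    # Enabled = 0 makes wscript.exe and cscript.exe refuse to run any script.
    $wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    New-Item -Path $wsh -Force | Out-Null
    Set-ItemProperty -Path $wsh -Name Enabled -Type DWord -Value 0
    Write-Output 'Windows Script Host disabled for all scripts.'
    return
}

# Otherwise re-point the JavaScript file types at Notepad, so a clicked .js
# file is opened for viewing rather than executed. (Scripts started explicitly
# with cscript.exe or wscript.exe are not affected by this.)
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$notepad = '"%SystemRoot%\system32\notepad.exe" "%1"'
foreach ($progId in @('JSFile', 'JSEFile')) {          # ProgIDs for .js and .jse
    $cmd = "HKCR:\$progId\Shell\Open\Command"
    if (-not (Test-Path $cmd)) { continue }
    $before = (Get-ItemProperty -Path $cmd).'(default)'
    Set-ItemProperty -Path $cmd -Name '(default)' -Type ExpandString -Value $notepad
    Write-Output "$progId : '$before' -> Notepad"
}
```

Run it with -DisableWshCompletely on machines where you know WSH is unused; run it without the switch on the ones where you are unsure.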

Don't hand-out personal info to criminals

A point often overlooked is that in order to send malicious email, the criminal has first to find out a thing or two about you. At the very minimum your email address is needed. And since ransomware attacks rely mainly on social engineering tricks, the more the criminal can find out about you, the more convincing the attack can be made.  

A message from an unknown sender claiming to be an invoice will probably be deleted on the spot. A message carrying your real name as well as your email address, claiming to be from a bank you use and carrying your company registration number will very likely be opened. Bingo, you've been owned. The sender doesn't know you. Those details were harvested from the company website.   
 
Now, whilst those of us engaged in selling our products can't very well implement CIA security standards over our personal info, since that would make business near-impossible, we can avoid some of the more careless exposures of personal info to criminals. If your business has a website, take a close look at just what personal info is being exposed on it. In particular, in this day and age it is extremely inadvisable to post email addresses on webpages.  

Monitor suspicious activity

A typical symptom of active ransomware will be very large numbers of file accesses, either on the local disk or on a server share. Developers are working on ways of identifying such activity and terminating the process responsible, or, in the case of a server, blocking access to shares from the affected computer. 

A possible issue is that of false alarms due to legitimate copying or moving of blocks of data. One way of avoiding those might be to identify that the affected files have extensions associated with ransomware, or byte sequences associated with encryption methods. 

Such ideas are still in development, but show promise. 
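The heuristic described above, as an added example that is not part of the original post: a PowerShell sketch that flags a process writing many files in a short window, then applies the two false-alarm filters the text mentions, ransomware-style extensions and file contents that look encrypted (measured by byte entropy), so a legitimate bulk copy of documents is not reported. The events, extension list, window and thresholds are constructed assumptions.

```powershell
# Added example, not from the original post. Detects "many writes, fast" and
# then asks whether the files look like ransomware output before alerting.

function Get-ShannonEntropy([byte[]]$Bytes) {
    # Bits per byte: close to 8 for encrypted data, roughly 4 to 5 for text.
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

function Find-SuspiciousWriters {
    param([object[]]$Events, [int]$WindowSeconds = 10, [int]$MinWrites = 50,
          [string[]]$BadExt = @('.locked', '.crypt', '.encrypted'))   # constructed list
    $Events | Group-Object Process | ForEach-Object {
        $proc = $_.Name
        $grp  = @($_.Group | Sort-Object Time)
        $span = ($grp[-1].Time - $grp[0].Time).TotalSeconds
        if ($grp.Count -lt $MinWrites -or $span -gt $WindowSeconds) { return }   # not a burst
        # A burst: now apply the two false-alarm filters.
        $bad  = @($grp | Where-Object { $BadExt -contains [IO.Path]::GetExtension($_.Path) }).Count
        $avgH = ($grp | ForEach-Object { Get-ShannonEntropy $_.Body } | Measure-Object -Average).Average
        if ($bad -gt 0 -or $avgH -gt 7.0) {
            [pscustomobject]@{ Process = $proc; Writes = $grp.Count; BadExt = $bad; Entropy = [math]::Round($avgH, 2) }
        }
    }
}

# Constructed events: a bulk copy of ordinary documents (benign) alongside a
# process rewriting files with a ransomware-style extension and random content.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$random = New-Object byte[] 2048; $rng.GetBytes($random)
$text   = [Text.Encoding]::ASCII.GetBytes('Quarterly report, see attached figures. ' * 50)
$t0     = Get-Date
$events = foreach ($i in 1..60) {
    [pscustomobject]@{ Process = 'robocopy.exe'; Time = $t0.AddMilliseconds(50 * $i); Path = "D:\share\doc${i}.docx";        Body = $text }
    [pscustomobject]@{ Process = 'invoice.exe';  Time = $t0.AddMilliseconds(50 * $i); Path = "D:\share\doc${i}.docx.locked"; Body = $random }
}
Find-SuspiciousWriters -Events $events    # reports invoice.exe only; robocopy.exe passes both filters
```

In a real deployment the events would come from file-server auditing or a minifilter rather than a constructed list, and the action on a hit would be to kill the process or cut the client's share access, as the text describes.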

