The latest attack seemingly took the world by surprise. However, most of the affected users were using unpatched and unlicensed versions of Windows. How do we take a stand against ransomware and avoid being sidelined by these attacks? Here are a few things that I do and am happy to share in an effort to help strengthen your resistance against these attacks.
Update: Assuming is never a good idea! Of course, your need for data backups is critical in ransomware attacks. But, it's not enough to have backups. You must also validate that they are usable and that the process works through testing.
- File Integrity Monitoring
- Monitoring your files for things like changing file extensions, moving of files, and authorization. Log & Event Manager (LEM) is vital in this to help protect your businesses information.
- Group Policies for Windows
- Cryptolocker prevention kits that do not allow ransomware to install in their most common locations.
- Make sure the Users group does not have full access to folders. I see this a lot, where a user group has full access to numerous folders.
- Make sure that users do not have rights to the registry!
- Static Block List
- Block known Tor IP addresses example: 188.8.131.52/23
- Limit network share access
- If they are able to penetrate and get to a server, you do not want to freely allow the ransomware full access to network shares. You also do not want a general user to have access to network shares that hold mission critical data. Think about this. Make sure you are applying policies and not giving users access to things they shouldn't. Allowing such gives attackers the same level of access.
- Update patching on servers
- If you are not patching your servers, you are not up to date on the malicious vulnerabilities that are already known. Stop being low hanging fruit and start being the insect spray to keep these attacks to a minimum. Patch Manager will help you schedule and push these out so you are not worrying about being up to date.
- The lab environment is key to making sure your third-party software is easily able to receive a patch. We all know that when a software or application is released, it is not aware of what's coming in the future. That is why installing a lab environment to test patches is a great way to help you patch and not be worried about breaking an application in the process.
- For the love of everything great, update your spam filters. This is key to helping you keep malware from getting to people that are not aware of these attacks, which results in them being blamed. Preventing these emails of destruction helps keep your teams aware. You can even use them as user education.
- Test your plan
- Test out a fake ransomware email with your business. See who reacts and within what departments. This will help you to train people within their areas to not react to these type of emails.
- You may be surprised at how many people will click and simply give away their passwords. This is an opportunity for you to shine as an IT organization by using this information to help get funds and user training for the business.
- Web filter
- Control the sites that users can access. Use egress or outbound traffic filtering to block connections to malicious hosts.
- Protect your servers and yourselves
- Have a companywide anti-virus/malware program that is updated and verified. Patch Manager will help you determine who is up to date and who is not!
- Web settings
- Verify that your web settings do not allow for forced downloads.
There are lots of ways to protect ourselves at work and at home. The main reason why I focus on the home in my user education is because we can prevent these from work -- to a point. However, when the user goes home, they are an open door. So including user education to go over ways of protecting home environments is as much of a responsibility for the IT team as it is for the users themselves. Once home, the ransomware could decipher that blocked call and take over your machine.
We can try to protect ourselves with things like LEM, which alerts you when users come online, and see if their files have changed or are being changed. However, NOT clicking the "click bait" email is what will ultimately help end-users be stronger links in the equation.
I hope this prompts you to raise questions about your security policies and begin having conversations about setting in place a fluid and active security plan. You never know what today or tomorrow will bring in bitcoin asks...