Unless you’ve been completely off the grid for the past several days, you’re probably aware of the global havoc caused by the outbreak of the “WannaCry” ransomware variant. The initial outbreak was stalled by an “accidental hero” who spotted a very strange, nonsensical domain name buried in the code, checked to see if that domain name was registered anywhere, found that it wasn’t, and registered it himself to find out what would happen – thus inadvertently activating a “kill switch” that had been built into the malware. But it’s already starting to spread again, this time without the built-in kill switch.
This particular ransomware variant is different from any seen before, in that it includes some worm-like functionality that allows it to spread across a network to infect multiple machines, rather than being confined to the computer of the poor soul who clicked on the wrong thing. That makes it quite a bit more dangerous.
In my discussions with IT professionals, ransomware tends to be one of the things that worries them the most, because there is no “magic bullet” that can guarantee that you’ll never get infected with it. But there are some things that you can do to reduce the likelihood of infection, and potentially limit the damage if you do get infected:
Don’t Run Obsolete Software
If you’re running anything older than Windows 7 on the desktop, you’re putting your business at risk. Yes, I know that there are a few applications out there – industrial control systems, etc. – that require Windows XP. If you are forced to run an older system because of an application dependency, take steps to isolate that system from the Internet, and from the rest of your network: unplug it or firewall it.
Keep Your Patches Up to Date
Yes, there are “zero-day exploits” that can blind-side us before the anti-virus vendors get a chance to incorporate them into their signature files, and before Microsoft has time to develop and issue a patch. But the majority of malware infections could have been avoided if the infected system had been fully patched, with current anti-malware software running.
Keep Your Anti-Virus Software Up to Date
See previous point. Note, however, that according to the research firm IDC, signature-based tools are only effective against 30 – 50% of current threats. Moreover, for as little as $30/month, a cybercriminal can get access to a “crypter” tool that will automatically test malware code against the latest signature files of all the leading AV software vendors, and continue to automatically modify the code until it passes. The slang term for this is “FUD,” or Fully Un-Detectable code.
Use a Firewall with Advanced Features
Modern firewalls from vendors such as Fortinet and WatchGuard can be purchased with advanced protection features such as an additional layer of AV detection, and the ability to block access to known malicious Web sites. Some can even intercept executable code that is attempting to transit the firewall, quarantine it, “fingerprint” it, and check that fingerprint against an existing database, first on the appliance itself, and then in the Cloud. If it has never been seen before, a copy can be sent off to a cloud-based service where it is loaded into a system emulator and executed to see what it does before the decision is made to let it through.
Unfortunately, some crypters are capable of making malware that can detect when it’s being run in a virtual machine or a sandboxed environment, and not execute in that situation…so that’s not a foolproof approach either.
Consider Additional Desktop Tools
Software tools such as CryptoPrevent (from www.foolishit.com) and WinPatrol Enterprise (www.winpatrol.com) can add value by doing things like:
- Not allowing executables to run if they’re in a folder where you wouldn’t expect to find executable code.
- Providing an easy interface to help you build a “whitelist” of permitted programs, and blocking any executable that’s not on the list.
- Preventing executables with disguised filenames (e.g., malware.doc.exe) from running.
- Creating a secure folder on your PC that only specifically-authorized programs can access.
And, speaking of disguised filenames, one of the worst ideas in the history of bad software ideas is the “hide extensions for known file types” option in Windows, which seems to be enabled by default. This is one of the first things I turn off in any system I build. If you have it enabled, and I send you an email attachment named “mymalware.pdf.scr,” Windows will hide the “.scr” from you, and all you’ll see as the attachment name is “mymalware.pdf.” Even though it won’t display the Acrobat icon (because of the concealed “.scr” extension) all too many users will still assume that it’s a benign Adobe Acrobat file and open it to see what it is.
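Here is an added example (not from the original post) of putting the last two points into practice: it turns off the “hide extensions for known file types” option for the current user via its registry value, and then sweeps a folder for double-extension files like “mymalware.pdf.scr” whose final extension Windows will actually execute. The list of executable extensions and the Downloads folder used for the sweep are assumptions, not something the post specifies.

```powershell
# Added example: disable "Hide extensions for known file types" for the
# current user. Explorer re-reads this value when it restarts (or at next
# logon); restarting explorer.exe is left to the administrator.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord

# Final extensions that Windows treats as executable or script content.
# This list is an assumption covering common types, not an exhaustive one.
$execExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd',
           '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.ps1'

function Find-DisguisedFiles {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # For "mymalware.pdf.scr", BaseName is "mymalware.pdf" and
            # Extension is ".scr": flag files whose real extension is
            # executable but whose base name ends in a document/image type.
            ($execExt -contains $_.Extension.ToLower()) -and
            ($_.BaseName -match '\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|zip)$')
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Example usage: the Downloads folder is a constructed choice, being where
# e-mail attachments usually land. Review any hits before deleting them.
Find-DisguisedFiles -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Pointing the same function at a file-server share will find disguised files that users have already saved, which is a quick way to check whether the desktop tools above are doing their job.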
Consider a DNS Filtering Service
One thing that almost every piece of malware has in common is that it “phones home” to a command and control server after the initial infection takes place – either to get instructions on what to do next, such as download additional malware, or to get the encryption key it’s going to use to encrypt your files. That phone-home operation typically involves a DNS query. DNS filtering services, such as Cisco Umbrella (formerly OpenDNS) maintain farms of DNS servers around the world that handle tens of billions of DNS queries daily, and build a database of known – or suspected – malware sites or IP address ranges. By pointing your systems at this service for DNS resolution, you increase the chances that any attempt by malware on your network to communicate with command and control servers will be blocked, thus limiting the damage even after an initial infection has occurred. In many cases, these services can also block attempts to click through to a “malvertising” Web site. For more details on this, see http://sidherron.com/beating-malware-by-disrupting-command-and-control/.
Make Sure You Have Good Backups
…and, preferably, off-site backups that cannot be encrypted if your on-site systems get tagged with a ransomware infection. Because, if all else fails and you get a ransomware infection, your choices are going to be to either pay the ransom or restore from backup. Advanced SAN technologies such as “Continuous Data Protection” may also let you quickly and easily roll back to a point before the infection occurred. And enterprise file sync and share products like eFolder’s Anchor product can protect user data in a similar fashion. Anchor will allow you to set up a continuous Cloud backup process for specific folders on a client PC, and will retain prior versions of changed files for an administratively-configurable length of time, or until you go in and clean them out. So, if the client PC gets infected with ransomware, and files are encrypted, the encrypted files will be replicated to the Anchor cloud…but, the previous, unencrypted versions of the files will still be available, and you can create a point-in-time snapshot of that repository that pre-dates the infection, set that snapshot up as a new folder in the Cloud repository, and use it to bring the user’s files back. For more information on this, see http://sidherron.com/using-file-sync-share-to-help-fight-ransomware/.
Educate Your Users
If you’re an IT professional, it’s part of your job to worry about security stuff. But your users have other jobs to do, and will inevitably get busy and distracted, and click on the wrong thing. User education needs to be an ongoing process, not just a “one and done” thing. And we’re here to help you. Xiologix partners with KnowBe4 to provide affordable subscriptions that not only give you access to excellent training resources for your users, but also allow you to set up simulated “phishing” attacks that will reveal whether the training has been effective, and help your users understand the nature of modern cybersecurity threats and why they need the training. Just reach out to your Xiologix account representative for more information.