Recommendations for Combating Ransomware – May 2016

Kivu Consulting, Inc. | 04/29/2016

1. Backups

  • Kivu recommends backing up your data frequently. How often? Data that’s not been backed up is OK to lose. Also it’s critical to test your backup system on a quarterly basis to verify that backed up data can be restored – and anytime you switch to a new backup application.
  • Backups should be done on a weekly or daily basis to keep up to date with any new changes.
  • The stored backups need to be physically and logically disconnected from your production system – if you can navigate to them from a workstation, then ransomware can reach them too!
  • Using offline backups, if a system is infected with ransomware, it can easily be rebuilt, without needing to worry about paying a ransom or losing data.

2. Disable Macros

  • Microsoft Word macros are a set of commands that help a user easily access or automate frequently run tasks.
  • Many types of ransomware (including Cryptolocker and Locky) use macros to infect systems – thus disabling this feature is highly recommended.
  • Kivu recommends disabling all macros in all documents. With this measure taken place, macros will be automatically blocked and will not produce any notification, thus making software not being able to execute in most cases.
  • This will prevent “clickers” from accidentally activating macros.

3. Emails

  • Do not open unsolicited emails, train employees on an annual basis of staying vigilant and identifying suspicious looking emails.
  • Most phishing attacks are opportunistic rather than targeted, which expects end users to open malicious attachments or URL’s in order to execute malware or to redirect to website to download potential virus software.
  • Create an email account where employees can send suspicious email for further analysis. Have a dedicated team to monitor the email account, investigate and respond to future suspicious email attacks.
  • Regularly (preferably quarterly) train employees to send or forward suspicious looking emails to the newly created email account for review and analysis.
  • Reach out to Email Service Provider and discuss and test setup of SPF/DMARC email security standards. Example: If SPF is set to “fail” then DMARC needs to list the action items to send the email to either a “Quarantine” or “Junk” folder, but NOT the “Inbox” folder.
  • Distribute virus infection emergency procedures. Most likely, your employees will get scared and lost during infections. Distribute email fliers with emergency procedures to help employees act quickly and minimize any damage.
  • Security Awareness Training - Instead of annual security awareness, provide mandatory monthly flyer emails on current security threats (confirm everyone opens them), and provides monthly testing with malicious phishing attacks.

4. Operating System

  • Ensure operating system is up to date. Ransomware mostly targets known vulnerabilities in operating system rather than utilizing Zero Day (not known threats or no patch has been developed) vulnerabilities.
  • Use Windows update to make sure your system stays up do date.
  • Do not utilize Local or Domain Administrator account.
  • Ransomware elevates the level of the current user, and thus the resources that the current user is able to access (e.g. the standard user cannot modify system files, while administrator accounts can). To prevent this, install two separate accounts – one is regular and one is when you need to perform administrative tasks – or disable administrative access unless absolutely necessary.
  • Enable Shadow Copies – these allow a system to keep track of changes to files and enable restoration. This will not save you from Locky Ransomware (because Locky deletes Shadow Volume Copy), but it will save you from other types of common ransomware.
  • Use appropriate antivirus (AV) solution and consolidate AV programs when appropriate. Most leading brands of AV solutions can identify and stop ransomware from infecting your computer.
  • Kivu recommends solutions with Host Intrusion Prevention System (HIPS).
  • Intelligent analysis will learn user behavior over time and will stop unknown attacks if actions do not match normal computer usage behavior.

5. Network and Active Directory

  • GeoIP Blocking. Kivu recommends blocking IP address ranges with countries that you do not have current business with. For example, you can download to popular IP Geolocation databases such as https://ip.ludost.net/ (<= have legit https certificate) or http://www.ip2location.com/free/visitor-blocker or use Registry for Internet Numbers to block different networks such as China, Pakistan, Poland and Ukraine. This will not make it fail proof but will make attackers work a little harder to deliver ransomware to your domain.
  • Filter outgoing traffic and use outgoing port filtering on your firewall and allow only known ports to be reached by internal users.
  • If your company uses Windows Server 2012 R2 as your domain controller, take advantage of AppLocker within Group Policy Object. This policy will allow you to run only default windows binaries and packages and allowed programs in your domain. This also can be setup to prevent running software from unusual directories such as: C:\Users\USERNAME\AppData\Local\Temp\ C:\Users\USERNAME\AppData\

To read more, please log in