Practical ransomware protection tips
by Maciej Makowski
Last week brought a global spike in ransomware attacks – with the most impactful being the DarkSide ransomware attack against Colonial Pipeline in the US.
Ransomware has been an emerging threat in the last several years and it seems that now its popularity amongst cyber criminals has peaked. Ransomware operators often hide in jurisdictions that put them outside of the international law enforcement cooperation framework – like Russia, Iran or North Korea, to name just a few.
This week many businesses braced for impact, with some receiving direct hits from various strains of ransomware. Meanwhile, various government bodies and public officials scrambled to give well-intentioned, yet often outdated or impractical public safety advice on how to prevent ransomware attacks.
A lot of this advice has been regurgitated over the last several years – and clearly it’s largely worthless, since the number of victims affected by ransomware increases each year and the ransomware operator gangs also grow in strength.
So before talking about measures that actually might work, let’s take a look at some commonly repeated myths about ransomware prevention and the generic advice that might give you a false sense of security.
Things that won't protect you from ransomware:
- Backups – backups are great to have and they can save your ass when your systems are compromised by ransomware. But having backups will do absolutely nothing to prevent a malware infection – ransomware does not care if you made backups or not. And hand on heart, we all talk about making backups of data – how many of us actually schedule and follow through with regular OS and data backups that we store externally to our systems, with multiple versions available? How many of us test and restore our backups during simulated data loss or system compromise incidents?
- Not clicking on links and attachments – great piece of advice, in theory. Especially when given by non-technical bureaucrats who need to fill some space on their PowerPoint slide. In practice, anybody who works in any type of business will tell you that external communication relies heavily on those things. How are you meant to process payments or invoices without opening PDF attachments?
- Antivirus software – 20+ years ago antivirus software was regarded as the gold standard and a must-have for every operating system. Now it’s often seen as glorified snake oil, especially since current operating systems come with a built-in suite of security products (see Windows Defender). Most ransomware victims have some sort of antivirus protection, yet they still suffer data and systems loss due to rogue encryption. That’s because many antivirus products are useless against ransomware.
Practical things that might actually work:
Starting with some less technical and easier to implement steps:
- Transition into the cloud environment – ransomware is directed at traditional endpoint-based infrastructure. It needs hard disk space to set a foothold and to download the malicious code that will proceed to encrypt your data, also stored on the same hard disk. To mitigate that, you could move towards the “thin client” model – nothing is stored on your machine, everything is in the cloud, with automatic backups and increased redundancy. Even if you are a small business, this model allows you to outsource security and stability of your operations to a cloud provider, which is much more resilient to ransomware infections.
- Switch to third party infrastructure for working on files – similar to the above-mentioned point, this means moving all your day-to-day operations to something like Google, without moving everything into the cloud. This also means changing your digital habits and how you work with files. No more downloading and uploading Microsoft Office documents or spreadsheets with macros – choose Google Docs or Sheets instead. Google is often criticised for being privacy averse (and rightly so), but their security features are second to none. It also offers utilities like attachment preview – you might be able to take a quick peek at a document first before you download it.
- Switch your email infrastructure to Gmail – you can keep your company’s domain name on your email address and nobody will know any different if you are using Google Gmail on the back end. Google offers enhanced inbox security features, from physical 2FA key integration to scanning attachments and detecting spam and phishing. Also, Gmail might do a good job at identifying malicious documents and isolating them, or even completely dropping the emails it identified as malicious before they hit your inbox.
OK, some more technically demanding tips now:
- Carry out hash value comparisons of downloaded files – even when downloading files and programs from trusted sources, compare the hash of what you downloaded with the hash the vendor publishes. Trust, but verify. Turning this into a standard practice will help you avoid unpleasant surprises like downloading ransomware disguised as a software update pack.
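The check described above, as an added example that is not part of the original article: it streams a downloaded file through SHA-256, parses the "hash  filename" line format that vendors commonly publish (the same format the sha256sum tool emits), and compares the two digests in constant time. The file name "update-pack.exe" and the checksum line are constructed for the demonstration; the expected digest is the SHA-256 of the constructed content "hello world".

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read large installers in 1 MiB chunks so memory stays flat


def sha256_file(path: str) -> str:
    """Return the lowercase hex SHA-256 of a file, streamed chunk by chunk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line: str) -> tuple[str, str]:
    """Parse one published checksum line: '<64 hex chars>  <filename>' (sha256sum format)."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"malformed checksum line: {line!r}")
    digest, filename = parts
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    # sha256sum prefixes the name with '*' when the file was hashed in binary mode
    return digest.lower(), filename.lstrip("*")


def verify_download(path: str, published_hex: str) -> bool:
    """True only if the file's digest equals the published one (constant-time compare)."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo() -> tuple[str, bool, bool]:
    """Constructed demo: a fake 'installer' checked before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = os.path.join(tmp, "update-pack.exe")  # constructed file name
        with open(installer, "wb") as fh:
            fh.write(b"hello world")  # constructed content
        # Constructed checksum line; the digest is SHA-256("hello world").
        published = (
            "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
            "  update-pack.exe"
        )
        expected, name = parse_checksum_line(published)
        ok_before = verify_download(installer, expected)
        # A package that was swapped or padded on the way down produces a different digest.
        with open(installer, "ab") as fh:
            fh.write(b"\x00")
        ok_after = verify_download(installer, expected)
        return name, ok_before, ok_after


if __name__ == "__main__":
    name, ok_before, ok_after = demo()
    print(f"{name}: verified={ok_before}, verified after tampering={ok_after}")
```

For a real download, call verify_download(path_to_file, digest) with the digest copied from the vendor's page; anything other than True means the file should not be run.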
- Use Shodan – to see what is publicly visible in terms of your network and what type of information can be found by an attacker conducting passive recon.
- Conduct an inventory check – find out what exactly is connected to your network. You don’t always know what constitutes a potential risk – including printers or older legacy devices. To do this yourself if your small business does not have an admin (and if you use a Windows machine), run the following commands in the terminal: net view (it will list computers and devices on the network with the same OS) and arp -a (it will show the MAC addresses of the devices present on the network). Identify what you recognise and need, and remove the other unrecognised or unneeded devices (especially older IoT ones – digital asbestos!) – they only add to what is referred to as your attack surface.
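An added example (not from the original article) of turning the arp -a step into a repeatable check: it parses the Windows-style arp -a table, drops the broadcast and multicast pseudo-entries every table contains, and lists any host whose MAC address is not in an inventory you maintain. The ARP output, IP addresses, MAC addresses and device labels below are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `arp -a` output on an English-language Windows workstation.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.254         de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

# Constructed inventory: the devices you have already identified and decided to keep.
KNOWN_DEVICES = {
    "00-11-22-33-44-55": "office router",
    "aa-bb-cc-dd-ee-01": "reception laptop",
    "aa-bb-cc-dd-ee-02": "accounts desktop",
}

# One data row: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    kind: str


def parse_arp(output: str) -> list[ArpEntry]:
    """Extract the data rows; interface headers and column headers do not match."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(ArpEntry(m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def is_real_host(entry: ArpEntry) -> bool:
    """Skip the broadcast and multicast rows that are not devices at all."""
    if entry.mac == "ff-ff-ff-ff-ff-ff":
        return False
    first_octet = int(entry.ip.split(".")[0])
    return not (224 <= first_octet <= 239)  # IPv4 multicast range


def unknown_devices(output: str, inventory: dict[str, str]) -> list[ArpEntry]:
    """Hosts seen on the LAN whose MAC is not in the inventory."""
    return [e for e in parse_arp(output) if is_real_host(e) and e.mac not in inventory]


if __name__ == "__main__":
    for entry in unknown_devices(SAMPLE_ARP_OUTPUT, KNOWN_DEVICES):
        print(f"unrecognised device: {entry.ip} ({entry.mac}) - identify it or remove it")
```

On a live Windows machine, feed the function the real table with subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout; the ARP table only shows hosts this machine has recently talked to, so run it from a few machines and more than once before treating the result as a full inventory.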
And some even more technically demanding solutions include:
- Employ virtualisation – a certain level of technical skills is required here, but if you are worried about emails with links or attachments being a serious attack vector, and for whatever reason you don’t want to switch to Google, you can essentially run your email clients in a virtual environment. In the event of a compromise, it’s the virtual machine that gets affected, not the host OS. This could work particularly well for smaller businesses – virtualisation at scale might cost you.
- Conduct a penetration test – ransomware operators nowadays like to style themselves on corporate services and adopt some of the lingo, often referring to their criminal activities as “unsolicited security audits”. So beat them to it – order or conduct an actual penetration test to identify gaps in your defences, or devote some time and money to “red teaming”, which means having dedicated employees tasked with running simulated attacks against your company. Yes, this is not always possible due to budgetary constraints – but who knows, it might prevent you from having to pay ransom one day.
- Harden your workstations – this is particularly relevant to places like schools and public libraries, where multiple unverified users access publicly available workstations. Hardening means identifying and disabling non-essential services and resources on those machines. This might include USB ports – the control settings can be changed to allow usage of only previously whitelisted devices via USB, or to disable USB altogether.
- Conduct network segmentation – don’t just operate everything out of one IP address, with everything connected to everything else. A segmented network means that devices and resources belong to certain groups and are limited to what and how they can connect to. This can be achieved by creating virtual LANs or subnets for different departments or sections of your organisation. For example, a payroll database should not be accessible to devices in a warehouse – and so on.
- Use canary tokens – this solution is a digital version of a canary in a coal mine, warning of the presence of toxic gas. It can be a blank Word document or another file that sends an early alert about the activity when it is opened or interacted with (for example, when it gets encrypted). These Word documents can be left on share drives or in places on the network that contain what look like lucrative targets for ransomware – usually databases.
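An added example (not from the original article, and not a specific canary token product) of the file-canary idea: decoy documents are planted on a share, a baseline fingerprint (size, modification time, SHA-256) of each is kept elsewhere, and a periodic check raises an alert as soon as a decoy is rewritten, renamed or removed, which is what ransomware encryption looks like from the file's point of view. The decoy file names and contents are constructed; the demo simulates the tampering in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed decoy names chosen to look valuable to an automated encryptor.
CANARY_NAMES = ["Payroll_2021_FINAL.docx", "Customer_Database_Export.xlsx"]


def file_fingerprint(path: str) -> dict:
    """What a pristine canary looks like: content hash, size and modification time."""
    with open(path, "rb") as fh:
        content_hash = hashlib.sha256(fh.read()).hexdigest()
    st = os.stat(path)
    return {"sha256": content_hash, "size": st.st_size, "mtime": st.st_mtime}


def plant_canaries(share_dir: str) -> dict[str, dict]:
    """Write the decoys into a share and return baselines to store away from the share."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(share_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"canary document - nothing of value here\n")  # constructed content
        baseline[path] = file_fingerprint(path)
    return baseline


def check_canaries(baseline: dict[str, dict]) -> list[dict]:
    """Compare each canary against its baseline; any difference is an alert."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append({"path": path, "reason": "missing or renamed"})
            continue
        current = file_fingerprint(path)
        if current["sha256"] != expected["sha256"]:
            alerts.append({"path": path, "reason": "content changed (possible encryption)"})
        elif current["mtime"] != expected["mtime"]:
            alerts.append({"path": path, "reason": "metadata changed"})
    return alerts


def demo() -> list[dict]:
    """Plant canaries in a temporary 'share', simulate tampering, and return the alerts."""
    with tempfile.TemporaryDirectory() as share:
        baseline = plant_canaries(share)
        if check_canaries(baseline):
            raise RuntimeError("canaries must be quiet while untouched")
        # Simulate an encryptor overwriting the first decoy with random-looking bytes.
        with open(os.path.join(share, CANARY_NAMES[0]), "wb") as fh:
            fh.write(os.urandom(64))
        # Simulate the second decoy being renamed with an extra extension.
        old = os.path.join(share, CANARY_NAMES[1])
        os.rename(old, old + ".locked")
        return check_canaries(baseline)


if __name__ == "__main__":
    for alert in demo():
        print(datetime.now(timezone.utc).isoformat(), "ALERT", json.dumps(alert))
```

In practice check_canaries would run from a scheduled task every minute or so and its alerts would go to whoever can pull the network cable; the value of the canary is in how early the alert arrives, not in the check itself.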
- Configure ransomware protection in Windows 10 – not everybody knows this, but Windows 10 actually comes with some ransomware protections in place – albeit turned off by default, so you need to configure them. The feature can be found in Windows Security Center > Virus & threat protection. There you can select the “Manage ransomware protection” option. More details can be found here.
* * *
That’s it then. Thoughts and feedback on the above are welcome, don’t hold back :).
About the Author:
Maciej Makowski - information security specialist with a strong background in criminal investigations and online safety. Spent nearly 13 years working as a police officer and cyber crime detective in An Garda Siochana, Ireland’s National Police and Security Service. Graduate of University College Dublin, also received professional qualification in data protection from the Law Society of Ireland. Experienced Axiom, Encase and FTK digital investigator, certified Cellebrite forensic mobile examiner. Author of osintme.com, a blog on open source intelligence and digital privacy.
The article was originally published at: https://www.osintme.com/index.php/2021/05/13/practical-ransomware-protection-tips/
Backup is not preventive, but a recovery measure