UPDATE on PetrWrap: The most recent analysis of this malware shows that it isn’t really ransomware but a virus designed to wipe the infected machines. Even though PetrWrap displays a note asking for $300 in ransom, the malware cannot restore the machine. The virus was designed to wipe computers outright.
Only a few weeks have passed since WannaCry and its devastating attack made the news, and now another type of ransomware has made headlines. PetrWrap is a derivative of the Petya ransomware, but one that circumvents the protections which were put in place to stop Petya.
PetrWrap has already infected major networks such as the Ukrainian power company, the Ukrainian central bank and Kiev’s international airport. Pharmaceutical company Merck, shipping company Maersk and the Chernobyl power plant have also been on the receiving end of these attacks.
The problem with ransomware is how many entry points it has, and how many different layers of defense are required to keep it from destroying data. Ransomware is a growing threat to businesses of all sizes as well as to consumers, and a layered defense has never been more important. There is no single thing you can do to protect against ransomware, so let’s go through the layers of defense you need to ensure you and your users are protected.
Almost all ransomware comes in through email. A strong messaging hygiene solution that filters out spam, phishing, and malware is critical as the first line of defense against ransomware. Scan everything. Block executable and encrypted content unless that’s a critical need for your business. Stop everything you can at the border so you don’t have to worry about the rest. But since you cannot stop everything make sure you have the other layers in place!
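The attachment policy described above (scan everything, block executable and encrypted content at the border) can be illustrated with a small inspector. This is an added example, not code from the original article or any vendor product; the extension list is an illustrative policy, not a complete one, and the message it inspects is constructed in the script itself.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Assumption: illustrative block list; a real gateway policy would be longer and tuned per business.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar", ".msi", ".dll"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename: str, payload: bytes) -> List[str]:
    """Return policy findings for one attachment; an empty list means it passes."""
    findings = []
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"{filename}: blocked extension {ext}")
    # Content check: a Windows executable starts with the DOS header magic, whatever it is named.
    if payload[:2] == b"MZ":
        findings.append(f"{filename}: Windows executable header despite name")
    # Look inside archives: encrypted members cannot be scanned, and scripts hide in zips.
    if ext in ARCHIVE_EXTENSIONS or payload[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
                        findings.append(f"{filename}: encrypted archive member {info.filename}")
                    if _ext(info.filename) in BLOCKED_EXTENSIONS:
                        findings.append(f"{filename}: archive contains {info.filename}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: unreadable archive")
    return findings


def inspect_message(raw: bytes) -> List[str]:
    """Walk every attachment of an RFC 822 message and collect the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(inspect_attachment(part.get_filename() or "", part.get_payload(decode=True) or b""))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a benign note, a renamed executable header, and a zip holding a script name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"Invoice total: 120.00\n", maintype="text", subtype="plain", filename="invoice.txt")
    fake_exe = b"MZ" + b"\x00" * 62  # constructed: only the DOS header magic, nothing executable
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, no script body\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print("BLOCK:", finding)
```

The point of the magic-byte check is that a filter keyed on filename alone is trivially bypassed by renaming; the archive walk covers the other common evasion, a script or executable one layer down inside a zip.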
Every system, EVERY. SYSTEM. must run antimalware software. Ensure it updates frequently throughout the day, that real-time scans are enabled and check every action, and that no user has the ability to disable antimalware. Things will get through every other protection you have, so make sure that every endpoint…and by that we mean every PC, Mac, tablet, and phone, has antimalware software installed and running 100% of the time.
Reduced user rights
Malware, including ransomware, can only run in the security context of the user who tries to run it. Most malware can be stopped, and much of the damage can be limited, by simply not giving end users administrative rights to their machines. This is not always possible, or even practical, I know, but if you can do it in your environment, take advantage of that fact and you will greatly reduce the risk, and minimize the damage, should any ransomware make it through to the point where a user runs it.
Also, don’t give users CHANGE permissions to network shares they don’t need CHANGE permissions to, especially if they map network drives to those shares. Ransomware isn’t just going to try to encrypt local files…it will try to encrypt everything the user has access to. Least privilege is key to reducing the potential damage. Of course, users have to have CHANGE to some data, and that is why you have to have…
Backups: they’re not just for archiving. Having backups of data ensures that if anything happens to that data, you can restore it. What would you do if a user was infected with a piece of ransomware that encrypted their My Documents and their H: drive, but you had a full backup of all that data from last night? You’d format and reimage their workstation, delete all the content in their H: drive and restore it from backup, and they’d be up and running in a few hours. No ransom paid, no work lost…just a bit of downtime. Now, what would you do if that same user had no backups at all? Often, you’d have to pay up. Whether you use disk to disk, disk to tape, or workstation to cloud (OneDrive for Business, Dropbox, Google Drive, etc.), having copies of critical data is a great way to protect against ransomware. For fileshares, Volume Shadow Copies are a great way to increase your protection, especially when users have to have CHANGE permissions.
When you back up to tape, those backups are typically offline. When you back up to the cloud, they aren’t. That means a piece of ransomware that encrypts the local copy will result in the encrypted local copy being synced to the cloud, and the cloud backup is now encrypted too! If you use versioning, though, you can recover the previous version, which won’t be encrypted, and you’re back in business. Practically every cloud-based backup solution on the market offers versioning, so turn it on and make sure you have another layer of defence in place.
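The difference between a plain sync and a versioned one, as the two paragraphs above describe it, can be shown end to end. This is an added example, not code from the original article or from any backup product: the "cloud" is a directory on local disk, the sync logic is a toy written for this page, and the damage is simulated by overwriting a constructed document with random bytes (standing in for an encrypted file, with no encryption routine involved). The entropy threshold used to pick the last clean version is an assumption.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path
from typing import List, Optional

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption: well above what office documents reach


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext sits near 8.0, documents far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


class MirrorStore:
    """Sync without versioning: the newest local copy always wins, so damage propagates."""
    def __init__(self, root: Path):
        self.root = root
        root.mkdir(parents=True, exist_ok=True)

    def sync(self, source: Path) -> None:
        for path in source.rglob("*"):
            if path.is_file():
                target = self.root / path.relative_to(source)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(path.read_bytes())

    def read(self, rel: str) -> bytes:
        return (self.root / rel).read_bytes()


class VersionedStore:
    """Sync that keeps every prior version of each file, named by sequence number and SHA-256."""
    def __init__(self, root: Path):
        self.root = root
        root.mkdir(parents=True, exist_ok=True)

    def versions(self, rel: str) -> List[Path]:
        vdir = self.root / rel
        return sorted(vdir.iterdir()) if vdir.is_dir() else []

    def sync(self, source: Path) -> List[str]:
        changed = []
        for path in sorted(source.rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(source).as_posix()
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            existing = self.versions(rel)
            if existing and existing[-1].name.endswith(digest):
                continue  # unchanged since the last sync
            vdir = self.root / rel
            vdir.mkdir(parents=True, exist_ok=True)
            (vdir / f"v{len(existing):04d}_{digest}").write_bytes(data)
            changed.append(rel)
        return changed

    def last_clean_version(self, rel: str) -> Optional[bytes]:
        """Newest stored version whose content does not look like ciphertext."""
        for v in reversed(self.versions(rel)):
            data = v.read_bytes()
            if not looks_encrypted(data):
                return data
        return None

    def restore(self, rel: str, dest: Path) -> bool:
        data = self.last_clean_version(rel)
        if data is None:
            return False
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return True


def demo() -> dict:
    """Constructed scenario: sync a document, overwrite the local copy with random bytes, sync again, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        local, mirror, versioned = tmp / "local", tmp / "mirror", tmp / "versioned"
        local.mkdir()
        doc = local / "docs" / "report.txt"
        doc.parent.mkdir()
        original = b"Quarterly report: revenue up 4%, costs flat.\n" * 40  # constructed document
        doc.write_bytes(original)
        m, v = MirrorStore(mirror), VersionedStore(versioned)
        m.sync(local)
        v.sync(local)
        doc.write_bytes(os.urandom(4096))  # simulated damage: random bytes, not real encryption
        m.sync(local)
        v.sync(local)
        restore_dir = tmp / "restored"
        ok = v.restore("docs/report.txt", restore_dir)
        return {
            "mirror_recoverable": m.read("docs/report.txt") == original,
            "versions_kept": len(v.versions("docs/report.txt")),
            "versioned_restored": ok and (restore_dir / "docs" / "report.txt").read_bytes() == original,
        }


if __name__ == "__main__":
    print(demo())
```

The mirror store ends up holding only the damaged copy, which is exactly the failure the paragraph warns about; the versioned store still has the earlier version and can hand it back. Picking the restore point by entropy rather than by timestamp is what makes this usable across a whole share, since the sync that propagated the damage is also the most recent one.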
While most ransomware takes advantage of user action and user rights, some of the most recent variants have, once a user launches them, attempted to exploit unpatched vulnerabilities in other systems in order to spread. Keeping up with all the patches and updates may seem like a lot of work, but a patch management application can greatly reduce that workload, and also greatly increase the likelihood that all of your servers and workstations, operating systems and applications, are fully patched. This is a great way to reduce your exposure to ransomware and other malware.
Whether you want to enforce your acceptable use policy, restrict user access to inappropriate websites, or just protect your users from the worst the web has to offer, a web filtering solution is a critical part of a defence in depth approach to network security. While a lot of ransomware comes into environments by way of malicious attachments in emails, there are still plenty of infected downloads that carry ransomware in from websites all over the Internet. Web filtering can check lists of known malicious or compromised websites, as well as scan downloads for infections before they get to the user’s workstation. It’s the last technical layer of your defence, and it’s a critical one. But we saved the most important for last.
Never, ever, underestimate the importance of user education. They are your last line of defense against ransomware, malware, phishing, or any other attack since it’s they who are the targets, and they are the ones who click, or double-click, what they should not. If a user is fooled by a phishing email that you can tell at a glance is fake, then you have failed to properly educate your users. If a user fills out an online form asking for their account information, and you didn’t block the phishing message that sent them there, or the website when they clicked the link, then you failed to make them aware of the risks, and to question those things that are not right. You have to educate your users, and do it repeatedly, because at the end of the day, when all is said and done, something is going to get through every other layer of defense you have and whether or not they click comes down to whether you taught them well, or not.
Ransomware is a threat that isn’t going away, and if you haven’t been impacted by it yet, consider yourself to be very lucky. But don’t count on your luck to hold. Take action now to ensure you have a layered security approach in place to protect your users, your data, and your customers from the threats ransomware presents.