
The company I work for has been getting hit with loads and loads of frightfully sophisticated ransomware spam lately, people masking as consultants, customers, very specific company requests, etc. Even though we do daily offline backups, and even though we have enterprise endpoint protection by Kaspersky, I'm worried that one of these days one will slip through the cracks and severely damage us. Here are some steps we have already taken to mitigate:

  • Tell people they should never open suspicious email attachments, and err on the side of caution.
  • Restrict access to all network shares to a need-to-know basis
  • Automatically strip .exe, .rar and .zip files on our Exchange server

Still, despite all this, the spam emails are getting better, and our Kaspersky has to stop infections almost daily. Our staff are mostly office people, so most of them have understandably little idea of what's going on. What else can we do to mitigate our risks?

Magisch
  • This is too short for an answer, but using a very frequent versioning backup will allow you to quickly recover from a ransomware attack. This will reduce the damage (and therefore the risk) from an infection – ztk Apr 19 '16 at 16:53
  • Perhaps you may find useful the information contained in this question: http://security.stackexchange.com/questions/124356/is-there-now-an-increased-risk-of-ransomware-in-pirated-software/124363#124363 – Nick C. May 27 '16 at 12:49

3 Answers


There are different ways to approach this, including:

  • Mitigation of the infection
  • Filtering emails better
  • Educating users

As your question regards the mitigation of an infection, I will keep the other parts short.

Filtering emails

The problem is not only attachments but also HTML emails that could directly attack the email client - or contain fraudulent links.

Depending on the business, this method may or may not be applicable:

Deploy greylisting in conjunction with an attachment check and SPF and/or DKIM. E.g.

That sender is new to me - it has an attachment. If the DKIM signature cannot be verified, I'm not letting this through.

Mitigating the risks

Again, this depends on your business. If there isn't loads of data being used (and written to), this might be a possibility:

Have a "staging area" for each login session - e.g. the "Documents" directory being the only directory with write access for users.

Then, they may write new files (or open read-only old files and edit them) there - the sandbox then gets migrated to permanent storage with a logout script, changing permissions to read-only.

The problem with this is: if the malware uses privilege escalation, there is a chance it changes permissions and encrypts anyhow.

There is also another question (by me) here that has higher demands on the write access, maybe that helps you.

The key point is to restrict write access as much as possible - maybe introducing some organizational overhead with manually requesting rights from the sysadmin, but minimizing the damage that can be done.

As FerryBig pointed out in the comments: of course all software should be kept up-to-date at all times (with verified updates) and no software should be used that is discontinued or known to have unfixed vulnerabilities (looking at you, Flash!).

User education

Basically, even not-suspicious-looking file attachments are a bad idea.

The general rule of thumb would be to not open attachments that are not expected. Cross-reference this answer on malware infection, also - unfortunately, also by me.

Tobi Nary
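The logout-time migration described in this answer, written out as an added example (illustration code for this page, not the answerer's own script). It moves whatever the user produced in the staging area to permanent storage and leaves the archived copy readable but not writable by that user. The archive share `\\fileserver\archive`, the `C:\Users\<name>\Documents` staging location and the idea of running it as a privileged scheduled task at session end are assumptions; it must run with administrative rights, because a user who owns a file can always re-grant himself write access, which is the same privilege-escalation caveat the answer raises.

```powershell
<#
  Added example, not part of the original answer.
  Migrates a user's staging directory to read-only permanent storage.
  Assumptions: staging area = C:\Users\<name>\Documents, archive = \\fileserver\archive\<name>,
  and the script runs elevated (e.g. from a scheduled task triggered on session end).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # e.g. CORP\alice
    [string]$ArchiveRoot = '\\fileserver\archive'      # assumed share name
)

$ErrorActionPreference = 'Stop'
$sam     = $UserName -replace '^.*\\', ''              # strip the domain part
$staging = Join-Path "C:\Users\$sam" 'Documents'       # the only user-writable area
$archive = Join-Path $ArchiveRoot $sam
$account = [System.Security.Principal.NTAccount]$UserName
$admins  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

if (-not (Test-Path -LiteralPath $archive)) {
    New-Item -ItemType Directory -Path $archive | Out-Null
}

Get-ChildItem -LiteralPath $staging -Recurse -File | ForEach-Object {
    # Preserve the relative layout of the staging area inside the archive.
    $relative = $_.FullName.Substring($staging.Length).TrimStart('\')
    $dest     = Join-Path $archive $relative
    $destDir  = Split-Path -Path $dest -Parent
    if (-not (Test-Path -LiteralPath $destDir)) {
        New-Item -ItemType Directory -Path $destDir | Out-Null
    }

    # Never overwrite an earlier archived version: if ransomware encrypted the
    # staging copy during this session, the clean copy in the archive survives.
    if (Test-Path -LiteralPath $dest) {
        $dest = '{0}.{1}' -f $dest, (Get-Date -Format 'yyyyMMdd-HHmmss')
    }
    Move-Item -LiteralPath $_.FullName -Destination $dest

    # Replace the inherited ACL with an explicit one:
    # the user may read and execute, Administrators keep full control.
    $acl = Get-Acl -LiteralPath $dest
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'ReadAndExecute', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', 'Allow')))
    # The owner can always rewrite the DACL, so the owner must not be the user.
    $acl.SetOwner($admins)
    Set-Acl -LiteralPath $dest -AclObject $acl
}
```

Run it as `.\Migrate-Staging.ps1 -UserName CORP\alice` from the privileged task. Two points worth checking before relying on it: verify with `Get-Acl` on an archived file that no inherited ACE granting Modify survived (a share-level "Everyone: Change" permission on the file server would still undo the whole scheme), and keep the daily offline backups, since this only shrinks the window a ransomware process has to overwrite files, it does not close it.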

The standard solution to crypto ransomware on Windows (which is admittedly a PITA) is to block execution from the user %APPDATA% directory tree and system %TEMP% location by group policy (Software Restriction Policies or AppLocker). After setting up a default deny rule, you'll need to whitelist legitimate apps in your environment that use these directories.

At least to date, all four major crypto ransomware families execute from %APPDATA% or %TEMP%, which makes blocking execution from there the easiest, most effective solution. I've yet to see a piece of crypto malware get through these policies, and it's been several years.

Filtering email is a hit-or-miss strategy for dealing with ransomware, as the primary attack vector for these campaigns these days is malvertising. For what it's worth, when ransomware first became a big thing about 5 years ago, I was working for a large corporation that did the same things you're doing now - email filtering, proper backups, endpoint AV, and even a webfilter/proxy, but we were still getting hit by one of these every couple of weeks or so. The only thing that worked was blocking execution by default from %APPDATA%.

HopelessN00b
  • This does not work if vulnerabilities in otherwise legitimate products (such as Acrobat Reader) are exploited. But generally, that seems like a reasonable approach to stop at least the execution. – Tobi Nary Apr 19 '16 at 13:46
  • @SmokeDispenser It does, generally, because the exploits are only used to download and trigger the ransomware executable. – Xander Apr 19 '16 at 14:09
  • One other potentially useful mitigation to prevent ransomware from being downloaded in the first place, is to set up GPOs to limit (or block entirely) Office macros. – Xander Apr 19 '16 at 14:11
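The AppLocker variant of this answer's default-deny policy, as an added example (written for this page, not the answerer's own configuration). AppLocker has no %APPDATA% or %TEMP% variables of its own, so the per-user profile tree is expressed as `%OSDRIVE%\Users\*\AppData\*`, which covers both `%APPDATA%` (Roaming) and the per-user `%TEMP%` (Local\Temp); the system `%WINDIR%\Temp` is user-writable and would otherwise be covered by the "allow %WINDIR%" rule, so it gets its own deny. Deny rules beat allow rules, so the denies also bind members of Administrators, and the "whitelist legitimate apps" step becomes an `<Exceptions>` element on the deny rule. The policy file location, the rule GUIDs and the publisher/product strings in the exception are assumptions; read the real strings with `Get-AppLockerFileInformation` against the binary you want to allow. Run it from an elevated prompt on an edition that ships AppLocker (Enterprise/Education; on Pro, build the same paths as Software Restriction Policies instead).

```powershell
<#
  Added example, not part of the original answer.
  Builds, tests and imports an AppLocker Exe policy that allows only %WINDIR% and
  %PROGRAMFILES%, denies every user's AppData tree and %WINDIR%\Temp, and carves
  one publisher-based exception for a per-user install that legitimately lives
  under AppData. GUIDs, the file path and the exception's publisher data are assumed.
#>
$policyPath = Join-Path $env:ProgramData 'applocker-appdata-deny.xml'   # assumed location

@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="6d7a1f1e-2c3b-4b2e-9a0d-4f5e6a7b8c90" Name="Allow %WINDIR%"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d" Name="Allow %PROGRAMFILES%"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a" Name="Deny %WINDIR%\Temp"
                  Description="user-writable hole inside the %WINDIR% allow" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="c0ffee00-1234-4abc-9def-00000000beef" Name="Deny user profiles (AppData, Roaming, Local\Temp)"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="MICROSOFT ONEDRIVE" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: drop two harmless placeholder files where a dropper would land and
# ask AppLocker what this policy decides for them and for a legitimate binary.
$dropper = Join-Path $env:APPDATA 'invoice.exe'
$tempExe = Join-Path $env:TEMP    'update.exe'
New-Item -ItemType File -Path $dropper, $tempExe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    $dropper, $tempExe, "$env:windir\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $dropper, $tempExe

# Import into the local policy (for a domain GPO use -Ldap with the GPO's DN instead).
# AppLocker does nothing unless the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# While EnforcementMode is AuditOnly, event ID 8003 in the
# Microsoft-Windows-AppLocker/EXE and DLL log lists what would have been blocked.
# Whitelist from that list, then switch the collection to EnforcementMode="Enabled".
Get-AppLockerFileInformation -EventLog -EventType Audited | Select-Object -First 20
```

Two caveats a practitioner will hit: this covers only the Exe collection, so the Script, Windows Installer and DLL collections need their own rules (a ransomware packaged as an .msi or launched via a script would otherwise pass), and the publisher exception trusts anything signed by that vendor with that product name, so keep `ProductName` narrow rather than `*`.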

I can see from your question that Windows is currently the dominant operating system used in your company.

You can change to GNU/Linux as the running operating system on all of your company's computers. There is very little successful ransomware for GNU/Linux, and neither is it likely that there will be much of it in the future. The same goes for viruses and malware in general. Developers of malware are likely not very interested in the platform. Moreover, the platform is generally more secure than Windows. If your colleagues have Windows software (Microsoft Office, etc.) that they have to run (or even prefer), you can install it for them through Wine or VirtualBox. I myself installed Microsoft Office on Ubuntu 14.04 for a non-savvy friend recently; it runs perfectly. The Wine frontend PlayOnLinux makes installing many programs a dream. Other software I have installed in this way includes Adobe Photoshop and Adobe Lightroom. Moreover, VirtualBox can run a perfect virtualization of Windows with perfect compatibility with Windows software. VirtualBox is free, and your company already owns the Windows licenses you will need to use Windows legally in it.

This will also save you much money. For maximum security, you can still take many of the general precautions you have previously taken.

There are now several GNU/Linux distributions that are very user-friendly, and perfectly suitable for non-savvy users, such as normal employees in a typical office environment. One of many possibilities would be Linux Mint, as its GUI is somewhat similar to Windows, which the employees may be used to.

An arguably slightly more user-friendly alternative is to switch to OS X. However, there would be a massive expenditure in buying all that Apple hardware for the whole company. Running OS X on your current hardware is in a gray area of the law, so don't consider that without first consulting a legal expert. Moreover, the installations themselves require technical expertise and are likely to be riddled with challenges. Also, even this would be somewhat expensive, as you'd legally still have to buy a copy of OS X for each computer. Moreover, OS X has had a confirmed case of ransomware lately. Malware authors are more likely to target a platform the higher the adoption rate of the platform. Anyhow. OS X is slightly more user-friendly and has a larger software ecosystem (of mostly paid apps, again increasing your expenses).

To sum up, I suggest you move your whole office over to GNU/Linux. Or, if you don't care about the downsides I described, OS X.

Fiksdal
  • I appreciate the suggestion, but we have several outside constraints (including our owners) that will not allow the use of any operating system for anything that is not Windows. We even have to use Windows servers, and some of our old hardware can only run Windows 2000 (barely) – Magisch Apr 20 '16 at 10:45
  • @Magisch You mean your owners won't allow you to use Linux? Too bad. As for the old hardware, that doesn't sound much fun :) – Fiksdal Apr 20 '16 at 10:51
  • That's what I mean. Windows only. Our main application is also bound to Windows-only frameworks, and that is absolutely required to work with anything here. – Magisch Apr 20 '16 at 10:52
  • @Magisch I know the point with your owners, so this suggestion is likely void, but wouldn't it be possible for you to run your main application and other software in a VirtualBox Windows? Any viruses that infect the virtual machine will be unable to spread further. Your servers can still run Windows, as they are not used by the normal office workers and therefore less of a risk. Anyway, I know this is all pointless, since your owners won't allow you to anyway. – Fiksdal Apr 20 '16 at 10:57