Channel: Symantec Connect - Blog Entries

Ransomware Do's and Don'ts: Protecting Critical Data


Ransomware threats such as CryptoLocker or CryptoWall are becoming more prevalent in enterprises. The purpose of these threats is quite simple: they attempt to extort money from their victims with promises of restoring encrypted data.

We have seen a sharp rise in requests from customers with respect to ransomware, and it’s important to understand these risks: what to do, what not to do, and how best to prevent yourself from becoming a victim.

  • My data’s been encrypted by ransomware, what now?

    • Do not pay the ransom!

      • Paying the ransom may seem like a realistic response, but it only encourages and funds these attackers. Even if the ransom were paid, what guarantee do you have that you will actually regain access to your files? Remember that these are the same aggressors who are holding your files hostage in the first place.

    • Remove the impacted system from the network and remove the threat.

      • With a multitude of variants it is unrealistic to list the exact steps, but most security vendors have detailed write-ups for these threats that include removal instructions. Removal is best done with the system off the network to prevent any potential spread of the threat.

    • Restore any impacted files from a known good backup.

      • Restoration of your files from a backup is the fastest way to regain access to your data.

    • Can I regain access to my files without paying the ransom or restoring from backup?

      The answer is most likely no. Earlier variants of these threats simply hid the ransomed files, left copies of the original files in the Volume Shadow Copy service, or left copies of the private encryption keys locally or in memory. It is certainly worth researching the details of the variant you encountered to see if any of these options apply to you, but in the majority of cases they no longer do, as the threat writers have updated their methods using the funds from earlier rounds of extortion.

    • Can I “Brute-Force” my way into my encrypted files?

      • No. The current threats use a 2048-bit RSA key, and brute-forcing a key of that size is simply not feasible today.

  • What can I do to protect myself from ransomware?

    • Install, configure and maintain an endpoint security solution

      • With the endpoint being the final line of defense against any threat, a multi-faceted security solution should be employed. It should protect against not just file-based threats (traditional AV) but should also include download protection, browser protection, heuristic technologies, a firewall and a community-sourced file reputation scoring system.

      • Symantec Endpoint Protection 12.1 (SEP 12) users can leverage the supplied “High Security” Virus and Spyware Protection policy, generated automatically during installation of SEP 12, to protect against ransomware threats. As the default policies are often edited directly, the details of the specific settings contained in the policy can be found here.

      • For additional protection from new ransomware variants, the “High Security” policy can be edited so that Download Protection acts on files that have not yet been proven good by the Symantec user base. The options are located under “Download Protection” – “Download Insight” – “Also detect files as malicious based on their use in the Symantec Community”. Enabling the two check boxes next to “Files with:” and “Files known by users for:”, with the default values of 5 and 2 respectively, makes the SEP 12 client treat any file that has not been reported to Symantec by more than 5 users, or that has been known for fewer than 2 days, as an unproven file.

      [Image: ransomware1.jpg]

      • The handling of these files is set on the “Actions” tab under “Unproven files”, and the setting “Specify actions for unproven files:” should be set to “Quarantine risk”.

      [Image: ransomware2.jpg]

      • People using another endpoint anti-virus solution should refer to their vendor for information on how to configure their real-time scanning options to be in line, wherever possible, with the “High Security” Virus and Spyware policy and with the prevalence of files as determined by that vendor's user base.

    • User Education

      • One of the primary vectors for these threats is “spear phishing”, where an unsolicited e-mail arrives from an unknown sender with an attachment that the recipient then executes. Educating your users on the proper handling of unknown or suspicious files is crucial.

    • Employ content scanning and filtering on your mail servers.

      • Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.

    • Maintain a current patch level for any operating systems and applications that have known vulnerabilities.

      • Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.

    • Install and configure Host Intrusion Prevention

      • IDS or IPS systems can detect and prevent the communication attempts that the malware uses to create the public and private encryption keys required to encrypt the data.

      • The Symantec Endpoint Protection (SEP) client IPS system blocks this type of communication traffic by default.

    • Block your end users from being able to execute the malware

      • SEP users can leverage the Symantec-supplied example Application and Device Control policies to prevent files from being run in the root and/or subfolders of the user's %AppData% directory, so that a downloaded threat cannot be launched. The policy also prevents launching files that have been extracted from the compressed archive formats the threat has been spreading in, blocks AutoRun, blocks access to script files, and blocks execution of files from removable volumes.

      • Software Restriction Policies enforced via GPO can be created and configured to accomplish similar tasks.

    • Limit end user access to mapped drives

      • The current ransomware threats are capable of browsing and encrypting data on any mapped drives that the end user has access to. Restricting the user's permissions on the share, or on the underlying file system of a mapped drive, limits what the threat is able to encrypt.

    • Deploy and maintain a comprehensive backup solution.

      • The fastest way to regain access to your critical files is to have a backup of your data.
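
As an added example for the mail-server filtering item above (not code from the original post), the following Exchange Management Shell commands create a transport rule that rejects mail from outside the organization carrying attachments with file extensions commonly used to deliver ransomware droppers. It assumes on-premises Exchange 2010 SP1 or later; the rule name, priority and extension list are choices made for this example rather than values from the post.

```powershell
# Added example: reject inbound mail carrying attachment types that can execute.
# Assumes the Exchange Management Shell (Exchange 2010 SP1 or later). Rule name
# and extension list are this example's choices; tune them to the organisation.

# Extensions matched against attachment file names (no leading dot).
$riskyExtensions = @(
    'exe', 'scr', 'pif', 'com', 'cpl',          # native executables, often disguised as documents
    'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse',    # script files run by the Windows script hosts
    'wsf', 'wsh', 'hta', 'msi', 'msp',          # script containers, HTML applications, installers
    'jar', 'lnk', 'reg'                         # Java archives, shortcuts, registry merges
)

New-TransportRule -Name 'Block executable attachments from the Internet' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $riskyExtensions `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Message rejected: attachment type is not permitted by policy.' `
    -Comments 'Ransomware mitigation: executable attachment types from outside the organisation are rejected.'

# Check that the rule is enabled and review what it matches.
Get-TransportRule -Identity 'Block executable attachments from the Internet' |
    Format-List Name, State, Priority, FromScope, AttachmentExtensionMatchesWords
```

Extension matching only sees the file name, so a renamed payload or one wrapped in an archive passes this rule; it belongs beside the anti-malware scanning the item calls for, not in place of it. Exchange 2013 and later also offer the `-AttachmentHasExecutableContent $true` predicate, which keys on the attachment's content rather than its name. The endpoint-side Application Control rules described further down cover the case where an archived payload is extracted and launched.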

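As an added example for the two items above on blocking execution from %AppData% (the SEP Application and Device Control policy, or Software Restriction Policies through GPO), the script below applies the Software Restriction Policy equivalent on a single machine by writing the registry values the SRP engine reads. It is neither the Symantec example policy nor text from the original post; the path patterns, the extension list and the exception placeholder are this example's own choices. The same rules can be authored centrally in a GPO under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies, which stores the same values.

```powershell
# Added example: local Software Restriction Policy (SRP) that disallows running
# software from the user's %AppData% tree and from %Temp%, where archive tools
# extract files before a user launches them. Run from an elevated PowerShell.
# Patterns, extension list and exceptions are this example's choices.

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $srp -Force | Out-Null

# Global settings: anything not matched by a rule is allowed (DefaultLevel
# 0x40000 = Unrestricted); rules apply to all software files except DLLs
# (TransparentEnabled = 1) and to every user including administrators
# (PolicyScope = 0). Certificate rules stay off (AuthenticodeEnabled = 0).
Set-ItemProperty -Path $srp -Name 'DefaultLevel'        -Value 0x40000 -Type DWord
Set-ItemProperty -Path $srp -Name 'TransparentEnabled'  -Value 1       -Type DWord
Set-ItemProperty -Path $srp -Name 'PolicyScope'         -Value 0       -Type DWord
Set-ItemProperty -Path $srp -Name 'AuthenticodeEnabled' -Value 0       -Type DWord

# File types SRP treats as executable: the default list plus common script
# extensions, so that script droppers are covered as well.
$executableTypes = @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
    'PIF','REG','SCR','SHS','URL','VB','WSC',
    'JS','JSE','VBS','VBE','WSF','WSH','PS1'      # added beyond the default list
)
Set-ItemProperty -Path $srp -Name 'ExecutableTypes' -Value $executableTypes -Type MultiString

# Path rules. A rule without wildcards covers the folder and everything below it.
# Security levels: 0 = Disallowed, 262144 (0x40000) = Unrestricted (exceptions).
$disallowed = @(
    '%AppData%',           # root and all subfolders of the roaming profile
    '%LocalAppData%\Temp'  # default %Temp%: Explorer, WinRAR and 7-Zip extract archives here
)
$allowed = @(
    # Per-user applications that legitimately live under %AppData% go here.
    # '%LocalAppData%\ExampleVendor\ExampleApp'   # hypothetical placeholder path
)

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][ValidateSet(0, 262144)][int]$Level,
        [string]$Description = 'Ransomware mitigation (added example)'
    )
    $container = Join-Path $srp "$Level\Paths"
    New-Item -Path $container -Force | Out-Null
    # Each rule is a GUID-named subkey: ItemData holds the pattern, SaferFlags is 0.
    $rule = Join-Path $container ([guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name 'ItemData'    -Value $Pattern     -Type ExpandString
    Set-ItemProperty -Path $rule -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $rule -Name 'Description' -Value $Description -Type String
}

foreach ($p in $disallowed) { Add-SrpPathRule -Pattern $p -Level 0 }
foreach ($p in $allowed)    { Add-SrpPathRule -Pattern $p -Level 262144 -Description 'Approved per-user application' }

# Verify: list every rule now in place, with its security level.
foreach ($level in 0, 262144) {
    $paths = Join-Path $srp "$level\Paths"
    if (Test-Path $paths) {
        Get-ChildItem $paths | ForEach-Object {
            Get-ItemProperty $_.PSPath | Select-Object @{n = 'Level'; e = { $level }}, ItemData, Description
        }
    }
}
```

The rules apply to processes started after the change; sign out and back in to be sure every session has picked them up. Expect breakage before tuning: installers that unpack into %Temp% and applications that install per-user under %AppData% will be blocked until they are added as Unrestricted exceptions, or until `PolicyScope` is set to 1 so that local administrators are exempt. While tuning, setting the `LogFileName` string value under the same `CodeIdentifiers` key to a file path makes the SRP engine log every evaluation, which shows exactly which paths users run software from.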
The above information is provided to help you avoid being taken advantage of by cybercriminals, and to prevent and protect against these types of attacks. It is by no means a complete plan to protect you, but it will certainly decrease your risk level.
