Ransomware is quickly becoming the bane of IT security professionals. Not only is it difficult to recover from, but is also invisible to the end-user. Most ransomware infections occur from drive-by downloads where users visit known and trusted sites only to have a compromised advertisement surreptitiously transfer the malicious code to a user's workstation. These sites may be banking institutions, news outlets or even partner organizations.
Ransomware is often discovered as a zero-day threat, meaning no patches or anti-virus software has been developed to recognize and protect against the infection. Patches and anti-virus software often prove ineffective at containing the damage. So how do IT security professionals protect an organization from this growing threat?
It is true that no threat can be completely eliminated. However, there are mitigating controls that can be implemented to minimize the impact.
First and foremost, implement a regular backup scheme that allows an organization to recover entire volumes of data. Ransomware-encrypted files are nearly impossible to decrypt and paying the ransom does not always result in recovery. Having recovery points at least every day is recommended to minimize lost productivity.
Secondly, the damage ransomware can inflict is dependent on the rights of the user logged on during the infection. Ransomware will only be able to encrypt files the user has the rights to modify. Provide only the minimum required security rights to users. A user with administrative rights to an entire network share can inadvertently cause serious damage.
The delivery mechanisms can be disabled, albeit at an operational cost. The most prevalent vector for delivering ransomware is Adobe Flash. Disabling Flash content through a web proxy or firewall can prevent that infection mechanism. The downside to this is that many sites still deliver content through Flash, including computer-based training and news media outlets. Permitting individual sites to operate Flash may prove a large burden for network administrators. However, many sites recognize the inherent vulnerabilities of Flash and are migrating away from the technology. One of the most prominent websites, Amazon, banned advertisers from using Flash to deliver content beginning on Sept. 1.
Lastly, the use of application whitelisting can be an effective tool at preventing ransomware damage. Application whitelisting involves installing software on end-user workstations to monitor how software behaves and interacts with the operating system. If, for example, an infected Adobe Acrobat file attempts to deploy malicious code, that behavior will be recognized and intercepted before any damage is done.
Application whitelisting technology is not an inexpensive solution. However, organizations with vital systems, such as an industrial control system (ICS), may decide that this technology is worth the investment.
In summary, ransomware is a new and complex threat. Still, with a coordinated approach, an organization can become well positioned to defend against it. Through routine backups and restricted user rights, the impact of ransomware is considerably lessened. Going a step farther, disabling ransomware vectors on the network and implementing application whitelisting will minimize the chance of infection.
The ransomware threat is showing no signs of abating and I encourage organizations everywhere to examine how they can prepare for the next wave of zero-day attacks.
Thomas Gresham is senior agency information security officer (SAISO) at the Unified Port of San Diego.
