Ransomware

Ransomware WannaCry? – Not me, here’s why!

Ransomware Wanna Cry? – Not Me, Here’s Why!

By Destiny Berucci

We have all seen where this seemingly took the world by surprise.  However, you will also notice that a lot of the mostly affected users were unpatched and unlicensed versions of Windows.  How do we take a stand to Ransomware and not be sidelined by these attacks?  Here is a few examples of things that I do currently and would love to offer to help strengthen your stance against these attacks.

  1. File Integrity Monitoring
    1. Monitoring your files for things like changing file extensions, moving of files, and authorization.  LEM is vital in this to help protect your businesses information.
  2. Group Policies for Windows
    1. Cryptolocker prevention kits that do not allow ransomware to install in their most common locations.
    2. Make sure the “Users” group does not have full access to folders.  This I have seen numerous times where this user groups has full access to numerous folders.
    3. Make sure that users do not have rights to the registry!
  3. Static Block List
    1. Block known Tor IP addresses example: 146.185.220.0/23
  4. Limit network share access
    1. IF they are able to penetrate and get to a server you do not want to freely allow the ransomware full access to network shares.  You also do not want a general user to have access to network shares that hold mission critical data.  THINK about this.  Make sure you are applying policies and not leaving users the ability to have access where they should not.  As this will allow these types of attacks the same access level.
  5. UPDATE patching on servers
    1. If you not patching your servers then you are not up to date on the malicious vulnerabilities that are already known.  Stop being low hanging fruit and start being the insect spray to keep these attacks to a minimum.  Patch Manager will help you to schedule these out and push so you are not worrying about being up to date.
    2. Lab environment is key to making sure your 3rd party software is easily able to receive a patch.  We all know that when a software or application is released it is not futuristically aware of what’s coming.  That is why instilling a lab environment to test patching is a great way to help you patch and not be scared of if a patch will break an application.
  6. SPAM
    1. For the love of everything great update your spam filters.  This is key to helping to keep these from getting to people that are not aware of these attacks and letting them be the fault man.  Preventing these emails of destruction is a great step in helping your teams be aware and you can even use them as user education.
  7. Test your plan
    1. Test out a fake ransomware email with your business.  See who reacts and within what departments.  This will help you to train people within their areas to not react to these type of emails.
    2. You may be surprised how many people literally will click and give away passwords.  This is an opportunity for you to shine as an IT organization by using this information to help fund and get user training within the business.
  8. Web Filter
    1. Control the sites users can access.  Use egress or outbound traffic filtering to block connections to malicious hosts.
  9. Protect your servers/selves
    1. Have a company wide anti-virus/malware program that is updated and verified.  Patch Manager will help you to know who is up to date as well as who is not!
  10. Web Settings
    1. Verify web settings do not allow for forced downloads.

There are numerous ways we can protect ourselves at work and at home.  The main reasoning that I focus on the home in my user education is because we can prevent these from work to a point.  However, when the user goes home they are an open door.  So instilling the user education to cover home suggestions is as much of a responsibility on the IT as it is for the users themselves.  Once home the ransomware could make that blocked call out and take over their machine.

We can try to protect ourselves with things like LEM and allow us to know when they come online they have files being changed etc.  However, to prevent this by not clicking the “click bait” email is what will ultimately help the users to NOT be the weakest link in the equation.

I hope this helps to at least raise a question to your security policies and mainly, lets bite the bullet and make sure we have a very fluid and active security plan.  You never know what today or tomorrow will bring in bitcoin asks…

~Dez~

Source: solarwinds GEEK SPEAK

0

Like This