How to Manage Ransomware
Matt Anthony VP, Incident Response
Many organizations are victims of an emerging and surging category of malware. Generically called ransomware, it is also known by the names Cryptolocker or Cryptowall. Ransomware evolves and changes, but the result is the same. You start your computer and get a message like: “Your files are encrypted” along with an invitation to pay a ransom, usually in BitCoin, to get them back. The success of paying the ransom is mixed, but most reports do show that if the ransom is paid promptly, and you haven’t removed the malware, you do have a chance of recovering your files. However, paying ransom is a last resort, as it puts money in the hands of the criminals, who will invest it in expanding and improving the racket.
Ransomware does not necessarily encrypt all of your files. It leaves Windows running and working, but your content – the files you create and are therefore the most important and critical to you – are targeted. It will encrypt your content on the local computer, and on any network drives that are mapped. If a privileged user with wide access to your company’s data is infected, the results can be devastating.
How do you become infected with ransomware?
Herjavec Group sees two main patterns of infection. If one or two infections occur over a broad timeframe, it is likely that the infection came as the result of web browsing, and likely an ad, a Java exploit, or a compromised but otherwise trusted site. If a number of infections start simultaneously, or nearly simultaneously, the most likely source is a phishing email campaign. An email shows up in the mailbox, and the user clicks a link which downloads the malware. Often ransomware is a secondary infection, and the primary infection, sometimes called a “dropper”, may download and install other malware on your computers as well.
How do you deal with an active infection?
- You can pay the ransom. It sometimes works, but this isn’t recommended by Herjavec Group, or any law enforcement. It puts money in the hands of criminals, both enriching them and encouraging them to do more, and to invest in better and harder to defend variants. It isn’t guaranteed to work. There are a number of things that can disrupt the decryption, including the idea that you’re dealing with criminals who may not deliver on their promises. Decrypting large infections, especially on network volumes, may be slower than restoring from backups.
- If possible, restore your data from backups and re-image the infected computers. Cleaning the computers is possible, but the gold standard is to re-image the computer from known-good images, to eliminate not only the ransomware, but any other malware that may have been downloaded at the same time.
- In some cases, Windows will keep “volume shadow” copies of important files, and a program like “Shadow Explorer” may be able to recover some data. However, some newer variants of ransomware, like Cryptowall0, encrypt the files in the volume shadows as well.
- If you suspect that the malware came in with email, it may be useful to try to find the source email and delete it from all mailboxes to prevent reinfections.
- Disrupt any active infections by removing the infected machine from the network until it can be re-imaged or cleaned. Unplug the network cable or turn the machine off.
- Communicate with your end-users about phishing emails.
How do you prevent infections?
There are a number of ways to prevent ransomware and other malware from gaining traction. To begin to understand how to protect, it is useful to understand how the infection happens. In order to begin, the ransomware must first be able to run on a local computer. It must then be able to communicate to its command-and-control (C2) server to get the unique encryption keys that will be used to lock your files. Finally, it must be able to modify the files it finds if it succeeds in running.
It is feasible to prevent an active infection at all stages. While many of these actions may, by itself, keep most ransomware from successfully infecting your computers, defense in depth is a best practice in information security, and you should implement as many protections as you can. As a side benefit, many of these will stop a lot of other malware and prevent other problems.
- Deploy advanced web and email gateway protection.
- Use web content filtering appliances or firewall features to block categories such as adware, known bad domains (blacklists for C2 servers), and unknown/unclassified domains. There may be minor business impact, so caution must be exercised, but generally these are tolerable restrictions.
- Implement advanced endpoint protection that examines traffic for behaviors rather than file-matching.
- Deploy a Microsoft Group Policy to restrict software’s ability to run from %appdata% and “temp” folders. These are generally used by malware because all users have the ability to write to these locations predictably, and that permission cannot be restricted without affecting system function. However, there are few-to-none reasons why software should install or have to run from these directories. If the malware can’t run, it can’t do any harm.
- Restrict web browsing and email use by privileged users such as administrators. Have separate accounts for administration and day-to-day computing.
- Minimize the permissions to network file shares. Give the ability to write/modify files only to the users that require it, and only to the necessary locations.
- Implement a policy that no corporate information should be stored – or at least only stored – on local hard drives, USB drives, or other local storage. Files stored on the network are normally backed up, and can be restored with minimal disruption to the business.
- Educate the people using your computers on how to recognize SPAM and Phishing emails.
Herjavec Group’s own Mike Kolasa spoke with City News about the prevalence of Ransomware.