By: Lucas Zrelak, CISSP
How does it work?
Crypto ransomware generally infects a computer after a user downloads and runs an email attachment. These attachments can be Word documents with embedded macros, JavaScript files, zip files, hidden executables, and so on. Once the attachment has been downloaded and executed, encryption of the files on your computer begins. Which files are encrypted varies by the flavor of ransomware you have executed, but they are generally TXT files, Microsoft Office files, PDF files, picture files, etc. Once a file is encrypted it is generally renamed, and the extension that is appended is what helps identify the type of ransomware you have been hit with.
The problem is, it doesn't stop with your local computer. Most crypto ransomware will then find any drives attached to your system and begin encrypting files there as well. These drives can be direct-attached external storage or network shares. As if that weren't bad enough, ransomware is now getting even more sophisticated. Locky ransomware, for example, introduced the ability to scan your entire network and begin encrypting files on any share available to the user who executed the ransomware. This can make it extremely difficult to identify all of the locations that have been hit and can extend the damage far beyond what was previously possible.
What to do when your files have been encrypted?
First you need to identify which locations have actually been hit by the ransomware. This can be a difficult task, but there are tools that can assist with an automated search. A tool such as LAN Search Pro, when run by a Domain Admin, can search your entire network or specified IP address ranges for any files with identified extensions, such as .locky. The identified files can be exported to a CSV file where they can then be sorted by location to help identify which shares have been compromised.
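As an added example (not the article's code or LAN Search Pro itself), the same sweep in Python: walk a set of share roots, collect files carrying a known ransomware extension, export them to CSV and count hits per share. The demo share tree and the ".encrypted" extension are constructed; ".locky" is the extension from the article.

```python
import csv
import os
import tempfile
from collections import Counter
from pathlib import Path

# ".locky" is from the article; ".encrypted" is a placeholder for what you observed.
RANSOM_EXTENSIONS = {".locky", ".encrypted"}

def find_encrypted_files(share_roots, extensions=RANSOM_EXTENSIONS):
    """Walk every share root and return one row per file whose extension is in
    `extensions`, sorted by share then path so compromised shares group together."""
    rows = []
    for root in share_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath, name)
                if p.suffix.lower() in extensions:
                    rows.append({"share": str(root), "path": str(p), "size": p.stat().st_size})
    rows.sort(key=lambda r: (r["share"], r["path"]))
    return rows

def write_report(rows, csv_path):
    """Export the findings to CSV so they can be sorted and filtered by location."""
    with open(csv_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["share", "path", "size"])
        writer.writeheader()
        writer.writerows(rows)

def run_demo():
    """Constructed demo: two 'shares' in a temp dir; HR is clean, Finance is hit."""
    with tempfile.TemporaryDirectory() as base:
        hr, fin = Path(base, "HR"), Path(base, "Finance", "reports")
        hr.mkdir(parents=True)
        fin.mkdir(parents=True)
        (hr / "handbook.docx").write_bytes(b"plain document")
        for name in ("q1.xlsx.locky", "q2.pdf.locky"):
            (fin / name).write_bytes(b"\x00" * 16)   # stands in for ciphertext
        shares = [str(Path(base, "HR")), str(Path(base, "Finance"))]
        hits = find_encrypted_files(shares)
        write_report(hits, os.path.join(base, "hits.csv"))
        csv_lines = Path(base, "hits.csv").read_text().splitlines()
        return {"shares": shares, "hits": hits, "csv_lines": csv_lines,
                "per_share": dict(Counter(r["share"] for r in hits))}

if __name__ == "__main__":
    print(run_demo()["per_share"])   # {'<tmp>/Finance': 2}
```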
Now that you have identified the compromised locations and files you can begin the restore process. This is where your backup solution and schedule play a large role. I cannot stress enough how important it is to have proper backups of important data. It's always good to have a weekly full backup as well as incremental backups performed each night that a full backup is not scheduled. This helps limit the amount of data that is lost. The frequency of the backups depends on the importance of your data, of course, but that is something that must be determined by the business unit that accesses the data. Any data that cannot be restored from a backup will be lost unless you pay the ransom requested, as the encryption used tends to be very strong and very hard to break.
Thankfully, there are also organizations and individuals out there constantly working on breaking these encryption schemes. For example, the PETYA ransomware, which worked by encrypting your master boot record and essentially rendering your computer useless, has recently been cracked. You can now obtain the password to decrypt your hard drive without having to pay, but unfortunately this is the exception rather than the rule.
How can I prevent ransomware from happening in the first place?
Of course the number one answer to the question "How can I prevent ransomware from happening?" is awareness. Awareness is always the best answer. Train yourself and train your users. Do not open attachments that you are not expecting. If you think the attachment may be legitimate, contact the person who sent it and make sure it truly is something they intended to send you. If you can stop it from ever being downloaded and executed then you're already a step ahead.
However, no matter how many times you raise awareness, there will be times when that awareness goes out the window and the attachment is downloaded and executed. Standard virus scan solutions such as McAfee or Norton cannot always catch ransomware, as it's not really a virus. It's a program that is executed and simply encrypts your files. Malware protection with up-to-date DAT files can block it as well, but with how quickly these ransomware packages are being created and released it can be tough for them to keep up.
That doesn't leave a lot of options, but there are other ways to prevent ransomware. Local computer security policy can play a large role in preventing ransomware, and even other types of malware, from running even if it is downloaded and executed. By disallowing execution of files from locations such as %appdata%, %programdata%, %userprofile%, and the startup folders, which is where the majority of ransomware and malware executes from, we can stop it before it starts.
The challenge this can introduce, however, is that some legitimate applications execute from these locations. We don't want to cripple our users by applying these policies, even if doing so saves our data. That's where software like CryptoPrevent from FoolishIT.com comes into play. This software provides an easy way to implement the required local security policies, but also provides a way to whitelist specific locations that are valid so that legitimate programs can be executed when needed. To identify such programs, CryptoPrevent uses the Event Viewer to log any blocked executions, so that you can see where a program is being blocked from and make an entry to allow it.
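An added model of the path-based policy just described (example code, not CryptoPrevent's implementation or Windows Software Restriction Policies): launches from the listed roots are blocked unless a more specific allow entry matches, and every block is logged so it can be turned into an allow entry. The environment values, the user name jdoe and the ApprovedVendor path are constructed.

```python
import ntpath
import re

# Assumed environment of the account running the program (constructed values);
# in production these come from the real %APPDATA% etc. of that account.
ENV = {"APPDATA": r"C:\Users\jdoe\AppData\Roaming",
       "PROGRAMDATA": r"C:\ProgramData",
       "USERPROFILE": r"C:\Users\jdoe"}

# Roots the article names; both Startup folders sit beneath these roots.
BLOCKED_ROOTS = ["%APPDATA%", "%PROGRAMDATA%", "%USERPROFILE%"]

def normalize(path, env=ENV):
    """Expand %VAR% references and canonicalise a Windows path for comparison."""
    expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(expanded))

def _under(path, rule):
    return path == rule or path.startswith(rule.rstrip("\\") + "\\")

class ExecutionPolicy:
    """Default-allow policy with blocked roots and an allow list of exceptions.
    The most specific matching rule wins, so an allow entry beneath %APPDATA%
    overrides the block on %APPDATA% itself, which is how the whitelist in the
    text is meant to work."""

    def __init__(self, blocked_roots=BLOCKED_ROOTS, allowed=(), env=ENV):
        self.rules = [(normalize(r, env), "block") for r in blocked_roots]
        self.rules += [(normalize(a, env), "allow") for a in allowed]
        self.env = env
        self.block_log = []   # stands in for the Event Viewer entries

    def decide(self, exe_path):
        """Return ('allow'|'block', matched rule or None) for one launch."""
        p = normalize(exe_path, self.env)
        matches = [(rule, action) for rule, action in self.rules if _under(p, rule)]
        if not matches:
            return "allow", None
        rule, action = max(matches, key=lambda m: len(m[0]))   # longest prefix wins
        if action == "block":
            self.block_log.append({"path": p, "rule": rule})
        return action, rule

    def allow_from_log(self, index):
        """Turn a logged block into an allow entry for that exact file: the
        review-and-whitelist step the article describes."""
        entry = self.block_log[index]
        self.rules.append((entry["path"], "allow"))
        return entry["path"]
```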
Where should software like CryptoPrevent be installed?
CryptoPrevent should be installed on any endpoint where users may access their email and download attachments. You may wonder whether it should be placed on servers. While I don't necessarily see a problem with this, it won't keep server shares from being compromised by a standard user who has executed the ransomware from their workstation. The shared location just sees this type of activity as copying a file, renaming a file, etc., which is all considered normal activity. There are, of course, solutions that can help detect mass file changes and prevent them after so many occur, but those solutions can be very expensive.
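An added example of the "mass file change" detection the paragraph mentions (not from the article or any product): a per-user sliding window over rename events in a file-server audit log flags the user the moment the rename rate passes a threshold. The log format, the user names and the lines themselves are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed audit-line format (constructed, not any real file server's):
#   <ISO timestamp> user=<name> op=<write|rename|...> path=<UNC> [new=<UNC>]
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")

def detect_mass_renames(lines, threshold=10, window_s=60):
    """Per-user sliding window over rename events. The first time a user has
    `threshold` renames within `window_s` seconds, record that user and the
    timestamp; a blocking product would cut off the session at this point."""
    windows, flagged = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["op"] != "rename":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = windows.setdefault(m["user"], deque())
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()   # drop renames that fell out of the window
        if len(q) >= threshold and m["user"] not in flagged:
            flagged[m["user"]] = m["ts"]
    return flagged

def make_demo_log(n_renames=12):
    """Constructed log: one write, one ordinary rename by asmith, then jdoe
    renaming `n_renames` Finance files to .locky, one per second."""
    t0 = datetime(2016, 3, 1, 10, 1, 0)
    lines = [r"2016-03-01T10:00:01 user=jdoe op=write path=\\fs1\finance\notes.txt",
             r"2016-03-01T10:00:05 user=asmith op=rename path=\\fs1\hr\old.docx new=\\fs1\hr\new.docx"]
    for i in range(n_renames):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(rf"{ts} user=jdoe op=rename path=\\fs1\finance\q{i}.xlsx "
                     rf"new=\\fs1\finance\q{i}.xlsx.locky")
    return lines

if __name__ == "__main__":
    print(detect_mass_renames(make_demo_log()))   # {'jdoe': '2016-03-01T10:01:09'}
```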
Conclusion
There are, of course, other options than CryptoPrevent for preventing execution and LAN Search Pro for finding locations that have been compromised; however, these are the solutions that I have tested and found to be very good at what they do, and that is why they are highlighted here. The more research we all do on preventing the execution of these types of ransomware and/or providing solutions to mitigate the damage and speed the recovery should that damage occur, the less effective ransomware will become. If ransomware becomes less effective and those who were making money off of it stop getting paid, then perhaps we will see it drop off. Until then, we must raise awareness, block what we can block, and ensure that our data is properly backed up should it become compromised.