SANS ISC: InfoSec Handlers Diary Blog
Tips for Stopping Ransomware

Published: 2016-04-01
Last Updated: 2016-04-01 22:05:52 UTC
by John Bambenek (Version: 1)
5 comment(s)

In the past few weeks, the rate of ransomware attacks has increased dramatically. Even in the popular news, we've seen several hospitals report major infections and both the United States and Canada issuing warnings.  Here are some quick tips to prevent ransomware infections.

Prevent Execution of Files in %AppData% Directories

Generally, most large-scale ransomware runs rely on either exploit kits or spam engines.  In both cases, the malware usually resides in one of the temporary directories in Windows (under %AppData%) when it executes.  It is possible to disable execution of binaries in these directories via Group Policy or Security Policy, which means that when a user double-clicks on Invoice.exe, the malware will not run.  This is accomplished with Software Restriction Policies, and an example of how to enable this is shown on this blog.

The advantage of doing this is that it can also prevent some other forms of malware from executing.

Fully Patched Systems, Java, Shockwave, Flash (et al)

Exploit kits rely on vulnerabilities on the client machine to get malware to execute. Usually this involves vulnerabilities in Java, Shockwave, Flash, and Adobe Reader. With Windows Update, many systems are now automatically configured to get updates.  It wasn't until recently, for instance, that Flash integrated an auto-updater.  Making sure these are updated will prevent exploit kits from being successful.  That being said, exploit kits do occasionally use 0-day exploits, but it is a relatively rare occurrence.

Disable E-mails with Executable Attachments

Many ransomware emails use attachments with executables; simply blocking e-mails with executable attachments will prevent users from receiving them.  Also look for emails with "double file extensions".  Another common trick is a zip attachment that contains an executable or an HTML document (which uses other tricks to download an executable).  Teaching users to spot these abnormal e-mails so they do not execute the attachments is key.
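The three attachment patterns above (a bare executable, a double extension such as Invoice.pdf.exe, and a zip carrying an executable or HTML file) can be screened at the mail gateway before a message reaches a user. The following is an added example, not code from the diary or from SANS ISC; the set of extensions it treats as executable and the sample message it builds are assumptions constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as directly executable on Windows. This list is an
# assumption for the example; the diary only says "executables".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "msi"}
# HTML inside an archive is flagged because the diary notes such documents
# are used to fetch the executable in a second step.
HTML_EXTS = {"htm", "html"}


def _exts(filename):
    """Lower-cased extension chain, e.g. 'Invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_filename(filename):
    """Reasons a filename alone is suspicious (empty list = nothing found)."""
    reasons = []
    exts = _exts(filename)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2:
            reasons.append("double extension ." + ".".join(exts[-2:]))
    return reasons


def inspect_zip(data):
    """Reasons a zip attachment is suspicious, judged by member names only."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                exts = _exts(name.rsplit("/", 1)[-1])
                if exts and exts[-1] in EXECUTABLE_EXTS:
                    reasons.append("zip contains executable " + name)
                elif exts and exts[-1] in HTML_EXTS:
                    reasons.append("zip contains HTML document " + name)
    except zipfile.BadZipFile:
        # A corrupt or deliberately malformed archive cannot be inspected,
        # so it is treated as suspicious rather than silently passed.
        reasons.append("zip archive could not be parsed")
    return reasons


def scan_message(raw):
    """Return {filename: [reasons]} for every attachment that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_filename(name)
        payload = part.get_payload(decode=True) or b""
        if _exts(name)[-1:] == ["zip"] or part.get_content_type() == "application/zip":
            reasons += inspect_zip(payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed sample: an invoice lure with three attachments (not real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "see attached")
        zf.writestr("invoice/Invoice_2016-04.js", "// placeholder content")
        zf.writestr("view.html", "<html></html>")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```

Running it reports Invoice.pdf.exe (executable and double extension) and scan.zip (executable and HTML members) while leaving notes.txt alone. The archive check deliberately looks at member names only, so a password-protected or nested archive still needs a separate rule; treating an unparseable zip as suspicious keeps a malformed archive from slipping through unexamined.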

Maintaining Strong Backups

Lastly, the importance of strong backups cannot be overstated.  If a ransomware infection happens, there are only two choices for the organization: restore from backup or pay the ransom.  If backups are available, recovery may be a hassle, but the eye-popping ransom demands are no longer the only path to a full recovery.

Use of "Vaccines"

All ransomware families need some mechanism to ensure that a victim machine is not encrypted using multiple keys.  A typical mechanism is to store the public key in the registry (or in other artifacts) so that subsequent infections (or executions of the same malware binary) only use the originally obtained key.  There have been attempts to create vaccines that take advantage of this requirement to inoculate victim machines.  These may warrant investigation on a case-by-case basis to see if they provide value.

Chime in with comments if there are other techniques you've used to help stop the spread in your organizations.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

Keywords: ransomware