Though it is just the latest incarnation of a long, long list of ransomware that goes back to the late 1980s, WannaCry has done a ‘great’ job of raising awareness among people who would never otherwise have any interest in anything related to computers and security.
And that’s a good thing for businesses of all sizes who all need to take this latest threat, those that came before it, and the new ransomware that will follow it, very seriously indeed.
Dealing with the threat posed by ransomware is a tricky affair which, like every other aspect of information security, requires a three-pronged strategy, though in this instance, one of them is more important than the others.
More than any other ransomware, the WannaCrypt data hijacker-cum-worm has highlighted the importance of having certain processes in place.
While not every strain of ransomware will leverage vulnerabilities in the Windows operating system that were allegedly discovered by the US National Security Agency, old and unsupported operating systems, such as Windows XP – which appears to have caused such a headache for the NHS – certainly don’t help businesses defend against any modern threat.
That said, running a more up-to-date operating system only gets you so far – if an organisation’s deployment of Windows 10 clients has not been updated in ages, it will potentially be vulnerable to ransomware and other forms of attack, too.
Thus, it is imperative that businesses of all sizes have processes in place to ensure that legacy operating systems are upgraded as soon as possible, or isolated via separate VLANs or air gaps if still essential to the company’s workflow.
Equally, a patch management process is hugely important. While there are legitimate concerns around deploying patches on day one, in case they break essential business systems, there really is no excuse for not testing them in a non-production environment before swiftly pushing them out across the entire network once verified as stable.
For Windows XP users, Microsoft Security Bulletin MS17-010 will patch the vulnerability exploited by WannaCrypt.
Another vital part of the defence against ransomware is the use of appropriate technology.
While antivirus and internet security software is not, and never has been, a silver bullet, no business worth its salt would connect any of its devices to the internet without it in place.
Antivirus with real-time scanning can identify and block known ransomware before it has a chance to infect your system. Even on infected systems, antivirus can help remove ransomware, although it cannot decrypt files.
Many of these services are cloud-based, so they do not require additional infrastructure and simply run as an extension of your current email service.
Email clients should be set up to always show full file extensions (ransomware.jpg may actually be ransomware.jpg.exe), and executable files should be filtered out altogether.
Email Filters Whitelist and blacklist websites and apps
Maintaining good white and black lists can ensure known bad domains are blocked. Whitelisting, which only allows specified websites to be accessed and apps to run, is more secure but less practical. Blacklisting allows any program to run except those you have explicitly stated should not run, which is less secure but more flexible. Which you decide to use and how depends on your company’s needs. If certain workstations are only used for specific tasks, then perhaps whitelisting is the way to go. If you issue laptops to employees to use on the road, blacklisting might be more applicable.
Whitelisting and blacklisting websites can be done through a number of means ranging from a layered software suite to parental controls to simple browser extensions.
Windows 10 Pro and Enterprise editions have built-in support for whitelisting and blacklisting apps in the Secure Policy Editor tool. Here’s how to use it:
How to create a whitelist in Windows 10:
- Simultaneously press Windows Key + R to open the run box, type secpol.msc, and hit Enter
- Under Security Settings, right-click Software Restriction Policies and select Create a new policy or New software restriction policies
- Double click on Enforcement. You can leave these settings as default or change them as needed. Press OK.
- Double click Designated File Types. Here you will find a list of file types that Windows considers executable. You can add extensions known to be associated with ransomware including PS1, SCT, JSE, VBE, WSF, and VBS. When finished, press OK.
- Double click the Security Levels > Disallowed > Set as default to prevent block all the applications that use the file extensions in our list from step 4. Then press Apply and OK.
- Now if you try to run any program, you will get a message that they are blocked. To whitelist the programs you want, in the left hand side of the policy editor window, go to Security settings > Software restriction policies > Additional rules
- Right-click an empty space in the right pane and select New path rule…
- From here you can select the folders of the programs that you want to allow to run. This can be your entire Program Files folder or specific application folders. Add a rule for each whitelisted folder and hit Apply, then OK.
How to create a blacklist in Windows 10
- Simultaneously press Windows Key + R to open the run box, type gpedit.msc, and hit Enter
- In the left pane, go to User Configuration > Administrative Templates > System
- Double click Don’t run specified Windows applications and select Enabled
- Under Options, click Show
- In the window that appears, enter the path of the app you want to block
To disable Windows Installer, which will prevent the user from installing anything, disallow msiexec.exe
Related: What’s the best VPN for Windows 10?
Email Filters Least Privelege
Restrict the administrative privileges that employees have on workstations. “Least privilege” is the principle that end users should have the minimum amount of permissions needed to do their jobs. On Windows, administrators can create secondary accounts with fewer privileges to be used by staff. Some actions you may consider restricting include:
- Installing and uninstalling programs
- Stopping and starting services
- Remote desktop connections
- Changing network and sharing settings, particularly barring users from modifying remote access preferences and settings
In Windows, many of the settings in the latter two points can be set by the administrator in the group policy editor. To access it:
- Simultaneously press Windows Key + R to open the run box, type gpedit.msc, and hit Enter
- In the left pane, navigate to User Configuration > Administrative > Templates > Network > Network Connections
Though the use of a firewall, along with certain rules, could have been more of a hindrance than a help with the first iteration of WannaCry, it too is an essential technological barrier than can go a long way in preventing attacks ever crossing over to the business’ network.
Lastly, and perhaps most importantly, every ransomware attack ever has encrypted all the data it could find on a target machine, attached disks or networks.
NAT firewalls prevent unrequested inbound traffic on wifi routers and some VPNs. Personal application firewalls are built into a device’s operating system, such as Windows Firewall. Firewalls also exist on servers to only allow traffic on certain ports or from trusted IP addresses. All of these can help stop ransomware.
Some experts have pointed out that Windows users should create a Server Message Block (SMB) traffic on port 445 using either the router or personal firewall.
The lesson to be learned here is that a successful infection could instantly take down an entire business if it is unprepared.
The number one technological defence therefore is to have all sensitive or important data backed up at all times. More than that, though, those backups need to be regularly tested for integrity, else they could prove to be worthless when required, and kept off-site to guard against local disasters, such as a fire ripping through the business premises.
Businesses can use cloud, local, or hybrid backup to protect their digital assets, depending on their needs. Regular backups can significantly reduce the loss of data as well as downtime in the event of a ransomware attack. Affected systems can simply be reset and restored to their previous state. But businesses dealing with a ransomware attacks will require more than just backups to get back to resume normal operations. We recommend creating a full disaster recovery plan tailored to your business.
The final part of a good anti-ransomware strategy is by far and away the most important: people.
The truth of the matter is the fact that ransomware almost never finds its way onto a system or network without a little help from a human.
That help comes in many ways too, from errors made in the aforementioned updating and patching routines, to the opening of email attachments sent by strangers to the clicking of links in equally questionably messages.
To compound matters, ransomware often relies upon social engineering techniques to trick the unwary, so even those people who don’t make obvious mistakes are susceptible to its charms – you can hardly blame a member of staff who opens a Word document marked “urgent” and sent to them by their ‘boss’.
Thus, security training and awareness is a key tool that must be leveraged if a business is to lessen the risk of an attack that is especially adept at avoiding technological defences. When it comes to ransomware, phishing is used to trick staff into downloading an attachment or clicking a download link by impersonating a trusted party.
When staff receive any email asking them to download an attachment, click on a link, or divulge sensitive information, they should look for the following warning signs:
- Don’t trust display names. This is the name that often appears first in email clients, but they are easily spoofed. Instead, always check the actual email address.
- Look for a fake domain. The domain is the text in an email address that comes after the @ symbol. These can be disguised to look similar to the official domain. For example, a phishing email impersonating Paypal might come from email@example.com instead of the real firstname.lastname@example.org. Paypal-bank is a fake domain created to trick unsuspecting victims.
- Always check where a link goes to before clicking on it. You can do this on a desktop browser by hovering over the link with your mouse, and the destination URL will appear in the bottom left corner of the browser window. On mobile, long-press the link to view the destination URL. If you don’t recognize the URL, don’t click on it.
- Do not download or open attachments under any circumstances unless you absolutely trust and can verify the sender. Preview them before downloading if possible.
- Check the authenticity of digital signatures used by your email client and provider. If your company does not use digital signatures, consider setting them up.
Staff should be communicated to in a manner which fits in with the existing corporate culture and with a firm eye on changing their behaviour, not simply highlighting the latest attack. By highlighting what ransomware is, the damage it can do and, most importantly, how it can affect them on a personal basis, the message will really take a hold in their minds and stick with them into the future.
Of course, it’s not a one-shot wonder – one of the most important points about awareness training is that the message should be constantly reinforced over the long-term and in a variety of ways.
Depending on the nature of the business, the message could be delivered via email, through strategically placed posters, via swag (mouse mats and pens displaying a short and sharp message work well and are also cheap), through video or any number of other inventive means. Other than just mass emailing your team with links to Youtube videos and blog posts about ransomware, here are a few other ways to raise awareness:
- Phishing simulators send out mock phishing emails to staff. If the staff member clicks the link in the email (which they shouldn’t), then they will be directed to a site informing them of their error.
- Add signage around workstations reminding staff to properly vet emails and their contents before clicking on links or downloading attachments.
- Limit the work-related information that employees can post on social media, such as job titles, to help prevent certain staff members from being targeted by spear phishing
- Conduct in-person bi-annual training sessions to inform employees of the latest threats
Get awareness training totally on point, and staff will become the eyes and ears of the business, spotting ransomware before the security department – if such a thing even exists – which has extremely obvious benefits.