Extra care needed

February 2017

Peter Wenham MBCS, Director of information assurance consultancy Trusted Management and committee member of the BCS Security Forum strategic panel, examines ransomware and discusses how individuals and organisations can keep themselves safe(r).

Ransomware, and the question ‘can we protect ourselves from it?’, is currently a major area for discussion. The answer is a qualified ‘yes’, qualified because no protection can be 100 per cent effective. All platforms are at risk, not just Microsoft ones: ransomware targeting Android was first identified in June 2014 and, in early 2016, the first ransomware written specifically for Apple Macs appeared.

In October 2015, Kroll Ontrack published a blog identifying small to medium sized businesses (SMBs) as the target for criminals using ransomware to encrypt key files. The blog was based on research undertaken by Trend Micro. SMBs are targeted in the main because of their (generally) poor security practices.

Ransomware variants

There are many variants of ransomware but, as a general rule, they fall into one of two types. One type locks the computer screen with a ‘pop up’ message that cannot be bypassed, preventing access to the PC and its files. The other type encrypts predetermined file types, generally ‘Office’ documents (e.g. .doc, .dot, .rtf, .xls etc.), and leaves the rest of the system usable so that the victim can read the ransom demand and pay.

How the ransomware advertises itself to a user and how the user can recover files is down to the particular ransomware variant. It could be a ‘pop up’ giving the user instructions or it could be a ‘readme’ file placed in a folder that contains files that have been encrypted.

Ransomware delivery

There are a number of routes for a ransomware infection, ranging from USB sticks ‘found’ in a car park or other public area to ‘watering hole’ attacks, where the ransomware is hosted on a legitimate website that has been compromised. In a watering hole attack, anyone browsing the infected site is a likely victim.

However, the main route for ransomware infection is email, using one of two techniques. In the first, the body of the email contains a link to an internet site that will ‘serve’ the ransomware. The link might point to a legitimate site that has been compromised, or it might be obfuscated: a shortened URL, or a word or plausible-looking web address in the email body whose underlying hyperlink actually points to the site serving the ransomware.

The other email infection mechanism is an attachment. This could be a file masquerading as a PDF, an Office document (Word or a spreadsheet) with a malicious macro or, more recently, a zip file containing a malicious JavaScript (.js) file that runs as soon as the user opens it, because Windows hands .js files to the Windows Script Host by default. Often the malicious file is nothing more than a small downloader (a Trojan) that will ‘phone home’, i.e. contact the internet site where the actual ransomware is located, fetch it and run it.

One of the latest variants of the ‘Locky’ strain, identified as ‘Zepto’, arrives as JavaScript in a zip file, but the JavaScript is only the carrier; the encryptor it drops is not written in JavaScript. Security researchers know this ransomware as Zepto because the files it encrypts are given the ‘.zepto’ extension.
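The two email techniques above, the disguised link and the risky attachment, can be checked mechanically before a message ever reaches a user. The script below is an added example written for this article, not code from the author or from any product mentioned; it parses a raw RFC 822 message and flags links whose visible text names a different host from the one the hyperlink really points at, links through URL shorteners, executable or macro-enabled attachments, ‘document.pdf.exe’ style double extensions, and zip archives that carry a script. The shortener list, the extension sets and the sample lure message are constructed assumptions for the demonstration.

```python
"""Triage a raw email for the ransomware delivery tricks described above:
obfuscated links in the body and risky attachments (including .js in a zip)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed lists for the example (extend from your own intelligence feeds).
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr",
              ".bat", ".cmd", ".ps1"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
DOC_LIKE_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT_RE = re.compile(r"^\s*(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?\s*$", re.I)


def _exts(name):
    """Lower-cased extensions of a filename, last one first: a.pdf.exe -> ['.exe', '.pdf']."""
    parts = name.lower().split(".")
    return ["." + p for p in reversed(parts[1:])]


def link_findings(html):
    """Flag shortened links and links whose visible text names a different host."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            out.append(f"shortened link: {href}")
        if URL_TEXT_RE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and shown != host:
                out.append(f"link text '{shown}' but href host '{host}'")
    return out


def attachment_findings(name, data):
    """Flag scripts, macro documents, double extensions and scripts inside zips."""
    out = []
    exts = _exts(name)
    if not exts:
        return out
    last = exts[0]
    if last in SCRIPT_EXT:
        out.append(f"{name}: executable/script attachment")
    if last in MACRO_EXT:
        out.append(f"{name}: macro-enabled Office document")
    if len(exts) > 1 and exts[1] in DOC_LIKE_EXT and last in SCRIPT_EXT:
        out.append(f"{name}: double extension masquerading as {exts[1]}")
    if last == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _exts(member) and _exts(member)[0] in SCRIPT_EXT:
                        out.append(f"{name}: archive contains script {member}")
        except zipfile.BadZipFile:
            out.append(f"{name}: .zip that is not a valid archive")
    return out


def triage(raw):
    """Walk every MIME part of a raw message and collect the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings += attachment_findings(part.get_filename() or "",
                                            part.get_payload(decode=True))
        elif part.get_content_type() == "text/html":
            findings += link_findings(part.get_content())
    return findings


def sample_message():
    """Constructed lure: lookalike link via a shortener, a zip holding a .js, a .pdf.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_8812.js", "// constructed placeholder, not real malware\n")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "accounts@example.com", "staff@example.org", "Invoice"
    m.set_content("See attached.")
    m.add_alternative('<p>View at <a href="http://bit.ly/abc">www.example-bank.com/invoice</a></p>',
                      subtype="html")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="invoice_8812.zip")
    m.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream",
                     filename="statement.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage(sample_message()):
        print("FLAG:", line)
```

Run it and the constructed message produces five findings: the shortened link, the host mismatch between the link text and its target, the .js inside the zip, and two for the .pdf.exe. In production the same checks belong in the mail gateway or a quarantine hook rather than on the desktop, and the zip check should recurse into nested archives and password-protected ones should simply be held.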

Technical protection mechanisms

On the technical side, we can have spam, malware and bad URL detection engines or services installed in our networks, generally as part of an internet security appliance or firewall rather than as individual boxes sitting in front of the email servers.

The reason we would want such protection as part of the general internet connection is to provide protection for email, browsing and other internet-related operations such as file transfer and remote access.

There are also a number of very good commercial cloud-based email spam, malware and URL detection services available. These are well worth a look for smaller enterprises that must consider costs of ownership, support and overall effectiveness.

Patching, and particularly security patching, of the IT estate (or home PC) should not be ignored, but sadly many companies are not that good at patch maintenance. Even where Microsoft products are fully maintained, non-Microsoft products (browsers, PDF readers, Java, Flash and the like, which exploit kits target) are often forgotten or updated only irregularly. It goes without saying that security patches should be deployed with the minimum of delay, with those deemed critical installed first.

Running antivirus software at both the server and the PC level is a good supplementary security measure, but the AV must be kept current. Remember, however, that even the best signature-based AV cannot reliably detect a brand new variant of malware that no vendor has yet seen; AV is a filter, not a guarantee.

Backup of the IT estate (and home PC) is yet another crucial security practice, and the regime should additionally maintain offline copies, i.e. copies that are not reachable from the network or from a logged-in user’s PC, since ransomware will happily encrypt a mapped backup drive. The backup regime should be both comprehensive (e.g. daily, weekly and monthly generations) and regularly tested by actually restoring from it. It is the availability of a backup that has not been compromised by malware or ransomware that will become the ultimate ‘get out of gaol’ card.

Another mechanism often forgotten is the principle of least privilege: a user should only be able to access the files necessary for their job, and should only be able to carry out the actions on those files that the job requires. This matters for ransomware because the malware runs with the rights of the user who launched it and encrypts every file that user can write to. Note that a senior manager, director, CEO etc. is not exempt from this principle; they do not need or require access to all the files in a company.

Only system administrators should have ‘system administration’ rights. Users should not have elevated rights even on their own PC. Additionally, system administrators should have two accounts, one with elevated rights for system administration and one with standard user rights for day-to-day activities such as email, report writing etc.

The above are all good security ‘motherhood and apple pie’ mechanisms, but some elements may be missing, in which case a business case needs to be made to management for a budget to improve the defences. The business case needs to identify the cost of a ransomware infection, both in terms of actual remediation and in terms of lost revenue and the potential for a public relations disaster. Part of this process will identify the company’s risk appetite, and the risk appetite will help determine what corrective measures are additionally deployed.

Non-technical protection

With the technical side sorted out according to the enterprise’s risk appetite and agreed budget, what else can be done to help protect against a successful ransomware attack?

Staff awareness training, with regular follow-up initiatives, is the final line of defence. It is important to make staff aware that unexpected emails, even from known sources, are suspicious, particularly those that require a link to be clicked or that carry an attachment. Staff also need to know what the symptoms of a successful ransomware attack look like (files that will no longer open, files with strange extensions, ‘readme’ or ‘instructions’ files appearing in folders, a ransom message on screen) and what to do, and whom to tell, should they feel something is wrong.

If all else fails

If all else fails and a ransomware attack is successful, then having access to good, well-tested backups, with at least one copy that is held off network, will be vital in service restoration.

Note that when restoring service, the source of the infection (the PC or account that first ran the ransomware) should be identified first, isolated from the network and rebuilt before shared data is restored; otherwise the restored files will simply be encrypted again. Even once the identified source is believed to have been removed, the backup media should be connected read-only or to an isolated host while it is being used, so that it cannot be compromised by an undiscovered second source.
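Both the symptoms staff should recognise and the check that a backup set is clean before it is restored come down to the same evidence on disk: files renamed with a ransom extension, ransom notes dropped into folders, and ‘documents’ whose contents are now ciphertext. The scanner below is an added example written for this article, not the author’s or any vendor’s tool. It walks a directory tree (a file share, or a mounted backup before you restore from it) and reports those three signs; the ‘.zepto’ extension comes from the article, while the other extensions, the ransom-note name pattern, the entropy threshold and the sample directory tree are constructed assumptions.

```python
"""Scan a directory tree for signs of a file-encrypting ransomware infection:
renamed files, dropped ransom notes, and 'documents' that are now ciphertext."""
import math
import os
import re
import shutil
import tempfile
from collections import Counter

# .zepto is the extension named in the article; the rest are assumed examples.
RANSOM_EXTS = {".zepto", ".locky", ".encrypted", ".crypt"}
# Ransom-note filenames differ per family; this name pattern is an assumption.
NOTE_RE = re.compile(r"(instructions|readme|recover|decrypt|how_to)", re.I)
# Leading bytes a genuine file of each type starts with.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".rtf": b"{\\rtf",
}
HIGH_ENTROPY = 7.2  # bits per byte; ciphertext and compressed data sit close to 8


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """Return 'renamed', 'note' or 'scrambled' for a suspicious file, else None."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in RANSOM_EXTS:
        return "renamed"
    if NOTE_RE.search(name) and ext in {".txt", ".html", ".hta"}:
        return "note"
    if ext in MAGIC:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        # A document that lost its magic bytes and looks like random data
        # was most likely encrypted in place and left with its old name.
        if not head.startswith(MAGIC[ext]) and shannon_entropy(head) > HIGH_ENTROPY:
            return "scrambled"
    return None


def scan(root):
    """Count the findings under root and apply an assumed tripwire rule."""
    report = Counter(checked=0)
    for dirpath, _, files in os.walk(root):
        for f in files:
            report["checked"] += 1
            label = classify(os.path.join(dirpath, f))
            if label:
                report[label] += 1
    # Assumed rule: any ransom note, or more than one damaged file, is an alert.
    report["suspicious"] = report["note"] > 0 or (report["renamed"] + report["scrambled"]) > 1
    return dict(report)


def demo():
    """Build a constructed sample tree: a clean share beside an infected one."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    clean, hit = os.path.join(root, "finance"), os.path.join(root, "sales")
    os.makedirs(clean)
    os.makedirs(hit)
    with open(os.path.join(clean, "q3.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"quarterly figures " * 200)  # genuine-looking OOXML header
    with open(os.path.join(clean, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes\n" * 50)
    with open(os.path.join(hit, "pipeline.xlsx"), "wb") as fh:
        fh.write(b"\x8b" + os.urandom(4095))  # encrypted in place, name unchanged
    with open(os.path.join(hit, "forecast.docx.zepto"), "wb") as fh:
        fh.write(os.urandom(2048))  # encrypted and renamed, as the article describes
    with open(os.path.join(hit, "_HELP_instructions.html"), "wb") as fh:
        fh.write(b"<html>constructed ransom note placeholder</html>")
    try:
        return scan(clean), scan(hit)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, result in zip(("finance", "sales"), demo()):
        print(name, result)
```

On the constructed tree the finance share reports two files checked and nothing suspicious, while the sales share reports one renamed file, one scrambled spreadsheet, one ransom note and a positive verdict. Pointing `scan()` at a mounted backup set before restoring is the practical use: a clean result does not prove the backup is safe, but a positive one proves it is not.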


Comments (1)

    William Wright MBCS wrote on 22nd Feb 2017

    A great article, with really good advice on improving protection.

    In addition to the technical mechanisms described:

    Windows platforms have very powerful features that seem to be routinely overlooked when mitigating against ransomware, namely “AppLocker” and “Software Restriction Policies”. They allow an administrator to restrict which executables are permitted to run.
    Why would the ‘standard user’ - performing the day-to-day activities described in the article, such as email, report writing etc. - possibly need to execute programs from a “Temp” folder?
    Sometimes developing executable whitelists can be a challenge, and sometimes it isn’t possible to restrict _every_ possible scenario, but at the very least preventing files in the web browser cache folder from being executed goes a long way to reducing risk.
    (And don’t forget the anti-virus / malware benefits - restricting executables from running in the first place means that you have a more effective strategy against zero-day attacks: they only work if they can be executed!)

