Security company CyberArk has published its latest research into Ransomware. The report is entitled Analyzing Ransomware and Potential Mitigation Strategies and can be downloaded free from their website (registration required). It concluded that there were strategies available to companies that would significantly reduce the risk of a ransomware attack.
Chen Bitan, general manager, EMEA & APJ, CyberArk said: “By analyzing how ransomware typically behaves, we’ve been able to gain critical insight into how to help protect against these attacks. Moving beyond traditional anti-virus solutions, which are not effective in blocking ransomware, and adopting a proactive approach to endpoint and server security is an important step in protecting against this fast-moving and morphing malware.”
What strategies did CyberArk look at?
CyberArk looked at five different strategies to prevent a ransomware attack. It applied these to 23,000 ransomware samples from over 15 different ransomware families. Two of the strategies, the use of least privilege and effective backup and recovery should be part of existing security policies. What was surprising is that least privilege was only successful in preventing ransomware 10% of the time. This is because ransomware does not rely on elevated privileges to encrypt users data. It only uses privilege escalation when it is looking to spread across the network.
Backup and restore is not about preventing an infection but providing a solution to an infection. Daily backups of servers and key corporate data sets is commonplace. User data is often down to individuals and this is where the problem lies. Networks cannot cope with users backing up all their computers during working hours. Companies do not provide cloud or other storage mechanisms to help users backup from home. The result is that while this is a good recovery strategy it is unlikely companies will implement it to the extent where it can be fully effective.
BYOD and cloud-based apps create other problems
The others have been proposed as solutions to malware before. They are application whitelisting, blacklisting and greylisting. Often seen as difficult to implement and maintain they deliver serious security benefits. By using whitelisting IT teams can be 100% effective against ransomware. This is because it only allows known apps to run. Unfortunately in a world of BYOD and personal cloud apps used for business it would be almost impossible for most companies to implement. Blacklisting is also 100% effective but assumes that you know the app spreading the malware.
Greylisting gives the benefits of both whitelisting and blacklisting while allowing BYOD and other apps to still function. What it does is restrict what those apps can access. This is especially important for ransomware as the majority of families require access to a command and control (C&C) server before encrypting the data. Interestingly CyberArk found it 99.97% effective in their tests. Security teams should give greylisting serious consideration.
Recommendations to mitigate ransomware
There are six recommendations that CyberArk is making for customers who want to mitigate the risk of ransomware:
- Apply application greylisting on user endpoints to prevent unknown applications, such as new ransomware instances, from accessing the Internet and gaining the read, write and modify permissions needed to encrypt files
- Apply application whitelisting on servers to maximize the security of these assets
- Remove local administrator rights from standard user accounts to reduce the attack surface
- Automatically elevate account privileges for specific authorized tasks to keep users productive without providing unnecessary privileges
- Use anti-virus tools to protect against common and known malware
- Frequently and automatically backup data from endpoints and servers to allow for effective disaster recovery
None of these are likely to increase IT workload significantly. Importantly, they are all things that small to mid-sized businesses could achieve with help from their IT partners. The question is how many will actually move forward and implement them?
Conclusion
Ransomware is a lucrative business for cybercriminals. Poor coding and the publishing of encryption keys has mitigated some ransomware. This is just a partial solution to the issue. A new campaign to attract distributors for the Petya/Mischa ransomware was discovered last week. It offered rewards of over £40,000 per week for successful distributors. This will attract more and more criminals and lead to an increased likelihood of a company falling victim.
Effective backups do ensure that data can be restored but this is just a small part of the time and cost associated with an attack. There are other costs such as cleaning infected machines, reinstalling apps and restoring the data. Putting into place strategies that will also strengthen security and governance is something every CISO needs to approve.
