Techniques to detect & mitigate Crypto-ransomware?

Backups, backups, backups.

Have a good backup and restore strategy. You should be able to restore any server, network fileshare or desktop client to exactly the state it had yesterday, last week or last month (adjust these time increments according to your business needs). When you notice a malware infection, just nuke the affected system and restore it from backup.

Backups should be on a physically separated system. Backups should be pull, not push, i.e. the backup system should have permission to read from the backed up system, but the backed up system should not have permission to write to the backup system. This ensures that a ransomware doesn't overwrite the backups.

Also, test your recovery strategy regularly. I've heard too many horror stories from organizations which thought they had backups, but when the day came where they actually needed them they found out that there was an error in their backup routine for years and they couldn't recover anything.

To prevent the hassle from being necessary too often, you should also improve the security of your workstations:

  • Give the user accounts on your workstations limited privileges. They should only be able to run those programs required for their work.
  • Do not give users the privileges to install software. Have the IT department install software remotely when it's required.
  • Also update all software remotely as soon as there is an update available.
  • Have a malware scanner on all workstations.
  • Also run a malware scanner on all email you receive.
  • Having your workstations browse the Internet through a proxy server also allows you to implement additional filtering on that proxy.

But all of that is really just auxiliary to a proper backup and restore strategy, which is always your final safety net when everything else fails.

Detailed instructions for how to implement each of these measures would be far too long and detailed to describe here, especially because the most appropriate solution also depends heavily on your IT infrastructure and business needs. But it should give you a place to start.
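As an added example, not code from the answer above, the following Python routine shows the discipline the answer describes in practice: write-once, labelled snapshots of a share, a SHA-256 manifest stored next to each snapshot, and a restore test that actually copies the data back out and checks it rather than trusting that "the backup job ran". It assumes it runs on the backup host against a share that host has pulled (here a local scratch directory, so it runs offline); the directory layout, manifest file name and sample files are constructed for illustration, not any product's format. The pull model itself (the client holding no credentials for the backup host) is an access-control decision outside this script; what the code adds is the ability to prove a snapshot is still intact after the live copy has been scrambled.

```python
"""Versioned backup snapshots with an integrity manifest and a restore test.

Added example; not code from the answer above. Assumes it runs on the backup
host and that `source` is the share that host has pulled (here a local scratch
directory so everything runs offline). Layout and manifest name are
illustrative choices, not any product's format.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST = "MANIFEST.json"  # assumed name, one manifest per snapshot


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: Path, backup_root: Path, label: Optional[str] = None) -> Path:
    """Copy `source` into a new labelled directory and record the SHA-256 of
    every file beside it. A label is never reused, so an existing snapshot is
    never overwritten by a later run."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = backup_root / label
    if snap.exists():
        raise FileExistsError(f"snapshot {snap} already exists; snapshots are write-once")
    data = snap / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_file(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (snap / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return snap


def verify_snapshot(snap: Path) -> List[str]:
    """Compare stored files against the manifest. Returns a list of problems
    (hash mismatch, missing or unexpected file); an empty list means intact."""
    data = snap / "data"
    manifest: Dict[str, str] = json.loads((snap / MANIFEST).read_text())
    problems, seen = [], set()
    for p in sorted(data.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(data))
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            problems.append(f"unexpected file: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    problems.extend(f"missing file: {rel}" for rel in sorted(manifest.keys() - seen))
    return problems


def restore_test(snap: Path) -> bool:
    """The step the answer insists on: restore into scratch space and check
    the result against the manifest instead of trusting the backup job."""
    manifest: Dict[str, str] = json.loads((snap / MANIFEST).read_text())
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "restore"
        shutil.copytree(snap / "data", target)
        return all(sha256_file(target / rel) == digest for rel, digest in manifest.items())


def demo() -> Dict[str, bool]:
    """Constructed scenario: snapshot a small share, let 'ransomware' scramble
    the live copy, show the snapshot still verifies and restores, then tamper
    with the stored copy to show the manifest catches that too."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "fileshare"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "q3.csv").write_text("constructed,sample,data\n1,2,3\n")
        (share / "readme.txt").write_text("constructed sample file\n")
        backups = Path(tmp) / "backups"
        backups.mkdir()

        snap = take_snapshot(share, backups, label="2016-10-01T0300Z")
        result = {"snapshot_ok": verify_snapshot(snap) == [],
                  "restore_ok": restore_test(snap)}

        # Simulate ransomware on the client: overwrite every live file with
        # random bytes and rename it. The snapshot on the backup host is untouched.
        for p in [q for q in share.rglob("*") if q.is_file()]:
            p.write_bytes(os.urandom(p.stat().st_size))
            p.rename(p.with_name(p.name + ".locked"))
        result["snapshot_still_ok"] = verify_snapshot(snap) == []
        result["restore_still_ok"] = restore_test(snap)

        # Any change to the stored copy itself is caught by the manifest.
        (snap / "data" / "readme.txt").write_text("tampered\n")
        result["tamper_detected"] = verify_snapshot(snap) == ["hash mismatch: readme.txt"]
        return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'PASS' if ok else 'FAIL'}")
```

Run `restore_test` on a schedule, not once: the answer's horror stories are about backup routines that silently broke for years, and a restore test that runs nightly and alerts on a `False` result is what turns "we have backups" into a checked fact.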


There's no absolute barrier, but you can make it quite hard for malware, and do a lot more than just filter and backup.

Think about what crypto-ransomware has to do, to succeed - it must:

  1. reach the system with the data (which includes getting past 3 hurdles - technological, policies and people)
  2. remain undetected
  3. execute (run) successfully
  4. put you in a position of substantial lost data if you don't pay.

All of those are hurdles you have some control over.

The exact methods and tools depend on the platform, so this is in Windows terms but the principles should apply to other systems.

Reaching the system

(note: includes reaching writable file shares of that system, may not need to reach the system itself)

This is the area of "boundary protection". It has three broad aspects - technological methods, policies, and human knowhow.

The first part of boundary protection covers use of properly set up firewalls, malware filtering on the gateways, separation of sensitive and "public" sections of your network.

Policies cover having and enforcing good policies and practices about IT systems management (how the systems work, how modifications to security and testing/configurations happen, permissions, and so on) and also policies applicable to staff uses, such as USB stick discipline, mobiles/notebooks/bring-your-own-device, and other pluggable devices. If you allow remote access, is it secured? Do you ever get vulnerability assessments carried out, and are the results followed up? Are security logs kept and suitable alerts set (and are they actually tuned so they aren't just an annoyance people ignore)? All of these are the kinds of things policies cover.

The third part of boundary protection is good understanding by users (or staff). Are they educated and trained in what they need to know? Do they follow your policies or do they "work round them" because they get in the way? Do they understand that phishing links and emails are a major way malware is received, and do they know what to check? If the computer shows an unfamiliar message (could be a valid one or not) do they know what to do and who they can ask if not sure, or will they click first, ask later? Do they know that legitimate trusted websites and emails from colleagues or contacts are frequently used by malware exactly because "everyone will trust them"? Do they feel safe from pressure and criticism if they feel something's wrong, and that they can check it out with someone named, without being made to feel stupid or obstructive or putting business at risk? (This is the area of social engineering and it thrives on "you have to do this now, there isn't time to check properly!" and fears or pressures like "You'll look bad/X will get angry/don't mess me round/I'm important!") Get staff involved, don't just "dictate from on high", to have a better chance that the result has high levels of "buy in" and they understand how important it is.

Detection

Antivirus/antimalware software that watches for suspicious activity and "known bad" files.

As of 2016 specific anti-ransomware software is also starting to exist, which watches for the characteristic signs of encryption activity on unusually-unencrypted files. Examples include "CryptoDrop" (an academic project worth googling), and beta products by companies such as Kaspersky.

Execution

Most systems have administration capabilities able to prevent software running. Look at packages like "CryptoPrevent" (FoolishIT Inc), which has free versions on Windows and simply tells Windows "don't allow code to run from files in these locations or with these names" and so on, for a lot of locations commonly used by malware. Other systems probably have similar abilities.

Data loss prevention

Backups have been mentioned, but other ways to prevent data loss if all the above fail, also exist. A warning though - cloud backup and "copied to another machine" is not always "backup" for this purpose. If malware is able to get to your cloud data or other machine, it might be able to overwrite it (depending on how your storage works).

There are three extra methods worth considering, as well as backups, to protect data from loss/overwriting:

First, Windows (and I imagine most systems) can keep "snapshots" of old versions of files when they change. In Windows it's "VSS", the Volume Snapshot Service ("System Restore" is built on that). Ransomware tries to call these to delete existing "memories" so you can't go back to a pre-encrypted version. CryptoPrevent has a setting that prevents the VSS program running in this way; result: the attempt to delete old version data won't work if you have such versions. It won't foil all ransomware but should foil some.

Second, use something like FreeNAS for your valuable storage and backups. Free, very reputable, designed for data integrity. Malware might delete files, but it's very unlikely to be able to delete your hourly or quarter-hourly snapshots of previous states of the file store, if it's configured properly. A valuable bonus feature is storage integrity, because it uses ZFS as its file system, which is designed specifically for robust data protection.

Third, use file system permissions to restrict what users can do, and system credentials (login security/device certificates/etc). Don't put all your eggs in one basket. Don't give permissions that people don't need, or access to write to data folders they don't need and revoke these when they leave or the permissions aren't needed any more.

AND LAST: General comment on remote systems/access and security generally

As I've said above, malware does not need to be on a machine to harm that machine's saved files. Your antivirus detects malware but won't normally be able to tell if malware elsewhere is maliciously writing its files. Software execution restrictions have the same issue. So while those add a lot, remember you need to consider malware running on any device connected to your data files, not just the device holding them.

That means thinking quite far out - "what if my remote worker's home gets hacked through his kid's notebook, and that person works from home and logs in?" Or "what about my B2B apps and virtual server host?" I think it was Target that got their customer database hacked, where the hackers got in through their vulnerable heating controller which was networked, and from there could reach the main network. Gives you an idea, doesn't it?

So "what is my data connected to by wires or WiFi" goes a long way. That's why good security is 'layered' - it uses several/all of these together, not just one or two.

As you can't protect everything, your planning needs to consider what your fallback protection is - that is, how malware threats will be countered if you can't prevent whatever was the infected system from getting infected, or detect its infection, or stop the malware running, or its spread to machines allowed access to files. It's a good mental exercise and will help you think "what should be stopping it".
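The "Detection" section above talks about tools that watch for "the characteristic signs of encryption activity". As an added example, not part of the answer and not CryptoDrop's or any vendor's code, here is a Python sketch of the kind of heuristics such a tool combines: a Shannon entropy jump on files whose format is normally compressible, an extension change on write, and a burst of writes from one account inside a short window. It alerts only when at least two signals fire together, which is what keeps a legitimate bulk rename or a handful of archive uploads quiet. The event format, thresholds and sample events are constructed for illustration; a real sensor would feed it from a file-system filter driver or file audit log, and the point the answer makes about remote writers applies here too: the events must be collected on the file server, since the writing process may live on another machine.

```python
"""Heuristic detector for the 'characteristic signs of encryption activity'
the answer mentions. Added example; not CryptoDrop's or any vendor's code.
The event format, thresholds and sample events are constructed; a real
sensor would feed it from a file-system filter driver or audit log.
"""
import hashlib
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class WriteEvent:
    ts: float        # seconds since start of the observation window (constructed)
    user: str        # account that performed the write
    old_path: str    # path before the write
    new_path: str    # path after the write; equals old_path if not renamed
    content: bytes   # bytes written (a real sensor would sample the file)


# Formats whose content is normally far from random, so a jump to ~8 bits/byte
# is a strong signal. Already-compressed formats (.zip, .jpg, and .docx, which
# is a zip container) are deliberately absent: they are legitimately high-entropy.
LOW_ENTROPY_TYPES = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".sql"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; assumed tuning value


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(events: Iterable[WriteEvent], window_s: float = 60.0,
            burst_threshold: int = 20) -> Dict[str, Dict[str, object]]:
    """Score each user on three independent signals and alert when at least
    two fire together:
      entropy - high-entropy content written over a normally low-entropy type
      rename  - extension changed on write (e.g. report.csv -> report.csv.locked)
      burst   - at least `burst_threshold` writes inside `window_s` seconds"""
    stats = defaultdict(lambda: {"entropy": 0, "rename": 0, "burst": 0, "alert": False})
    recent: Dict[str, List[float]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        s = stats[ev.user]
        old_ext = os.path.splitext(ev.old_path)[1].lower()
        new_ext = os.path.splitext(ev.new_path)[1].lower()
        if old_ext in LOW_ENTROPY_TYPES and shannon_entropy(ev.content) >= ENTROPY_THRESHOLD:
            s["entropy"] += 1
        if new_ext != old_ext:
            s["rename"] += 1
        window = recent[ev.user]
        window.append(ev.ts)
        while window and ev.ts - window[0] > window_s:   # slide the window
            window.pop(0)
        if len(window) >= burst_threshold:
            s["burst"] = max(s["burst"], len(window))
    for s in stats.values():
        s["alert"] = sum(1 for k in ("entropy", "rename", "burst") if s[k] > 0) >= 2
    return dict(stats)


def pseudo_random(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


SAMPLE_TEXT = b"Quarterly notes: revenue up, costs flat, review hiring plan.\n" * 40


def build_sample_events() -> List[WriteEvent]:
    """Constructed traffic: alice edits text normally, charlie uploads a few
    archives (high entropy but a compressed format), and bob's compromised
    workstation rewrites and renames 25 files in ten seconds."""
    events = []
    for i in range(5):
        p = f"//fs01/finance/notes{i}.txt"
        events.append(WriteEvent(i * 120.0, "alice", p, p, SAMPLE_TEXT))
    for i in range(3):
        p = f"//fs01/shared/archive{i}.zip"
        events.append(WriteEvent(300.0 + i * 5.0, "charlie", p, p, pseudo_random(100 + i)))
    for i in range(25):
        p = f"//fs01/shared/doc{i}.csv"
        events.append(WriteEvent(600.0 + i * 0.4, "bob", p, p + ".locked", pseudo_random(i)))
    return events


if __name__ == "__main__":
    for user, s in analyze(build_sample_events()).items():
        print(f"{user:8} entropy={s['entropy']:2} rename={s['rename']:2} "
              f"burst={s['burst']:2} alert={s['alert']}")
```

The useful response to an alert is the one the answers keep returning to: block the offending account's write access to the share and fall back to the snapshot, rather than trying to clean up in place. The entropy test is also why the answer's FreeNAS/ZFS and VSS advice matters: a detector fires after the first files are already encrypted, so recent read-only snapshots are what limit the loss to those few files.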