What is Ransomware or Cryptolocker?
A particularly insidious type of malware that prevents or limits users from accessing their data, usually by encrypting their files. It is typically delivered via email or by drive-by-download attacks from compromised websites. Once it has run, there is no way to remove/fix it: paying the “ransom” and hoping to receive the recovery key, or restoring from a backup, are the only avenues to resolution.
How CPI can help
- For our Managed Services customers: CPI will maintain existing systems to adhere to the suggestions below, and make recommendations where necessary
- For customers participating in our Data Center Fitness Program, CPI will ensure these items are incorporated into our ongoing assessments.
- For customers who utilize CPI on an as-needed basis, and for potential new customers, CPI can conduct a review of your systems to assess your posture in relation to these evolving threats.
The Best Defense
The best defense against these attacks is layered security combined with strong backup and recovery capabilities. The following list is a mix of systems administration settings and technology enhancements that improve your chances of fending off an attack, or of recovering if you are struck by one.
- Apply software patches consistently. Some ransomware arrives via vulnerability exploits.
- Lock down user privileges.
  - Remove local admin rights. Users should not do their day-to-day work with admin rights.
- Updated and properly configured anti-virus.
  - Block your end users from being able to execute malware.
  - Symantec Endpoint Protection 12.1 (SEP 12) users can leverage the supplied “High Security” Virus and Spyware Protection policy, generated automatically during installation of SEP 12, to provide protection against ransomware threats.
  - Many other anti-virus solutions have similar capabilities.
- Show hidden file-extensions: One way that Cryptolocker frequently arrives is in a file named with the extension “.PDF.EXE”, counting on Windows’ default behavior of hiding known file-extensions. If you re-enable the display of full file-extensions, suspicious files are easier to spot.
- Filter EXEs in email: If your gateway mail scanner can filter files by extension, you may wish to deny mails carrying “.EXE” files, or mails carrying files that have two file extensions, the last one being executable (“*.*.EXE” files, in filter-speak).
- Utilize Volume Shadow protect on Windows servers.
- Backup: A solid data backup methodology is critical if you are impacted by a Cryptolocker-type attack. Once files are encrypted, restoring from backup is often the only recourse. CPI recommends the following:
  - Frequent data backups.
  - Test your backups to ensure they are reliable.
  - A sufficiently long retention period, as it sometimes takes days or weeks to discover that ransomware is on the system.
- Limit drive mapping: If a user does not need a mapped drive, it should be removed.
- Audit user rights: Limiting user rights to directories and files throughout the environment reduces the attack surface. If a compromised user has access to file stores they don’t need, those files can be damaged as well.
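The backup recommendations above (frequent backups, a retention period that covers the time ransomware stays unnoticed) can be checked with a small model. The following is an added illustration with constructed dates, not CPI's tooling or any backup product's API: it lists the backups that still exist on the day the infection is discovered, keeps only those taken before the files were encrypted, and computes a retention period that is always sufficient for a given dwell time.

```python
from datetime import date, timedelta

# Added illustration of the backup guidance: which retained backups are still
# clean when ransomware is discovered `dwell` days after it encrypted the files.
# Constructed example with made-up dates; not CPI's tooling.


def retained_backups(schedule_start, interval_days, retention_days, as_of):
    """Dates of the backups that still exist on `as_of`, assuming one backup
    every `interval_days` from `schedule_start` and pruning of anything older
    than `retention_days`."""
    oldest_kept = as_of - timedelta(days=retention_days)
    kept = []
    d = schedule_start
    while d <= as_of:
        if d >= oldest_kept:
            kept.append(d)
        d += timedelta(days=interval_days)
    return kept


def clean_restore_points(schedule_start, interval_days, retention_days,
                         infection_date, detection_date):
    """Retained backups taken strictly before the files were encrypted.
    Backups taken on or after `infection_date` contain encrypted data and are
    useless for recovery; an empty result means the retention window was too
    short for the time the infection went unnoticed."""
    return [d for d in retained_backups(schedule_start, interval_days,
                                        retention_days, detection_date)
            if d < infection_date]


def sufficient_retention_days(interval_days, dwell_days):
    """A retention period that always leaves at least one clean backup when
    ransomware stays unnoticed for `dwell_days`: the dwell time plus one full
    backup interval, because the last clean backup may be up to one interval
    older than the infection. This is a sufficient value, not the tightest."""
    return dwell_days + interval_days


if __name__ == "__main__":
    # Constructed scenario: daily or weekly backups since 1 Jan, files encrypted
    # on 1 Feb, nobody notices until 21 Feb (20 days of dwell time).
    start, infected, detected = date(2024, 1, 1), date(2024, 2, 1), date(2024, 2, 21)
    dwell = (detected - infected).days
    for interval, retention in [(1, 14), (1, 30), (7, 14), (7, 28)]:
        clean = clean_restore_points(start, interval, retention, infected, detected)
        print(f"backup every {interval}d, keep {retention}d: "
              f"{len(clean)} clean restore point(s); "
              f"retention of {sufficient_retention_days(interval, dwell)}d is always enough")
```

With daily backups and a 14-day retention, the 20-day dwell time in the scenario leaves no clean copy at all; raising retention to 21 days leaves exactly one, and 30 days leaves ten. Weekly backups need a longer window still, which is the trade-off between frequency and retention the recommendations above are pointing at.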
User Preparation and tips:
- Conduct user awareness training
- Download email attachments only from trusted sources.
- Turn on desktop firewalls
- Bookmark trusted websites and access these websites via bookmarks.
Deploy newer technologies:
- Systems for Email Protection: Anti-Spam, Email Anti-Virus, Malware scanning
- Implementing next-generation firewalls and utilizing IPS, malware protection and URL filtering will provide multiple additional layers of protection.
- Migrate to Microsoft Office 365 and gain access to a variety of security and protection systems focused on keeping email safe.
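The two email-related controls described earlier, showing hidden file extensions and filtering “*.EXE” and “*.*.EXE” attachments at the mail gateway, fit together in one added example. The code below is constructed for illustration; it is not CPI's tooling and does not use any real gateway's filter syntax. It shows how a name like “Invoice.PDF.EXE” is displayed when Windows hides known extensions, and implements the deny rule from the list as a function a gateway plug-in or a log-review script could apply. The set of executable extensions is an assumed subset, not a complete list.

```python
from __future__ import annotations

# Added illustration of the "show hidden file-extensions" and "filter EXEs in
# email" advice. Constructed example, not CPI's tooling or a real gateway API.

# Extension types Windows will run directly. Assumed, illustrative subset; a
# production policy would track the gateway vendor's maintained list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Types Explorer treats as "known" and therefore hides. Assumed subset for the demo.
KNOWN_TYPES = EXECUTABLE_EXTENSIONS | {".pdf", ".docx", ".xlsx", ".txt", ".zip"}


def normalize(filename: str) -> str:
    """Lower-case the name and drop trailing spaces and dots, which Windows
    discards when the file is created ('Invoice.PDF.EXE ' still runs as .exe)."""
    return filename.strip().rstrip(". ").lower()


def extensions(filename: str) -> list[str]:
    """Every dotted suffix after the base name: 'Invoice.PDF.EXE' -> ['.pdf', '.exe']."""
    parts = normalize(filename).split(".")
    return ["." + p for p in parts[1:] if p]   # parts[0] is the base name


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' enabled:
    the final known extension is removed, so 'Invoice.PDF.EXE' appears as
    'Invoice.PDF' and is easily mistaken for a document."""
    cleaned = filename.strip().rstrip(". ")
    base, dot, ext = cleaned.rpartition(".")
    if dot and ("." + ext.lower()) in KNOWN_TYPES:
        return base
    return cleaned


def attachment_verdict(filename: str) -> str:
    """The gateway rule from the text: deny *.EXE (any executable type) and
    deny *.*.EXE (two or more extensions with an executable one last)."""
    exts = extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return "allow"
    if len(exts) == 1:
        return "deny:executable"           # the *.EXE rule
    return "deny:double-extension"         # the *.*.EXE rule


def filter_message(attachments: list[str]) -> tuple[str, dict[str, str]]:
    """Apply the rule to every attachment of one message. The whole message is
    held for review if any attachment is denied; the per-file verdicts are
    returned so the hold can be logged with a reason."""
    verdicts = {name: attachment_verdict(name) for name in attachments}
    action = "hold" if any(v != "allow" for v in verdicts.values()) else "deliver"
    return action, verdicts


if __name__ == "__main__":
    # Constructed attachment names from a hypothetical inbound message.
    sample = ["agenda.docx", "report.pdf", "Invoice.PDF.EXE", "setup.exe ", "archive.tar.gz"]
    action, verdicts = filter_message(sample)
    print(f"message action: {action}")
    for name in sample:
        print(f"  {name!r:22} shown as {displayed_name(name)!r:16} -> {verdicts[name]}")
```

Two details are worth noting: trailing spaces and dots are stripped before the check because Windows drops them itself, so they must not be allowed to slip a name past an extension match; and `displayed_name` makes the point of the “show hidden file-extensions” advice concrete, since “Invoice.PDF” is exactly what a user sees when the real file is “Invoice.PDF.EXE”.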