Decrypt my data!
When someone has something dear to them, that thing can be used as leverage for blackmail. Blackmail, or extortion, is a criminal practice that has been around since time immemorial. Children, family, pets, material possessions… all of them can be levers used against you to extract something valuable. Due to the development of technology and our subsequent dependence on it, a new lever has sprung up that can be used for extortion or blackmail: our data. Because it frequently contains something we have spent days, months, or even years working on, or private and intimate information we do not want to share with others, this data is very important to us. Sadly, criminals are also aware of this fact. It is therefore no surprise that, several years ago, malicious software appeared with the intent of stealing our data, destroying it, or holding it for ransom. The latter is the most profitable variant and hence the most pervasive. Software that does not harm data but instead makes it inaccessible until the victim pays a predefined sum is called “Ransomware”.
A couple of months ago, Croatia and other eastern European countries were plagued by multiple variants of “Ransomware”. It is precisely because of this problem that corporations are asking how to protect their own data. Unfortunately, the majority of “Ransomware” is very well made and, because of advanced infection methods, nearly undetectable by antivirus tools, which are, also unfortunately, the only line of defense for most corporations. Once again, just like in many other incidents that get media coverage, the topic of comprehensive, consistent, and continuous information security is brought up. Why? Because it is the only way companies can deal with these kinds of threats. Even when a corporation has mechanisms, people, and processes of the highest level, security incidents are still possible and practically guaranteed. “What is the point of all this effort to maximize the security level of the system if even then I am not secure?” is the question everyone asks. The point is to decrease the extent of problems as much as possible, isolate them to limit the damage, and ensure the company’s continued business. Some of the incidents in Croatia caused by “Ransomware” were so drastic that entire IT systems had to be rebuilt from the ground up because they did not follow the most basic security recommendations and industry practices. What are those methods and practices? There are many, and they are specifically connected to each individual system, but there are a few general ones that may help you protect yourself from “Ransomware” and many other malicious threats. Let’s go through the list:
- Continuous and regular vulnerability checks on all systems
Regular automated vulnerability checks deliver an insight into the security state of the system and potential critical leaks that some variants of “Ransomware” employ for initial system compromise (CROZ recommends the Rapid7 Nexpose tool).
- Reducing surface area against attacks on workstations by limiting application execution such that only approved applications are allowed to run
If we limit the execution of files at workstations to only those that are trusted, then we can drastically decrease the area for attack and compromise that “Ransomware” employs, as well as all other malicious code (CROZ recommends – Symantec Endpoint Protection – Application Control).
- Controlling and filtering web traffic
Web content filtering decreases the chances of a user visiting a page that contains malicious code, and it also analyzes each web page for malicious code when it is visited. It is imperative to also monitor traffic and track anomalies in web page visits. One of the simplest anomalies to detect is a jump in traffic to IP addresses located in Ukraine, Russia, or China. An additional advantage of filtering web traffic is the blocking of known malicious IP addresses, or “botnets”, which helps prevent downloading malicious files. Blocking all executable files is another important method that can be applied in this context (CROZ recommends – Fortinet Fortigate).
- Inline sandboxing
Inline sandboxing means containing all suspicious files that enter the network in a controlled virtual environment, then executing and analyzing them there. While this technology does not directly block malicious software, it lets a company confirm, once the analysis has been completed, whether a file is truly malicious. Considering that analysis is completed within a couple of minutes after the files arrive in the network, companies can quickly react and prevent further infection within the network (CROZ recommends – Fortinet FortiSandbox).
- Following the best security practices relating to Microsoft operating systems:
  - Reduction of administrative privileges
  - Implementing a patch update cycle
  - Employing User Account Control (UAC) possibilities
  - Employing EMET technologies
- Employing log management solutions for anomaly tracking of file system access
Log gathering systems can warn you about anomalies relating to file system access and thereby detect suspicious behavior (e.g., a large increase in the number of file server accesses, which is the moment when “Ransomware” begins encrypting files) (CROZ recommends – IBM Qradar).
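The anomaly described here, a sudden jump in the number of file server accesses by one account, is simple enough to detect with a windowed counter. The following is an added example written for this post, not code from CROZ or from IBM QRadar: it parses constructed audit-style log lines (the line format, user names, paths, and thresholds are all assumptions for the illustration), counts events per user per one-minute window, and raises an alert when a window exceeds a multiple of that user's earlier average. The same counter, keyed by destination address instead of user, applies equally to the web-traffic spike mentioned under web traffic filtering.

```python
"""Spot bursts of file-server access per user in audit-style log lines.

Added example for illustration only. The log format, sample data and
thresholds are constructed; a real SIEM rule would be tuned per environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed (hypothetical) line format: "<ISO-8601 time> <user> <action> <path>"
SAMPLE_LINES = [
    "2016-03-01T09:00:05 alice WRITE /share/finance/q1.xlsx",
    "2016-03-01T09:00:40 bob READ /share/hr/policy.docx",
    "2016-03-01T09:01:12 alice WRITE /share/finance/q1.xlsx",
    "2016-03-01T09:02:03 bob WRITE /share/hr/policy.docx",
    "2016-03-01T09:03:30 alice READ /share/finance/notes.txt",
    "2016-03-01T09:04:10 bob WRITE /share/hr/policy.docx",
]


def build_sample_log():
    """Normal activity followed by one account touching 80 files within a minute."""
    burst_start = datetime(2016, 3, 1, 9, 5, 0)
    burst = [
        f"{(burst_start + timedelta(seconds=i * 0.5)).isoformat()} bob WRITE /share/hr/doc{i:03d}.docx"
        for i in range(80)
    ]
    return SAMPLE_LINES + burst


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    action: str
    path: str


@dataclass(frozen=True)
class Alert:
    user: str
    window_start: datetime
    count: int
    baseline: float  # mean events per window before the flagged window


def parse_line(line):
    ts, user, action, path = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), user, action, path)


def load_events(lines):
    events = [parse_line(line) for line in lines if line.strip()]
    return sorted(events, key=lambda e: e.time)  # log lines may arrive out of order


def bucket_start(t, window):
    """Align a timestamp to the start of its fixed-size window (window in seconds)."""
    secs = t.hour * 3600 + t.minute * 60 + t.second
    aligned = secs - secs % window
    return t.replace(hour=0, minute=0, second=0, microsecond=0) + timedelta(seconds=aligned)


def detect_bursts(events, window=60, factor=5.0, min_events=20):
    """Alert when a user's event count in one window exceeds `factor` times
    their average over all earlier windows (idle windows count as zero)
    and is at least `min_events`, so a quiet account does not alert on
    a handful of files."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e.user][bucket_start(e.time, window)] += 1

    alerts = []
    step = timedelta(seconds=window)
    for user, buckets in counts.items():
        history = []
        t, last = min(buckets), max(buckets)
        while t <= last:  # walk every window, including idle ones
            n = buckets.get(t, 0)
            if history:
                baseline = mean(history)
                if n >= min_events and n > factor * max(baseline, 1.0):
                    alerts.append(Alert(user, t, n, baseline))
            history.append(n)
            t += step
    return sorted(alerts, key=lambda a: a.window_start)


if __name__ == "__main__":
    for alert in detect_bursts(load_events(build_sample_log())):
        print(f"{alert.window_start.isoformat()} user={alert.user} "
              f"events={alert.count} baseline={alert.baseline:.2f}/window")
```

On the constructed sample this flags only bob's 09:05 window (80 writes against an average of 0.6 per minute); alice's steady one-access-per-minute pattern stays silent. The `min_events` floor matters in practice: without it, an account that normally does nothing would alert on its first few legitimate writes.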
- Educating users
Likely the most efficient way to prevent infection is to educate users about real and present threats. Periodic user education can help immensely in eliminating problems with malicious software in general.
For a system security check and application, contact us!