COMMENT
Encryption stage
Back up and restore files locally: Create a dedicated storage volume and run an archival, differential file backup against it, one that keeps earlier versions rather than overwriting the previous copy. Remediation then comes down to removing the ransomware, going back in time with the backup to a point before the ransomware touched the files, and restoring the affected files. Network administrators can do this today with an external storage volume and a good archival backup utility, or by partitioning a local drive and running the backup utility against that partition. Keep in mind that a mirroring backup run after infection simply copies the encrypted files over the good ones, and that a backup volume writable from the user's everyday session is itself a target, so the volume should be mounted only for the backup job or writable only by the backup account.
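A minimal illustration of the archival, differential backup described above, added here as an example rather than taken from the article or from any backup product: each snapshot stores only content it has not seen before and records a manifest, so an earlier point in time can be restored even after a later run has faithfully backed up the encrypted files. The directory layout, the `snapshot`/`restore` names and the simulated "ransomware" step in `demo()` are all assumptions of this example.

```python
"""Archival, differential file backup with point-in-time restore.

Added example; not code from the article. Each snapshot copies only content
not already stored (differential by content hash) and records a manifest
mapping relative path -> hash, so any earlier snapshot can be restored
even after a later run has backed up ransomware-encrypted files.
Directory names and the simulated infection are assumptions of the example.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source_dir, backup_dir, label=None):
    """Back up source_dir into backup_dir; return the snapshot label."""
    blobs = os.path.join(backup_dir, "blobs")
    manifests = os.path.join(backup_dir, "manifests")
    os.makedirs(blobs, exist_ok=True)
    os.makedirs(manifests, exist_ok=True)
    label = label or time.strftime("%Y%m%dT%H%M%S")
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            digest = _sha256(full)
            blob = os.path.join(blobs, digest)
            if not os.path.exists(blob):      # unchanged content is never recopied
                shutil.copy2(full, blob)
            manifest[os.path.relpath(full, source_dir)] = digest
    with open(os.path.join(manifests, label + ".json"), "w") as f:
        json.dump(manifest, f, sort_keys=True)
    return label


def list_snapshots(backup_dir):
    """Snapshot labels in sorted order (timestamp labels sort chronologically)."""
    names = os.listdir(os.path.join(backup_dir, "manifests"))
    return sorted(n[:-5] for n in names if n.endswith(".json"))


def restore(backup_dir, label, target_dir):
    """Recreate the file tree recorded in snapshot `label` under target_dir."""
    with open(os.path.join(backup_dir, "manifests", label + ".json")) as f:
        manifest = json.load(f)
    for rel, digest in manifest.items():
        dest = os.path.join(target_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, "blobs", digest), dest)
    return sorted(manifest)


def demo():
    """Take a clean snapshot, simulate an infection, back up again, then
    restore the clean point. All files here are constructed sample data."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "docs")
    backup = os.path.join(work, "backup_volume")   # stand-in for the backup partition
    os.makedirs(os.path.join(src, "finance"))
    originals = {"finance/q1.csv": b"amount,vendor\n100,acme\n",
                 "notes.txt": b"meeting notes\n"}
    for rel, data in originals.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    clean = snapshot(src, backup, "clean")

    # Simulated ransomware: overwrite each file with junk and rename it.
    for rel, data in originals.items():
        path = os.path.join(src, rel)
        with open(path, "wb") as f:
            f.write(os.urandom(len(data)))
        os.rename(path, path + ".locked")
    snapshot(src, backup, "infected")   # a later backup faithfully records the damage

    restored = os.path.join(work, "restored")
    restore(backup, clean, restored)
    ok = True
    for rel, data in originals.items():
        with open(os.path.join(restored, rel), "rb") as f:
            ok = ok and f.read() == data
    result = {"snapshots": list_snapshots(backup),
              "clean_restore_ok": ok,
              "source_after_attack": sorted(os.listdir(src))}
    shutil.rmtree(work)
    return result
```

The "infected" snapshot is the point of the exercise: a backup job that runs on schedule after the attack records the damaged files just as faithfully as the good ones, and only the retained earlier manifest makes the clean restore possible. A mirroring tool that keeps a single current copy would have nothing left to go back to.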
that offers centrally administered whitelisting to block unauthorized executables on servers, corporate desktops and fixed-function devices, dramatically reducing the attack surface for most ransomware.
Limit privileges for unknown processes: Write host intrusion prevention system (HIPS) or access protection rules that deny processes of unknown origin the rights they do not need, in particular the right to modify user documents. Ransomware that never gains those rights can do little damage.
Infection stage
Don't turn on macros unless you know what's happening: In general, do not enable macros in documents received via email. Microsoft Office disables automatic execution of macros in documents by default, so the attacker needs you to turn them on. Office macros are a popular way for ransomware to get onto your machine; if a document "asks" you to enable macros in order to show its content, don't do it.
Make yourself "weaker" when working: Don't give yourself more login power than you need. If you normally work with administrator rights, consider restricting this. Surfing the web, opening applications and documents, and generally doing a lot of work while logged in with administrative rights is very dangerous. Malware runs with the rights of the user who launched it, so if you get hit while logged in with fewer rights, the malware also executes with fewer rights, which limits what it can reach and change.
Use access protection rules on software installs: Write access control rules for targeted file extensions, such as those of user documents, that deny writes by any application not on an approved list. This complements host intrusion prevention system rules that follow a similar strategy.
Use sandboxing for suspicious processes: If a process is flagged as suspicious (for example because its executable is very new and has low prevalence across the fleet), it should be sent to a security sandboxing appliance for detonation and further study before it is allowed to run freely.
Block "unapproved" processes from changing files: Block these by writing host intrusion prevention system or access protection rules that allow only approved applications to write to, rename or delete user files.
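The two rule-based items above (access protection rules on targeted file extensions, and blocking unapproved processes from changing files) come down to the same policy check, shown here as an added example that is neither the article's nor any HIPS product's rule syntax: an event is denied when it would write, rename or delete a file with a protected extension and the acting process is not on the approved list for that extension. The process paths, extensions and sample events are constructed assumptions.

```python
"""Access-protection rule evaluator for file-modification events.

Added example, not the article's and not a vendor's rule language: a
generic model of a HIPS/access-protection policy that denies writes,
renames and deletes on protected document extensions unless the acting
process is on an approved list. Process paths, extensions and the sample
events are constructed for the illustration.
"""
import os

# Each rule: the extensions it protects and the process images allowed to
# modify them. The paths are hypothetical examples of approved applications.
RULES = [
    {
        "name": "protect-office-docs",
        "extensions": {".docx", ".xlsx", ".pptx", ".pdf"},
        "approved": {
            r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
            r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
            r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
            r"C:\Program Files\Backup\backup-agent.exe",
        },
    },
    {
        "name": "protect-images",
        "extensions": {".jpg", ".png"},
        "approved": {r"C:\Program Files\Backup\backup-agent.exe"},
    },
]

PROTECTED_OPS = {"write", "rename", "delete"}   # reads are not modifications


def _ext(path):
    return os.path.splitext(path)[1].lower()


def _norm(path):
    return path.replace("/", "\\").lower()


def evaluate(event, rules=RULES):
    """Return ("allow" | "deny", matched rule name or None) for one event.

    event: {"process": image path, "op": write|rename|delete|read,
            "path": target file, "new_path": rename destination (optional)}
    A rename is checked on both names, so report.docx -> report.docx.locked
    (old extension protected) and x.tmp -> y.docx (new extension protected)
    are both caught.
    """
    if event["op"] not in PROTECTED_OPS:
        return ("allow", None)
    exts = {_ext(event["path"])}
    if event.get("new_path"):
        exts.add(_ext(event["new_path"]))
    proc = _norm(event["process"])
    for rule in rules:
        if exts & rule["extensions"]:
            approved = {_norm(p) for p in rule["approved"]}
            if proc not in approved:
                return ("deny", rule["name"])
    return ("allow", None)


SAMPLE_EVENTS = [   # constructed sample events
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "op": "write", "path": r"D:\share\finance\report.docx"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "op": "write", "path": r"D:\share\finance\report.docx"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "op": "rename", "path": r"D:\share\finance\report.docx",
     "new_path": r"D:\share\finance\report.docx.locked"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "op": "read", "path": r"D:\share\finance\report.docx"},
    {"process": r"C:\Program Files\Backup\backup-agent.exe",
     "op": "write", "path": r"D:\share\photos\team.jpg"},
]


def audit(events=SAMPLE_EVENTS, rules=RULES):
    """Evaluate every event; return (process image name, op, decision) tuples."""
    return [(os.path.basename(e["process"].replace("\\", "/")), e["op"],
             evaluate(e, rules)[0]) for e in events]
```

Renames are checked on both the old and the new name, so `report.docx` becoming `report.docx.locked` is denied even though `.locked` itself is not a protected extension. The obvious limit is that a rule keyed on the process image trusts anything running as an approved process, so code injected into WINWORD.EXE would pass; that is why the article pairs these rules with whitelisting and reduced user privileges rather than relying on them alone.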
Raj Samani, VP & CTO, EMEA, Intel Security
Communication stage
Firewall rules can block known malicious domains: Writing rules that block known malicious domains, including the distribution and control-server domains used by ransomware, is a standard capability of network firewalls.
Proxy/gateway scanner signatures for known traffic: For those with proxy and gateway appliances, these can be configured to scan for known ransomware control-server traffic and block it. Ransomware that has to fetch a per-victim public key from its control server before it can begin asymmetric encryption cannot continue if that traffic is blocked; variants that carry an embedded key encrypt without calling home, so treat this as one layer rather than a complete defence.
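For the two blocking items above (firewall rules against known malicious domains, and proxy or gateway matching of known control-server traffic), the following added example, which is not the article's code nor any firewall or proxy vendor's, shows the one piece of logic both depend on and runs it over constructed proxy log lines: matching a hostname against a domain blocklist on label boundaries, so that an entry covers its subdomains but not look-alike names that merely contain it. The blocklist entries, the log lines and the `.example`/`.test` names are placeholders, not real indicators.

```python
"""Check proxy log hostnames against a domain blocklist.

Added example, not from the article or any firewall or proxy product.
It shows the matching rule a blocklist needs: an entry "bad.example" must
cover "bad.example" and "c2.bad.example" but not "notbad.example". The
blocklist entries and log lines are constructed placeholders, not real
indicators; the log layout follows the common proxy access-log form
"<ts> <ms> <client> <code> <bytes> <method> <url-or-host:port> ...".
"""
from urllib.parse import urlsplit

BLOCKLIST = ["bad.example", "Payment-Portal.test", "cdn.updates.example."]  # constructed


def normalize(host):
    """Lower-case, drop a trailing dot and a ':port' suffix so forms compare equal."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:            # "host:443" from a CONNECT request
        host = host.rsplit(":", 1)[0]
    return host


def build_index(entries):
    return {normalize(e) for e in entries}


def is_blocked(host, index):
    """True if host equals a blocklisted domain or lies beneath one.

    Matching walks label boundaries (a.b.c, b.c, c), so a substring match
    such as "notbad.example" containing "bad.example" does not fire.
    """
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in index for i in range(len(labels)))


def host_of(target):
    """Extract the host from an absolute URL or a CONNECT 'host:port' target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target


SAMPLE_LOG = """\
1700000001.001 120 10.0.0.5 TCP_MISS/200 512 GET http://c2.bad.example/gate.php - HIER_DIRECT/192.0.2.10 text/html
1700000002.002 80 10.0.0.5 TCP_TUNNEL/200 4096 CONNECT payment-portal.test:443 - HIER_DIRECT/192.0.2.11 -
1700000003.003 60 10.0.0.7 TCP_HIT/200 2048 GET http://www.notbad.example/index.html - HIER_NONE/- text/html
1700000004.004 70 10.0.0.7 TCP_MISS/200 1024 GET http://CDN.Updates.Example./pkg.bin - HIER_DIRECT/192.0.2.12 application/octet-stream
""".splitlines()   # constructed sample lines


def scan(lines=SAMPLE_LOG, entries=BLOCKLIST):
    """Return (client, matched host) for every log line whose host is blocklisted."""
    index = build_index(entries)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, target = fields[2], fields[6]
        host = host_of(target)
        if host and is_blocked(host, index):
            hits.append((client, normalize(host)))
    return hits
```

`is_blocked` matches on label boundaries, which is the detail most often got wrong in hand-rolled blocklists; a naive `entry in host` test would block `notbad.example` and pass `bad.example:443`. Domain blocking only helps while the list is current and the variant actually needs to call home; a sample with an embedded key, or one that contacts raw IP addresses, needs the host-side controls from the earlier stages.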
Limit shared file activities: Many ransomware variants look for files on storage other than the boot volume, such as file servers and additional volumes, and encrypt everything they can find to inflict maximum damage. Consider limiting the operations allowed on shared volumes, for example granting write access only to the users and applications that need it, and watch for a single session modifying large numbers of files in a short time.
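One way to put the shared-volume advice above into practice on the monitoring side, added here as an example that is not from the article or from any file-server product: slide a time window over share access audit events per (user, client) session and alert when one session modifies many distinct files, or renames files to a different extension, which is the footprint ransomware leaves on a file server. The audit line format, the thresholds and the sample events are constructed assumptions to be tuned per environment.

```python
"""Flag a session mass-modifying files on a network share.

Added example, not from the article or any product. It slides a time window
over share audit events per (user, client) and alerts when one session
touches many distinct files, or renames files to a different extension,
which is the typical footprint of ransomware on a file server. The log
format, thresholds and sample lines are constructed assumptions.
"""
from collections import defaultdict, deque
import os

WINDOW_SECONDS = 60        # assumed window
FILE_THRESHOLD = 20        # distinct files modified within the window
EXT_CHANGE_THRESHOLD = 5   # renames that change the extension within the window


def _ext(path):
    return os.path.splitext(path)[1].lower()


def parse(line):
    """Constructed format: '<epoch> <user> <client> <op> <path>[ -> <new_path>]'
    (paths without spaces, to keep the illustration simple)."""
    ts, user, client, op, rest = line.split(" ", 4)
    path, _, new_path = rest.partition(" -> ")
    return {"ts": float(ts), "user": user, "client": client, "op": op,
            "path": path, "new_path": new_path or None}


def detect(lines, window=WINDOW_SECONDS, file_threshold=FILE_THRESHOLD,
           ext_threshold=EXT_CHANGE_THRESHOLD):
    """Return one alert per (user, client) session that crosses a threshold."""
    recent = defaultdict(deque)   # session -> deque of (ts, path, ext_changed)
    fired, alerts = set(), []
    for line in lines:
        e = parse(line)
        if e["op"] not in ("write", "rename", "delete"):
            continue                      # reads are not modifications
        key = (e["user"], e["client"])
        ext_changed = e["op"] == "rename" and _ext(e["path"]) != _ext(e["new_path"])
        q = recent[key]
        q.append((e["ts"], e["path"], ext_changed))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p, _ in q})
        ext_changes = sum(1 for _, _, c in q if c)
        if key not in fired and (distinct >= file_threshold or ext_changes >= ext_threshold):
            fired.add(key)
            alerts.append({"user": key[0], "client": key[1], "at": e["ts"],
                           "files": distinct, "ext_changes": ext_changes})
    return alerts


def sample_log():
    """Constructed events: bob edits three files over a minute; alice's
    client rewrites and renames 25 documents in under 13 seconds."""
    lines = []
    for i, t in enumerate((1000.0, 1020.0, 1040.0)):
        lines.append(f"{t} bob 10.0.0.9 write \\\\fs01\\finance\\budget{i}.xlsx")
    for i in range(25):
        t = 1000.0 + i * 0.5
        doc = f"\\\\fs01\\finance\\doc{i}.docx"
        lines.append(f"{t} alice 10.0.0.5 write {doc}")
        lines.append(f"{t + 0.25} alice 10.0.0.5 rename {doc} -> {doc}.locked")
    return sorted(lines, key=lambda l: float(l.split(" ", 1)[0]))
```

The extension-change signal fires first in the sample, on the fifth rename, well before twenty files have been touched; that early trigger is what makes an automated response (disconnecting the session or revoking its write access on the share) worth more than a daily report. Thresholds should be set from the share's normal activity, since a legitimate bulk conversion job will also trip a rule tuned too low.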
Ransom demand stage
Restore from backup; keep a recent backup offsite and "air gapped": Store a set of multiple, complete backups and assume an attack. An "air-gapped" backup is connected to neither the computer nor the network. (For an individual this could mean backing up to an external hard drive; when the backup is done, unplug the drive and keep it in a drawer, away from any computer. Ransomware cannot detect or damage a backup it cannot reach.) Consider using a "bare metal backup" utility, which backs up not only your user files but the whole system, so that you can erase all storage volumes (after an infection, or if the machine is stolen) and get back to a usable state with all your applications and data restored.
Ensuring your organisation’s precious
data is not ripe for the taking is a
daunting task, especially with the
steady rise of ransomware as an
attack vector. By adopting a planned
approach involving both end users and
IT administrators, and implementing
integrated security solutions that
protect, detect and correct, businesses
in the region can avoid the unplanned
downtimes and losses associated with
such malware attacks.