Webinar: Nightmare On Ransomware Street - Lock Your Digital Doors
Halloween has been and gone: the time when we share scary stories knowing they’re confined to story books and movie screens. Unfortunately, there are some IT horror stories that are all too real, and the scariest of them is ransomware.
Unlike your typical Halloween monsters, these digital monsters, or hackers, are real and use fear to get users to hand over cash or assets in exchange for decrypting essential and valuable files.
Under no circumstance should you give in to fear and pay the ransom demanded by a hacker. Instead, learn from our assembled team of experts what you can do right now to remove the main risks of infection and sleep better at night.
Listen to NNT’s CTO and CEO as they discuss:
- The Anatomy of a Ransomware Attack
- Proven Steps to Prevent a Ransomware Attack
- Access to Ransomware Mitigation Kits
- Tools to help handle Ransomware fears throughout the organization
A Very Scary Webinar
Welcome to NNT on Halloween – thought I should explain that in case you were wondering what all the dripping blood and creepy images are – but yes, we have a very scary webinar for you today so please - ask any children or the infirm to leave the room – I CANNOT be held responsible for ANY sleepless nights that may ensue from what… you are about…to see…
Certainly A Pretty Horrible Thing To Have To Deal With
The scariest thing? Certainly a pretty horrible thing to have to deal with.
What is shown on the right is from Petya / NotPetya: WPP Group, an organization with significant resources, was crippled. If it can happen to them… NotPetya is so called because it appeared to share a significant amount of code with an older piece of ransomware that really was called Petya. We now know it bears only a superficial resemblance, but the Petya tag stuck.
The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish transport firm Maersk, leading to PCs and data being locked up and held for ransom. Heritage Valley Health Systems, which runs hospitals and care facilities in Pittsburgh, also said its systems had been hit by the malware.
Talking of healthcare organizations, the UK NHS was very badly hit by another headline-grabbing Ransomware variant, WannaCrypt (or WannaCry). Again, the NHS is the 5th largest employer in the world, behind McDonald's, Walmart, The Chinese Army and the US DoD – so it isn’t a question of manpower, and in fact with Ransomware, because it is generally spread via Phishing, the larger the organisation, the more chance there is to be hit.
The message of the webinar is that, even though there may be plenty of Zombies around today, we need to make sure we snap back into life and take action.
Just To Show How Indiscriminate Ransomware Is
Just to show how indiscriminate Ransomware is, you can see where it is hitting hardest – there is a rough correlation between where infections are reported and the level of industrialisation – China is very insular in terms of internet usage/access but still reports being hit. With Petya, there was a suggestion that it was perhaps more targeted than most and more designed to cause disruption than necessarily coerce ransom payments.
But again, the overwhelming message you should be taking on board and hopefully using to educate your colleagues and company management is that Ransomware gets the great and the good, the big and the small, the healthcare providers and the most commercially savvy, and it is most definitely trying to get your company’s data too.
This Is A Webinar, So We Needed Some Graphs!
This is a webinar, so we needed some graphs!
The most interesting takeaway is that there is no real trend in the top graph – my interpretation is that on a month by month basis, the battlefront changes and sometimes they win, sometimes we defend better, but there is always a fresh attack coming – and only one of them needs to succeed. This is borne out by the lower graph which shows that some work better than others – but as I said earlier, you only need one to succeed and it’s going to be a Nightmare on Your Street.
A few years ago it was reported that AV is dead – well, not quite, it's more the Living Dead in that it is still alive – just – but is increasingly ineffective as obfuscated zero-day malware is used more and more. Zero Day means unknown to the AV, so the malware is invisible to it and goes untracked. We need to organise and arm ourselves far more effectively.
How Does It Happen?
How does it happen? Email – phishing, be it the mass, spear or now whale variety for corporate targets – is still the most common means of invoking a Ransomware attack. The home-user ‘market’ for the extortionists lends itself to mass-emailing, but this means that the malware can just as easily end up on Corporate Workstations. Significantly, now that there has been a very public precedent of a hospital paying a ransom, expect corporate targets to be pursued more aggressively.
The first thing we need to establish is the fact that Ransomware is no different than any other form of malware in terms of its delivery means – usually, but not exclusively, via email with either malware attachments or links to infected websites. The difference - and the scary part - is how it is used to extort money from victims.
Once the malware has been invited onto a user’s computer it can then get to work, encrypting files before announcing its presence and declaring its ransom demand. The nature of its immediate demands and very tangible threat is precisely what makes it more feared than other malware. However, your line of defence and your approach to preventing Ransomware should be the same as it would be for any other Malware.
What Can We Do?
What can we do? Prevention is better than any cure, so start with minimizing the opportunity for Ransomware to infect your endpoints. Malware works because it is able to exploit vulnerabilities at a platform level, like Windows or Red Hat, but also at an application level. This is especially pertinent to Ransomware because the main distribution method used is phishing -
Of course, still use AV software: it will protect against older, already known ransomware variants, but the same blind spots apply. The widely-held view that ‘AV is Dead’ stems from its inability to identify Zero Day ransomware, which, like any other Zero Day malware, will not be identified. That doesn’t mean it’s pointless, but it won’t be enough to stop all ransomware infections.
Unfortunately, phishing is, by design, notoriously tough to prevent, due to its cunning and devious methods. The malware is invited in by the recipient, typically either by opening an attachment or by activating/downloading a link, thereby largely subverting Corporate IT Security.
The best approach is therefore to harden the user workstation environment, to prevent malware activity where possible and at least to place more obstacles in the way where not. As with any hardening program, a balance must be found between strong security and operational ease of use.
The majority of exploitable vulnerabilities can be mitigated within the Workstation Operating System, and further protection can be provided using manufacturer extensions such as Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) and Windows Defender or 3rd Party AV.
Sounds complicated? Fortunately, NNT works with the Center for Internet Security and they have done all the hard work for you! They pull together all known vulnerabilities and provide detailed secure configuration guidance for your desktops, servers and applications, including email client and browser software.
Best of all we will be giving any attendee a free Change Tracker system including the sample reports and remediation kits to not just identify vulnerabilities, but to then automatically apply a secure configuration policy.
The NNT approach
Determining a finite definition of the applications and processes permitted on a device has always been a deceptively tricky exercise, so monitoring is generally considered the best compromise: it improves security without inadvertently disrupting user and application operation, which is often the unfortunate consequence of rigidly blocking non-whitelisted processes.
However, for completeness, you may consider leveraging Microsoft AppLocker – it’s free and is effective if you have a reasonably controlled, static platform.
As an advance on this, and it is early days right now, Microsoft will soon be shipping Windows Defender Device Guard for Windows 10 Enterprise and Server 2016. Similar to the current AppLocker, this strengthens security by only allowing signed and/or whitelisted drivers and applications to run, controlled by a User-Defined Code Integrity policy. However, Device Guard significantly advances the concept in that the Code Integrity policy is enforced by an isolated, virtualized secure kernel, rendering it always protected from malware. Device Guard also leverages enhanced BIOS protection provided by the latest UEFI chipsets.
The NNT approach is to whitelist the ‘known safe’ posture of the workstation or server in terms of processes and services, as well as all other configuration attributes (software, security policy, open ports), so that any unexpected activity is highlighted too. Again, this is a fundamentally sound security best practice, not just for ransomware defence but against any malware. We can show this later.
You Can Alleviate The Zero Day Blind Spot
You can alleviate the Zero Day blind spot using good File Integrity Monitoring software to report any unusual file system activity. Not only will this highlight the ransomware malware files when they are first introduced to the system, but it will at least also show when newly encrypted files have been created. Don’t be put off by any previous experience of legacy FIM solutions like Tripwire, which have always been dogged by FIM change noise: false positives raised for every file change.
Contemporary intelligent FIM solutions work in conjunction with Threat Intelligence to eliminate the false positives of change noise and make the operation of FIM a viable, practical option.
Instead of simply reporting every file change as it is detected, each change is first automatically analysed to verify whether the file identity is already known as a legitimate system file. This is where the file whitelist and threat intelligence are leveraged. The result is that only the genuinely suspicious file changes involving ‘not already verified as safe’ files are highlighted.
By augmenting the FIM technology with automated access to a comprehensive file whitelist repository, Zero Day malware missed by the AV will still be detected and flagged as suspiciously ‘not whitelisted’.
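As an added illustration of the whitelist-aware FIM pass the last three paragraphs describe (example code written for this page, not NNT's Change Tracker or any product code), the Python below compares a baseline snapshot with a rescan, suppresses changes whose content hash is already on the safe-file whitelist, and flags new unknown files, deletions and modifications; a Shannon-entropy check on modified files is an assumed heuristic for spotting the newly encrypted files the page mentions, and the 7.5 bits/byte threshold, the snapshot format and all file names are assumptions.

```python
import hashlib
import math
import os

# Snapshots map path -> (sha256 hex, Shannon entropy in bits/byte). The whitelist
# is a set of hashes of content already verified as safe (assumed format).
ENTROPY_THRESHOLD = 7.5  # assumption: this random-looking usually means encrypted

def shannon_entropy(data: bytes) -> float:
    """0.0 for empty or constant input, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def fingerprint(data: bytes) -> tuple:
    return hashlib.sha256(data).hexdigest(), shannon_entropy(data)

def snapshot(root: str) -> dict:
    """Fingerprint every regular file under root (the FIM baseline or a rescan)."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[path] = fingerprint(fh.read())
    return snap

def classify_changes(baseline: dict, current: dict, whitelist: set) -> list:
    """Report only changes that are not already verified as safe."""
    findings = []
    for path, (digest, entropy) in current.items():
        if digest in whitelist:
            continue  # known-good content, e.g. a vendor patch: change noise, suppressed
        if path not in baseline:
            findings.append((path, "new file not in whitelist"))
        elif baseline[path][0] != digest:
            if entropy >= ENTROPY_THRESHOLD:
                findings.append((path, "modified, high entropy: possible encryption"))
            else:
                findings.append((path, "modified, content not in whitelist"))
    for path in sorted(baseline.keys() - current.keys()):
        findings.append((path, "deleted"))  # originals removed after encryption
    return findings
```

Run `snapshot()` once to store the baseline, rescan on a schedule and feed both to `classify_changes()`; a burst of high-entropy modifications plus deletions across user data is the pattern worth alerting on.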
In The Meantime
In the meantime, the simplest and maybe the most effective countermeasure is to be prepared to start again via regular backups, but make sure this is an isolated
We have talked about the concept of Zero Day Ransomware, but inevitably these variants do become known, so an AV update may help once detection and removal capabilities for them have been provided.
Taking this further, take a look at nomoreransom.org, a site backed by security firms and cybersecurity organizations in 22 countries. Since its launch on July 25, 2016, nomoreransom.org estimates that it has been able to save 6,000 victims of ransomware more than $2 million USD to date. Last week the group announced the site is now available in Dutch, French, Italian, Portuguese and Russian.
Visit the Crypto Sheriff page at nomoreransom.org, upload one of the files encrypted by the ransomware, and the site will let you know if there is a solution available to unlock all of your files for free.
As the CEO at New Net Technologies, Mark works closely with all departments within the business to ensure NNT is optimized to continue to bring innovative cyber security solutions to market as well as ensuring that the correct support process exists to facilitate successful deployments and that ongoing solution value is maintained for all customers.
As the CTO at New Net Technologies, Mark is the technical lead within the company and is responsible for researching the latest market trends, identifying the technological requirements and translating these points into innovative product functionality.
New Net Technologies is a global provider of data security and compliance solutions. Clients include NBC Universal, HP, RyanAir, Arvato and the US Army.
NNT Change Tracker Gen 7 audits your IT estate for compliance with best practices in security configuration, provides real-time, zero day malware protection and protects systems from any unauthorized changes: