How to fight back against ransomware


Antivirus and firewall solutions will stop commodity and automated attacks, but agencies must deploy defense-in-depth strategies.

The first documented ransomware attack hit in 1989, prompting organizations to implement antivirus, firewalls and other security tools to guard their network perimeters and endpoint devices. Yet, three decades later, state and local agencies remain vulnerable. Hardening security postures requires understanding how attackers “teach” ransomware to slip past their defenses. 

Ransomware typically selects the files it will encrypt by file extension. It targets an agency's Microsoft Office documents or photos while leaving operating system files intact, so the machine still boots and can display the ransom demand. For each target, the malware reads the file, encrypts its contents in memory, writes the ciphertext back (often under a new name or extension), destroys the original and, once the run is complete, displays the dreaded ransom note.

The security industry has developed five primary approaches to combating ransomware, although none have proven to be consistently effective:

1. Static file analysis. This is the same technique that's used for malware detection in antivirus, anti-malware and other endpoint protection products. It looks for known malicious code behavior, byte sequences or strings, as well as words that commonly appear in ransom notes (e.g., Bitcoin, decrypt, encrypted). It is a signature- and machine learning-based method for detecting malicious code. Malware writers use packers, crypters and other tools to obfuscate their binaries and change their signatures, which makes static analysis relatively easy to bypass.

2. Blacklist file extensions. Admins can blacklist the file extensions that ransomware families typically append to the files they encrypt. While this may stop a known variant immediately, it too is easy to bypass: the ransomware simply needs to use a new extension or a random one. For example, CryptXXX and CryptoWall variants used random extensions instead of a fixed one. Alternatively, ransomware may keep the original file names and extensions altogether, leaving nothing for the blacklist to match.

3. Honeypot files. IT staff plant decoy files that no legitimate user or application should modify and monitor them for changes. Once a decoy is "touched," the system treats the access as an attack and blocks the offending process. However, this does not prevent all damage: ransomware usually walks directories in a fixed order, so many real files will likely be encrypted before it reaches a decoy, and placement of the decoys therefore matters. Or, the ransomware may simply avoid those files or folders altogether.

4. Monitoring the file system for mass file operations. Security tools count renames, writes and deletes per process within a sliding time window. If a defined threshold is exceeded, the offending process is terminated. This technique eliminates the reliance on specific signatures or file extensions and instead looks for the abnormal burst of activity typically associated with ransomware. However, some files will be encrypted before the limit is exceeded. Malware can also bypass this detection method with a "low and slow" approach, adding delays between encryptions, or by spreading the work across multiple encryption processes so that no single process crosses the threshold.

5. Tracking file data change rate. This approach calculates the entropy (randomness) of a file's contents before and after a write; ciphertext is far more random than a document or a spreadsheet. Once a threshold of change is detected across enough writes, the offending process is deemed malicious and terminated. This method produces fewer false positives than the other techniques (already-compressed formats such as JPEG or ZIP start out with high entropy, which is why the test measures change rather than absolute randomness), but files will keep being encrypted until the required level of confidence is reached, so not all damage is blocked. Additionally, this technique can be bypassed by encrypting only parts of files, or by encrypting in small chunks, which keeps the measured entropy change per write below the threshold.
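To make approaches 3 through 5 concrete, here is an added toy monitor (example code written for this page, not any vendor's implementation) that applies a decoy check, a sliding-window operation count and an entropy-jump test to simulated file writes, then replays the evasions the list describes: full-speed whole-file encryption, partial encryption, a low-and-slow run, and a run that skips the decoys. The thresholds, the sample document, the decoy path and the attacker strategies are all constructed assumptions.

```python
"""
Toy file-activity monitor combining decoy files, a mass-operation threshold and
an entropy-change test, replayed against several attacker strategies.
Added example, not vendor code; every threshold and sample below is an assumption.
"""
import math
import random
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English text, approaching 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class FileActivityMonitor:
    """Inspects every write and returns the name of the rule that fired, or None."""

    def __init__(self, decoys, window_s=5.0, max_ops=20,
                 entropy_jump=2.5, entropy_streak=3):
        self.decoys = set(decoys)              # decoy paths (assumed layout)
        self.window_s, self.max_ops = window_s, max_ops
        self.entropy_jump, self.entropy_streak = entropy_jump, entropy_streak
        self.recent = deque()                  # timestamps of writes inside the window
        self.streak = 0                        # consecutive high-entropy-jump writes

    def observe_write(self, ts, path, before, after):
        if path in self.decoys:                # approach 3: decoy touched
            return "decoy"
        self.recent.append(ts)                 # approach 4: mass operations
        while ts - self.recent[0] > self.window_s:
            self.recent.popleft()
        if len(self.recent) > self.max_ops:
            return "mass-ops"
        jump = shannon_entropy(after) - shannon_entropy(before)   # approach 5
        self.streak = self.streak + 1 if jump >= self.entropy_jump else 0
        if self.streak >= self.entropy_streak:  # confidence reached only after a streak
            return "entropy"
        return None


def encrypt(data, fraction, rng):
    """XOR the first `fraction` of the file with a keystream (stand-in for real crypto)."""
    n = int(len(data) * fraction)
    keystream = bytes(rng.getrandbits(8) for _ in range(n))
    return bytes(a ^ b for a, b in zip(data, keystream)) + data[n:]


def simulate(fraction, delay_s, skip_decoys, n_files=30):
    """Replay one attacker strategy.

    Returns (rule that fired or None, number of real files encrypted before it fired).
    The decoy is enumerated last, as it would be if the attacker walked the share in order.
    """
    rng = random.Random(1234)                  # deterministic keystream for the demo
    doc = b"Council meeting minutes: budget line item approved. " * 40  # constructed text
    decoy = "share/zz_decoy.docx"
    targets = [f"share/doc{i:02d}.docx" for i in range(n_files)] + [decoy]
    monitor = FileActivityMonitor(decoys={decoy})
    lost, ts = 0, 0.0
    for path in targets:
        if skip_decoys and path in monitor.decoys:
            continue
        ts += delay_s
        verdict = monitor.observe_write(ts, path, doc, encrypt(doc, fraction, rng))
        if path not in monitor.decoys:
            lost += 1
        if verdict:
            return verdict, lost
    return None, lost


if __name__ == "__main__":
    for label, args in [("fast, whole-file", (1.0, 0.01, False)),
                        ("fast, first 10% only", (0.1, 0.01, False)),
                        ("slow, first 10% only", (0.1, 1.0, False)),
                        ("slow, partial, skips decoys", (0.1, 1.0, True))]:
        print(f"{label:30s} -> {simulate(*args)}")
```

Whole-file encryption trips the entropy rule after the three writes needed for confidence; encrypting only a tenth of each file keeps the entropy jump under the threshold, so only the burst detector catches it, and 21 files are gone by then; spacing the writes a second apart defeats the burst detector too, and the run is stopped only when it finally touches the decoy, after every real file in the share; an attacker who skips the decoy path is never stopped. Those four results are exactly the caveats attached to each approach above.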

What can municipalities do to fortify their defenses against ransomware attacks? By following these five steps agencies can address basic IT hygiene and embrace a “defense in depth” approach.

First, organizations need to know what they have. Often IT departments cannot answer a simple question like, "How many Windows 7 SP1 systems do we have?" Asset management must be table stakes.

Second, take patch management seriously. The days of a 30-day SLA for critical patches are long gone (or they should be). Attackers sometimes begin exploiting a vulnerability within hours of its public disclosure.

Third is multifactor authentication. At the very minimum, highly privileged users, such as admins, must use MFA/2FA. All remotely accessible systems (e.g., terminal servers, remote desktop protocol endpoints, VPN gateways) must be reachable only with 2FA. This dramatically hardens an environment against groups like the one behind SamSam, which often gained entry by brute-forcing RDP passwords.

Fourth, ensure a sound backup strategy is in place. Many ransomware groups target backups in an attempt to corrupt, delete or encrypt them, so at least one copy must be offline or otherwise unreachable with the credentials that run the production network. This requires answering several key questions: Where is sensitive data located? Just servers, or workstations as well? What about backing up to the cloud? Are recovery procedures tested and confirmed ready? In the event of an attack, how long will it take to recover all data and systems? Is the network properly segmented so that an infected workstation cannot reach the backup targets?

Finally, complement traditional security layers that look for “the bad” with an approach that does the exact opposite -- ensuring what’s good. This is not a call for municipalities to uninstall their antivirus products. Even though a skillful locksmith can unlock a house door in a matter of seconds, it doesn't mean we should be leaving our doors unlocked or getting rid of the door altogether. On the contrary, those basic defenses serve as a deterrent, while we deploy more advanced defenses -- alarm systems, guard dogs, etc.

The same logic holds for cybersecurity. Antivirus and firewall solutions will stop commodity and automated attacks. However, because antivirus technologies (even those that use machine learning or so-called artificial intelligence) rely on past knowledge to stop attacks, they are rarely effective against new, targeted attacks. And that is exactly what the advanced groups behind high-profile ransomware attacks frequently use.

Changing the status quo requires combining these existing tools with ones that define the "good" through application whitelisting (allowlisting): only known, approved executables are permitted to run, so an unknown binary is blocked regardless of whether a signature exists for it. This enables agencies to embrace a true defense-in-depth approach by building a last line of defense against malware and ransomware that evades frontline defenses like antivirus.

The security team cannot work on an island; it needs the support of management for both making the necessary investments in people and technology and ensuring all employees are regularly trained on security best practices. Well-educated employees who can recognize and report suspicious emails and other activities are just as effective a security layer as the latest next-gen security software tools.
