Ransomware protection -- what you may be missing

25.07.2016
Unless you have been living on a remote island with no internet access, you are no doubt familiar with ransomware.

It is a simple but frightening concept -- making all of your files unavailable, and then demanding that you pay to get them back. Ransomware is definitely a growth industry, with a 30% increase in cases in Q1 of 2016 alone, according to Security Intelligence.

We should not be surprised at all by this trend, as it seems to be the nearly perfect crime. It is an easy business to start, with most of the needed tools available inexpensively on the dark web. The criminals' customer base, those whose files are being held hostage, is highly motivated, since their files are unusable -- and since payment is typically demanded in Bitcoin, the people collecting it are difficult or impossible to identify.

While ransomware has hit individuals and industries indiscriminately, it can cause the most trouble in industries like healthcare, where the impact of an infected system can reach far beyond inconvenience. In recent months, the information security world has seen an increase in targeted attacks, focusing on businesses and organizations over individuals. According to Security Week, this is not surprising, given that corporations can afford to pay more, and can ill afford to have their operation shut down by an infection.

In the past few months, I have lost track of the number of articles I have read on the topic of ransomware protection. Sadly, most of the ones I read are remarkably similar, with the same top 10 or so approaches to prevention, including having a good anti-virus package, good backups, and well trained users.

These are all good and appropriate approaches, but if you follow the field as closely as I do, you have seen them over and over, to the point where your eyes glaze over. As the saying goes, sometimes you can't see the forest for the trees. We are so used to seeing the top 10 prevention techniques that we sometimes miss the less discussed approaches. These matter, because the purveyors of ransomware read the same articles, and can use the common approaches as a road map for improving their techniques.

One of my customers is a large healthcare institution, and one of my major focuses with them has been to take a deep look at approaches to ransomware prevention and recovery. In the process, I have found many things that organizations can do that are not often discussed in the trade press. Since we in the business world need all the help we can get at this point, these can be very important. Consider a few of these:

A good backup can be your ticket to recovery from a ransomware attack without having to write a big check. The problem, however, is that an untested backup may turn out to be useless when it is really needed. It is possible to go for months without realizing that your backup process is failing.

The only way to make sure backups are ready when you need them is to test them. This involves restoring some percentage of your files from backup on a periodic basis and confirming that the restored files are usable and correct, ideally by comparing them against checksums recorded when the backup was taken. Keep in mind that ransomware running on a workstation will also encrypt any backup volume or network share that user can write to, so the copy you test should be one the infected machine could not have reached. While testing is a critical aspect of the backup process, it is often overlooked, even by large companies.
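As an added example (not code from the article), here is a small restore test of the kind a backup administrator could schedule: at backup time it records a SHA-256 manifest of the source files, and on each test run it restores a random sample of files into a scratch directory and checks every one against the manifest, reporting files that were silently dropped or corrupted. The directory layout, the JSON manifest format, the sample percentage and the constructed five-file scenario in demo() are assumptions.

```python
"""Periodic restore test: restore a random sample of files from a backup
copy and verify each against a SHA-256 manifest taken at backup time.
Added example; directory layout, manifest format and sample fraction are
assumptions, not part of any particular backup product."""
import hashlib
import json
import os
import random
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source_dir, manifest_path):
    """Record relative path -> SHA-256 for every file at backup time."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def restore_test(backup_dir, manifest_path, sample_fraction=0.2, seed=None):
    """Restore a random sample of files into a scratch directory and check
    each against the manifest.  Returns (files_checked, failures), where
    failures lists relative paths that were missing or hashed wrongly."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    rng = random.Random(seed)
    sample_size = max(1, int(len(manifest) * sample_fraction))
    sample = rng.sample(sorted(manifest), sample_size)
    failures = []
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        for rel in sample:
            src = os.path.join(backup_dir, rel)
            dst = os.path.join(scratch, rel)
            if not os.path.isfile(src):
                failures.append(rel)        # never made it into the backup
                continue
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)          # the actual "restore" step
            if sha256_file(dst) != manifest[rel]:
                failures.append(rel)        # restored, but not what was backed up
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return len(sample), failures


def demo():
    """Constructed scenario: back up five files, then simulate a backup job
    that corrupted one file and dropped another.  A full-sample restore
    test must report exactly those two."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        source = os.path.join(work, "source")
        backup = os.path.join(work, "backup")
        os.makedirs(source)
        for i in range(5):
            with open(os.path.join(source, f"doc{i}.txt"), "w") as f:
                f.write(f"quarterly report {i}\n" * 100)
        manifest_path = os.path.join(work, "manifest.json")
        write_manifest(source, manifest_path)
        shutil.copytree(source, backup)
        with open(os.path.join(backup, "doc1.txt"), "ab") as f:
            f.write(b"\x00")                            # corrupted copy
        os.remove(os.path.join(backup, "doc3.txt"))     # file never copied
        checked, failures = restore_test(backup, manifest_path,
                                         sample_fraction=1.0, seed=1)
        return checked, sorted(failures)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    checked, failures = demo()
    print(f"checked {checked} files; failures: {failures}")
```

A hash match proves the restored bytes are what was backed up; for formats that matter, also open a few restored files with the real application, since a correct copy of an already-corrupt original is still useless.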

Intrusion Prevention Systems (IPS), which monitor network traffic looking for attempts to exploit vulnerabilities, can be a valuable weapon in the fight against ransomware. It often takes weeks or months for a vendor to release a patch once a new vulnerability is discovered, and even more time can elapse before the patch gets applied to all systems within an organization.

An IPS, which normally sits at the network perimeter (and increasingly, on the internal network as well), can offset some of the danger of unpatched workstations by detecting and filtering out attempts to exploit such vulnerabilities.

IPS technology can be part of a firewall, such as with the Dell Sonicwall products, or as a standalone device, like Trend Micro TippingPoint. IPS is quickly becoming a must-have technology for any business or organization.

Despite the improvements in ransomware technology, in most cases, these programs still depend on a user opening an attachment to an email they receive. As such, user training occupies a key spot on most ransomware prevention checklists, and one I strongly support.

The problem, however, is that even the best trained users can slip up. Companies that use phishing testing/training products such as PhishMe typically find some percentage of users who fail the test, meaning that some will likely fall for a real phishing message as well. One surprisingly overlooked approach is to block all but essential attachment types at the email server.

A good example of the need for attachment blocking is the recently discovered RAA ransomware variant, which is implemented entirely in JavaScript. It is usually spread as a .JS attachment to an email, which can be disguised as a Microsoft Office document (a name like invoice.doc.js shows up as invoice.doc on a Windows desktop that hides known extensions). Very few companies really need to send or receive .JS attachments, but few attempt to block them, or the other file types commonly used as attack vectors. To be effective, the block must judge by the real final extension and look inside archive attachments as well, since a .js file inside a .zip sails past a filter that only checks the attachment's own name.
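The following is an added example, not code from the article or from any mail product, of the attachment policy described here. It parses a constructed message carrying a harmless PDF, an RAA-style mgr-ax-v-en.doc.js attachment and a zip that hides a .js next to a text file, judges each attachment by its real final extension, and recurses into zip archives (flagging encrypted members it cannot inspect). The block list, the archive-depth limit and the sample message are assumptions.

```python
"""Mail-gateway attachment policy: reject attachment types the business
never needs, judging by the real final extension and looking inside
archives.  Added example, not from the article or any mail product; the
block list, depth limit and sample message are assumptions."""
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Types that run or script when double-clicked on a Windows desktop.
# Assumed block list: tune it to what your organisation actually exchanges.
BLOCKED_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr",
    ".pif", ".com", ".bat", ".cmd", ".ps1", ".jar", ".lnk", ".msi",
}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 2   # nested zips beyond this are rejected unopened


def final_extension(filename):
    """'mgr-ax-v-en.doc.js' -> '.js'.  Only the last extension decides what
    Windows does with the file, whatever the rest of the name suggests."""
    return os.path.splitext(filename)[1].lower()


def check_name(filename, prefix=""):
    ext = final_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return [(prefix + filename, f"blocked extension {ext}")]
    return []


def check_archive(data, prefix, depth):
    """Inspect every member of a zip, recursing into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix.rstrip("/"), "named .zip but not a valid zip archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            findings += check_name(info.filename, prefix)
            if info.flag_bits & 0x1:        # encrypted member: cannot look inside
                findings.append((name, "encrypted archive member cannot be inspected"))
            elif final_extension(info.filename) in ARCHIVE_EXTENSIONS:
                if depth >= MAX_ARCHIVE_DEPTH:
                    findings.append((name, "nested archive too deep"))
                else:
                    findings += check_archive(zf.read(info), name + "/", depth + 1)
    return findings


def scan_message(raw):
    """Return [(attachment name, reason), ...] for every policy violation;
    an empty list means the message may be delivered."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings += check_name(name)
        if final_extension(name) in ARCHIVE_EXTENSIONS:
            findings += check_archive(part.get_payload(decode=True), name + "/", 1)
    return findings


def build_sample_message():
    """Constructed test message: a harmless PDF, an RAA-style '.doc.js'
    attachment, and a zip hiding a .js next to an innocent text file."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4 (constructed placeholder)", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"var a = 1;", maintype="application",
                       subtype="octet-stream", filename="mgr-ax-v-en.doc.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "var b = 2;")
        zf.writestr("readme.txt", "just text")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"REJECT {name}: {reason}")
```

Rejecting anything the filter cannot inspect (an unreadable or password-protected archive) is deliberate: attackers put the zip password in the message body precisely so that the gateway sees only an opaque blob.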

Traditional signature-based anti-virus programs can only block malware that has been seen before. The challenge is that hundreds of thousands of new malware variants are seen every day, according to AV-TEST. An alternative approach is to monitor behavior on the workstation, looking for the actions that most malware programs have to perform. Since certain behaviors are common to ransomware, such as rapidly rewriting large numbers of user files with encrypted data, they can often be spotted and stopped even though the particular variant has never been seen before. While this approach is still in its infancy, it is growing rapidly, with products such as the Barkly agent.
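To make concrete what behavior-based detection looks at, here is an added example, not the Barkly agent or any vendor's code, that scores a constructed stream of file events per process: how many distinct files a process rewrites inside a short window, the entropy of the bytes it writes (encrypted output sits near 8 bits per byte, ordinary documents far lower), how many files it renames to a new extension, and whether it touches a decoy file no legitimate program should ever modify. The event format, the thresholds, the decoy path and the three sample processes are assumptions.

```python
"""Behaviour-based ransomware detection that needs no signature: score each
process on what it does to files (how many it rewrites in a short window,
the entropy of the data written, extension changes, touching a decoy).
Added example, not the Barkly agent or any product; the event format,
thresholds, decoy path and sample events are assumptions."""
import collections
import math
import os
import random

WINDOW_SECONDS = 10
MIN_FILES = 20         # distinct files touched in the window before we care
HIGH_ENTROPY = 7.5     # bits per byte; encrypted data sits close to 8
CANARY_PATHS = {"C:\\Users\\alice\\Documents\\~$canary.docx"}   # assumed decoy


def shannon_entropy(data):
    """Bits per byte of `data` (0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def analyse(events):
    """events: dicts with ts, pid, image, op ('write'/'rename'/...), path,
    plus data (first bytes written) for writes and new_path for renames.
    Returns {pid: {"image": ..., "reasons": [...]}} for suspicious processes."""
    per_pid = collections.defaultdict(list)
    for ev in events:
        per_pid[ev["pid"]].append(ev)
    alerts = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        # 1. Decoy file: no legitimate program ever writes or renames it.
        if any(e["path"] in CANARY_PATHS and e["op"] in ("write", "rename") for e in evs):
            reasons.append("modified canary file")
        # 2. Sliding window: the busiest window decides, so a slow backup
        #    agent touching many files over minutes does not trip it.
        window = collections.deque()
        best = (0, 0.0, 0)      # (distinct files, mean write entropy, ext changes)
        for e in evs:
            if e["op"] not in ("write", "rename"):
                continue
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW_SECONDS:
                window.popleft()
            files = len({w["path"] for w in window})
            writes = [w for w in window if w["op"] == "write"]
            ent = sum(shannon_entropy(w["data"]) for w in writes) / len(writes) if writes else 0.0
            ext_changes = sum(1 for w in window if w["op"] == "rename"
                              and os.path.splitext(w["path"])[1] != os.path.splitext(w["new_path"])[1])
            if files > best[0]:
                best = (files, ent, ext_changes)
        files, ent, ext_changes = best
        if files >= MIN_FILES and ent >= HIGH_ENTROPY:
            reasons.append(f"{files} files rewritten with {ent:.2f} bits/byte data within {WINDOW_SECONDS}s")
        if files >= MIN_FILES and ext_changes >= MIN_FILES:
            reasons.append(f"{ext_changes} extension changes within {WINDOW_SECONDS}s")
        if reasons:
            alerts[pid] = {"image": evs[0]["image"], "reasons": reasons}
    return alerts


def sample_events():
    """Constructed stream: Word saving one document, a backup agent copying
    40 text files slowly, and a script that rewrites 30 spreadsheets with
    random bytes, renames them to .locked and hits the decoy file."""
    rng = random.Random(7)
    text = b"Quarterly results were in line with expectations. " * 4
    docs = "C:\\Users\\alice\\Documents\\"
    evs = [{"ts": 0.0, "pid": 100, "image": "WINWORD.EXE", "op": "write",
            "path": docs + "memo.docx", "data": text}]
    for i in range(40):
        evs.append({"ts": 5.0 + 15 * i, "pid": 200, "image": "backup.exe", "op": "write",
                    "path": f"D:\\backup\\file{i}.txt", "data": text})
    for i in range(30):
        p = docs + f"report{i}.xlsx"
        evs.append({"ts": 50.0 + 0.1 * i, "pid": 300, "image": "wscript.exe", "op": "write",
                    "path": p, "data": bytes(rng.getrandbits(8) for _ in range(2048))})
        evs.append({"ts": 50.05 + 0.1 * i, "pid": 300, "image": "wscript.exe", "op": "rename",
                    "path": p, "new_path": p + ".locked"})
    canary = next(iter(CANARY_PATHS))
    evs.append({"ts": 53.1, "pid": 300, "image": "wscript.exe", "op": "rename",
                "path": canary, "new_path": canary + ".locked"})
    return evs


if __name__ == "__main__":
    for pid, info in analyse(sample_events()).items():
        print(pid, info["image"], "; ".join(info["reasons"]))
```

The backup agent in the sample writes more files than the script does, but spread over ten minutes, which is why the rate inside a short window matters more than the total; a real agent would also want to act on the first alert (suspend the process) rather than report after the fact.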

Bottom line -- we need all the help we can get in the war against ransomware. We all need to look beyond the trees, the common tips and recommendations we read about daily, and to the forest of new ideas and techniques that can put us ahead of the bad actors for a change.

(www.computerworld.com)

Robert C. Covington