Photo by John Cameron on Unsplash

Photo by John Cameron on Unsplash

Fight Windows ransomware with on-board tools

Negotiating Hurdles

Article from ADMIN 80/2024
By
Ransomware defense involves two strategies: identifying attacks and slowing the attackers to mitigate their effects.

The horror scenario: Your organization's data has been encrypted – in the worst case, after the data has been stolen and is at risk of ending up on the darknet. The measures used to mitigate the effect of ransomware can be broken down into two aspects. The first involves preventing attacks, and the second is all about slowing down the attack if it is successful. Both tasks require changes to workflows and processes involving administrative intervention that is not always convenient.

Entry

Ransomware has a limited number of vectors for entering the company network. Email and malicious attachments come first, but external access to the mailbox is also conceivable, with the manipulation of existing attachments. Many companies also have holes in the firewall that provide a direct route to the internal network. Remote Desktop (RDP) and other protocols that allow remote access are worthy of note, as well as manipulated software that users download and install. Last but not least, one visit to a manipulated website is all it takes to be infected by ransomware or some other malware (drive-by attacks).

Email

Email is the most common way for ransomware to enter a company. A simple file attachment is all it takes. Sending billions of email messages costs nothing but electricity. Valid target addresses can be bought, found, and generated. Anyone who has worked with the same email address for a period of time will be familiar with the problem of spam and be aware that their own address has been public knowledge for a long time. What was technically brilliant about the Locky attack [1], for example, was that the malware and the associated executable file were not directly included in the attachment. Instead, the recipients received an Excel file with a macro that acted as a downloader. The executable was only downloaded from the Internet and executed when the macro was executed. Virus scanners, especially those on mail servers, did not sound the alarm because the attachment itself did not appear to be critical.

You are playing a constant game of cat and mouse: Attackers create malware that will sooner or later be detected by antivirus programs. Because of the abundance of malicious code and the increasingly clever tricks used by attackers to disguise their malware, antivirus (AV) manufacturers have had to switch to behavior-based detection. If a file originates from the Internet, is not digitally signed by a trustworthy software manufacturer, and possibly attempts to access critical system areas, the alarm bells go off. The AV tools also block suspicious connections to the Internet.

In this race, the attackers usually come out on top. If you create a rule that prohibits Excel files with macros, the attackers switch to PDF files with JavaScript or HTML files with an encapsulated script. OneNote files containing Excel files with macros are also a potential vehicle. The game goes on endlessly, and at the end of the day, attachments with dangerous content will always slip through. One relatively simple method to manage this problem is to ban blanket acceptance of email messages with attachments. If no attachments come in, no spam filter or virus scanner has to evaluate and recognize them.

A workflow in the form of a fixed process is required to receive legitimate email with attachments. Third-party providers can help. Anyone wanting to send an email with an attachment needs to communicate with the recipient beforehand. The recipient can negotiate a route with the sender through which the attachment can be transferred. After all, a company does not want to lose an application.zip file if an application comes from a legitimate source. If you want to send something, you can be expected to respond to a reply email telling you to contact the receiver personally.

Third-party providers in this mail flow have ready-made dialogs and portals in their portfolio that initiate the upload with password protection. The password can be trivial and is negotiated spontaneously by telephone; the upload is only permitted during a specific time window. The attachment can then be examined and analyzed before it finds its way to the recipient. Of course, automated systems must have allowlists, but normal users in your company and their counterparts can usually be expected to handle a few extra clicks. The advantage of this workflow is that a company does not have to react to special extensions, but simply blocks everything that comes in without a prior agreement.

Insecure Passwords

Another construction site in IT security is passwords. The sad truth is that companies still use insecure passwords and don't dare switch to at least 16 characters because users can't be expected to remember that many. However, it must be clear to all companies that direct external access to any system over the Internet can no longer be protected by a moderately secure password alone. Even a 20-character password can fail if it falls into the hands of attackers. Therefore you need multifactor authentication (MFA), one-time passwords (OTPs), and similar procedures.

Many companies have opted for the cloud. Exchange Server is often exposed on the network and can be accessed from anywhere in the world. Imagine the only protection for the managing director's email account being the password Summer23 , because the managing director has to change the password every three months and doesn't feel like doing so. The annoying thing is that Summer23 complies with the Microsoft complexity rule for passwords: upper and lower case letters, numbers, and special characters – three of these four character sets are required – along with a minimum length of six characters. This password would have any reasonably experienced attacker laughing out loud.

As soon as an attacker gains access to the mailbox, they can, for example, reply to a co-worker's email containing an Excel spreadsheet with another Excel spreadsheet with macros and malicious code. In this case, the recipient will never suspect an attack, because it is a direct reply to their own email from somebody they know. Moreover, corporate policies for internal attachments are often more lax than for external posts – a phenomenon that the notorious Emotet automated banking trojan exploited.

Another option that attackers now often use is manipulated invoices. Emailing invoices is an established practice. If the dispatched PDF is redirected to the attacker by a mail rule in Outlook, the PDF can be provided with a different invoice total, and the bank details can be adjusted so that it can then be sent out again by someone who looks like the legitimate sender.

Ultimately, attachments will always find a way into the company. As soon as employees open these attachments and malicious code is executed, companies rely on their virus scanners and combine them with behavior-based detection – especially in a cloud with an endpoint (E), managed (M), or extended detection and response (XDR) service. Providers can make good money by offering their protection as a subscription and bill per endpoint. The organization relinquishes responsibility and relies on a tool to detect incidents.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus