Ransomware is a growing plague we’ve been covering frequently here on TechGenix. Many of my colleagues in the IT profession have had sleepless nights worrying about the disaster their company could face should a ransomware attack against them succeed. But is ransomware really such a big problem? And are there any steps you can take as an administrator to protect your organization and stop ransomware attacks before they succeed? I discussed this with security expert Oddvar Moe, and we both agreed that a good starting point is to make use of the many protection features that are already built into the Windows operating system and the Microsoft Office platform. Oddvar is an experienced fellow who has worked as an IT pro for more than 18 years. He is a Microsoft MVP in the area of Cloud and Datacenter Management and he currently works at Advania in Norway as a technical architect with a focus on security testing, cloud services, and Windows enterprise security. He’s also a Microsoft Certified Trainer and a GIAC-certified Penetration Tester (GPEN), and he has a passion for security and loves to share his knowledge through his blog, by writing articles, by speaking at conferences, and on social media. What follows is an edited excerpt from my discussion of this subject with Oddvar on how you can stop ransomware.
Understanding the problem
You can’t stop ransomware unless you know what it is, so I started by asking Oddvar to explain what the actual problem is that we call ransomware. He replied as follows: “Many companies have been hit with ransomware and the problem is increasing. It is very difficult to stay ahead of this problem and be proactive about it. Companies invest a lot of money on security products, but still, ransomware finds its way into client computers. I have seen a lot of different approaches on how to be prepared for the next wave of ransomware. There are a few low-hanging fruits that you can easily enable in your environment to make it more difficult for ransomware to infect computers and I will go over them in this article. But in order to prevent something, you will need to understand it first.
“A user normally gets infected either through email with a malicious attachment or links that they click on. The attachment will normally either contain a PDF with an exploit or, if it is an Office document, it can contain macro code that executes something evil. When the user opens the attachment the attacker’s code starts to run and ransomware gets executed. If the user receives a link and they click on it, they will often be sent to something called an exploit kit. An exploit kit is a tool that cybercriminals use to auto-exploit clients that visit the page. A typical exploit kit will enumerate what versions of Flash, Adobe Reader, and Java are installed and give the computer a working exploit in order to get the ransomware executed on the machine. When the ransomware gets executed on the machine it will normally contact a server controlled by the cybercriminals to get a key to start encrypting files. Furthermore, the ransomware typically deletes volume shadow copy snapshots and then it enumerates all your local drives and mapped drives and starts to encrypt the content on them. Newer versions of ransomware also scan the local area network for shares that the user has write access to and start to encrypt them as well. After the ransomware is done encrypting the files it will make sure that the user gets notified about how to get the files unencrypted again by paying.”
Identifying mitigations to stop ransomware
After Oddvar had explained the basics of a typical ransomware attack, I asked him to go over some simple mitigation steps we can implement as administrators to stop ransomware in its tracks. “An easy mitigation is to disable execution of macros in Office 2016. If your company for some reason needs to run macros from your Office documents, you can set the settings to only allow signed macros. That way the company needs to digitally sign every macro they use, but it will make the execution of macros safer. In Office 2016 there is a new setting that will prevent the execution of macros on content that has arrived from the Internet. I have explained that in detail on my blog here. In short, if you have Office 2016 you need to enable this setting. There is no reason why you should not enable it. All of the Office macro settings are managed through Group Policy and the latest ADMX/ADM files can be downloaded here.”
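The macro settings Oddvar describes are pushed by Group Policy as registry values under the per-user Policies hive, so you can verify on any client whether the policy actually landed. The following PowerShell is an added example, not code from the article or from Oddvar's blog; it assumes Office 2016 (registry version 16.0) and uses Microsoft's documented policy value names VBAWarnings (the "VBA Macro Notification Settings" policy) and BlockContentExecutionFromInternet (the "Block macros from running in Office files from the Internet" policy). It only audits; remediation should still be done through Group Policy.

```powershell
# Added example (not from the article or Oddvar's blog): audit the Office 2016
# macro policy values that Group Policy writes under HKCU\Software\Policies.
# Assumptions: Office 2016 ("16.0"); value names are Microsoft's documented
# names for the two macro policies discussed in the article.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of VBAWarnings as written by the "VBA Macro Notification Settings" policy
$VbaWarningsText = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all with notification (Office default)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    # Missing key or value means "no policy applied": the user controls the setting.
    $vba   = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $block = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet

    [pscustomobject]@{
        Application          = $App
        VBAWarnings          = if ($null -eq $vba) { 'not set (user-controlled)' } else { $VbaWarningsText[[int]$vba] }
        BlocksInternetMacros = ($block -eq 1)
        # Matches the article's advice: Internet macros blocked, and macros
        # either fully disabled or restricted to digitally signed ones.
        Compliant            = ($block -eq 1) -and ($vba -in 3, 4)
    }
}

$Apps | ForEach-Object { Get-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

Run it in the context of the user you are checking (the values live in HKCU). A row with Compliant = False on a machine that should have received the policy usually means the ADMX files in the central store are older than Office 2016, which is exactly why the current templates matter.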
I asked Oddvar what else one could do besides disabling macros to protect one’s Windows PCs from the accidental execution of downloaded ransomware. AppLocker immediately came to mind: “Another great mitigation is to use whitelisting of executables with the use of AppLocker. A quick way of getting started with this is to install a computer with all the software that your company uses and use AppLocker in Group Policy to import the executable list from that machine. That way you will have a standard list of allowed applications in your enterprise. If malware is executed on your computer, it will not be able to run due to the AppLocker policy. AppLocker will only allow execution of the applications you allow. AppLocker can prevent a lot of malware and unwanted executables and I highly recommend that you implement this.” Technical documentation of AppLocker on Windows 10 and Windows Server can be found here.
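The reference-machine approach Oddvar describes can also be scripted with the AppLocker PowerShell module instead of the Group Policy editor, which makes it easier to review the rule set and to start in audit-only mode before enforcing. The block below is an added example, not the article's or Oddvar's code; it assumes a Windows 10 or Windows Server reference machine with the AppLocker module, an elevated session, and that $ReferenceDirs is our own choice of directories holding the approved software.

```powershell
# Added example (not from the article): build an AppLocker executable whitelist
# from a reference machine and write it out in AuditOnly mode.
# Assumptions: AppLocker module present (Windows 10 / Server), elevated session,
# $ReferenceDirs chosen by us to cover the company's installed applications.
Import-Module AppLocker

$ReferenceDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$PolicyPath    = "$env:TEMP\AppLocker-Exe-Audit.xml"

# 1. Inventory every .exe on the reference machine (publisher info and hash).
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Turn the inventory into allow rules: publisher rules for signed binaries,
#    hash rules for unsigned ones. -Optimize collapses rules sharing a publisher.
[xml]$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -RuleNamePrefix 'Ref' -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in audit mode: executions that the policy would have blocked are
#    logged (AppLocker "EXE and DLL" log, event 8003) but not prevented.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($PolicyPath)

# 4. Dry run: what would happen to the binaries currently in the user's Downloads?
#    Anything not covered by a rule comes back as DeniedByDefault.
$candidates = Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -File |
    Select-Object -ExpandProperty FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Deployment: import $PolicyPath into a GPO (AppLocker > Executable Rules >
#    Import Policy) or, for a single test machine, merge it into local policy:
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Two practical checks before switching EnforcementMode to Enabled: the Application Identity service must be running on the clients or AppLocker does nothing, and the audit log should be quiet for the applications the business actually uses. Because no Path rules are generated, a binary copied from Program Files into a user-writable folder is still allowed only if its publisher or hash matches, which is the behaviour you want against a dropped ransomware executable.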
Office 365 Advanced Threat Protection, formerly called Exchange Online Advanced Threat Protection, is another tool we identified as essential to stop ransomware. We both agreed that if your mail flows through the Office 365 cloud, then you need to implement this feature of Microsoft’s Exchange and Office 365 plans. Oddvar says that with it “you have a better chance of preventing new ransomware campaigns before they reach your client computers.” Windows Defender Exploit Guard, which is built into Windows 10 version 1709 and later, is another essential protection Microsoft provides against ransomware and other forms of malware. This built-in Windows 10 feature also replaces the earlier Enhanced Mitigation Experience Toolkit (EMET) that Microsoft developed for Windows 7 and made available as a free download (it’s still available for download, though by the time you’re reading this article it will have just reached its end of life). While Oddvar and I agreed that EMET has been a useful tool against malware, the online world has become a lot more dangerous since Windows 7’s heyday, as the Microsoft Security Research & Defense team explained here. For a good explanation of how Windows Defender Exploit Guard compares with EMET, see this article on the Windows IT Pro Center. Needless to say, this makes upgrading your PCs to Windows 10 a no-brainer if you want to stay secure nowadays.
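Exploit Guard is configured through the same Defender PowerShell module that ships with Windows 10, so its ransomware-relevant state can be audited alongside the Office and AppLocker checks. The block below is an added example, not from the article; it assumes Windows 10 version 1709 or later with Windows Defender Antivirus as the active engine (controlled folder access and attack surface reduction rules depend on it) and an elevated session. Controlled folder access is the Exploit Guard component aimed specifically at ransomware-style file tampering.

```powershell
# Added example (not from the article): audit the Windows Defender Exploit Guard
# settings most relevant to ransomware on Windows 10 1709+.
# Assumptions: Defender Antivirus active, elevated session.
$pref = Get-MpPreference

# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (blocking), 2 = Audit mode
$cfaState = @{ 0 = 'Disabled'; 1 = 'Enabled (blocking)'; 2 = 'Audit mode' }

$report = [pscustomobject]@{
    ControlledFolderAccess = $cfaState[[int]$pref.EnableControlledFolderAccess]
    ProtectedFolders       = @($pref.ControlledFolderAccessProtectedFolders) -join '; '
    AllowedApplications    = @($pref.ControlledFolderAccessAllowedApplications) -join '; '
    # ASR rules are stored as parallel arrays: rule GUIDs and their actions
    # (0 = Off, 1 = Block, 2 = Audit). Count how many are actually blocking.
    AsrRulesConfigured     = @($pref.AttackSurfaceReductionRules_Ids).Count
    AsrRulesBlocking       = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    NetworkProtection      = $pref.EnableNetworkProtection    # 0 = Disabled, 1 = Enabled, 2 = Audit
}
$report | Format-List

# Safe first step when controlled folder access is off: enable it in audit mode,
# so attempts by unknown programs to modify protected folders are logged
# (Microsoft-Windows-Windows Defender/Operational, event 1124) without blocking
# anything yet. Uncomment to apply on this machine; use Group Policy or Intune fleet-wide.
# Set-MpPreference -EnableControlledFolderAccess AuditMode
```

Audit mode for a few weeks tells you which legitimate line-of-business applications write to protected folders and need to be added to the allowed list before you switch to blocking; flipping straight to Enabled on a fleet is the usual cause of help-desk tickets with this feature.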
Don’t forget your backups
I ended my discussion with Oddvar by asking him if there were any other best practices administrators should adhere to in order to protect their environments from ransomware. He said: “The most important tip you will ever get is to make sure you have backups of your data. I know this is probably self-explanatory for many, but I have seen many customers that actually don’t have good enough backups of their systems, and when they got infected with ransomware they had big problems. There are of course many other important things you need to do to prevent infection by ransomware. Things like patching all software, removing local administrator rights, updating antivirus signatures, controlling user access to the file shares, and educating your users. One of the most difficult tasks is to find out where the user has write access in your network. Remember that if the user can write to a file, so can the ransomware if the user gets infected. To automate that tiresome job, I created a script that checks the user’s access on the network that I named ‘Ransomware Simulator.’ The script will scan your LAN for shares (both normal shares and hidden ones) and enumerate whether the user has write access to them. The script will then output this to a report file that you can have as documentation. The script can be found on my blog.” This is excellent advice. Backups won’t stop ransomware, but they will help you recover from a successful attack.
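Oddvar's point that ransomware can write wherever the user can write is easy to turn into a recurring audit for the shares you already know about. The block below is an added example and is not his Ransomware Simulator; it takes an administrator-supplied list of UNC paths (the three shares here are constructed placeholders), tests whether the current user can create a file on each, and writes a CSV report, which is the documentation artifact he describes.

```powershell
# Added example (not Oddvar's Ransomware Simulator): for shares the administrator
# already knows about, record whether the current user can create a file there,
# i.e. where ransomware running as that user could encrypt data.
# Assumption: $Shares is a constructed list; replace with your own UNC paths.
$Shares = '\\fs01\Finance', '\\fs01\Public', '\\fs02\Projects$'   # constructed placeholders
$Report = "$env:TEMP\write-access-report.csv"

function Test-ShareWriteAccess {
    param([string]$Share)
    # Unique marker name so concurrent runs and leftovers never collide.
    $probe = Join-Path $Share ("wa-probe-{0}.tmp" -f [guid]::NewGuid())
    $result = [pscustomobject]@{
        Share     = $Share
        User      = "$env:USERDOMAIN\$env:USERNAME"
        Reachable = Test-Path -LiteralPath $Share
        CanWrite  = $false
        Error     = ''
    }
    if (-not $result.Reachable) { $result.Error = 'not reachable'; return $result }
    try {
        # Create a zero-byte marker and remove it straight away; any access-denied
        # error lands in the catch block and is reported rather than thrown.
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        $result.CanWrite = $true
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

$results = $Shares | ForEach-Object { Test-ShareWriteAccess -Share $_ }
$results | Export-Csv -Path $Report -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it as a representative standard user, not as an administrator, since the question is what an infected ordinary account could reach. Every row with CanWrite = True is a share whose ACL deserves a second look and whose backup schedule you should be able to name; comparing the CSV from one month to the next also catches permissions that drift open over time.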
Hopefully, these tips and tools will help you keep your organization’s information assets safe and stop ransomware attacks before they start.