Endpoint Protection

Hardening Your Environment Against Ransomware 

09-16-2016 12:50 PM

Introduction

This is the fifteenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in November 2017.

This article shares some tips and actions that can be taken to make your organization (both environment and employees) better capable of dealing with your next inevitable encounter with ransomware.

 

Inevitable?

Yes.  Computer Ransomware has been around since 1989's AIDS Trojan.  For many years this family of threats was rare.  In the past couple of years, though, malware which locks or encrypts computers and demands payment has become an epidemic.  The threat actors behind the many variants have a strong financial motive to continue creating new samples and attacking as many victims (both at random and targeted) as possible.  My crystal ball says Ransomware is not going away any time soon.

[Image: mick2009_crystal_ball_it_is_true.JPG]

 

So, ensure your defenses are up!  The more measures you take now, the better prepared you will be.  Each of the recommendations below will reduce the risk of a successful Ransomware infection. 

(Of course, nothing can completely eliminate the risk... see SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy for a mildly amusing illustration.)

 

What Your Infrastructure Can Do

  1. Don’t give every end user administrator rights.  The principle of "Least Privilege" has been recommended forever; it's time to put it into practice. 

    Implementing Least-Privilege Administrative Models
    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models  
     

  2. Carefully control write-access permissions to remote files.  Use Access Control Lists to specify what actions your users can perform against files. If the only permission a user account has is Read Only, it's not possible for ransomware running as that user to corrupt anything.

    Best practices for basic NTFS permissions on a share
    https://social.technet.microsoft.com/Forums/office/en-US/c6242159-d15d-417e-91f8-eb19c0da3a35/best-practices-for-basic-ntfs-permissions-on-a-share?forum=winserverfiles
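    As an added example (not from this article or the linked thread), here is how the read-only share model in tip 2 can be applied and then audited with PowerShell. The folder path and the two group names are assumptions; the point is that only one narrowly scoped group ends up with any write bit, so a user whose session is hijacked by ransomware can read but cannot corrupt.

```powershell
# Added example, not the article's own code. Folder and group names are assumed.
$Path       = 'D:\Shares\Finance'        # folder behind the share (assumed)
$ReadGroup  = 'CORP\Finance-Readers'     # assumed: everyone who only needs to read
$WriteGroup = 'CORP\Finance-Editors'     # assumed: the few who actually edit files

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path $Path
# Stop inheriting the parent ACL (often "Users: Modify") and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit entries for the broad built-in groups that commonly carry write access.
foreach ($rule in @($acl.Access)) {
    if ($rule.IdentityReference.Value -in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
        [void]$acl.RemoveAccessRule($rule)
    }
}
# Explicit, inheritable grants: SYSTEM and Administrators for backups/management,
# readers get ReadAndExecute only, editors get Modify (never FullControl: that would
# let them change the ACL itself).
$grants = @(
    @('NT AUTHORITY\SYSTEM',     'FullControl'),
    @('BUILTIN\Administrators',  'FullControl'),
    @($ReadGroup,                'ReadAndExecute'),
    @($WriteGroup,               'Modify')
)
foreach ($g in $grants) {
    $r = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $g[0], $g[1], $inherit, $propagate, $allow
    $acl.AddAccessRule($r)
}
Set-Acl -Path $Path -AclObject $acl

# Audit helper: list every identity that holds any write-capable bit on the folder.
# Anything beyond SYSTEM, Administrators and the editors group is a finding.
function Get-WriteCapableIdentities {
    param([string]$Folder)
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, Modify, FullControl'
    (Get-Acl -Path $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeBits) -ne 0) } |
        Select-Object -ExpandProperty IdentityReference -Unique
}
Get-WriteCapableIdentities -Folder $Path
```

    Run the audit function on a schedule against every share root; a new identity appearing in its output is the cheapest early warning that someone has loosened the permissions again.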

  3. Use FSRM to block ransomware's changes to your file servers.  Most file servers are sabotaged when an infected laptop or workstation on the network has a remote drive mapped.  FSRM will not save that desktop, but it will prevent the shared resource on the file server from being corrupted and raise an alarm.

    Protect your File Server against Ransomware by using FSRM and Powershell
    https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce?tduid=(20a69f8ccbbd96b722925b5ddec0d859)(256380)(2459594)(TnL5HPStwNw-Zy7_Vi7bCaEBMnCq.fWQsg


    (Please note: the script above is not from Symantec nor is it supported by Symantec.  I am just giving it and its author some well-deserved due credit.  I hear it's been a huge help to some companies.)
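    For readers who want to see the mechanism rather than run the gallery script, here is an added example (my own illustration, not that script and not Symantec code) of an FSRM file screen built with the FileServerResourceManager cmdlets. The share root, share name and the file patterns are assumptions; '*.locky' is included because Locky comes up in the comments below, and the list is meant to be extended from your own threat intelligence.

```powershell
# Added example, not the article's or the gallery script's code. Paths, share name
# and patterns are assumed; extend $Patterns with extensions you actually see.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares'                 # assumed root of the shared folders
$ShareName = 'Finance'                   # assumed SMB share name on that path
$GroupName = 'Ransomware Artefacts'
$Patterns  = @('*.locky', '*.encrypted') # constructed starting list

# 1. A file group holds the patterns FSRM should refuse to write.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# 2. Responses when a screened pattern is written. FSRM substitutes the
#    [Source ...] variables at run time, so the event names the file and the user.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern [Source File Path] written by [Source Io Owner]'

# Second response: cut the offending account off the share immediately so an
# infected workstation cannot keep writing. SecurityLevel LocalSystem is needed
# for a Command action. Single quotes doubled inside the string become one quote.
$cmdAction = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters ('-NoProfile -Command "Block-SmbShareAccess -Name ' + $ShareName + ' -AccountName ''[Source Io Owner]'' -Force"')

# 3. An active screen denies the write; a passive one only notifies. Use active.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
    -Notification $eventAction, $cmdAction -Active `
    -Description 'Deny known ransomware artefacts and revoke the writer' | Out-Null

# Verify what is now enforced on the path.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

    Test the screen from a client as an ordinary user by saving a file whose name matches one of the patterns: the save must fail with access denied and a warning event must appear in the Application log. Keep the revocation action even if it feels drastic; restoring one user's share access is far cheaper than restoring the share.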

  4. Back your data up!  If it is destroyed by ransomware (or a tornado, fire, whatever), you can restore it and carry on.

  5. Keep those backups where they cannot be hit!  An air gap between the data and the backup copy means that no ransomware, worm, hacker or other hazard can get to it.  Another approach is to burn your backups to DVD or other storage medium that is then write-protected.

  6. Mail Security!  Take it Seriously.  Don't just purchase a product, leave everything at its defaults, and assume you'll be safe.  Configure it to use Rapid Release definitions, strengthen its policies, implement Disarm, and block the attachments which are always malware.  This is incredibly effective when done right.

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

  7. Patch against Drive-By Downloads.  Surfing with old browsers and old Flash plugins?  Here's a cute cartoon for you.


    [Image: scary_driveby.png]

  8. Use all SEP components.  IPS and SONAR have saved a lot of bacon.  Give them a shot at saving yours.

    Ransomware protection and removal with Symantec Endpoint Protection
    http://www.symantec.com/docs/HOWTO124710

     

  9. Use SEP's optional Application and Device Control (ADC) policies.  These can make it more difficult for Ransomware to run.

    Strengthening anti-virus security to prevent Ransom-ware derivative (Trojan.Cryptolocker family, etc.) infections
     

  10. Configure the environment not to run unsigned Macros.  If you MUST allow Macros, only allow signed ones.

    Plan security settings for VBA macros for Office 2013
    https://technet.microsoft.com/en-us/library/ee857085.aspx
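    An added example (my illustration, not Microsoft's documentation or a Symantec tool) of what tip 10 looks like in the registry for Office 2013. The values below are the ones the linked Group Policy templates write under the Policies hive; in production they should be pushed by GPO, and the script is here so you can see and audit the setting on a single machine. The application list is an assumption.

```powershell
# Added example, not the article's own code. Office 2013 is version 15.0, which is
# the release the linked TechNet page covers. Applications listed are assumed.
$Apps = 'Word', 'Excel', 'PowerPoint'
$Base = 'HKCU:\Software\Policies\Microsoft\Office\15.0'

# VBAWarnings policy values:
#   1 = enable all macros (never)
#   2 = disable with notification (the yellow bar users click "Enable" on)
#   3 = disable all except digitally signed macros (tip 10 when macros are required)
#   4 = disable all macros without notification (tip 10 when they are not)
$DesiredLevel = 3

function Set-MacroPolicy {
    param([string]$App, [int]$Level)
    $key = Join-Path $Base "$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value $Level -Force | Out-Null
}

function Get-MacroPolicy {
    # Returns one row per application so drift from the policy is easy to spot.
    foreach ($app in $Apps) {
        $key = Join-Path $Base "$app\Security"
        $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            App         = $app
            VBAWarnings = $val
            Compliant   = ($null -ne $val -and $val -ge 3)   # 3 or 4 both satisfy tip 10
        }
    }
}

foreach ($app in $Apps) { Set-MacroPolicy -App $app -Level $DesiredLevel }
Get-MacroPolicy | Format-Table -AutoSize
```

    The audit function is the useful half: a machine reporting VBAWarnings of 2 (or nothing at all) is one where a user can still click "Enable Content" on the next malicious invoice.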

  11. Lock down RDP.  If your server's username and password are compromised or can be brute forced, an attacker can Remote Desktop in and perform any action they wish.  That includes disabling security features and then downloading ransomware. It happens.

    Securing Domain Controllers Against Attack
    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack  
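    As an added example (not from the article or the linked Microsoft guidance), here are three RDP hardening steps for a single server plus a detection query for the password guessing that tip 11 warns about. The management subnet, lockout numbers and alert threshold are assumptions.

```powershell
# Added example, not the article's own code. Subnet and thresholds are assumed.

# 1. Require Network Level Authentication so an unauthenticated client never
#    reaches the Windows logon screen.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# 2. Accept RDP only from the administrators' jump-host network, not the internet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress '10.10.50.0/24'  # assumed subnet

# 3. Make guessing expensive: 10 failures locks the account for 30 minutes.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 4. Detect guessing in the Security log. Event 4625 is a failed logon.
#    LogonType 10 is RemoteInteractive (classic RDP). Once NLA is on, failures are
#    rejected during CredSSP and are logged as LogonType 3 instead, so both are kept.
function Get-RdpBruteForceSources {
    param([int]$Hours = 24, [int]$Threshold = 20)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named fields out of the event XML rather than parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = $d['LogonType']
                User      = $d['TargetUserName']
                Source    = $d['IpAddress']
            }
        } |
        Where-Object { $_.LogonType -in '3', '10' -and $_.Source -and $_.Source -ne '-' } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp  = $_.Name
                Failures  = $_.Count
                Usernames = (($_.Group.User | Sort-Object -Unique) -join ', ')
            }
        } |
        Sort-Object Failures -Descending
}

Get-RdpBruteForceSources -Hours 24 -Threshold 20
```

    A single source address cycling through many usernames is the signature to look for; one user mistyping a password produces one username and a handful of failures. Run the query on the servers that still expose RDP and treat any hit as the computer to isolate, exactly as the "Read Your Logs" point below advises for IPS events.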

  12. Avoid Mapping Network Drives. Some ransomware can even sabotage unmapped shares.  So, hide your network shares!

  13. Use the latest SEP. SEP 12.1 is still supported, but SEP 14 includes new, additional technologies which can block malware.  The more roadblocks and lines of defense in front of the ransomware files, the better!

 

 

Most Powerful of All: What Your People Can Do
 

  1. Read Your Logs.  The SEPM provides excellent intelligence on what is happening in your environment.  For example, it can provide a report on “system infected” IPS events.  Don’t just ignore them!  Especially if IPS is fighting off a cryptolocker, isolate that computer and submit the malware that is causing the malicious traffic to Security Response. 

  2. Test Your Disaster Recovery. When was the last time you checked how swiftly you could restore from a backup and get people working with that known-good data?  It's a slight inconvenience to run "fire drills" but they are always worthwhile before a real emergency strikes.

  3. Test Your Users.  Do they know how to react to suspicious incoming emails?  Find out!  &: )

  4. Educate Your Users!  Saving the most powerful point for last....

  • Never enable Macros to view any incoming mail attachment!  Don't click Enable to allow the "hidden contents" to display, don't enter in a password to see the document's hidden message, don't be fooled by any enticing message.

  • Have Windows configured to “show known file types.” Instruct end users not to open anything with more than one extension.

  • Save mail attachments to a folder from which .exes are not permitted to run (ADC policy can create one) and open them there if they appear genuine.
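    An added example (my own, not from the article) that puts the last two bullets into practice on a workstation: it turns off Explorer's extension hiding and then audits a saved-attachments folder for the double-extension trick. It goes slightly beyond the bullet's "more than one extension" rule by also flagging anything whose final extension is executable, while letting a harmless name like archive.tar.gz through. The folder path and the extension lists are assumptions.

```powershell
# Added example, not the article's own code. Folder and extension lists are assumed.

# Show extensions so "Invoice.pdf.exe" no longer appears as "Invoice.pdf".
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -Value 0 -Type DWord

# Types Windows will execute or script-host when double-clicked (assumed list).
$ExecutableExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.ps1'
# Types that lures commonly pretend to be (assumed list).
$DocLike = '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg', '.png'

function Test-SuspiciousAttachmentName {
    param([string]$Name)
    $parts = $Name.Split('.')
    if ($parts.Count -lt 2) { return $false }          # no extension at all
    $last = '.' + $parts[-1].ToLower()
    if ($ExecutableExt -contains $last) { return $true } # runs when opened, whatever it claims to be
    if ($parts.Count -ge 3) {
        # More than one extension: suspicious when an inner one is a document type,
        # which is the disguise users are told about above.
        $inner = $parts[1..($parts.Count - 2)] | ForEach-Object { '.' + $_.ToLower() }
        foreach ($i in $inner) { if ($DocLike -contains $i) { return $true } }
    }
    return $false
}

# Constructed sample names, shown as a user would see them with extensions visible.
$samples = 'Invoice.pdf.exe', 'Report-Q3.docx', 'photo.jpg.scr', 'notes.txt', 'statement.pdf.js', 'archive.tar.gz'
foreach ($s in $samples) {
    [pscustomobject]@{ Name = $s; Suspicious = (Test-SuspiciousAttachmentName -Name $s) }
}

# Audit the folder attachments are saved to (assumed path; the bullet above suggests
# an ADC policy that stops .exe files running from it).
Get-ChildItem -Path "$env:USERPROFILE\Attachments" -File -ErrorAction SilentlyContinue |
    Where-Object { Test-SuspiciousAttachmentName -Name $_.Name } |
    Select-Object Name, Length, LastWriteTime
```

    With the sample names, Invoice.pdf.exe, photo.jpg.scr and statement.pdf.js are flagged and the other three are not. The audit loop is worth running from a logon script: a hit means the mail filter from tip 6 let something through and the user now has it on disk.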

     

Conclusion

Many thanks for reading!  I hope this article helps. 

If not, these will:

Special Report: Ransomware and Businesses 2016
https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware

Businesses most at risk from new breed of ransomware
https://www.symantec.com/connect/blogs/businesses-most-risk-new-breed-ransomware
Please leave comments and feedback below. 

Comments

10-26-2017 01:11 AM

Very useful, Excellent.

12-07-2016 03:53 AM

Nice one!

Thanks, Mick!

An addendum to step 9. (Use SEP's optional Application and Device Control (ADC) policies.)

How-To Harden Cryptolocker file encoding attempts with SEPM Application Control

 

11-02-2016 04:55 AM

Hey Everyone,

I'm actually waiting for something better from Symantec. Some of these are good tips, but very few have anything to do with what can be done in SEPM. I used to see posts with custom ADC policies often in the past with Locky on the loose, and now it all seems to be dwindling down. Is it that custom ADC/IPS signatures/Host Integrity policies aren’t being shared as much on here, or is it something that is not being used a lot anymore?

I would really like to see some of those policies being shared and created by Symantec and allowed to be tested by administrators like myself. I've implemented many in the past to battle Locky that have been successful, but it seems less and less is being posted here.

If anyone has anything to share, I would love to test that in my environment.

Best,

-Alex

 

 

10-19-2016 07:28 AM

Nice one! Thank you!!

09-20-2016 08:27 AM

Very useful!

09-20-2016 01:47 AM

Good One!

09-20-2016 01:22 AM

excellent ....
