This is the fifteenth in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in November 2017.
This article shares some tips and actions that can be taken to make your organization (both environment and employees) better capable of dealing with your next inevitable encounter with ransomware.
Yes. Computer ransomware has been around since 1989's AIDS Trojan. For many years this family of threats was rare. In the past couple of years, though, malware which locks or encrypts computers and demands payment has become an epidemic. The threat actors behind the many variants have a strong financial motive to continue creating new samples and attacking as many victims (both at random and targeted) as possible. My crystal ball says ransomware is not going away any time soon.
So, ensure your defenses are up! The more measures you take now, the better prepared you will be. Each of the recommendations below reduces the risk of a successful ransomware infection.
(Of course, nothing can completely eliminate the risk... see SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy for a mildly amusing illustration.)
Don't give every end user administrator rights. The principle of "least privilege" has been recommended forever; it's time to put it into practice. Implementing Least-Privilege Administrative Models https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
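Least privilege starts with knowing who actually holds local Administrator rights today. The following PowerShell is an added example (it is not from the article, Symantec or Microsoft) that audits the local Administrators group on a list of machines and reports every member that is not on an approved list. The computer names and the approved patterns are placeholders for your own environment; it assumes PowerShell 5.1 or later on the targets and PowerShell Remoting enabled.

```powershell
# Added example: find accounts with local admin rights that should not have them.
# Assumptions (placeholders): computer names and the approved-member patterns.
$Computers        = 'WKS-001', 'WKS-002', 'WKS-003'
$ApprovedPatterns = 'CORP\Domain Admins', 'CORP\Workstation-Admins', '*\Administrator'

function Get-UnapprovedLocalAdmin {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [Parameter(Mandatory)] [string[]]$Approved
    )
    # Get-LocalGroupMember runs on each target; Invoke-Command tags each
    # returned object with the PSComputerName it came from.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators'
    } -ErrorAction Continue

    foreach ($m in $members) {
        $isApproved = $false
        foreach ($pattern in $Approved) {
            if ($m.Name -like $pattern) { $isApproved = $true; break }
        }
        if (-not $isApproved) {
            [pscustomobject]@{
                Computer = $m.PSComputerName
                Member   = $m.Name
                Type     = $m.ObjectClass   # User or Group
            }
        }
    }
}

# Report, sorted by machine, so the list can be reviewed before anything is removed.
Get-UnapprovedLocalAdmin -ComputerName $Computers -Approved $ApprovedPatterns |
    Sort-Object Computer | Format-Table -AutoSize
```

Review the output before acting on it; once a member is confirmed unnecessary, Remove-LocalGroupMember -Group 'Administrators' -Member '<name>' on that machine takes the right away. Domain groups nested in the local group show up as a single Group entry, so check their membership separately.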
Carefully control write-access permissions to remote files. Use Access Control Lists to specify what actions your users can perform against files. If the only permission a user account has is Read Only, it's not possible for ransomware running as that user to corrupt anything. Best practices for basic NTFS permissions on a share https://social.technet.microsoft.com/Forums/office/en-US/c6242159-d15d-417e-91f8-eb19c0da3a35/best-practices-for-basic-ntfs-permissions-on-a-share?forum=winserverfiles
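As an added example (not from the article or from Microsoft), this PowerShell applies the read-only principle above to a shared folder: a broad group gets ReadAndExecute, a small editor group gets Modify (not Full Control, so it cannot rewrite the ACL), and inherited permissive defaults are dropped. The path and group names are placeholders.

```powershell
# Added example: read-only for most users, Modify only for the data owners.
# Assumptions (placeholders): share path and group names.
$Path       = 'D:\Shares\Finance'
$ReadGroup  = 'CORP\AllStaff'          # may read, never write
$WriteGroup = 'CORP\Finance-Editors'   # the few who may change files

$acl = Get-Acl -Path $Path
# Stop inheriting from the parent and discard the inherited rules, so nothing
# permissive (e.g. "Users: Modify") survives from the volume root.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rules = @(
    # Ransomware running as one of these users can read but cannot overwrite,
    # rename or delete anything in this tree.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ReadGroup, 'ReadAndExecute', $inherit, $propagate, 'Allow'),
    # Editors can change content but not permissions.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $WriteGroup, 'Modify', $inherit, $propagate, 'Allow'),
    # Keep management access for admins and the OS itself.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Verify the result; IsInherited should now be False for every entry.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Remember that the share permission and the NTFS permission are evaluated together and the more restrictive one wins, so a share left at "Everyone: Full Control" is fine only because the NTFS ACL above does the real work.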
Use FSRM to block ransomware's changes to your file servers. Most file servers are sabotaged when an infected laptop or workstation on the network has a remote drive mapped. FSRM will not save that desktop, but it will prevent the shared resource on the file server from being corrupted and raise an alarm. Protect your File Server against Ransomware by using FSRM and Powershell https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce?tduid=(20a69f8ccbbd96b722925b5ddec0d859)(256380)(2459594)(TnL5HPStwNw-Zy7_Vi7bCaEBMnCq.fWQsg (Please note: the script above is not from Symantec nor is it supported by Symantec. I am just giving it and its author some well-deserved credit. I hear it's been a huge help to some companies.)
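To show what the FSRM approach looks like in practice, here is an added example (my own illustration, not the linked gallery script and not Symantec code) that creates a file group of ransomware-style file names, attaches an active file screen to the share root so matching writes are refused, and logs a warning event for monitoring. The share path is a placeholder and the pattern list is a constructed starter set.

```powershell
# Added example: active FSRM file screen that refuses ransomware-pattern writes.
# Requires the File Server Resource Manager role service on the file server.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares'                          # assumed: root of shared data
$GroupName = 'Ransomware Patterns'
# Constructed starter list; maintain it from a regularly updated, reputable source.
$Patterns  = '*.locky', '*.zepto', '*.crypt', '*_HELP_instructions.html', '*DECRYPT_INSTRUCTION*'

# Create or update the file group that the screen will match against.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Notification: write a Warning to the Application log (source SRMSVC) so your
# SIEM or the SEPM operator sees which client and user triggered the screen.
# The [bracketed] tokens are FSRM's built-in notification variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'Blocked write of [Source File Path] by [Source Io Owner] on [Server]; ' +
    'matched file group [Violated File Group]. Isolate that client and check it for ransomware.')

# -Active blocks the write outright; without it the screen would only log (passive).
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
        -Notification $eventAction -Active | Out-Null
}

# Confirm what is now in force.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

Caveat a practitioner should keep in mind: a file screen matches on file names only. It stops the families that rename or re-extension what they encrypt (and the ransom-note drops), but a variant that overwrites files in place with the original names passes straight through it, which is why this complements the ACL, backup and endpoint controls rather than replacing them.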
Back your data up! If it is destroyed by ransomware (or a tornado, fire, whatever), you can restore it and carry on.
Keep those backups where they cannot be hit! An air gap between the data and the backup copy means that no ransomware, worm, hacker or other hazard can get to it. Another approach is to burn your backups to DVD or other storage medium that is then write-protected.
Mail Security! Take it Seriously. Don't just purchase a product, leave everything at its defaults, and assume you'll be safe. Configure it to use Rapid Release definitions, strengthen its policies, implement Disarm, and block the attachments which are always malware. This is incredibly effective when done right.
Support Perspective: W97M.Downloader Battle Plan https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan
Patch against Drive-By Downloads. Surfing with old browsers and old Flash plugins? Here's a cute cartoon for you.
Use all SEP components. IPS and SONAR have saved a lot of bacon. Give them a shot at saving yours. Ransomware protection and removal with Symantec Endpoint Protection http://www.symantec.com/docs/HOWTO124710
Use SEP's optional Application and Device Control (ADC) policies. These can make it more difficult for Ransomware to run. Strengthening anti-virus security to prevent Ransom-ware derivative (Trojan.Cryptolocker family, etc.) infections
Configure the environment not to run unsigned macros. If you MUST allow macros, only allow signed ones. Plan security settings for VBA macros for Office 2013 https://technet.microsoft.com/en-us/library/ee857085.aspx
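As an added example (not from the article or the linked Microsoft guide), the PowerShell below writes the same "disable all macros except digitally signed" setting that the Group Policy template controls, into the per-user policy keys for Word, Excel and PowerPoint. It assumes the Office version token (16.0 for Office 2016 and later; the linked 2013 guidance uses 15.0) and is meant to illustrate what the policy sets; in a domain, deploy it through GPO rather than per machine.

```powershell
# Added example: enforce "disable all except digitally signed macros" via the
# policy registry keys that Group Policy writes (HKCU\Software\Policies\...).
# Assumption: $OfficeVersion matches the installed Office (16.0 here; 15.0 = Office 2013).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all, 2 = disable with notification (the default),
    #              3 = disable all except digitally signed, 4 = disable all silently.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord

    # Office 2016+: additionally block macros in files that carry the Internet
    # zone mark (mail attachments, downloads), regardless of signing. Ignored by 2013.
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# Read the settings back so the change can be verified on a test machine.
foreach ($app in $Apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security" |
        Select-Object @{n='App';e={$app}}, VBAWarnings, BlockContentExecutionFromInternet
}
```

With VBAWarnings = 3, the "Enable Content" bar the user is asked to click in the attack described later in this article simply does not appear for unsigned documents, which is the point: the decision is taken away from the user.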
Lock down RDP. If your server's username and password are compromised or can be brute forced, an attacker can Remote Desktop in and perform any action they wish. That includes disabling security features and then downloading ransomware. It happens. Securing Domain Controllers Against Attack https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
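The following is an added example (not from the article or Microsoft) of three concrete RDP controls on a Windows server: require Network Level Authentication, restrict the built-in Remote Desktop firewall rules to a management subnet, and make password guessing expensive with an account lockout policy. The subnet is a placeholder; run it in an elevated session.

```powershell
# Added example: harden RDP on a server. Assumption: $MgmtSubnet is a placeholder
# for the network your admin jump hosts sit on.
$MgmtSubnet = '10.10.50.0/24'

# 1. Require Network Level Authentication: the client must authenticate before
#    a session and logon screen are ever created.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Only the management subnet may reach TCP 3389, and only on the Domain and
#    Private profiles (assigning the profile list drops Public).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet -Profile 'Domain', 'Private'

# 3. Lock an account for 30 minutes after 5 failed attempts within 30 minutes.
#    (Local policy; on domain members set the equivalent in the Default Domain Policy.)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# If the server does not need RDP at all, disable it rather than harden it:
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
#     -Name 'fDenyTSConnections' -Value 1 -Type DWord

# Review who may log on through RDP; this list should be short and known.
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass
```

Pair this with reading the Security log: a burst of 4625 (failed logon) events with Logon Type 10 against one server is exactly the brute-force attempt the article warns about, and lockout events (4740) on the domain controller tell you which accounts are being targeted.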
Avoid mapping network drives where you can. Some ransomware can also enumerate and sabotage unmapped shares, so hide your network shares as well!
Use the latest SEP. SEP 12.1 is still supported, but SEP 14 includes new, additional technologies which can block malware. The more roadblocks and lines of defense in front of the ransomware files, the better!
Read Your Logs. The SEPM provides excellent intelligence on what is happening in your environment. For example, it can provide a report on "system infected" IPS events. Don't just ignore them! In particular, if IPS is fighting off a CryptoLocker, isolate that computer and submit the malware causing the malicious traffic to Security Response.
Test Your Disaster Recovery. When was the last time you checked how swiftly you could restore from a backup and get people working with that known-good data? It's a slight inconvenience to run "fire drills", but they are always worthwhile before a real emergency strikes.
Test Your Users. Do they know how to react to suspicious incoming emails? Find out! :)
Educate Your Users! Saving the most powerful point for last....
Never enable macros to view any incoming mail attachment! Don't click Enable to allow the "hidden contents" to display, don't enter a password to see the document's hidden message, don't be fooled by any enticing message.
Have Windows configured to "show known file types." Instruct end users not to open anything with more than one extension.
Save mail attachments to a folder from which .exes are not permitted to run (ADC policy can create one) and open them there if they appear genuine.
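To support the two user-facing points above with something an administrator can actually deploy and check, here is an added example (not from the article or Symantec): it switches on extension display for the current user, and defines a helper that lists files in a folder whose name carries a second, disguising extension in front of an executable one (the classic "Invoice.pdf.exe"). The folder path is a placeholder and the executable-extension list is a constructed starter set.

```powershell
# Added example: show known file extensions, and find double-extension files.
# Assumptions: the scan folder is a placeholder; the extension list is a starter set.
$explorerAdv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# HideFileExt = 0 makes Explorer display "document.pdf.exe" instead of "document.pdf".
Set-ItemProperty -Path $explorerAdv -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer reads this at start-up; it takes effect after the user signs out and in.

function Find-DoubleExtensionFile {
    param(
        [Parameter(Mandatory)] [string]$Folder,
        [string[]]$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd',
                                           '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh',
                                           '.hta', '.ps1', '.lnk')
    )
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # Strip the real (last) extension; if what remains still ends in
            # ".something", the name carries a second, disguising extension.
            $inner = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            ($ExecutableExtensions -contains $_.Extension.ToLowerInvariant()) -and
            ($inner -match '\.[A-Za-z0-9]{1,5}$')
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed usage: scan the folder where users are told to save attachments.
Find-DoubleExtensionFile -Folder "$env:USERPROFILE\Downloads\Attachments" |
    Format-Table -AutoSize
```

The match is deliberately conservative: a legitimately named "setup.v2.exe" is reported too, which is acceptable for a triage list but means the output is something to review, not something to delete automatically.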
Many thanks for reading! I hope this article helps.
If not, these will:
Special Report: Ransomware and Businesses 2016 https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware
Businesses most at risk from new breed of ransomware https://www.symantec.com/connect/blogs/businesses-most-risk-new-breed-ransomware
Please leave comments and feedback below.
Very useful, Excellent.
Just giving a link to a couple of additional respected resources full of good advice...
https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/
https://www.bleepingcomputer.com/news/security/how-to-protect-and-harden-a-computer-against-ransomware/
Nice one!
Thanks, Mick!
An addendum to step 9. (Use SEP's optional Application and Device Control (ADC) policies.)
How-To Harden Cryptolocker file encoding attempts with SEPM Application Control
Hey Everyone,
I'm actually waiting for something better from Symantec, some of these are good tips but very little have anything to do with what can be done in SEPM. I used to see posts with custom ADC policies often in the past with Locky on the loose and now it all seems to be dwindling down. Is it that custom ADC/IPS signatures/Host Integrity policies aren’t being shared as much on here, or is it something that is not being used a lot anymore?
I would really like to see some of those policies being shared and created by Symantec and allowed to be tested by administrators like myself. I've implemented many in the past to battle Locky that have been successful, but it seems less and less is being posted here.
If anyone has anything to share, I would love to test that in my environment.
Best,
-Alex
Nice one! Thank you!!
Very useful!
Good One!
Excellent....