I’m frustrated. Frustrated because I keep seeing articles about businesses, specifically hospitals, being ransom-wared into submission. In the past month, I can recall three specific instances. Some paid the ransom. One is still in limbo. Each system claims that their data is being held hostage, and that the ransomer is demanding somewhere between $1600 and $3.7 Million dollars – all negotiable, of course. Hospital administrators cry foul, sysadmins look to expensive solutions, and patient care suffers.
None of this has to happen.
Sysadmins, we need to talk. I know the struggle – I’ve been a systems administrator for 15 years. You have too few resources, too small a budget, and no respect. I get it. I do. Your users click links they shouldn’t, download things without forethought, and go to websites that you would firebomb from afar if you had your way. I understand that ransomware is a fast-changing, ever evolving beast that is mitigating your defenses as quickly as you’re mitigating its attacks. Its impossible to stop every attack. I get that. However, I’d like to pose question to you, and I ask this with as little snark as I can muster: Is that really an excuse? Can we really throw up our hands because “its hard,” and not even attempt good, basic security measures?
Admins, lend me your ears. With good, basic, and built-in tools, you can defend against ransomware. With just a few hours of configuration (at most!), you can stop this madness. Let’s talk turkey.
Fix Your Email
- Filtering extensions. Do you block incoming file attachments? Most companies don’t, and can’t – that’s fine. However, you can certainly block the dangerous ones. All modern email systems block executables (.exe) and batch (.bat/.cmd) files from the get go – most will also block VB scripting (.vbs), screen savers (.scr) and a few others. Lets get to whats not being blocked:
- .doc / .xls files – Yep, MS Office. No, I am not suggesting you disallow your users from sharing office files – but modern Office extensions are .docx and .xlsx – so ditch the old versions. Inside these files are malicious macros that will grab the ransomware payload and pull it onto your machine. While you’re at it, block .rtf
- .zip files and .rar files – Yes, some businesses use these to transfer files. Say it with me (and if you’re a sysadmin, you’ve been shouting this for years) – email is not a file transfer mechanism. Find an alternative. Utilize network shares or a third party system like OwnCloud. Ransomware often comes in a .zip, and sometimes even password protected (with the password in the email body). Why? Mail scanners can’t look inside zipped files. Block them outright if you can.
- Filtering countries. Does your company do business with China, Romania, or the Ukraine? What’s the business impact of never receiving mail from Russia again? In a great majority of cases, this will not impact you at all – but will cut down exponentially on both spam and phishing. Many email servers will allow you to block based on region or country. Take heavy advantage of this. If not, you can look at netblocks by country and black/grey-list them manually.
- Crank up your spam protection. A lot of ransomware coming through is going to be flagged as spam by the same criteria that “13UY V1@GAR4” ads get stopped with. It doesn’t have to be turned to max, but it does have to be turned on.
- Consider blocking any of the generic gTLD domains out there. Domains such as “.xyz” and “.info” are cheap and used as throwaways by spammers. Stop them from entering your email environment and you’ll reduce the number of phishing attacks and spam emails your users receive.
Defend Your Servers
- Software Restriction Policies. Via group policy, you can restrict any executables from running out of the %TMP% directory – which is how all ransomware I have encountered or read about starts. Pushing this down to your users should be a no-brainer. Now, I say that with a grain of salt – this will break things. In my experience, Quickbooks installers, MS Office installers, and Spotify all break with an SRP is in place. These, however, can be whitelisted. This takes testing and should be rolled out slowly, especially in complex environments. Here’s a very thorough tutorial with screenshots on how to implement a Software Restriction Policy.
- File Server Resource Monitor. FSRM is a method for actively monitoring file shares. One of the first things ransomware does is drop a file explaining how to pay the ransom. With FSRM you can easily alert on those files and run a script. The script I wrote is extremely basic – it kills the file sharing service, sends the admin an email, and writes the event to the event log. Here’s a list of filenames I monitor for.
- Follow good security practices. Does everyone have read, write, execute access on every share? They shouldn’t. Follow good security practices for accessing data – use the principal of least privilege and role-based access control. This is good practice aside from ransomware, but will help contain the damage should something slip through your other controls. Users in Groups, Groups assigned to Folder/File permissions. Add/Remove users from groups as their access or roles change. This makes management easy
- Monitor Handles. Consider setting up a “canary” to alert you of processes generating a high handle count. There are a few that we should expect to do so – system, SqlServer, and lsass come to mind – but a process actively encrypting or modifying thousands of files at once will generate a high number of handles. I wrote this script when the first CryptoLocker hit, and run it as a scheduled task every 15 minutes; feel free to modify it as you wish. Be warned that it is fairly ugly, but it does what it says on the box.
Defend Your Endpoints
- Antivirus. Some people will tell you that antivirus is dead. There are certainly arguments for that – an antivirus can act as a last line of defense if your other controls fail. Make sure your definitions are updated, and the antivirus is up to date. Microsoft Security Essentials is free, and will defend against known ransomware. Teach your users to report virus alerts, not ignore them.
- Patching. Keep your endpoints patched. You can download and install Windows Server Update Service for free, and have it manage your updates and reboot cycles.
- Phish your users. It can be done for free and teaches them not only to be suspicious of emails they aren’t expecting, but helps train them on indications that an email is not from who they think.
- Remove local administrator rights from machines. Users may kick and scream that they can’t install Skype, but reducing the local machine rights drastically reduces the damage that can be done. Without admin rights, you can only install and run applications out of very limited folders (My Documents and %TMP%), so its easier to mitigate malicious software trying to do you harm.
Defend Your Network
- DNS. If you’re using your ISP’s DNS server, I would encourage you to change it to the free OpenDNS service. OpenDNS is good about blackholing known-bad IP addresses and command & control channels. It will reduce malware from web-browsing significantly and costs you nothing.
- Block Tor. Tor has many legitimate, and noble uses. However, many pieces of ransomware use it to establish a connection to a C&C channels to generate the key used to encrypt data. If this step fails, ransomware stops. Block Tor unless you are actively using it for business – which you likely are not.
Defend Your Data
- Backups. If all else fails, you need the security of having recent, tested, GOOD backups. Windows Server Backup is not the most elegant solution, but it works – and costs you nothing. A large USB drive is all you need to back up your data. Find out what your company’s tolerance for data loss is, and take the drive off-site that often. If they can tolerate a week of lost data, take it off-site every Friday. If they can tolerate no more than a day, take it off-site every night. A note about ransomware: if the backup drive is plugged in, and the system infected? It will encrypt your backup drive. Its important that you eject the USB or physically remove the drive every time you complete a backup. If you can spare a few dollars and some bandwidth, a service like CrashPlan runs about $8 per month and backs up changes in real time, and maintains a version history. Not an ideal way to recover the data should you lose everything, but it’s a “set it and forget it” approach that requires little maintenance and no drive swapping.
Sysadmins: this is what the phrase Defense-in-Depth means. Multiple solutions to solve a problem that may mitigate one or more defenses you have in place. An antivirus and firewall are no longer enough. There is no excuse for a ransomware infection resulting in lost data and days/weeks/months offline. You can accomplish every step outlined above with a zero-dollar budget.
Any other tips, tricks, or $0 mitigations you’d like to share? Please comment below!