March 31, 2016 | Security and Risk | Jessica Stanford
It’s hard to open a newspaper or scroll through daily headlines without seeing new reports of extortion and blackmail through the use of ransomware – a type of malicious software designed to prevent access to information on a computer system until a sum of money is paid. Once used largely by cyber criminals to target consumers for short change, ransomware attacks have escalated to the enterprise, with highly motivated adversaries targeting corporate networks with increasingly creative tactics. Recently, major news outlets including the BBC and New York Times were also hit by ransomware “malvertising” that demanded payment in Bitcoin to unlock user computers. According to The Guardian, the malware “was delivered through multiple ad networks and used a number of vulnerabilities, including a recently-patched flaw in Microsoft’s former Flash competitor Silverlight, which was discontinued in 2013.”
There are two types of ransomware attacks that organizations could experience. The first one is “standard” ransomware infecting user machines, which is the same ransomware that would infect a regular consumer at home. These attacks will be opportunistic and less damaging to organizations, which usually store the important information on dedicated servers and in databases out of reach of attackers, so that files on user machines can be fairly easily replaced.
The second type is far more dangerous. These ransomware attacks follow the same general attack pattern as targeted network attacks, but for a much different end goal. Instead of information theft, ransomware attackers seek to cause widespread havoc through mass infection and encryption of user data. To do this, attackers often seek out privileged accounts to hijack (both privileged user accounts and application accounts used by automated processes, services and applications), then exploit them to propagate the ransomware throughout the network.
An example of this is a recent attack that targeted three different Indian banks and a pharmaceutical company, resulting in millions of dollars in damage. The attacker infiltrated the networks of each company, hijacked the necessary privileged credentials, then escalated access to other computers via unprotected Remote Desktop Ports (RDPs). With access to a computer gained, the attacker downloaded the ransomware from a server and then started the encryption process. Without privileged access, the attacker’s mission could not have been accomplished.
Removing local privileges can help defend against ransomware attacks, however, it’s not necessarily enough. For example, CryptoLocker is an example of malware that encrypts data using standard user rights, so efforts to remove or restrict local administrative rights without additional security measures does not completely mitigate the risk. Additionally, because CryptoLocker encrypts (and renders unreadable) all files that a user has access to in a corporate environment, it has a devastating effect.
With increasing attention on ransomware, many organizations are focused on eliminating the threat of a ransomware infection. To effectively defend against such ransomware attacks, organizations must combine the principle of least privilege AND application control to reduce the attack surface and block their progression. This dual-pronged approach can prevent ransomware from entering an organization in four key ways:
- It blocks untrusted applications
- It restricts or denies access for unknown applications (such as CryptoLocker)
- It continuously monitors applications entering the environment
- It removes local admin privileges to block CryptoLocker from deleting the shadow copy command,
- It enables security teams to restore encrypted files using shadow copy.
Organizations should look for flexible tools that automate the management of local administrator privileges and control of applications on endpoints and servers. This unique combination of least privilege and application control can help organizations reduce the attack surface, protect against threats that have made their way inside, and alert security teams to potential in-process attacks – all without halting user productivity or overwhelming IT security teams.
To learn more about minimizing ransomware threats while achieving security and productivity with least privilege and application control, download this free eBook.