This article presents tips, strategies and alternatives to avoid or mitigate the effects of a ransomware attack in our organization.
What is ransomware?
According to Wikipedia's definition, ransomware ("data hijacking", as it is called in Spanish) is a type of malware that restricts access to certain parts or files of the infected operating system and demands a ransom in exchange for removing that restriction. Some types of ransomware encrypt operating system files, rendering the device unusable and coercing the user into paying the ransom.
This type of attack has become very common in recent years and is among the most damaging, because it causes the immediate and total loss of the victim's data (in the absence of backup copies).
General guidelines for users
- Never click on unverified links.
- Do not open attachments from strangers.
- Only download files from trusted sites.
- Never give personal data, much less credentials (username / password).
- Never connect third-party USB media.
- Never connect to public WiFi networks (without WPA2 security).
Using virtual desktops (which users access via RDP or another remote protocol) can be a comprehensive security solution, because it gives us total control over the security of the client terminals: we can apply whatever policies are necessary, together with the principle of least privilege, to minimize risk as far as possible.
On the other hand, users would no longer have to worry about setting up the applications and services used by CA, at the cost of our having to provide a more comprehensive technical support service.
However, the cost of deploying WVD (Windows Virtual Desktop) in Azure can be high. The WVD Pricing Guide (Windows Virtual Desktop) article works through a sample case of 10 users and estimates a total cost of more than $420 per month.
Advantages:
- Full control over workstations, which lets us apply the principle of least privilege and maximize security.
- Abstracts us away from the heterogeneous mix of client operating systems.
Disadvantages:
- High cost of the service (money).
- Service setup cost (hours of research, testing, setup and maintenance of the virtual desktops).
- Cost of internal support to our users (weekly support hours).
- GPO restrictions can be set to block not only ransomware but malware in general from being installed. GPO gives granular control over which files may execute on a system, so you can add rules that block executing files from common writable directories (ProgramData, AppData, Temp and Windows\SysWow) and prevent executables from running out of email attachments.
- Use antivirus software and keep it updated.
- Keep applications updated (browsers, mail clients, Java, Adobe, etc.).
- Remove administrative privileges from users.
- Configure the folder options so that file extensions are always shown (essential so that the user can distinguish a "disguised" executable).
- Disable Windows Script Host and Windows PowerShell.
- Disable macros and ActiveX in Office.
- Install a browser that blocks ads and pop-ups.
- Disable Autoplay.
- Disable Remote Desktop on the client (this prevents the attacker from taking control of the client operating system).
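The rule about always showing extensions exists so that a person can spot a disguised executable; the same check can be automated on a mail gateway or file server before the attachment ever reaches a desktop. The following Python is an added example, not code from the original article: the extension lists, the reason labels and the block/review/allow policy are constructed here and should be tuned to the organization's own policy.

```python
"""Attachment-name triage: the check behind 'always show extensions', done by a machine."""
from pathlib import PurePosixPath

# Constructed lists for this example; tune them to the organization's policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso"}
# Unicode bidirectional controls can make the displayed name differ from the real one.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def classify_attachment(name: str) -> dict:
    """Return a verdict ('block', 'review', 'allow') and the reasons behind it."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi-control")
    # Judge the name as the file system sees it, not as a viewer renders it.
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    raw_suffixes = PurePosixPath(cleaned).suffixes
    suffixes = [s.strip().lower() for s in raw_suffixes]
    if any(s != s.strip() for s in raw_suffixes):
        reasons.append("whitespace-padding")  # e.g. 'notes.txt      .bat' pushes the real extension out of view
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append("double-extension")  # e.g. 'invoice.pdf.exe'
    if "executable" in reasons or "bidi-control" in reasons:
        verdict = "block"
    elif reasons or (suffixes and suffixes[-1] in ARCHIVE_EXTS):
        verdict = "review"  # archives can wrap the cases above; inspect the contents first
    else:
        verdict = "allow"
    return {"name": name, "verdict": verdict, "reasons": reasons}


def triage(names) -> dict:
    """Group a batch of attachment names by verdict."""
    groups = {"block": [], "review": [], "allow": []}
    for n in names:
        groups[classify_attachment(n)["verdict"]].append(n)
    return groups


if __name__ == "__main__":
    # Constructed sample names, including the disguises the check is meant to catch.
    for n in ["report.docx", "invoice.pdf.exe", "notes.txt     .bat", "data.zip"]:
        print(classify_attachment(n))
```

The function deliberately decides on the real file name (controls stripped, whitespace trimmed, case folded) rather than on what a user sees, which is exactly the gap the "show extensions" setting closes on the desktop.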
Google Drive / Docs / G Suite
Encrypting Drive files with ransomware is a real threat, although its impact is smaller thanks to Drive's trash (many ransomware families delete the original files before creating the encrypted copy) and version control.
Google Drive has a change control mechanism that allows you to recover files to a previous version:
- View activity & file versions
It is unclear how many versions are kept, and for how long.
Beyond this, you can implement a periodic backup script (for example daily or weekly) that synchronizes the Drive files and uploads them to a third-party service or repository:
- Your backups to Google Drive automatically
- drive - drive is a tiny program to pull or push Google Drive files (written in Go)
Of course, this kind of solution must work in "pull" mode and asynchronously: the backup host fetches the files on its own schedule, and the clients have no credentials for the backup repository. This prevents an attacker who controls a client from reaching the backups.
Dropbox
With Dropbox the situation is the same as with Drive: it can be a tempting target for ransomware attacks.
There is also a CLI for Linux, developed by a third party and likewise written in Go (excellent):
- dbxcli: A command line tool for Dropbox users and team admins
The most important and basic way to mitigate the effect of these attacks is to have backups in the cloud. In the case of Drive / Dropbox, keep regular backups elsewhere (for example, in an AWS S3 bucket). If you do not have an alternative backup strategy, implement one as soon as possible so that you are covered when an attack occurs.
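The pull-and-keep-elsewhere strategy above has one weak spot: a scheduled job that blindly overwrites last night's copy with today's mirror will happily back up the encrypted files and discard the good ones. The following Python is an added example, not code from the article or from the `drive` and `dbxcli` projects. It covers the step that runs on the backup host after one of those tools has pulled the cloud files into a local mirror directory: it keeps time-stamped read-only snapshots and refuses to take a new one when the mirror looks mass-encrypted. The mirror and snapshot paths, the thresholds and the suffix list are this example's own assumptions; a POSIX backup host is assumed for the read-only permission bits, and pushing the accepted snapshot on to S3 (for example with `aws s3 sync`) is left as a separate step.

```python
"""Pull-side snapshot step for cloud-file backups, with a mass-change guard."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Suffixes often appended to encrypted files; a constructed list for this example.
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")


def fingerprint(root: Path) -> dict:
    """Map every file below root (relative POSIX path) to the SHA-256 of its content."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def assess(previous: dict, current: dict) -> dict:
    """Compare the last accepted snapshot with the freshly pulled mirror.

    changed_ratio: fraction of previously backed-up files now missing or altered.
    renamed_encrypted: files that reappear under a ransom-style suffix
    (for example 'report.docx' -> 'report.docx.locked').
    """
    if not previous:
        return {"changed_ratio": 0.0, "renamed_encrypted": 0}
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    renamed = sum(
        1 for rel in current
        if rel.endswith(RANSOM_SUFFIXES) and rel[: rel.rfind(".")] in previous
    )
    return {"changed_ratio": changed / len(previous), "renamed_encrypted": renamed}


def take_snapshot(mirror: Path, backups: Path, keep: int = 7,
                  max_changed_ratio: float = 0.5) -> dict:
    """Copy the mirror into a new time-stamped, read-only snapshot unless it
    looks mass-encrypted. Old snapshots are pruned only after a new one was
    accepted, so a refused run leaves every earlier copy untouched."""
    backups.mkdir(parents=True, exist_ok=True)
    history = sorted(d for d in backups.iterdir() if d.is_dir())
    previous = fingerprint(history[-1]) if history else {}
    verdict = assess(previous, fingerprint(mirror))
    if verdict["changed_ratio"] > max_changed_ratio or verdict["renamed_encrypted"] > 0:
        # Refuse: keep the last good copies and let an operator look at the mirror.
        return {"accepted": False, "snapshot": None, "kept": len(history), **verdict}
    dest = backups / datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%f")
    shutil.copytree(mirror, dest)
    for p in dest.rglob("*"):
        if p.is_file():
            p.chmod(0o444)  # a stray write on the backup host fails (POSIX host assumed)
    history.append(dest)
    for old in history[:-keep]:
        shutil.rmtree(old)
    return {"accepted": True, "snapshot": dest.name, "kept": len(history[-keep:]), **verdict}


def demo() -> dict:
    """Three runs against a constructed mirror: baseline, one edit, simulated encryption."""
    root = Path(tempfile.mkdtemp())
    mirror, backups = root / "mirror", root / "snapshots"
    mirror.mkdir()
    for i in range(10):
        (mirror / f"report{i}.docx").write_text(f"quarterly figures {i}\n")
    first = take_snapshot(mirror, backups)    # baseline: accepted
    (mirror / "report0.docx").write_text("revised figures\n")
    second = take_snapshot(mirror, backups)   # one edited file (10%): accepted
    for p in list(mirror.glob("*.docx")):     # what a pulled mirror looks like after encryption
        p.with_name(p.name + ".locked").write_bytes(hashlib.sha256(p.read_bytes()).digest())
        p.unlink()
    third = take_snapshot(mirror, backups)    # refused; both earlier snapshots remain
    shutil.rmtree(root)
    return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    for run, result in demo().items():
        print(run, result)
```

Two design choices carry the security value: snapshots are append-only from the job's point of view (the mirror is copied, never synced over an existing snapshot), and the guard compares against the last accepted snapshot rather than against the live cloud account, so a compromised client cannot influence what counts as "normal".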
An alternative to WVD would be to define security policies and implement a security script for Windows user environments. This is for the case in which we do not have a network of corporate workstations, but rather each user works on their own hardware.