Guest Column | November 20, 2015

How CryptoLocker Has Been Good For The Industry

By Ian Trump, Security Lead, MAXfocus

Ian Trump is a fan of ransomware; not because of what it does but because of how it’s refocused our attention on security. Here he offers four quick wins that will help you build a hard-to-hack fortress.

15:36 Yellow Dog Tavern, Winnipeg, Manitoba, Canada: CryptoLocker 4.0 is the current topic of conversation, mostly due to my PR team and content team asking for something and because I’m a fan of ransomware. Let me be clear here: I’m not a fan of what ransomware unleashes on countless IT admins and MSPs, but as an advocate of layered security I believe it’s done four really important things for our industry:

  • It’s demonstrated the failings of single security solution thinking;
  • It [a ransomware outbreak] has provided a tangible, identifiable indicator of how “you could be doing a better job” for your customers;
  • It’s shown that a managed services provider (MSP) or IT admin not taking this threat seriously is going to lose customers or jobs; and
  • It’s provided us with a frontline test of our skills — if your defenses can ward off the latest ransomware, you can probably face down the worst the Internet can throw at you.

One way to look at the ransomware story is to talk about the customers that are not getting infected, and examine what they are doing right. The most important take-away here is that there are things — really inexpensive things — you can do to avoid a nasty encounter with ransomware. Here’s my advice:

Reduce The Attack Surface.

To understand why this is such an effective defense, we need to understand the ecology of a CryptoLocker infection. It really comes in two parts: the exploit and the payload. The exploit (typically an exploit kit served from a compromised or malicious web page) looks for software vulnerabilities to attack, more often than not in programs such as Java, MS Office, Silverlight, Shockwave, Adobe Reader, QuickTime and (my personal favourite) Adobe Flash. When it finds one, it unleashes the payload. If you can provide a business computing environment that is free from all, or even some, of these commonly exploited bits of software, you are well on your way to shutting out the bad guys. Granted, it’s hard to go MS Office free; but that brings me to my next point.
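Before you can remove the exploit kits’ favourite targets you need to know where they are installed. The following PowerShell inventory is an added example (not part of the original column and not a MAXfocus tool): it reads the same Uninstall registry keys that “Programs and Features” uses and reports any product whose name matches the list above. The name patterns and the output columns are this example’s own choices.

```powershell
# Added example: inventory the software exploit kits most often target,
# so it can be removed or put first in the patch queue. Reads the Uninstall
# keys that "Programs and Features" uses; the name patterns below are this
# example's choice, not an official list.

$targets = 'Java', 'Silverlight', 'Shockwave', 'Adobe Reader', 'Acrobat Reader',
           'QuickTime', 'Adobe Flash'

$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs by the logged-on user
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName } |
  ForEach-Object {
    $name = $_.DisplayName
    # first target pattern that matches this product name, if any
    $hit  = $targets | Where-Object { $name -like "*$_*" } | Select-Object -First 1
    if ($hit) {
      [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Target    = $hit
        Product   = $name
        Version   = $_.DisplayVersion
        Installed = $_.InstallDate
        Uninstall = $_.UninstallString   # the command to run (add the vendor's silent switch) to remove it
      }
    }
  }

if ($found) {
  $found | Sort-Object Target, Product | Format-Table -AutoSize
} else {
  "No exploit-kit favourites found on $env:COMPUTERNAME"
}
```

Save it as a script and run it across the fleet with `Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\inventory.ps1` (WinRM must be enabled on the targets); the `Version` column is what you compare against the vendor’s current release when deciding what to patch rather than remove. Office and Internet Explorer are deliberately left off the list because you cannot realistically uninstall them; they belong under the patching point instead.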

Patch And Update Aggressively.

Unless you’re going up against really sophisticated cybercrime gangs or foreign intelligence services that are packing 0-Day attacks, the chances are that a weekly patching schedule will keep software up-to-date and prevent an exploit package from finding vulnerabilities through which to gain a foothold. If you have a large number of computers to look after, you will want an automated tool to do this. You may also want to hire a cybersecurity intern to stay on top of rolling out weekly patches; just don’t forget to feed them.

Remove Administrative Rights.

Many of my more learned readers will be quick to point out that CryptoLocker will still run and ruin your day without administrative rights, because it only needs to write to the files the user can already write to. And that’s true. However, what removing administrative rights does is prevent a user from deliberately, or accidentally, installing a program or changing a configuration and making themselves vulnerable. In order for an exploit package to target and successfully exploit Adobe Flash, you must have Adobe Flash installed on that machine. Preventing your users from deciding to install Flash after you’ve carefully removed it can only be a good thing.

Install Free Tools.

Who does not like free stuff? Here are two programs you shouldn’t be without:

  1. Cryptowall Vaccine — This piece of software sits side by side with your antivirus and performs a key function, which can of course be duplicated with a GPO (a Software Restriction Policy path rule) or an NTFS permission change. The immunization feature prevents software downloaded by the exploit package from executing out of %appdata% and the user’s Startup folder, two locations where ransomware and other malware land their payload.
  2. Enhanced Mitigation Experience Toolkit (EMET) — This Microsoft package forces exploit mitigations such as DEP, ASLR and SEHOP onto applications that don’t opt into them, helping protect against new and undiscovered threats even before they are formally addressed through security updates or antimalware signatures. (Microsoft has since retired EMET; the same mitigations are built into Windows 10 version 1709 and later as Exploit Protection.)
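If you would rather not depend on a third-party tool, the “GPO” route mentioned under item 1 is a Software Restriction Policy. The PowerShell below is an added example, not the vaccine’s code and not a MAXfocus script: it writes the same registry keys that the Software Restriction Policies GPO editor writes, as local policy, denying execution from %AppData%, %LocalAppData% and the per-user Startup folder. The path patterns, descriptions and file-type list are this example’s choices; run it as Administrator on a test VM first.

```powershell
# Added example: local Software Restriction Policy (SRP) deny rules for the
# folders where exploit-kit payloads land. Same registry layout the SRP GPO
# editor uses. Path patterns and descriptions are this example's choices.
# Run elevated on a test machine before rolling out.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"        # subkey 0 = "Disallowed" security level

# Policy container with sane defaults: everything allowed unless a rule says otherwise
New-Item -Path $disallowed -Force | Out-Null
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 0x40000 -Type DWord   # 0x40000 = Unrestricted
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1       -Type DWord   # 1 = enforce on executables, not DLLs
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0       -Type DWord   # 0 = all users, admins included
# Designated file types SRP evaluates (the GPO editor's default list is longer)
Set-ItemProperty -Path $base -Name 'ExecutableTypes' -Type MultiString `
  -Value @('EXE','COM','PIF','SCR','BAT','CMD','VBS','JS','WSF','HTA','CPL','MSI','LNK')

# Deny rules: %AppData% root and one level down, same for %LocalAppData%,
# plus the per-user Startup folder used for persistence.
$rules = @{
  '%AppData%\*.exe'                                               = 'Block EXE in AppData root'
  '%AppData%\*\*.exe'                                             = 'Block EXE one level under AppData'
  '%LocalAppData%\*.exe'                                          = 'Block EXE in LocalAppData root'
  '%LocalAppData%\*\*.exe'                                        = 'Block EXE one level under LocalAppData'
  '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe' = 'Block EXE in per-user Startup'
}

foreach ($path in $rules.Keys) {
  $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
  $key  = New-Item -Path "$disallowed\$guid" -Force
  Set-ItemProperty -Path $key.PSPath -Name 'ItemData'     -Value $path            -Type ExpandString
  Set-ItemProperty -Path $key.PSPath -Name 'SaferFlags'   -Value 0                -Type DWord
  Set-ItemProperty -Path $key.PSPath -Name 'Description'  -Value $rules[$path]    -Type String
  Set-ItemProperty -Path $key.PSPath -Name 'LastModified' -Value (Get-Date).ToFileTime() -Type QWord
}

# Quick check: drop a known-good EXE into %AppData% and try to launch it.
# SRP should refuse and log an event from the "Software Restriction Policies"
# source in the Application log.
Copy-Item "$env:SystemRoot\System32\calc.exe" "$env:AppData\srp-test.exe" -Force
try {
  Start-Process "$env:AppData\srp-test.exe" -ErrorAction Stop
  Write-Warning 'srp-test.exe ran: policy not enforced yet (log off and on, or run gpupdate /force)'
} catch {
  "Blocked as expected: $($_.Exception.Message)"
}
Remove-Item "$env:AppData\srp-test.exe" -Force -ErrorAction SilentlyContinue
```

Expect collateral damage: applications that install per-user (Dropbox, Spotify, some vendors’ update stubs) live under exactly these paths. Either install them per-machine or add matching path rules under the Unrestricted subkey (`$base\262144\Paths`, same value layout) before pushing the policy out; and keep a note of the rule GUIDs so a single `Remove-Item` can roll one back.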

These four free strategies are going to take some time and effort to roll out, but when combined with your costlier software like managed antivirus, web protection (for ransomware delivered by drive-by download) and mail protection (for ransomware delivered as an email attachment), you really are building a hard-to-hack fortress.

Of course, no defence-in-depth strategy is foolproof; despite your best efforts, something “bad” may get through. If you’re executing on all the above suggestions and have good tools in place, then your risk is low. But remember, the rock star IT admins and MSPs know that one thing is essential in the fight against ransomware: a good, consistent backup, kept offline or versioned, because CryptoLocker encrypts everything the infected user can write to, mapped network drives and attached backup disks included. Prepare for the worst and hope for the best: great words to live by if you are in the IT business.

Ian Trump is security lead at LOGICnow. You can follow Ian on Twitter at @phat_hobbit