Ransomware, once an occasional nuisance, evolved into a significant threat for agencies and IT teams worldwide this year.
The WannaCry worm infected hundreds of thousands of computers in May, preventing access to their files until users paid ransoms. In June, a new version of the Petya ransomware worm spread quickly, exploiting the same vulnerability that WannaCry abused. Unfortunately, Petya wasn’t capable of restoring access to infected computers. This form of ransomware, known as wiperware, makes each infected device unusable even if the user pays up.
To date, wiperware and other forms of ransomware have caused little damage to federal agencies. In the case of WannaCry, most agencies had already migrated from unsupported versions of Windows to newer systems with patches that stopped the worm in its tracks. IT leaders were also prepared to rapidly deploy missing patches.
While this approach is commendable, and successful thus far, it’s by no means a full solution. Most ransomware attacks rely on social engineering and user interaction, not merely automated worm techniques. That means leaning on patch deployment during the next major ransomware attack may not be enough.
To better protect their systems for the future, agencies can take these additional steps.
1. Endpoint Protection Keeps Networks Safe
Ransomware targets endpoints and, as a result, IT leaders should protect endpoints through a variety of security controls. For example, an endpoint protection suite bundles advanced anti-malware, anti-spam, anti-phishing and firewalling capabilities for desktops and laptops. These packages also frequently use reputation services or threat intelligence feeds to determine the likely intent of a file. In short: Is this ransomware?
Unified threat management (UTM) solutions offer similar anti-ransomware features as endpoint protection suites, but instead provide safeguards for servers.
Together, endpoint protection suites and UTM solutions can stop many ransomware threats, including those spread by email, websites or instant messaging. These tools deny the worms the opportunity to infect the endpoint in the first place.
For even stronger protection, some agencies may want to deploy anti-malware, anti-spam and anti-phishing controls in conjunction with its email servers. This approach is particularly helpful for those networks that do not centrally manage endpoints, because it prevents attackers from reconfiguring or even disabling endpoint-based security controls.
2. Prevent Ransomware with Vulnerability Management
The next layer of defense in preventing ransomware infection is vulnerability management, which requires IT leaders to focus on patch management and configuration management.
Patch management includes updating an endpoint’s operating system and applications, especially email clients and web browsers, to eliminate many of the vulnerabilities that ransomware might try to infect. This protection strategy has been instrumental in agencies’ success against WannaCry to date, and it will undoubtedly continue to be critical in the future. Agency officials should ensure their patch management practices go beyond operating systems and cover the very applications that ransomware may target.
IT leaders will also want to double-down on configuration management. Some ransomware takes advantage of weak security configuration settings. For example, if an operating system allows silent installation of new software and a user has logged on with full administrative privileges, ransomware could infect an endpoint without that person having any opportunity to stop it. Agencies should create, use and maintain security configuration checklists for their endpoint operating systems and major applications. To prevent ransomware infection, these checklists should center on fundamental security principles, such as providing users the least amount of privilege necessary.
3. The Last Line of Defense: Application Whitelisting
If other security controls don’t stop the ransomware, the last layer of defense is application whitelisting. With this technique, an operating system only allows an executable to run if the agency has specifically approved its use. Depending on the whitelisting technology, an agency grants executables permission to run based on methods such as file hash or software vendor identity. In some cases, the software only authorizes new executables to run if they were acquired by the operating system’s built-in update feature.
Even if a user is tricked into downloading and installing ransomware, whitelisting technology prevents the user from running it, regardless of their privileges.
However, to be truly effective, whitelisting must be kept up to date. Any errors in its configuration could inadvertently prevent legitimate software from running or mistakenly allow ransomware or other malware to spread. Agencies should carefully evaluate whitelisting solutions and, whenever feasible, run them in a monitor-only mode at first to confirm proper operation before enforcing whitelisting policies.