Ransomware, part 3: make a security plan

I have to say this is a rewarding article series: since I wrote part 2 I have spoken to so many people about this. Everybody knows someone or some company that has had issues with ransomware. Everybody is wondering how to control ransomware, what tools are there to help us, who has the expertise to help me? It might seem to some that there are no solutions to help you, but that’s not completely true; let’s get into that. So don’t pay the ransom: make a security plan and prevent infection.


One tool or a mix of tools?

In the past, with classic viruses, we would rely on one solution: a virus scanner on the desktop, a virus scanner on the mail server and so on. That would make sure we stayed clean, wouldn’t it? A firewall to keep the bad guys from coming in would do the rest. But what if the virus you are receiving is not a virus but a routine that will execute like a program or something similar? What if the old-school virus scanner can’t detect this routine coming in because it was looking for virus patterns instead? How should we deal with that?

To make it clear, I think you still need a virus scanner on your desktop, file server, mail server and so on; it’s not like the less-bad guys are gone. Without a virus scanner many more infections would take place, and we all know how much time it took us in the past to clean an infected network.

These new threats, infections 2.0 or 3.0, ask for detection, prevention, auditing and control on different segments of your network. A firewall and a virus scanner alone are not enough. Let’s go a bit deeper into this.

As I wrote in part 2 of the article on ransomware – link – ransomware is activated in various ways. Some are as simple as a few files that look (they think so) like e.g. firefox.exe and are installed in the profile’s temp folder (a location the user has rights to). Others are far more advanced and come in when you watch a stupid video: it stays in memory and will call a local trusted file to start the infection. Others are even more advanced and know that you have a backup that you can restore, so they wait and let you back up the infection along with the good files. Once it is activated and you restore, it will activate again and again until your backup is useless and you have nothing left to do but pay. The latest version I know of uploads part of the files, or all of them, to a remote location so they can release them when you don’t pay.

As you see, there is so much out there and so many methods that surely no single tool can capture it all. If you think about it you know that you can’t make do with a firewall and virus scanner alone. Let’s break this down a bit:

Desktop and the user

The problem is with the user: they click on things, they open files, so they cause the infection. We can’t, I think, do anything about that. The only thing we can do about users opening every G^&$%amn thing on the Internet is educate them about the risks. So do that: make sure your users know about the risks of infection.

So if we can’t control what the user is doing, we have to look at how we can manage, monitor and prevent infection on the desktop they work on. Users will open files, videos, music and more from the Internet; they will receive e-mail attachments and open Word documents on the desktop. All these files are security risks, as any of them can hold a routine that will infect your computer.

If you look at Word documents, they often have embedded macros that they “need” to work properly. If you get a Word document as an attachment and, when the document is opened, a bar is displayed saying that you need to enable macros, you have a security risk.

So what can we do to protect the desktop? On the desktop we need to run the following solutions (not naming names, but solutions):

  • Anti virus scanner
  • Ransomware detection scanner (perhaps integrated with AV)
  • User Environment Management (UEM) with security
  • Firewall

The UEM solution should have a security module and the ability to block files, folders and file types, so that certain types of files are never allowed to be started from a user context. If you look at .JS or .COM, .VBS, .HTM and so on, these can be blocked without any issue. This won’t have a negative effect on the users, as all applications and files they need to work with are authorized. Any not-recognized file that is not authorized will be blocked and can’t infect your system.
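To show what that authorization rule looks like as a decision, here is an added example (not code from the article or from any UEM product): a default-deny launch check that blocks the listed file types, only passes an application when both its path and its SHA-256 match the authorization list, and so refuses the look-alike firefox.exe dropped in the profile temp folder from part 2. The sample binary bytes, the temp-folder markers and the authorization list are constructed for the example.

```python
import hashlib
from pathlib import PureWindowsPath

# File types the article says should never start from a user context.
BLOCKED_EXTENSIONS = {".js", ".com", ".vbs", ".htm"}

# Path fragments that mark user-writable locations (constructed for this example);
# the profile temp folder is where the article's fake firefox.exe gets dropped.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed stand-in for the real firefox.exe bytes; a real deployment would
# hash the installed binary instead.
FIREFOX_SAMPLE = b"MZ\x90\x00constructed-firefox-sample"

# Authorization list: normalised path -> SHA-256 of the approved binary.
AUTHORIZED = {
    "c:\\program files\\mozilla firefox\\firefox.exe": hashlib.sha256(FIREFOX_SAMPLE).hexdigest(),
}


def evaluate_launch(path: str, content: bytes) -> tuple:
    """Decide whether a user-context launch of `path` (file bytes `content`) is
    allowed. Returns (allowed, reason). Default is deny: only listed path+hash pairs pass."""
    normalised = path.lower()
    extension = PureWindowsPath(normalised).suffix

    # Hurdle 1: blocked file types never run from a user context.
    if extension in BLOCKED_EXTENSIONS:
        return False, f"blocked file type {extension}"

    digest = hashlib.sha256(content).hexdigest()

    # Hurdle 2: an authorised path must also carry the authorised content,
    # so a tampered or replaced binary at the right path still fails.
    if normalised in AUTHORIZED:
        if AUTHORIZED[normalised] == digest:
            return True, "authorised application"
        return False, "hash mismatch for authorised path"

    # Hurdle 3: the same file name in a user-writable folder is the look-alike case.
    if any(marker in normalised for marker in USER_WRITABLE_MARKERS):
        return False, "unauthorised executable in user-writable location"

    # Everything else is not recognised, so it is not allowed.
    return False, "not on authorisation list"
```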

But there is a catch here, otherwise this would be THE solution: it’s done from the user sphere, so only actions done by the user will be detected. What if the threat is coming in at a different level? Some UEM solutions will be able to detect that, but others won’t. What if the threat comes in, in memory, and only contacts the system at the last moment; will UEM be too late? So you need more.

You need machine-level solutions next to UEM to detect differences in memory, in file access and in behaviour. These solutions often come with the anti-virus solution for the desktop, like with Trend Micro, but also as a separate product like Palo Alto Traps. These are early detection systems that will stop the threat before it has the ability to try to access your system and before it infects.
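As an added illustration of the file-access and behaviour side of such detection (example code, not from the article or from the products it names), this detector flags a process that rewrites several files inside a short window with high-entropy content and a changed extension, while a backup tool writing compressed archives or Word saving one document stays clear. The thresholds and the sample events are constructed for the example; real products combine more signals than this.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or compressed data sits near 8
WINDOW_SECONDS = 10.0    # sliding window per process
SUSPICIOUS_WRITES = 5    # flag on the 5th suspicious write inside the window

@dataclass
class WriteEvent:
    ts: float       # seconds since monitoring started
    process: str    # image name of the writing process
    old_name: str   # file name before the write
    new_name: str   # file name after the write (differs on rename)
    data: bytes     # bytes written

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext documents stay well below 7."""
    counts, total = [0] * 256, len(data)
    for byte in data:
        counts[byte] += 1
    return -sum(c / total * math.log2(c / total) for c in counts if c)

class BehaviourDetector:
    """Flags a process that mass-rewrites files with encrypted-looking content and new extensions."""

    def __init__(self) -> None:
        self._recent = defaultdict(deque)  # process -> timestamps of suspicious writes

    def observe(self, ev: WriteEvent) -> bool:
        ext_changed = ev.old_name.rsplit(".", 1)[-1] != ev.new_name.rsplit(".", 1)[-1]
        if not (ext_changed and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD):
            return False  # one renamed or one high-entropy file alone is normal use
        window = self._recent[ev.process]
        window.append(ev.ts)
        while ev.ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        return len(window) >= SUSPICIOUS_WRITES

def flagged_processes(events) -> set:
    detector = BehaviourDetector()
    return {ev.process for ev in events if detector.observe(ev)}

# Constructed sample events: RANDOMISH scores entropy 8.0, the memo text far less.
RANDOMISH = bytes(range(256)) * 4
SAMPLE_EVENTS = (
    [WriteEvent(t, "cryptor.exe", f"doc{t}.docx", f"doc{t}.docx.locked", RANDOMISH) for t in range(6)]
    + [WriteEvent(t, "backup.exe", f"set{t}.zip", f"set{t}.zip", RANDOMISH) for t in range(6)]
    + [WriteEvent(3.0, "winword.exe", "memo.docx", "memo.docx", b"Quarterly memo text. " * 40)]
)
```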

Nothing is foolproof, so that’s why you need more solutions. It’s like creating multiple hurdles for the threat to take, so that one of them will succeed in stopping it. Think of an aircraft carrier that has two cables to catch a plane: if the first one fails there is one more to do the job. Here the first hurdle is the firewall, with default access rules, perhaps even combined with VMware NSX to take it to the next level. The next hurdle is the virus scanner and the ransomware detection tool, which will take out the biggest part of it, but some might look like a real program.

The last hurdle is the user side: with UEM you determine what they can do and what they can’t. There are several best practices to keep to, like not allowing USB drives to be connected and configuring security with UEM. There are more, but I will tell about that a bit later.


The firewall is the part of the security plan that is most often forgotten; the firewall is seen as a dumb thing that can only allow or disallow traffic to external sites or coming in. But if you think about it for a minute, that is pretty powerful: if you look at much of the ransomware and other trash that can hurt your business, it will connect to foreign locations. Sites are located in China or Russia or some other far, far away country, for instance. Now if you don’t do business in those areas, why would your users need access to sites in those countries?

So a simple step towards more security is to block access to e.g. Chinese and Russian sites altogether; any ransomware that gets installed and tries to call home is denied that access, and your files won’t be uploaded.

I hear you think: but what if a user wants to order something from a Chinese site? Ask yourself: is it for business or not? If it is for business reasons, provide them with a virtual machine with no drive mappings etc. to do that job; don’t open the firewall for this one occasion.

Next to these manual steps in which you configure the firewall, there are several tools that learn from a central database. If a user is downloading a file, that solution will know if the file is secure. The problem with this solution is that someone is the first one to get the file, and only after a number of infections will the alert status be there. So it will work, but only after systems have been infected, just like a new virus in the old days. Together with the other solutions this of course makes a great combo. Every known infected file is blocked from downloading before it enters your network.

A few more things

There are a few more obvious things you need to do:

  • Update with the latest security patches
  • Don’t use Flash if you don’t need to, and otherwise update it with security patches
  • Don’t use Java if you don’t need to
  • Don’t allow access to unneeded Windows functionality (icacls, extrac32 etc.)
  • Install ad blockers so users are not tempted by that crap


Of course there are many more components that need attention: Exchange servers, file servers etc. etc… I’m sure you get the idea that you need to make a plan, a security plan I call it. In that plan you need to draw your network and decide what protection you use where and what backup/restore strategy you use. How do you make sure your backup is safe? One tip: take it offline. Look at a decent UEM solution, and lock down the desktop so unnecessary functions that could cause a risk are disabled. Update your systems and make sure the security patches are there, as well as a good virus scanner.

04 May 2016 04-20-58

As said in the previous articles, I’m, like many, on a learning trip to learn how to fight this new threat. I hope my articles help you gain awareness and perhaps new ideas.
