Pete Greenwood, Senior IAM Consultant, SecureITsource, Inc.
WannaCryptor Ransomware Overview
While many Americans signed off their workstations on Friday, May 12th to enjoy Mother's Day weekend with their families, a fresh malware variant was released into the wild. A massive ransomware attack named WannaCryptor (aka Wanna-Cry) was launched against organizations worldwide, using a known vulnerability in the Microsoft Windows SMB (Server Message Block) protocol to spread a ransomware payload and affecting over 200,000 systems in 150+ countries. The Windows SMB protocol provides an authenticated inter-process communication mechanism and is generally used for sharing resources between networked nodes. Wanna-Cry used the SMB exploit to create a worm that moves through the network over port 445, infecting one machine after another with its ransomware payload.
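The worm behaviour described above has a simple network signature: one internal host opening SMB connections to many distinct internal peers in a short time. The following detector is an added example (not code from the article or from SecureITsource) that runs over a constructed connection log in a hypothetical "epoch src dst port action" format; the IP ranges, log lines, window and threshold are assumptions a deployment would replace with its own.

```python
"""Flag worm-like SMB fan-out in a connection log (added example).

Assumed log format, one event per line: "<epoch> <src_ip> <dst_ip> <dst_port> <action>".
A host that reaches many distinct internal peers on TCP 445 inside a short
window is behaving like the Wanna-Cry spreader, whether or not the peer
accepted the connection (denied attempts are still evidence of a sweep).
"""
from collections import defaultdict
import ipaddress

# Constructed sample traffic (not real data). 10.0.1.20 sweeps port 445;
# 10.0.2.5 talks repeatedly to a single file server, which is normal.
SAMPLE_LOG = """\
1494633600 10.0.1.20 10.0.1.21 445 allow
1494633601 10.0.1.20 10.0.1.22 445 allow
1494633601 10.0.1.20 10.0.1.23 445 allow
1494633602 10.0.1.20 10.0.1.24 445 deny
1494633602 10.0.1.20 10.0.1.25 445 allow
1494633603 10.0.1.20 10.0.1.26 445 allow
1494633610 10.0.2.5 10.0.1.7 445 allow
1494633611 10.0.2.5 10.0.1.7 445 allow
1494633612 10.0.3.9 10.0.1.50 3389 allow
1494633650 10.0.1.20 10.0.1.27 445 allow
"""

# Assumed internal address space; adjust to the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Split one log line into (epoch, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_smb_fanout(log_text, window=60, threshold=5, port=445):
    """Return {src_ip: sorted distinct internal peers} for every source that
    contacted at least `threshold` distinct internal hosts on `port` within
    any `window`-second span. An empty dict means nothing worm-like was seen."""
    events = defaultdict(list)  # src -> [(epoch, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, p, _action = parse_line(line)
        if p == port and is_internal(src) and is_internal(dst):
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; first window over threshold alerts.
        for i, (t0, _dst) in enumerate(evs):
            peers = {d for t, d in evs[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = sorted(peers)
                break
    return alerts


if __name__ == "__main__":
    for src, peers in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT possible SMB worm: {src} -> {len(peers)} peers on 445: {peers}")
```

The window and threshold are tuning knobs: a file server or a vulnerability scanner will legitimately fan out on 445, so a production rule would carry an allow-list of such hosts and raise the threshold for them rather than suppress the rule.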
Although Microsoft released Security Bulletin MS17-010 and pushed an update to patch this vulnerability on March 14th, hundreds of thousands of machines remain unpatched today. Why are widely reported, patched, critical security vulnerabilities not being promptly remediated on affected endpoints? The answer is enterprise patch management policy. The argument for and against promptly rolling out Microsoft patches or subscribing to automatic updates has been debated for years, and I will not pretend to know the right answer for your particular company. In this instance, a patched machine would not have allowed the spread of this ransomware, greatly reducing the fallout. Additionally, if you are running an EOL/EOS OS such as Windows 2003 or XP in the enterprise, the public sector, or your home for that matter in 2017, then you are the low-hanging fruit and will continue to be targeted by ransomware. Now on to how we stop this alarming trend of targeting institutions such as hospitals with ransomware.
To effectively protect against malicious file encryption caused by ransomware, organizations should implement a combination of secure backup policy, least privilege access, and application greylisting.
1. Secure your Enterprise backup strategy
The availability of virtual server and workstation environments in the cloud and on-premises creates an opportunity to easily back up entire systems using snapshots. Making sure there is a secure destination for these snapshots is of the utmost importance, because ransomware will attempt to encrypt all drives attached to an infected machine. Enterprise SAN and NAS solutions provide the scalable, flexible, and highly available storage that is necessary in this day and age; however, they have one thing in common: they provide an attack vector for criminals due to their dependence on the enterprise network infrastructure. If traditional cold storage is not a viable option for securing backups, then access to these systems should be tightly secured. Connections to your SAN, NAS, cloud resources, or ESXi clusters need to be completely isolated from a potentially infected machine. These connections also need to be monitored, recorded, and, most importantly, secured. Using industry-proven best practices, the CyberArk Privileged Account Security suite of products can provide solutions to all of the above without sacrificing productivity. If organizations secure their system backups and implement a privileged access solution, recovering from a ransomware attack will be much less painful.
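Isolating the backup destination is only half of the job; before restoring from a snapshot you also want proof that the ransomware did not reach it. The script below is an added example (not code from the article, CyberArk or SecureITsource) of the check a practitioner would run: record a SHA-256 manifest when the snapshot is taken, store the manifest away from the snapshot, and later diff the snapshot against it. The directory layout, file names and simulated damage are all constructed for the demonstration.

```python
"""Verify a backup snapshot against a manifest taken when it was created (added example).

Encrypting ransomware replaces file contents and usually drops a note, so a
clean manifest comparison (no modified, missing or added files) is the quick
"is this backup still usable?" gate before a restore.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(snapshot_dir) -> dict:
    """Map every file in the snapshot (relative POSIX path) to its SHA-256."""
    root = Path(snapshot_dir)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, manifest_path) -> None:
    # Store the manifest OUTSIDE the snapshot (cold storage or a write-once
    # location) so malware that reaches the snapshot cannot rewrite it too.
    Path(manifest_path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def verify_snapshot(snapshot_dir, manifest_path) -> dict:
    """Return {'modified': [...], 'missing': [...], 'added': [...]}.
    All three lists empty means the snapshot matches the manifest exactly."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(snapshot_dir)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def demo() -> dict:
    """Constructed scenario: take a snapshot, then simulate ransomware touching it."""
    work = Path(tempfile.mkdtemp(prefix="snapcheck_"))
    try:
        snap = work / "snapshot"
        (snap / "finance").mkdir(parents=True)
        (snap / "finance" / "ledger.csv").write_text("acct,amount\n1001,42.00\n")
        (snap / "readme.txt").write_text("quarterly backup\n")
        manifest = work / "snapshot.manifest.json"   # kept beside, not inside, the snapshot
        save_manifest(build_manifest(snap), manifest)

        # Simulated damage: one file's content replaced with random bytes,
        # one file deleted, and a ransom note dropped into the tree.
        (snap / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (snap / "readme.txt").unlink()
        (snap / "PLEASE_READ_ME.txt").write_text("your files are encrypted\n")
        return verify_snapshot(snap, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A non-empty result is a stop signal for the restore, and the same manifest can be re-verified on a schedule so tampering is noticed long before anyone needs the backup.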
2. Implement Application Control Greylisting
Application control is not a new market offering by any stretch of the imagination. However, moving away from the traditional endpoint security model of blacklisting to a more secure whitelisting approach has been a source of concern to prospective adopters when faced with the potential fallout from business users after implementation. The deluge of help desk calls every time a user needs to run a program that didn't make it onto the whitelist, or the sheer loss of productivity from such a change in policy, can be intimidating. This is exactly the use case that application greylisting addresses.
Application greylisting allows unknown applications to be run in restricted mode – with limited access to files and data, no internet access and no access to network shares or servers. CyberArk’s Endpoint Privilege Manager (EPM) offers application whitelisting, blacklisting, and greylisting with granular controls. CyberArk Labs tested the combination of least privilege and application greylisting controls against the Wanna-Cry ransomware and found that in 100% of attempts, endpoint files were not encrypted due to controls in place at the file system level. Application greylisting is the perfect solution to protect against ransomware threats while also allowing end-users to install and use software required for business purposes.
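To make the three-way model concrete, here is an added example of a small policy evaluator (my own illustration, not CyberArk EPM's logic or code) that applies the rules described above: blacklisted binaries never run, whitelisted or trusted-publisher binaries run normally, and anything unknown runs in restricted mode with no network share, server or internet access and file writes confined to a scratch area. The hashes, publisher names, paths and action names are constructed placeholders.

```python
"""Whitelist / blacklist / greylist decision logic for application control (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"        # whitelisted: runs with the user's normal rights
    BLOCK = "block"        # blacklisted: never runs
    RESTRICT = "restrict"  # unknown: runs, but in restricted (greylist) mode


@dataclass(frozen=True)
class Process:
    name: str
    sha256: str                 # constructed placeholder digest, not a real hash
    publisher: Optional[str]    # code-signing publisher, None if unsigned


# Constructed policy. A real deployment keys trust on verified signatures and
# real digests; names are deliberately NOT used because they are trivial to spoof.
POLICY = {
    "blacklist_hashes": {"sha256:deadbeef"},
    "whitelist_hashes": {"sha256:0ff1ce"},
    "trusted_publishers": {"Microsoft Corporation"},
    # The only locations a restricted process may write to.
    "restricted_write_prefixes": (r"C:\Users\alice\AppData\Local\Temp",),
}

# Actions a restricted process is never granted.
RESTRICTED_DENIED_ACTIONS = {"network_share", "server", "internet"}


def classify(proc: Process, policy=POLICY) -> Verdict:
    """Blacklist takes precedence, then explicit or publisher trust, else greylist."""
    if proc.sha256 in policy["blacklist_hashes"]:
        return Verdict.BLOCK
    if proc.sha256 in policy["whitelist_hashes"] or proc.publisher in policy["trusted_publishers"]:
        return Verdict.ALLOW
    return Verdict.RESTRICT


def permitted(proc: Process, action: str, target: Optional[str] = None, policy=POLICY) -> bool:
    """Decide one request. action is one of:
    'execute', 'file_write' (target = path), 'network_share' (target = UNC path),
    'server' (target = host) or 'internet'."""
    verdict = classify(proc, policy)
    if verdict is Verdict.BLOCK:
        return False
    if verdict is Verdict.ALLOW:
        return True
    # Restricted mode: the process may run and touch its scratch area, nothing else.
    if action in RESTRICTED_DENIED_ACTIONS:
        return False
    if action == "file_write":
        prefixes = tuple(p.lower() for p in policy["restricted_write_prefixes"])
        return target is not None and target.lower().startswith(prefixes)
    return action == "execute"


if __name__ == "__main__":
    unknown = Process("unknown_dropper.exe", "sha256:1234abcd", None)
    for action, target in [("execute", None),
                           ("file_write", r"C:\Users\alice\Documents\report.docx"),
                           ("network_share", r"\\fileserver\finance"),
                           ("internet", None)]:
        print(f"{unknown.name} {action:13} {target or '':45} -> {permitted(unknown, action, target)}")
```

The important property is the last branch: an unknown binary still launches, so the user is not blocked, but every path by which Wanna-Cry-style code does damage (writing over documents, reaching shares, calling out) is closed without anyone having to pre-approve the program.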
3. Implement a Least Privilege Access Solution
The Least Privilege Access model is at the foundation of a sound security policy and, when followed, can greatly reduce the enterprise attack surface. The majority of business users do not need administrator privileges when performing routine tasks, but many organizations grant their end-users admin privileges for a variety of reasons: it can increase productivity, limit the burden on help desk staff, and allow the execution of software at the user's discretion, to name a few. The downside of this approach is seen when perimeter security measures fail and a system becomes compromised. A compromised system that is running in a privileged state is far more dangerous than a compromised system running as a standard user, and the actors behind these attacks understand this.
The CyberArk PAS suite of products can solve these problems in a number of ways. EPM, as mentioned above, and several other modules integrated with Enterprise Password Vault (EPV) cover most use cases in the enterprise for privileged access. PSMP and OPM are the UNIX counterparts to PSM and EPM, respectively, offering similar outcomes using slightly different tactics. PSM offers numerous benefits, but one of the often-overlooked benefits is that sessions launched through PSM are completely isolated from the target machine. Wanna-Cry ransomware did not require user privilege escalation to encrypt its targets, but it did spread through active RDP sessions to connected machines increasing the overall effectiveness of the virus, which escalated the damage. When launching an RDP session through PSM, the connection is proxied through another server that effectively performs the tasks on your behalf. An infected machine cannot spread the payload through a PSM session due to the isolation factor built into the solution.
Don’t fall victim to ransomware
Ransomware attacks are a growing trend and the focus is shifting from targeting individuals to targeting organizations due to the large profits to be had in extortion fees. Organizations must secure their environments and protect themselves from ransomware attacks. Unfortunately, every time someone pays the ransom to decrypt their files it incentivizes the criminals to keep exploiting this attack vector.
At SecureITsource, we are experts in Privilege Management and our experienced consultants have implemented reliable, automated, secure solutions for managing privilege in the enterprise for some of the largest companies in the world.
SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of consultants help our clients to reach their IAM goals by providing strategy, design, and engineering expertise.