In May 2017, a large-scale ransomware attack infected over 230,000 computers in 99 countries, demanding ransom payments in 28 languages. Europol described the attack as “unprecedented in scale”.
Yeah, whatever. Blah, blah, blah… You just got pwned!
Now combine this with the more recent arrival of file-less JScript malware delivered through legitimate website advertising networks and you have a recipe for disaster. Well-known sites such as YouTube and Reuters have had their ad networks targeted by attackers who prey on users’ implicit trust of the site to slip malware into the advertisements (“malvertising”). With these methods, visitors do not even have to hover over or click on an ad to become infected; all they have to do is load a page whose ad network has been compromised. This is the method known as a “drive-by” download: no user interaction is required.
Such could have been the case here.
Lastly, with the advances attackers have made of late, the malware can be injected straight into memory and so avoid detection by most antivirus programs, which tend to scan only what is written to or read from the hard disk. Code that never touches the disk is never scanned.
So, how can this be avoided?
Well, ask yourself what you did prior to clicking on the link that brought you here.
- Did you know and trust the source from which you received the link?
- Did you know the full website address (URL) that the link was directing you to? (e.g. by checking the target shown in your web browser’s status bar before clicking)
- Were you excited about the potential of a decryption tool?
All of these are behaviour patterns we must educate our end users about. On the technical side, the following controls each take away something ransomware needs:
- Application Whitelisting – If it can’t run, it can’t infect. Need I say more?
- Device Control – Such solutions may be able to prevent auxiliary storage from also being encrypted during the attacker’s land-and-expand phase. This includes UNC shares, connected USB devices and NAS-based storage.
- Validated Backups – Those who have recovered from a ransomware infection without paying have done so in one of two ways: the malware used weak encryption that the decryption tools which brought you here could defeat, or they had good backups. Follow the 3-2-1 rule (three copies of your data, on two different media, with one copy off-site) and test restores regularly; a backup you have never restored is not yet a backup.
- Incident Response Plan – Let me just say that having a bitcoin wallet loaded and ready to go is NOT an incident response plan!
- Next Generation Firewalls – NGFWs add application awareness, deep packet inspection and intrusion prevention on top of classic stateful inspection, and can block the payload downloads and command-and-control traffic that ransomware depends on before the infection completes. If you’re not up on this tech yet, you should seriously look into it. Write it down!
- Threat Detection – Assume you’ve been breached and go looking for the evidence! Failure to do so, and to respond accordingly, proves one thing only: you deserve to be breached, and you’ve been warned!
- Known Tor Entry/Exit Blacklist – Many ransomware families reach their command-and-control or payment sites over Tor, so block known Tor node addresses at the perimeter. Refer to: https://www.dan.me.uk/filtergen
- Anti-Virus Software – Yes, sadly it’s still a tickbox requirement.
- End-user Awareness Campaigns – End users are our greatest inside threat. Educate. Educate. Educate. Conduct regular phishing tests using a reputable third party such as knowbe4.com.
- Firings – I fully believe we have reached the point where more drastic measures are needed to drive home that end users are the single greatest inside threat to the organisation. Fire one or two (maybe a few!) after a second infraction and the point will get across: this will not be tolerated!
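The application whitelisting item above is the one most worth showing in practice. The following is an added example, not code from the original article or from the author’s employer: it builds an AppLocker allow-list from a clean reference build using the AppLocker cmdlets that ship with Windows, deploys it in audit mode, and dry-runs an untrusted download against it. The directory list, the policy path and the candidate file path are assumptions to adjust for your own golden image.

```powershell
# Added example (not from the original article): build an AppLocker allow-list from a
# clean reference build, deploy it in audit mode, and test an untrusted file against it.
# Assumes Windows 10/11 Enterprise or Windows Server with the built-in AppLocker module,
# run from an elevated PowerShell session. Paths below are assumptions; adjust to your image.
Import-Module AppLocker

$policyPath = 'C:\AppLocker\baseline-audit.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory executables, scripts and installers on the reference machine.
#    DLL rules are deliberately left out: they multiply the rule count and the
#    runtime cost, and are usually tackled as a second phase.
$refDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Generate allow rules: publisher rules for signed files (they survive patching),
#    hash rules for anything unsigned. -Optimize merges files that share a publisher.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Start in audit mode so nothing is blocked while the rule set is refined.
#    New-AppLockerPolicy emits EnforcementMode="NotConfigured" on each rule collection;
#    switching it to AuditOnly logs would-be denials instead of enforcing them.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 4. Dry-run the policy against a file an end user might have just downloaded
#    (hypothetical path). Anything not covered by a rule comes back DeniedByDefault.
$candidate = 'C:\Users\Public\Downloads\decryptor.exe'
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. Apply locally (lab host; in production push the XML through Group Policy) and make
#    sure the Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 6. After the audit period, harvest what would have been blocked and fold the
#    legitimate items back into the rule set before flipping the mode to Enabled.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Select-Object -First 20
```

Two cautions from running this in anger: run the inventory on a machine that is known clean, because hash and publisher rules happily whitelist whatever is already present; and on current Windows 10/11 builds the Application Identity service is protected, so the startup type has to be changed with sc.exe from an elevated prompt rather than Set-Service. Leave the policy in AuditOnly for at least one patch cycle and read the Audited events before switching the collections to Enabled, otherwise the first thing you block will be a line-of-business updater.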
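For the Tor blacklist item, here is an added example (not part of the original article) of turning the node list into outbound Windows Firewall block rules with the NetSecurity cmdlets. It assumes the raw list served by dan.me.uk is one IP address per line at the /torlist/ path and may only be fetched every 30 minutes per source address, both taken from that site’s own notes rather than from this page; the rule name prefix and the chunk size are this example’s own choices.

```powershell
# Added example (not from the original article): pull the Tor node list referenced
# above and turn it into outbound Windows Firewall block rules. Assumes the raw list
# served by dan.me.uk is one IP address per line (the /torlist/ path and its 30-minute
# per-source rate limit are taken from that site's notes, not from this article; the
# display-name prefix and chunk size are this example's own choices).
$listUrl   = 'https://www.dan.me.uk/torlist/'
$ruleName  = 'Block Tor nodes (outbound)'
$chunkSize = 1000   # keep each rule's RemoteAddress list a manageable size

function Get-TorNodeAddresses {
    param([string]$Url)
    $body = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    # Keep only well-formed IPv4 addresses; comments, blank lines and IPv6 are dropped here.
    $body -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
        Sort-Object -Unique
}

function Set-TorBlockRules {
    param([string[]]$Addresses, [string]$BaseName, [int]$Size)
    # Remove the previous generation first so stale nodes are not left behind.
    Get-NetFirewallRule -DisplayName "$BaseName*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $index = 0
    for ($i = 0; $i -lt $Addresses.Count; $i += $Size) {
        $end   = [Math]::Min($i + $Size, $Addresses.Count) - 1
        $chunk = $Addresses[$i..$end]
        New-NetFirewallRule -DisplayName "$BaseName #$index" -Direction Outbound -Action Block `
            -RemoteAddress $chunk -Profile Any -Enabled True | Out-Null
        $index++
    }
    return $index
}

$addresses = Get-TorNodeAddresses -Url $listUrl
if ($addresses.Count -eq 0) { throw 'Empty node list downloaded; refusing to replace the existing rules.' }
$rules = Set-TorBlockRules -Addresses $addresses -BaseName $ruleName -Size $chunkSize
'{0} Tor node addresses written into {1} outbound block rule(s).' -f $addresses.Count, $rules
```

Schedule this as a task so the rule set tracks the list, and treat it as a speed bump rather than a wall: the list covers public relays only, so bridges and brand-new nodes are not in it, and a host-level rule is bypassed once the attacker controls the host. The same parsed address list feeds a perimeter NGFW object far more usefully than it feeds individual endpoints; the empty-list check is there so a failed or rate-limited download never silently strips the rules you already have.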
About the Author
As a nearly 20-year veteran of Information Technology with a laser focus on Systems & Security Management, Duncan McAlynn is a driven and passionate IT professional. He is a contributing author/editor to several books, magazine publications and websites, as well as a popular presenter at many Microsoft events. These activities have led to him receiving the Microsoft Most Valuable Professional award for six consecutive years and being named a member of the FBI InfraGard division.
Duncan has held a number of certifications and awards including 6x Microsoft MVP, MCITP, MCSA, MCSE, & CISSP.
Today, Duncan is a Principal Security Engineer & Evangelist for Ivanti, ISSA Gulf Coast TX chapter president and author of Advanced Windows Security.