18 December 2019

SECURITY GYAN Bytes : December 2019 : 18th December 2019

Ransomware - Part 2
Disable Macros – For most ransomware the initial vector is phishing: the victim receives an email carrying a Microsoft Office document (Word, Excel or PowerPoint) or sometimes a zip archive containing one. The message is written to be compelling; typically the attachment is something like invoice.docm and the body claims that a certain amount has been charged to your credit card. The concerned user immediately opens the attachment and finds that they must click "Enable Content" (snapshot below) to view the document. As soon as the user enables macros, the embedded VBA code runs; it typically downloads and launches the ransomware payload, which begins encrypting the files on the local disk and, often, on any mapped network drives as well.

Follow the link below to disable macros via Group Policy – How to disable Macro

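
As an added example (not part of the original post or the linked article), the script below writes the same per-user registry values that the Office Group Policy templates set, so a macro in invoice.docm is blocked before it can run anything. It assumes Office 2016/2019/365, whose policy keys live under version "16.0" (older versions use 15.0 or 14.0 at the same path), and it only covers the three applications named above; in a domain you would push the same values through GPO rather than run this on each machine.

```powershell
# Added example, not the original author's script.  Applies the registry values
# behind the Office "VBA Macro Notification Settings" and "Block macros from
# running in Office files from the Internet" Group Policy settings for the
# current user.  Office version "16.0" and the app list are assumptions.

# VBAWarnings: 2 = disable with notification (Office default, the "Enable Content"
#              bar the phish relies on), 3 = disable all except digitally signed
#              macros, 4 = disable all macros without notification.
# blockcontentexecutionfrominternet: 1 = block macros in files that carry the
#              Mark-of-the-Web (downloaded or saved from an email attachment).
# Trusted Locations\AllLocationsDisabled: 1 = no folder is exempt from the above.
function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(3, 4)] [int] $VbaWarnings = 3,
        [switch] $DisableTrustedLocations,
        [string[]] $Apps = @('Word', 'Excel', 'PowerPoint'),
        [string] $OfficeVersion = '16.0'
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
        if ($DisableTrustedLocations) {
            # Macros in a Trusted Location run regardless of VBAWarnings, so close that door too.
            $tl = "$key\Trusted Locations"
            if (-not (Test-Path $tl)) { New-Item -Path $tl -Force | Out-Null }
            New-ItemProperty -Path $tl -Name 'AllLocationsDisabled' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Audit view: one row per application, Compliant = macros blocked and MotW block on.
function Get-OfficeMacroPolicy {
    param([string[]] $Apps = @('Word', 'Excel', 'PowerPoint'), [string] $OfficeVersion = '16.0')
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App         = $app
            VBAWarnings = $v.VBAWarnings
            BlockMotW   = $v.blockcontentexecutionfrominternet
            Compliant   = ($v.VBAWarnings -in 3, 4) -and ($v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

# Usage: block unsigned macros everywhere, then show the resulting state.
Set-OfficeMacroPolicy -VbaWarnings 3 -DisableTrustedLocations
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because these values sit under the Policies hive they override whatever the user picks in the Trust Center and grey the option out, which is exactly what you want: the phishing email is counting on the user being able to click "Enable Content". Value 3 (signed macros only) is the usual enterprise compromise; use 4 where nobody has a legitimate macro.
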
URL/SPAM Filtering Solution – It is a good idea to have a decent URL filtering solution in place for your enterprise; not only will it keep junk traffic away from your organization, but if configured correctly it also helps keep ransomware at bay. Configure your URL filtering solution to block downloads of executable and script file types so that end users do not end up clicking on them. This article has a list of malicious URLs that you can start with and fine-tune based on your experience. Also leverage the IP reputation feature: even if a malicious file makes its way into the organization, the reputation service can block the command-and-control (C2) communication the malware needs to reach the attacker's server.

You should also configure your SPAM filtering solution to block unwanted file types arriving as attachments (executables, scripts and macro-enabled Office documents); send them to quarantine and have a manual review process to release them as required.

Application Control – The easiest protection against most commodity malware is controlling what is allowed to execute on your computers. The whitelisting approach is recommended: define which applications are allowed to run and block everything else. You can leverage Microsoft AppLocker or Software Restriction Policies to implement application execution control. Also disable Windows Script Host, as a lot of malware arrives as .JS or .VBS scripts and a normal user does not need scripting capability on their computer.
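
To show what the two controls in this section look like in practice, here is an added example (not the original author's script and not Microsoft's default-rule wizard): it builds an AppLocker policy from the three well-known default rules for the Exe and Script collections, applies it locally, ensures the Application Identity service is running, disables Windows Script Host, and then asks AppLocker how it would treat a sample invoice.js in the user's Downloads folder. The output path, the sample file and the choice of AuditOnly as the starting mode are assumptions; run it elevated.

```powershell
# Added example, not the original post's code.  Baseline AppLocker policy
# (allow Program Files, allow Windows, allow local Administrators everything)
# for executables and scripts, plus Windows Script Host disabled.  Requires an
# elevated session; file paths below are assumptions.

function New-DefaultAllowRule {
    param([string] $Name, [string] $Path, [string] $Sid = 'S-1-1-0')   # S-1-1-0 = Everyone
    $id = [guid]::NewGuid().ToString()
    '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' -f $id, $Name, $Sid
    '      <Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $Path
    '    </FilePathRule>'
}

function New-BaselinePolicyXml {
    param([ValidateSet('AuditOnly', 'Enabled')] [string] $EnforcementMode = 'AuditOnly')
    $lines = @('<AppLockerPolicy Version="1">')
    foreach ($type in 'Exe', 'Script') {          # Script covers .ps1 .bat .cmd .vbs .js
        $lines += '  <RuleCollection Type="{0}" EnforcementMode="{1}">' -f $type, $EnforcementMode
        $lines += New-DefaultAllowRule "Allow Program Files ($type)" '%PROGRAMFILES%\*'   # covers both Program Files folders
        $lines += New-DefaultAllowRule "Allow Windows folder ($type)" '%WINDIR%\*'
        $lines += New-DefaultAllowRule "Allow Administrators ($type)" '*' 'S-1-5-32-544'  # BUILTIN\Administrators
        $lines += '  </RuleCollection>'
    }
    $lines += '</AppLockerPolicy>'
    return ($lines -join "`n")
}

function Enable-BaselineAppLocker {
    param([string] $PolicyPath = "$env:TEMP\applocker-baseline.xml",
          [ValidateSet('AuditOnly', 'Enabled')] [string] $EnforcementMode = 'AuditOnly')
    New-BaselinePolicyXml -EnforcementMode $EnforcementMode | Set-Content -Path $PolicyPath -Encoding UTF8
    # The Application Identity service evaluates AppLocker rules.  It is a protected
    # service on Windows 10+, so sc.exe is used instead of Set-Service to make it automatic.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyPath      # replaces the local policy; add -Merge to keep existing rules
}

function Disable-WindowsScriptHost {
    # wscript.exe / cscript.exe refuse to run .js and .vbs files when Enabled = 0.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-Baseline {
    param([string] $PolicyPath = "$env:TEMP\applocker-baseline.xml",
          [string] $SamplePath = "$env:USERPROFILE\Downloads\invoice.js")   # assumed sample path
    # Harmless empty file so that Test-AppLockerPolicy has something to evaluate.
    New-Item -ItemType File -Path $SamplePath -Force | Out-Null
    # Evaluates the path against the rules without executing anything.
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $SamplePath -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage: start in AuditOnly, review the AppLocker event log, then switch to Enabled.
Enable-BaselineAppLocker -EnforcementMode 'AuditOnly'
Disable-WindowsScriptHost
Test-Baseline        # expected: invoice.js under Downloads is not matched by any allow rule
```

Two caveats a practitioner should keep in mind. First, the %WINDIR%\* allow rule also permits the user-writable folders under Windows (Temp, Tasks and friends) and the signed Windows binaries that can be abused to run scripts, so a production policy adds deny rules for those paths and binaries. Second, AppLocker policy enforcement silently does nothing if the Application Identity service is stopped, which is why the script makes it automatic before applying the policy.
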

[Image callouts: "Do not allow your OS to run program"; "No external media should be allowed without proper security checks"]

Antivirus – Though I'm not a big advocate of anti-virus, it's a necessary evil that we all must live with; so, if we're doing it, let's do it the right way. Most anti-virus products now have "behavioral analytics" to detect mass file-encryption activity and block it – make sure that feature is enabled.

External Media Control – Don't stick it in if you don't know it. Yes, ransomware does arrive via external media as well, so it's a good idea to restrict external media access. You can implement it via Group Policy or using the device-control feature of your anti-virus product.
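
The Group Policy route mentioned above comes down to a handful of registry values under the Policies hive. The script below is an added example (not the original author's) that applies them locally in one of three modes and reports the resulting state; the choice of modes and the USBSTOR fallback are my additions, and it must be run elevated.

```powershell
# Added example, not from the original post.  Registry values behind the
# "Removable Storage Access" Group Policy (Computer Configuration >
# Administrative Templates > System), plus the USB mass-storage driver switch.
# Run elevated; a reboot makes the change reliable for already-attached devices.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = "$PolicyKey\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"   # "Removable Disks" device class
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStoragePolicy {
    param([ValidateSet('DenyAll', 'ReadOnly', 'Allow')] [string] $Mode = 'DenyAll')
    foreach ($k in $PolicyKey, $DiskClass) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }
    switch ($Mode) {
        'DenyAll' {   # "All Removable Storage classes: Deny all access"
            New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
        }
        'ReadOnly' {  # documents can be read off a stick, but nothing can be written to it or run from it
            Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
            New-ItemProperty -Path $DiskClass -Name 'Deny_Write'   -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $DiskClass -Name 'Deny_Execute' -PropertyType DWord -Value 1 -Force | Out-Null
        }
        'Allow' {     # clear the policy values (the driver setting is handled separately)
            Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $DiskClass -Name 'Deny_Read', 'Deny_Write', 'Deny_Execute' -ErrorAction SilentlyContinue
        }
    }
}

function Disable-UsbStorageDriver {
    # Start = 4 (Disabled) stops the USB mass-storage driver loading at all; USB
    # keyboards and mice use different drivers and are unaffected.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4
}

function Get-RemovableStorageState {
    $pol  = Get-ItemProperty -Path $PolicyKey  -ErrorAction SilentlyContinue
    $disk = Get-ItemProperty -Path $DiskClass  -ErrorAction SilentlyContinue
    $usb  = Get-ItemProperty -Path $UsbStorKey -ErrorAction SilentlyContinue
    $readOnly = ($disk.Deny_Write -eq 1) -and ($disk.Deny_Execute -eq 1)
    [pscustomobject]@{
        DenyAllClasses   = ($pol.Deny_All -eq 1)
        DenyWriteDisks   = ($disk.Deny_Write -eq 1)
        DenyExecuteDisks = ($disk.Deny_Execute -eq 1)
        UsbStorDisabled  = ($usb.Start -eq 4)
        Restricted       = ($pol.Deny_All -eq 1) -or ($usb.Start -eq 4) -or $readOnly
    }
}

# Usage: block everything by policy, and also unload the driver in case the
# policy is ever removed by a local admin.
Set-RemovableStoragePolicy -Mode 'DenyAll'
Disable-UsbStorageDriver
Get-RemovableStorageState
```

The ReadOnly mode is the compromise for teams that genuinely receive files on USB sticks: users can still copy a document off the device, but a dropped executable cannot be launched from it and nothing can be exfiltrated onto it.
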

Additional Tip: Scan your external IP range, and if you find RDP exposed, disable it or require two-factor authentication (2FA) as a minimum for login. Ransomware operators such as SamSam brute-force valid user accounts over RDP and, once successful, log in manually and encrypt whatever they can get their hands on.
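
As an added example (not the original author's), the script below does the three scriptable parts of that tip: a quick TCP sweep of a list of your own addresses for an open 3389/tcp, hardening of the local RDP service (either off, or on with Network Level Authentication and a firewall scope), and a count of failed logons per source address from the Security log, which is what an RDP brute force looks like from the inside. The address list, the management subnet and the thresholds are assumptions; only scan addresses you own or are authorised to test, and run the log query elevated.

```powershell
# Added example, not from the original post.  Address list, 10.0.0.0/24
# management subnet and thresholds are assumptions.

function Find-ExposedRdp {
    param([string[]] $Addresses, [int] $Port = 3389, [int] $TimeoutMs = 1500)
    foreach ($addr in $Addresses) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Async connect with our own timeout: Test-NetConnection waits much longer on filtered ports.
            $async = $client.BeginConnect($addr, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { $open = $true }
        } catch { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Address = $addr; Port = $Port; Open = $open }
    }
}

function Set-RdpHardening {
    param([switch] $DisableRdp, [string] $ManagementNetwork = '10.0.0.0/24')   # assumed subnet
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($DisableRdp) {
        # Nothing to brute force if the service refuses connections.
        Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    # If RDP must stay: require Network Level Authentication (credentials are checked
    # before a session is built) and only accept connections from the management network.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1
    Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $ManagementNetwork
}

function Get-RdpBruteForceSources {
    param([int] $Hours = 24, [int] $Threshold = 20)
    # Event 4625 = failed logon.  Interactive RDP attempts are LogonType 10; with NLA
    # enabled the failed pre-authentication attempts are logged as LogonType 3, so both
    # are counted (LogonType 3 also includes SMB failures, so check the source too).
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Ip = $d.IpAddress; LogonType = $d.LogonType; User = $d.TargetUserName }
        } |
        Where-Object { $_.LogonType -in '3', '10' -and $_.Ip -and $_.Ip -ne '-' } |
        Group-Object Ip |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

# Usage (addresses are placeholders for your own external range):
Find-ExposedRdp -Addresses '203.0.113.10', '203.0.113.11' | Where-Object Open
Set-RdpHardening            # or: Set-RdpHardening -DisableRdp
Get-RdpBruteForceSources -Hours 24 -Threshold 20
```

Two-factor authentication itself is not something a local script can switch on: it needs a Remote Desktop Gateway (or VPN) fronted by an MFA provider, or an MFA agent on the host, and until that is in place the honest answer to an exposed 3389 is to close it at the firewall.
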

Final thoughts – 2020 will see increased ransomware activity as Windows 7 goes out of support; it is already a billion-dollar industry and set to grow if we depend only on technology solutions and stay at the mercy of security vendors. Awareness plays a major part in stopping this menace: train your end users and implement defense in depth; it's just better planning and implementation. So roll up your sleeves and take control of your environment.

This Gyan-Byte is contributed by Vikas Arora. He is currently Vice President – Global IT & Security at Toluna. He has more than 23 years of work experience in the IT industry and is passionate about cybersecurity. He also works as a virtual CISO for various organizations and speaks at various national and international forums.
Twitter: @techievicky