Protection against ransomware
Ransomware poses an increasing threat to companies and public institutions. Attacks such as "WannaCry" have shown that conventional protective measures are inadequate. To increase security, greater focus must be placed on user rights management and application control in particular.
What is clear is that traditional security approaches based on antivirus software or malware scanners are insufficient for ransomware defense. Such solutions attempt to detect attacks using signatures. If malware is detected, the protection software blocks it, preventing access to system resources. It is precisely at this point that the serious disadvantage of these solutions becomes apparent: because they rely on detecting the malware first, they often cannot provide reliable protection against the growing number of new, previously unknown ransomware variants.
Consequently, a company must take additional measures. Common options include
- Application blacklisting
- Application whitelisting
- Greylisting of applications
- Least Privilege Control
Blacklisting
With a blacklisting approach, organizations can prevent malware from executing in their environment. While this can be used to detect and block older versions of malware, it is not very useful in protecting against ransomware. Thousands of new ransomware versions are released every day, making the continuous adaptation of blacklists an impossibility.
Whitelisting
Application whitelisting is inherently 100 percent effective in the fight against ransomware because this method blocks all applications that are not explicitly trusted. Although ransomware attacks can be prevented extremely effectively with this containment strategy, it too is difficult to implement in practice. To whitelist applications effectively, IT teams must know exactly which applications and application versions each individual user and system in the enterprise needs, and each application version must be explicitly whitelisted. Unlike a blacklist, this makes the creation and management of a whitelist very time-consuming, as not only do all deployed applications need to be taken into account, but more importantly, so do application updates. Finally, an update can change the check value of the approved application, for example its hash, so that it no longer matches the whitelist entry and the program consequently no longer starts.
Greylisting
Greylisting of applications offers another option. This approach allows companies to block the execution of known, blacklisted malware in their environments and at the same time restrict the permissions of all applications that are unknown or not explicitly trusted. This classification can be based on various parameters that an administrator stores centrally, such as software vendors' certificates, hash sums of programs, or reliably identifiable sources such as specific servers, software distribution services, or program folders in the corporate network. Greylisting thus offers more flexibility than whitelisting and can be used to prevent actions by unknown applications such as establishing an Internet connection, accessing the network, or reading, writing and modifying files. Because its permissions are restricted, ransomware is also generally unable to access and encrypt files.
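As an added illustration, not code from the article or from CyberArk, the following Python model contrasts the pure hash whitelist described above, which stops working as soon as an update changes the hash, with a greylisting policy that classifies executables by blacklisted hash, approved hash, vendor certificate or trusted source folder and restricts what unknown programs may do. The executables, publisher names, paths and policy values are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Executable:
    path: str                  # where the binary sits on disk
    publisher: Optional[str]   # signer subject from the code-signing certificate; None if unsigned
    content: bytes             # constructed file bytes, hashed below in place of a real binary

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample executables and policy (all names, paths and hashes are made up).
APP_V1 = Executable(r"C:\Program Files\Acme\acme.exe", "CN=Acme Software GmbH", b"acme build 1.0")
APP_V2 = Executable(r"C:\Program Files\Acme\acme.exe", "CN=Acme Software GmbH", b"acme build 1.1")
UNKNOWN = Executable(r"C:\Users\jdoe\Downloads\invoice.pdf.exe", None, b"unsigned unknown program")
KNOWN_BAD = Executable(r"C:\Users\jdoe\AppData\Local\Temp\x.exe", None, b"sample already on the blacklist")

POLICY = {
    "blacklist_hashes": {sha256(KNOWN_BAD.content)},      # known malware
    "trusted_hashes": {sha256(APP_V1.content)},           # explicit per-version approval (v1 only)
    "trusted_publishers": {"CN=Acme Software GmbH"},      # vendor certificate
    "trusted_sources": ["c:\\program files\\", "\\\\sccm01\\packages\\"],  # deployment locations
}

FULL = frozenset({"internet", "network", "read", "write", "modify"})
RESTRICTED = frozenset({"read"})   # grey programs may not write or modify files or reach the network

def whitelist_allows(exe: Executable, trusted_hashes: set) -> bool:
    """Pure hash whitelisting: only an exact, pre-approved hash may run at all."""
    return sha256(exe.content) in trusted_hashes

def classify(exe: Executable, policy: dict) -> str:
    """Greylisting: blacklist wins, then any trust anchor, otherwise the program is 'grey'."""
    digest = sha256(exe.content)
    if digest in policy["blacklist_hashes"]:
        return "blocked"
    if (digest in policy["trusted_hashes"]
            or exe.publisher in policy["trusted_publishers"]
            or any(exe.path.lower().startswith(src) for src in policy["trusted_sources"])):
        return "trusted"
    return "grey"

def permissions(exe: Executable, policy: dict) -> frozenset:
    """Map the classification to the actions the program is allowed to perform."""
    return {"blocked": frozenset(), "trusted": FULL, "grey": RESTRICTED}[classify(exe, policy)]

if __name__ == "__main__":
    for exe in (APP_V1, APP_V2, UNKNOWN, KNOWN_BAD):
        print(exe.path, "| whitelist:", whitelist_allows(exe, POLICY["trusted_hashes"]),
              "| greylist:", classify(exe, POLICY), sorted(permissions(exe, POLICY)))
```

After the update, APP_V2 fails the hash whitelist but is still trusted under greylisting through its vendor certificate and install folder, while the unknown download runs only with read access and therefore cannot encrypt files.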
Least-Privilege
Last but not least is least privilege control, which is not only a security routine but also one of Microsoft's "Ten Immutable Laws of Security". This aspect is highly relevant in the Windows world in particular. It is not uncommon, for example, for ordinary users of Windows computers to also be given administrator rights, or at least extensive user rights. There are several reasons for this, such as relieving the burden on IT, the use of applications that can only be run in admin mode, or simply "sovereignty claims" by end users over their own device. If more privileges are granted than necessary, a large, confusing and frequently used attack surface is created. If an attacker gains access to a machine on which a domain administrator is or was logged on, he can steal the credentials of the domain account and thus gain all resources, rights and privileges of that account across the entire domain. In this way, attackers can gradually penetrate to the center of a company and launch a wide-scale ransomware attack with the aim of completely taking over the company network. Consequently, enterprises and public institutions should deploy a solution that supports the implementation of flexible least privilege policies for business and administrative users. On the one hand, it should limit privileges to the minimum necessary; on the other hand, it should allow rights to be granted on an as-needed basis and, where appropriate, only temporarily and for a specific task.
Conclusion
Ransomware currently presents itself as a very reliable and suitable method for attackers to confront companies with the dilemma of writing off the hijacked data or, in the hope of getting the data back, making a payment. Classic security solutions such as antivirus software are not effective in defending against ransomware, so additional security measures must be taken. The analysis of the various options shows that blacklisting and whitelisting alone are also not suitable means. A least-privilege approach and application control in particular prove to be effective.
A first step is to revoke local administrator rights, because CyberArk's research has shown that a large share of modern malware requires such rights to function smoothly. However, this measure alone is not sufficient. Equally important is application control with greylisting. The combination of a least-privilege approach and application control provides an effective shield against malware encryption without compromising user productivity.
Michael Kleist, Regional Director DACH at CyberArk in Düsseldorf