Ransomware 'Quick' Fixes: Hardening Suggestions for Your Enterprise Network [Part 1]


Ransomware isn't going away anytime soon...

As you might imagine, ransomware is a threat that isn’t going anywhere anytime soon. According to numbers from the FBI and Infoblox, the number of DNS domains associated with ransomware -- in addition to the amount of money ransomware is raking in -- are both skyrocketing. It’s pretty plain to see that this is a problem that’s going to get worse before it gets better. During the course of my research, I was fortunate enough to come across some great resources for defending against ransomware. In fact, if you read this, some of this will more or less be considered “review”. The goal of this guide is to provide you with a variety of suggestions for hardening your enterprise network against ransomware attacks. Some of these suggestions may be easier said than done, but all of them will help defend your enterprise and your users against ransomware and other malware variants.

(Note: I've decided to break this blog post down into three parts, so it'll be a little less gargantuan and daunting... Ooh, and there's an infographic too. I've put it at the top, but check out the rest of the blog post too!).

User Awareness on Phishing

Ransomware has traditionally been distributed via phishing emails with weaponized office documents attached. These office documents are often disguised as invoices, business documents, legal notifications, shipping notifications, etc. They’re designed to make the victim feel like the document contains important business from someone, regarding something of importance. There are several guides online for spotting phishing e-mails. Do your research, read through several, and adapt their message to your user security training.

Wait, did you think we were done here? Oh, no no no. There’s way more to user training than that. See, there’s one thing that these guides seem to have in common: They expect your users to be technically savvy individuals, to understand the terminology, and actually notice the slightest imperfection in phishing messages.

Reminder: Your Users Are Humans, Not Robots

They think your users are robots who have the time to notice the slightest discrepancy in a message, when the fact of the matter is, they’re busy people with a million other things they have to get done. All they know is that computer security is the job of some nebulous team in the company that they never see, that enforces (what they believe are) arbitrary rules, and that gets in the way of them doing their job. Now, they have to do your job too!

Now, before you bust out the torches and pitchforks, stop for a minute and put yourself in the user’s shoes. Try to spot the phishing email. Go ahead; I’ll wait.

Teach Users to Limit Trust and Always Verify

Even with the best training, phishing emails are extremely hard to detect. The vast majority of users will not be able to tell the difference between what is real and what is a phish. I got 9 out of 10 on that phishing quiz, and I’d like to think I’m fairly good at what I do. The point I’m trying to make here is that I’ve had years of experience in security and even I wasn’t able to spot all of them. What chance do you think your userbase, who have tons of other things they have to get done in a given day, has of faring as well or better? By all means, teach your users the terminology, and do your best to teach them how to spot phishing attacks, but don't rely on technical guides alone!

Teach your users how to use critical thinking when it comes to phishing messages. Some of the articles I linked to touch on this, but only just barely. Were you expecting an email from the organization? Do they normally send you an attached document when you receive invoices/shipping/tracking/whatever notifications? If so, is this the normal file type they attach? Are there misspellings, changes in the message formatting/appearance, etc.? Last, but certainly most important, teach your users to limit their trust, and always verify. Have your users contact the person or organization an e-mail claims to represent, and ask if they actually sent the e-mail.

User: “Hey, Bob from ABC. Did you send me this email with “XXX” subject, and XYZ attachment?”
Bob: “No?”
User: “That’s weird, I have an e-mail that said it came from you guys today, and you’re saying you didn’t send it.”
Bob: “Okay, thanks.”
User: *Click*

Hopefully, after this phone call, Bob forwarded the message to your company’s spam alias (you do have an alias for users to forward spam/phishing emails for the security team to analyze them, don’t you?), or to the security staff to analyze the message, or at a minimum deleted the message. If so, score one for your security training.

Eliminate The "Blame the User" Mentality

So, what do you do if user education fails and users still manage to get infected? First and foremost, don’t panic, don’t get angry, and DO NOT blame the users. Instead, practice public outreach with your customers/users, and encourage them to reach out to the helpdesk/IT/Security if they notice anything strange happening after they opened messages.

If user training can’t prevent the attack from happening, user training can at least teach your users to communicate with your IT staff if they suspect something is wrong. Even if it turns out to be a false alarm, I’d rather have users who see something strange and communicate it, rather than say “Weird. Oh well. Guess it was just a glitch” and continue like nothing ever happened.

tl;dr (6 points to bear in mind)

  1. Make training relevant
    Make awareness training relevant to users' lives. If you don't, it becomes another checkbox that your users fill out once a year.
  2. Don't blame/insult users
    Phishing is hard even for trained professionals to spot, let alone your users who have a million other things to do. If they get phished, don’t blame or insult them.
  3. Eliminate assumptions
    Don’t assume that your users understand technical terminology, or will understand technical methods on how to spot phishing attacks.
  4. Ensure easy reporting
    Have an easy method for reporting phishing emails to your security/IT team, such as an email alias/group users can forward suspected phishing messages to.
  5. Promote "trust, but verify"
    Appeal to your user’s capability to use critical thinking and/or common sense: question everything, “trust but verify”, etc.
  6. Build a positive community
    Make your relationship with your user community positive, so that if they do get phished, or they do notice something strange, they’re more forthcoming about reporting it.

Next, enter better email security...

Better Email Security

As stated above, phishing is by far the most common way that ransomware is being distributed in this day and age. Ransomware phishing attacks typically utilize an Office document format with a malicious Office macro or script embedded in the document - typically in the form of .doc, .ppt, .xls, .docm, .pptm and .xlsm. Office macros are essentially embedded VB scripts that can be used to automate tedious tasks and in fact, according to a number of old IT/data entry stories, have resulted in automating people and entire divisions of a business out of a job. Office macro attacks aren’t new and in fact have been around since the late ’90s -- ever hear of the Melissa virus?

Unfortunately, attackers have not limited ransomware phishing attacks to just Microsoft Office documents, but have also used self-extracting zip files, JavaScript, PowerShell, WMI, PDFs, and a host of other file formats and scripting languages, relying on Windows default file associations and/or application permissions to fool the user and launch malicious scripts. What are some ways to mitigate the risks?

First, Disable Office Macros Entirely

The first and most obvious thing you could do is disable Office macros entirely without any notifications. It’s the first thing most security pros will tell you to do. By default most recent versions of Microsoft Office disable macros, but have a nice little notification bar that says “Hey! Macros are disabled. We need you to enable them to read the content of this message.” The catch is that ransomware phishing docs are designed to make the user want to enable macros: “This document is protected by X security feature. Click enable content to view”, “This document may be incompatible with your version of office. Click enable content if you are experiencing problems viewing the content of this document”, and so on.

Believe it or not, however, there are some business units or organizations that actually need office macros to do their job effectively. Maybe nuking macros for everyone and everything is… a bit ham-fisted. For those who still need macros...

Consider the following alternatives:

  • Disable office macros for business units, or groups in your business, who do not need it. This requires you to figure out workflows for the different business units in your organization. Figure out how they do automation and see if it’s feasible to disable macros for that group.
  • Disable office macros for macro-enabled files downloaded from the internet. The latest version of Office (2016) now (finally!) allows administrators to do this. If you’re an organization rolling out Office 2016, consider making use of this new feature.
  • Disable office macros unless they are digitally signed. Office can be configured to trust macros from a particular local network location and/or digital signatures can be issued for macros that are considered critical to business processes, workflows or tasks.
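
To check which of these options is actually in force on a workstation, the following added example (not from the original post) reads the per-user policy values that the Office 2016 ADMX templates write to the registry and flags settings that still let a user run macros. It assumes Office 2016 (version key 16.0) and policy applied under HKCU; the report column names are illustrative.

```powershell
# Added example, not from the original post: report the macro policy that
# Group Policy has applied to the current user for Office 2016 (version 16.0).
$vbaWarnings = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}

$report = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    # Policy location written by the Office 2016 administrative templates.
    $key    = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $policy = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

    $level         = $policy.VBAWarnings                        # $null when not configured
    $internetBlock = $policy.blockcontentexecutionfrominternet  # 1 = block macros in Internet files

    $findings = @()
    if ($null -eq $level) {
        $findings += 'no macro policy set; the user controls the setting'
    } elseif ($level -in 1, 2) {
        $findings += 'user can run macros or click "Enable Content"'
    }
    # If every macro is already disabled (4), the Internet-file block adds nothing.
    if ($level -ne 4 -and $internetBlock -ne 1) {
        $findings += 'macros in files from the Internet are not blocked'
    }

    $setting = if ($null -eq $level) { 'Not configured' } else { $vbaWarnings[[int]$level] }

    [pscustomobject]@{
        App                 = $app
        MacroSetting        = $setting
        BlockInternetMacros = ($internetBlock -eq 1)
        Findings            = $findings -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
```

An empty Findings column for an application means the user cannot re-enable macros there, or can only run signed ones with Internet-sourced files blocked.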

What about other types of phishing attachments?

Okay, so what do you do about phishing attachments that aren’t Office documents/macros? Changing file associations for executable scripts is a very clever way of preventing scripts from executing. Windows is super helpful in that if there is a script file that Windows can execute, double-clicking it runs the script using the Windows Scripting Host engine. No warnings, no problems! On a related note, the Windows Scripting Host is capable of natively interpreting and executing JavaScript -- which ransomware phishing campaigns have begun to leverage a lot more lately. By default, all a user has to do is double-click on the .js or .jse file and Windows will automatically execute it thanks to default file associations.

File associations are used by Windows to determine what file extensions are opened by what programs. You can change file associations through group policy. For starters, take a closer look at default file associations for .bat, .cmd, .hta, .js, .jse, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .reg, .vb, .vba, .vbe, .vbs, .ws, .wsc, .wsf, .wsh -- these are all file extensions associated with scripting on Windows. Experiment with changing their file association to open with something a little more innocuous, like notepad.exe. That way, if users are phished, instead of running the script, a notepad window with the contents of the script will pop up instead. While we’re talking about file attachments and file formats, you may want to take initiative and block all e-mails with any of the attachments above, as well as other commonly abused file formats.
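
Before and after changing associations, it helps to see what a double-click currently does for each extension. This added example (not from the original post) resolves the handler for every extension in the list above and marks anything that does not open in the chosen viewer. It assumes notepad.exe is the viewer; the function and column names are illustrative.

```powershell
# Added example, not from the original post: show what a double-click runs
# for each script extension and flag anything not opening in the safe viewer.
$extensions = '.bat','.cmd','.hta','.js','.jse','.msh','.msh1','.msh2','.mshxml',
              '.msh1xml','.msh2xml','.ps1','.ps1xml','.ps2','.ps2xml','.psc1',
              '.psc2','.reg','.vb','.vba','.vbe','.vbs','.ws','.wsc','.wsf','.wsh'
$safeViewer = 'notepad.exe'   # assumption: the innocuous handler you deployed

# Returns the default (unnamed) value of a key in the merged HKCR view.
function Get-ClassDefault([string]$SubKey) {
    $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$SubKey" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

$report = foreach ($ext in $extensions) {
    # A per-user "Open with" choice takes precedence over the class registration.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $progId = (Get-ItemProperty -LiteralPath $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) { $progId = Get-ClassDefault $ext }

    $command = $null
    if ($progId) {
        # The default verb is the default value of the shell key, else "open".
        $verb = Get-ClassDefault "$progId\shell"
        if (-not $verb) { $verb = 'open' }
        $command = Get-ClassDefault "$progId\shell\$verb\command"
    }

    $status = 'REVIEW'                       # runs something other than the viewer
    if (-not $command) { $status = 'NoHandler' }
    elseif ($command -like "*$safeViewer*") { $status = 'OpensInViewer' }

    [pscustomobject]@{
        Extension = $ext
        ProgId    = $progId
        Command   = $command
        Status    = $status
    }
}

$report | Sort-Object Status, Extension | Format-Table -AutoSize -Wrap
```

Rows marked REVIEW are the ones where the handler is a script host, an interpreter, or the file itself (as with .bat and .cmd), so those are the associations the policy change still needs to cover.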

Adopt an Enterprise File Sharing Platform

Now, normally, I’m not a fan of cloud file hosting or sharing services. However, you can’t deny their ubiquity and the fact that your user base more than likely uses them or tries to use them -- with or without company approval.

Consider adopting an enterprise file sharing platform and using that as the official standard for exchanging files over the internet instead of e-mail. Most cloud file sharing solutions offer the ability for you to share links to a file so your users can share their files with third parties, and they also offer the option to share links to a third party for them to securely upload files to your users as well. Eliminating e-mail as a file storage and sharing solution doesn’t completely remove the risk of phishing attacks (attackers could still attempt to send emails with malicious links), but it does all but eliminate the risk of malicious document phishing as an attack vector.

Default file associations for some scripting languages are set to execute using Windows scripting host as soon as they are double-clicked.

tl;dr (10 points to take advantage of)

  1. Disable macros where possible
    Disable macros where you can. In order to figure this out, you may need to meet with different business units to determine if and/or how they are used. Typically, macros are used by data entry positions and/or accounting/finance business units to automate data input, calculations, etc.
  2. Remove re-enabling option
    If you choose to disable macros, don’t give your users the option of re-enabling them. Most weaponized documents play into this and try to coax the user into clicking the “Enable Content” button. Here is a guide on disabling macros in MS Office. If you want to make this mass-deployable (e.g. group policy), you’ll need to get the right ADMX template for the version of MS Office in your enterprise.
  3. Implement Group Policy feature
    The newest version of Microsoft Office allows you to configure Office to never enable macros in documents downloaded from the Internet. If you are rolling out Office 2016, consider implementing this feature.
  4. Consider digitally signed macros
    If disabling macros is not an option, consider implementing digitally signed macros and configuring Office to not allow unsigned macros at all.
  5. Change default file associations
    Change the default file associations for Windows scripting file extensions to ensure that malicious files that take advantage of Windows default file associations are not executed if a user downloads and clicks on them from a phishing attack. This article shows you how to do so through Group Policy. You’ll want to pay attention to the following file types at the very least: .bat, .cmd, .hta, .js, .jse, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .reg, .vb, .vba, .vbe, .vbs, .ws, .wsc, .wsf, and .wsh
  6. Block specific file types/attachments
    Block e-mail messages with abused file formats attached to the message. Check out this list for suggestions on file types to block. Also consider blocking .zip, .rar and .7z files.
  7. Implement an email quarantine
    Implement email quarantine for legacy document file formats and/or macro-enabled documents, so that users have to confirm with IT that a quarantined message is legitimate before it can be released to them.
  8. Utilize blacklisting solutions
    Utilize mail blacklisting solutions (e.g. SenderBase, Spamhaus, etc.) to blacklist known spam/malicious relays.
  9. Implement a Sender Policy Framework
    Implement SPF -- an email validation system designed to detect email spoofing -- and block email for domains that do not utilize SPF records.
  10. Configure external email messages with tags
    If your mail server allows, configure email messages received from external systems to be marked with a tag in the subject line (e.g. [External] Subject Line) to make users aware that the message originated from a third party and to treat anything contained in or attached to that message with caution.

To be continued...

Ransomware 'Quick' Fixes Parts 2 and 3 are now available as well. Feel free to follow @hurricanelabs (or myself @da_667) on Twitter, if that's your thing.