Preventing ransomware infections is often framed as a complex and expensive problem to solve. This article aims to convince you that this isn't always the case.
Almost all ransomware operators break into networks using the same handful of methods. These methods abuse common misconfigurations which, on a technical level, are not difficult to fix but are still often missed, usually because of vendors selling fear, company politics, red tape and a simple lack of internal knowledge. The truth is, ransomware is most often deployed by unsophisticated attackers using unsophisticated attack methods. The changes outlined below will help prevent these attacks and can be implemented by most system administrators using existing tools. No specialist software, AI, threat hunting or expensive licenses required, just people and process.
Thanks to security researchers and incident responders, the tactics and procedures used by ransomware operators are mostly well understood. Papers jammed with technical detail are easy to find but often confusing to read; they often contain stunning malware analysis but almost no detection advice for the blue team other than IOCs. This article has therefore been written from a slightly different source: a recent Talos interview with an operator from the Loki ransomware family. This interview gave a peek behind the curtain, revealing the human side of ransomware, which I hope will be easier to understand than jargon-packed technical white papers.
Prevention #1 Patching
Aleks also mentioned that he gains an operational advantage from white hat research that reveals new vulnerabilities and the common delay in users’ implementation of new protections. He takes advantage of the gap in time between a vulnerability release and subsequent patching, claiming, “We use white hat research against them. As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch.”
Aleks (a verified operator of ransomware) has made it very clear: failing to promptly patch systems will allow people like him into a network. Enterprises must implement an actionable patching procedure or face the consequences. Doing so seems like just another insurmountable task, but it doesn't have to be. Draw out a repeatable and understandable process that your administrators can follow every month; here, simplicity is the key to success. Identify your most vulnerable systems, such as VPN appliances, Citrix access gateways and anything else that sits on the edge of your network, catalogue them, and agree that every month on a particular day these systems will be patched. Keep it simple, even if it means manually logging into your network appliances once a month and clicking update.
If you make the process, or even accessing the documentation for the process, complex, people will ignore it or make mistakes. But how on earth do you keep a patching procedure simple? I believe the key is to make your documentation succinct (a one-pager if possible) and accessible by exterminating cover pages and legalese. If someone is reading documentation they want to understand the process, not scroll past an out-of-date version control table and company branding.
Imagine your network has an edge appliance that allows external computers access to the internal network. A critical patch has become available. You should have a process in place to address it as quickly as possible. For example:
- Identify that a patch is available for a system you are running by signing up for relevant alerts from a service like https://secalerts.co/
- Select a day within the next 15-30 days for installation (maybe fewer days if the patch is critical)
- Align a technical resource to install the patch.
- Verify the patch installed by checking version numbers or some other identifier.
Once you are comfortable with patching your externally accessible systems you should begin to look inward. The logical place to start is your user endpoints and servers. If this means emailing your users to click the "Update Windows" button once a month, then do so. It's also important to keep third-party software like Java and Google Chrome up to date, but this is a different ball game because these types of software require frequent patching. Administrators could use the above methodology by keeping tabs on what software users have installed and sending out notifications when it's time to update, but this is easier said than done. Ideally, a patch management tool like SCCM, Altiris or PDQ should be deployed, but this is further complexity that takes the article away from its main point: simple changes for the largest security benefit against ransomware.
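The verification step of the process above, applied to Windows hosts, as an added example that is not from the original article: it reports how long it has been since each machine last installed an update so stragglers can be chased on patch day. The host names are constructed sample data and the 30-day threshold is taken from the window suggested above.

```powershell
# Added example, not from the original article: report how long it has been since each
# Windows host last installed an update so stragglers can be chased on patch day.
# The host names are constructed sample data; the 30-day threshold matches the window above.
$Hosts      = @('SRV-FILE01', 'SRV-APP01', 'WS-FINANCE07')
$MaxAgeDays = 30

function Get-PatchAge {
    param([string[]]$ComputerName, [int]$ThresholdDays)
    foreach ($c in $ComputerName) {
        $result = [ordered]@{ Computer = $c; LastHotFix = $null; InstalledOn = $null; AgeDays = $null; Overdue = $true; Error = $null }
        try {
            # Get-HotFix reads Win32_QuickFixEngineering remotely: OS updates only, not
            # third-party software such as Java or Chrome, which need separate tracking.
            $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                      Where-Object { $_.InstalledOn } |          # some entries carry no date
                      Sort-Object InstalledOn -Descending |
                      Select-Object -First 1
            if ($latest) {
                $result.LastHotFix  = $latest.HotFixID
                $result.InstalledOn = $latest.InstalledOn
                $result.AgeDays     = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
                $result.Overdue     = $result.AgeDays -gt $ThresholdDays
            }
        } catch {
            # Unreachable or access-denied hosts are reported as overdue rather than silently skipped
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Overdue hosts first, oldest patch at the top
Get-PatchAge -ComputerName $Hosts -ThresholdDays $MaxAgeDays |
    Sort-Object @{ Expression = 'Overdue'; Descending = $true }, @{ Expression = 'AgeDays'; Descending = $true } |
    Format-Table -AutoSize
```

Run it from a host that can reach the targets over WMI with an account that has local administrator rights on them.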
Prevention #2 Firewall Configuration
After identifying and confirming various accessible services, such as RDP, a common next step of the attack is using already-compromised accounts to login to the victim organization.
In the above quote, Aleks has confirmed something that the security community already knows: ransomware operators scan the internet for open RDP ports, log in to them with stolen or brute-forced credentials and deploy ransomware.
It's a ridiculously simple attack method, akin to stealing from someone who left the front door open. There's no good reason to have RDP open to the whole internet. Network administrators must, at the very least, restrict inbound RDP (3389) to particular IP addresses, but preferably block it entirely. Expanding this section of the article any further will just dilute the message. Blocking RDP (port 3389) inbound on your firewalls prevents ransomware.
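The same rule applied to a Windows host's own firewall, as an added example that is not from the original article: it finds inbound rules that allow TCP 3389 from any address, disables them, and allows RDP only from a management range. The range is an assumption; a perimeter appliance needs the equivalent rule in its own syntax.

```powershell
# Added example, not from the original article: audit a Windows host's own firewall for
# inbound rules that allow RDP (TCP 3389) from any address, disable them, and allow RDP
# only from a management range. The range is an assumption.
$ManagementRange = '10.10.50.0/24'   # constructed example of an admin jump network

function Get-OpenRdpRules {
    # A rule's ports and remote addresses live in separate filter objects
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389') -and ($addr.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{ Name = $_.Name; DisplayName = $_.DisplayName; Profile = $_.Profile }
        }
    }
}

$open = @(Get-OpenRdpRules)
if ($open.Count -gt 0) {
    Write-Host "Disabling $($open.Count) rule(s) that expose RDP to any remote address:"
    $open | Format-Table -AutoSize
    $open | ForEach-Object { Disable-NetFirewallRule -Name $_.Name }
}

# Allow RDP from the management range only; everything else falls to the default inbound action.
# If nobody needs RDP at all, skip this rule and leave the port closed entirely.
$RuleName = 'RDP - management range only'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ManagementRange -Action Allow -Profile Domain, Private | Out-Null
}

# Confirm the default inbound action is Block on every profile, otherwise the audit above is moot
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```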
Prevention #3 Passwords
Once persistence is established on the victim network, a variety of follow-on attacks are executed which in most cases aim to expand the compromise by stealing more and more credentials. For example, adversaries sometimes attack LLMNR and NBT-NS to obtain the administrator’s hashed password which can be used in pass the hash attacks or be loaded into hash cracking platforms.
Passwords are an age-old problem in the computing world and unfortunately are something that needs addressing in the fight against ransomware. After gaining an initial foothold, attackers will of course try to compromise the network further, stealing more privileged credentials that let them spread further, starting the cycle again and expanding the compromise exponentially. This part of the attack can be hampered or even halted by implementing a good password policy for everyone, users and service accounts alike.
Where possible, use Windows managed service accounts, which are much harder for an attacker to steal and crack; even if they are stolen, the credentials automatically (and invisibly) rotate, which means they quickly become useless to an attacker.
If managed service accounts can't be used then long passwords should be enforced by policy. It is okay to use long and complex passwords for service accounts because a human should never have to remember or type them; they should be copied and pasted from a credential storage technology like Bitwarden, KeePass or LastPass. Making service account passwords long and complex makes offline cracking by ransomware gangs (or any attacker) prohibitively time-consuming. Whilst this might not prevent an attack, it will certainly extend the time an attacker is active on the network, thus increasing the defender's chances of detecting them.
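Both service-account recommendations above in one added example that is not from the original article: create a group managed service account (gMSA) whose password Active Directory rotates on its own, then list the ordinary service accounts left in a service OU with their password age so they can be migrated or re-keyed from a password manager. The account name, host, domain, NetBIOS name and OU are assumptions.

```powershell
# Added example, not from the original article: create a gMSA (AD rotates its password)
# and list the remaining ordinary service accounts in an OU by password age.
# Account name, host, domain and OU are assumptions.
$GmsaName  = 'gmsa-backup'
$AppHost   = 'APP01'                                   # the one server allowed to use it
$Domain    = 'corp.example'
$ServiceOU = 'OU=Service Accounts,DC=corp,DC=example'

Import-Module ActiveDirectory

# Once per forest: the KDS root key that gMSA passwords are derived from
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null     # still needs ~10h to replicate to all DCs
}

# Only APP01's computer account may retrieve the password; AD rotates it every 30 days
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword "$AppHost$" `
        -ManagedPasswordIntervalInDays 30
}
# Then, on APP01 itself:
#   Install-ADServiceAccount -Identity $GmsaName
#   Test-ADServiceAccount  -Identity $GmsaName      # returns True when the host can use it
# Finally point the Windows service at CORP\gmsa-backup$ (assumed NetBIOS name) with a blank password.

function Get-ServiceAccountPasswordAge {
    param([string]$SearchBase)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            [pscustomobject]@{
                Account         = $_.SamAccountName
                PasswordAgeDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
                NeverExpires    = $_.PasswordNeverExpires
            }
        }
}

# Oldest passwords first: the best candidates to move to a gMSA or re-key from a password manager
Get-ServiceAccountPasswordAge -SearchBase $ServiceOU |
    Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```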
User password policies also need to be shaken up. Your users are struggling to juggle countless passwords alongside their work credentials; help them by making your password policy a minimum length of 16 characters with password rotation once per year.
Traditional password practices are so last year. Forget about regular rotation and forget about complexity. It's all about length and longevity. This point is explained in much greater detail by Troy Hunt here and in this quote from the NCSC:
Users have traditionally been told to remember passwords and to not share them, re-use them, or write them down. The problem with this is that the typical user has dozens of passwords to remember – not just yours. To cope with this overload, users resort to workarounds, such as reusing passwords, insecure storage or predictable passwords.
In an ideal world (again, as per NCSC guidance) system administrators should reduce the number of passwords users have to remember and maintain. If possible, allow staff to use passwordless authentication via platforms like Windows Hello or Azure SSO.
Prevention #4 Two Factor Authentication
If we have learned anything from prevention number three, it's that humans are bad with passwords. Antique password policies condition people to reuse passwords, or variations of passwords, across many services, which means that if one of your users has their password stolen from a personal site then in most cases their work network password could be exposed or at least inferred by brute-forcing. So, now more than ever, 2FA is an absolute must for any system that is accessible from outside the organisation. It's not even up for debate. All VPNs, cloud services and accounts must have 2FA policies enforced to stop password replay and credential stuffing, which would otherwise let ransomware operators like Aleks in.
The next set of preventions have made it into the article without Aleks's recommendation but are important to recommend nonetheless, as they are also exploited by the bad guys. We will call these Bonus Preventions.
Bonus Prevention #1 Disable Internet Macros
Office macros have been a popular remote code execution technique since the 90s and, despite their age, show no signs of retirement. Malicious macros dressed up as legitimate Office documents are still a viable infiltration technique used by trojan and botnet operators to clutch a foothold on victim networks. This foothold can then be sold off to the highest bidder, in some cases ransomware operators.
Thankfully, Microsoft provides defenders with free protection against macro-based attacks via Group Policy. This feature, released in 2016, stops macro code from executing automatically when opening Office documents that came from outside the network. If a user is ever successfully phished they would be protected from the initial infection because they cannot enable the macro. However, if your business uses macros that are sent in via email or cloud file sharing then this policy might not be for you, as it could impact business workflows.
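A check that the policy above has actually landed on a workstation, as an added example that is not from the original article: the Group Policy setting "Block macros from running in Office files from the Internet" writes a per-application registry value under the Office policies key, which this script reads for Word, Excel and PowerPoint. The Office version key (16.0) is an assumption for Office 2016 and later.

```powershell
# Added example, not from the original article: confirm the "Block macros from running in
# Office files from the Internet" policy is applied for Word, Excel and PowerPoint on this
# machine. Assumes Office 2016 or later (16.0 key); Office 2013 uses 15.0.
$Apps    = 'Word', 'Excel', 'PowerPoint'
$Version = '16.0'

function Get-InternetMacroPolicy {
    param([string[]]$Applications, [string]$OfficeVersion)
    foreach ($app in $Applications) {
        # Value written by the GPO under User Configuration > Administrative Templates >
        # Microsoft <App> 2016 > <App> Options > Security > Trust Center; 1 = block
        $path  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' `
                      -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application = $app
            PolicyValue = $value          # $null means the policy has not been applied
            Blocked     = ($value -eq 1)
        }
    }
}

$status = Get-InternetMacroPolicy -Applications $Apps -OfficeVersion $Version
$status | Format-Table -AutoSize
if ($status.Blocked -contains $false) {
    Write-Warning 'At least one Office application will still run macros in files downloaded from the Internet.'
}
```

Run it in the context of an ordinary user after a `gpupdate /force`, since the policy lives under HKCU.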
Bonus Prevention #2 Control remote access applications
Ransomware gangs are known to set up persistent access to networks via off-the-shelf remote management tools like TeamViewer. It could be beneficial to block the use of TeamViewer in your network. This could be done via EDR, AppLocker or perhaps even firewalls.
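The firewall option above, as an added example that is not from the original article: it adds host-firewall rules that block TeamViewer's executables in both directions and reports whether TeamViewer or the other remote admin tools named in this article are currently running. The install paths are assumptions.

```powershell
# Added example, not from the original article: block TeamViewer with host-firewall rules
# keyed to its executable path, and report whether it (or other remote admin tools named
# in the article) is running right now. The install paths are assumptions.
$BlockedPrograms = @{
    'TeamViewer'         = 'C:\Program Files\TeamViewer\TeamViewer.exe'
    'TeamViewer Service' = 'C:\Program Files\TeamViewer\TeamViewer_Service.exe'
}
$WatchProcesses = 'TeamViewer', 'PsExec', 'PsExec64', 'rclone'

function Set-ProgramBlockRules {
    param([hashtable]$Programs)
    foreach ($name in $Programs.Keys) {
        # Both directions: the tool must neither reach its relay servers nor accept connections
        foreach ($dir in 'Outbound', 'Inbound') {
            $ruleName = "Block remote access - $name ($dir)"
            if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $ruleName -Direction $dir `
                    -Program $Programs[$name] -Action Block -Profile Any | Out-Null
            }
        }
    }
}

function Get-RunningRemoteTools {
    param([string[]]$Names)
    # Path-based firewall rules only cover the binary at that path, so also look at what is
    # actually running; AppLocker publisher rules or EDR are the stronger control.
    Get-Process -Name $Names -ErrorAction SilentlyContinue |
        Select-Object Name, Id, Path, StartTime
}

Set-ProgramBlockRules -Programs $BlockedPrograms
Get-RunningRemoteTools -Names $WatchProcesses | Format-Table -AutoSize
```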
- Patching - Patch everything as regularly as possible but most importantly keep your network edge appliances up to date. Use https://secalerts.co/ to get notified when your technologies become vulnerable and patch immediately.
- Firewall policy - Comb through your firewalls and check for permissive inbound rules. Do not allow RDP inbound. Better yet, scan your network perimeter at intervals. Shodan Monitor is a great tool for this.
- Passwords - Modernise your password policy to match advice by governments and cybersecurity leaders. Length and longevity is the new school of thought. Help your users to help you. https://www.ncsc.gov.uk/collection/passwords
- 2FA - If someone is logging into your network from the outside, they need to be using 2FA. If they aren't, someone is going to shove credentials down that login portal until they eventually get in. And if they aren't brute-forcing they will be simply logging in with the correct credentials after they were stolen elsewhere.
- Disable Internet Macros - This simple Group Policy change will protect you. If your business won't be impacted, enable it.
- Control Administrative Tools - Prevent/detect unauthorised users from running Teamviewer, PSExec, rClone and other remote admin tools.