The Petya ransomware attack struck many countries, taking under its grasp systems, loosely patched and surprisingly even those systems as some news reports say, having the latest patches from Microsoft. Two global ransomware attacks in as many months. The WannaCry ransomware, last month, swamped over tens of thousands of computers globally. Express Computer Spoke to K K Chaudhary, Group Head IT and IS, LANCO Group. He prescribes the strategy to tackle the ransomware threat vector
Steps taken to shield the enterprise against ransomware
The mail whitelisting should be done at the gateway itself. The Lanco group has conducted rigorous exercises in perfecting the email whitelisting practice. If the email gateway is configured such that emails from only known sources are allowed. The system has been whitelisted with people who are supposed to send mail to the company. The rest are not allowed. The mail with a suspicious payload will be blocked at the gateway. Other mails, which are genuine but not whitelisted will be sent to the concerned email ID in a quarantine folder. If the user feels it’s a genuine mail, he will open it otherwise, it is binned. After confirming the genuineness of the mail, the IT should be informed about the respective mail ID of the sender for whitelisting. So the next time, the email from the same person is received it directly hits the inbox without any need for a quarantine folder.
Suppose a suspicious mail with an attachment from a genuine email ID but from a suspicious person has been clicked through, then too the system can be protected. After clicking the attachment, the malware will strike the hard disk and will try to run the file. In that case, the next layer of defense i.e the Data Loss Prevention (DLP), will not allow the .exe file to execute because it’s not on the whitelist. The file will be blocked. It will trigger an alert to the security manager. This is a secure practice but it has to be well backed up by regular patching of the OS and end point.This will thwart 90 percent of the ransomware attacks.
For the rest 10 percent, there are two practices to be followed. One- Inculcate the habit of backing up data. Secondly, awareness is important that mails from unknown sources should not be clicked upon.
Application whitelisting will ensure that only the ticked applications will run on the endpoint. The DLP has to be kept in the blocking mode. It only allows what is supposed to run.
In all, three steps of email, application and OS whitelisting and two more steps about generating awareness and backing up data is a wholesome strategy to get around the ransomware threat vector.
Ransomware – Where are companies missing the plot ?
The primary reason being the absence of a sound DLP strategy. Even if the companies do have a strategy, the DLP is configured in monitoring mode and not in the blocking mode. Most of the organisations will have their DLP in a monitoring mode. “The reason why DLP is not kept in a blocking mode is because it may result in many performance issues for the enterprise. In that fear, the IT department is not able to have its way, “ says K K Chaudhary, Group Head IT and IS, LANCO Group. They should be able to convince the business about making sure that the business will be as usual and there will not be any hiccups.
Another miss on the part of the enterprise is not having adequate backups. Data backups nullifies any need for a ransom.
Importance of application whitelisting
A ransomware did attempt to intrude in the IT systems of LANCO group, three months back. “A few phishing mails had come,” says Chaudhary. However the company was not affected because the endpoints were protected. The malware comes with a payload. The moment the attachment is clicked, some executive or COM file will get downloaded on the hard disk and then it will execute. But the endpoints were in the block mode. The DLP too. It doesn’t allow any application to run unless that application comes into a whitelist. The DLP client only runs selected files and nothing else. “The applications have been whitelisted and thus even though the malware landed in our systems but could not crank up,” The moment an alert was triggered from the DLP about a suspicious file trying to execute, it was blocked. “Some 53 suspicious emails had hit the inbox an hour’s time. But none of them were opened. Even if it was opened, no damage would have been done because the DLP has been blocked,”
What about mobiles?
WIth the growing use of mobility devices and enterprise mobility solutions, the employees use their phones for official work, hence it’s important to protect the mobility devices too in addition to desktop systems.
The enterprise data does not directly reside on the mobile phones. Even if the device is encrypted, the data is on the server. So, even after the device getting affected by ransomware, the data can be again taken from the endpoint or the server after the device is formatted. The device only holds a copy of the data. It’s not the only copy.
However an employee using the mobility device under BYOD and if his device is affected then the personal data can be hold to ransom. But if the Mobile Data Management (MDM) tool is implemented then no official data will be lost.