Best Practices: Preventing Ransomware in Government Networks
4 min read
Governments globally, like their commercial counterparts, are currently grappling with ransomware. The FBI receives calls from U.S. state and local governments, especially law enforcement, many of whom are apparently paying the ransom, to report the attacks. In the U.S., some victims have paid over $24 million in 2015 according to IC3 statistics. The U.S. Department of Homeland Security (DHS) reports that 29 agencies have noted over 300 ransomware-related incidents in the last 9 months. In those cases, luckily the attacks were unsuccessful, but in some cases, attackers are using government as the purported source of emails to lure unsuspecting users to click on the malicious links. Businesses in Australia have received ransomware emails that look like they are from the Australian Federal Police and Australia Post.
The good news is that there are numerous best practices that can help prepare your network and endpoints for a potential ransomware attack that targets your unwitting employees and/or contractors to gain access to your assets.
The basics: Ransomware is malware that encrypts your files and uses that encryption to restrict access to your (or any other victim’s) files or systems until the victim pays the ransom for the key to decrypt those files.
How does it get delivered: Like all of those other phishing emails you’ve been training your employees to delete, ransomware relies on the same social engineering technique to fool your users into opening them and downloading what’s inside. Often, the link itself is encrypted so if you’re not decrypting suspicious links within your email, it can often get right through your defenses that way. In other cases, the malware is hosted on the legitimate website of an unsuspecting host just waiting for your employees to use it. Since government is naturally a high profile target, the attackers may intentionally look for websites they know your employees will use in order to host their malware. It’s up to website administrators to maintain their own security best practices to prevent infections of their sites.
Why it’s harder to detect and prevent than other malware: Because the malware changes rapidly (usually every few hours), it often fools network defenses. And even best-in-class remediation processes are often too late to save your assets – they’ve already been encrypted.
Without going through an exhaustive security best practices list, below is a summary of some best practice “reminders” in light of this evolving and growing threat to our networks:
- People and Process:
- Refresh your existing and ongoing training to advise your employees and contractors about these threats and what to watch for, as well as how to report anything suspicious. The more realistic you can make this training, the more likely it is to stick with your employees. Theoretical examples are only interesting to a point.
- Use red teaming types of exercises to keep your employees alert to these phishing emails. It’s easy to become de-sensitized or oblivious to them.
- Run hourly backups on your critical systems and daily backups for all others. Have a reasonable backup plan, for your particular environment, to address data on end user systems.
- Establish as swift of a patching process as possible. Recall that many exploits damage your networks because they can. Government, in particular, is often too slow in patch cycles – do whatever you can to change your process and improve these patching times.
- Disable Flash altogether if possible.
- Restrict mounted file shares as much as possible. It’s no surprise that this is an oft-forgotten vector and has the potential to wreak the most damage in an enterprise environment.
- Technology – on the Network:
- Whitelist applications at your gateway. If you do no other whitelisting, at minimum block the following:
- Unknown TCP/UDP applications
- High risk applications that you do not need
- All file-sharing applications, e.g. Dropbox, Box, which can be a common delivery mechanism -, unless you are using Aperture to ensure file-sharing environments are secured and the right users have permissions to the applications.
- Whitelist applications at your Data Center. Given that this is a controlled environment, you can be more restrictive at this critical point in the attack life cycle.
- Block known bad URLs (in the Palo Alto Networks platform, it’s the malware category)
- Block unknown URLs, or put a ‘continue’ page to warn users and to break automated downloads/droppers
- Enable all threat prevention capabilities, on our platform, on all traffic all the time (IPS, AV, Spyware). Newer IPS rules have been added such as those that block javascript files sent via email that are used as droppers.
- Block specific file types depending on delivery app.
- eg, block PE’s and other unwanted file types over web/email.
- Block file downloads from unknown URLs sites altogether.
- Enable SSL decryption – remember that the payload can be delivered by SSL
- Whitelist applications at your gateway. If you do no other whitelisting, at minimum block the following:
- Technology – on the Endpoint
- Enable exploit prevention on all of your critical assets using Traps
- Don’t allow unknown executables to run. If you are a Palo Alto Networks customer, disable until WildFire returns a verdict on the file.
- Don’t allow .exe’s to run from risky locations, e.g. a tmp directory.
Use the global surge in ransomware as an opportunity to revisit your security practices, regardless of which framework (ISO 27000-series, NIST Cyber Security Framework, etc.) you use.
For more on ransomware trends and best practices for prevention, download “Ransomware: Unlocking the Lucrative Criminal Business Model” from Unit 42, the Palo Alto Networks threat intelligence team.
[Palo Alto Networks Research Center]
English