Five steps to prepare for a ransomware attack

Like many information security firms, Rendition Infosec has worked many ransomware attacks over the last several years.  If you’re reading this post, you probably know about the obvious things you can do to prepare for a ransomware event.  We often talk about having good backups (and testing them).  We also know that most ransomware is distributed through phishing, so having good phishing defenses helps too.

Ransomware

When it comes to ransomware, an ounce of prevention is worth a pound of cure…

But let’s assume that you’ve checked those two boxes (as well as anyone can).  Let’s face it: sooner or later you are likely to have to deal with a ransomware threat in your environment.  So what else can you do to prepare for the inevitable ransomware compromise?  In this post, we’ll detail a few things you can do ahead of time to limit the damage and speed up recovery when ransomware does reach your machines.

The five preparation steps are:

  1. Enable Volume Shadow Copies and increase allocated space
  2. Remove users from the local administrators group
  3. Limit the number of shares that a user has write access to
  4. Use hidden file shares
  5. Only map file shares while in use

In the rest of the post, we’ll discuss the rationale for each of these recommendations.

1. Enable Volume Shadow Copies and increase allocated space

Volume shadow copies are automatic backups that are probably already running on your Windows machines.  Well, sometimes, that is… For performance reasons, a number of websites recommend that systems administrators disable the Volume Shadow Copy service on workstations.  This does give some (small) performance benefit.  However, the recovery benefit in the case of a ransomware attack far outweighs any potential performance gain.  Also, most enterprise workstations today have a surplus of disk space.  Consider increasing the amount of disk space allocated to volume shadow copies so that more (and older) copies are retained instead of being pruned.
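As an added example (not code from the original post), the following elevated PowerShell session re-enables the VSS service where a tuning guide has disabled it, raises the shadow-storage ceiling, schedules a daily snapshot, and verifies the result. It assumes the volume is C: and that 20% of it may be used for shadow copies; adjust both. Keep step 2 of this post in mind: shadow copies live on the same disk, and anything running with local administrator rights can delete them, so this complements offline backups rather than replacing them.

```powershell
# Added example: keep a longer history of Volume Shadow Copies on a workstation.
# Run from an elevated PowerShell prompt (Windows 8 / Server 2012 or later).
# Assumptions: the volume is C: and up to 20% of it may hold shadow copies.

$Volume  = 'C:'
$MaxSize = '20%'

# 1. Re-enable the VSS service if a "performance tuning" guide disabled it.
$vss = Get-Service -Name VSS
if ($vss.StartType -eq 'Disabled') {
    Set-Service -Name VSS -StartupType Manual   # VSS normally starts on demand
}

# 2. Turn on System Protection for the volume so Windows keeps restore points.
Enable-ComputerRestore -Drive "$Volume\"

# 3. Raise the shadow-storage ceiling. With the default (small) ceiling the
#    oldest copies are pruned quickly, which is exactly the history you want
#    to still have after an encryption event.
vssadmin resize shadowstorage "/for=$Volume" "/on=$Volume" "/maxsize=$MaxSize"

# 4. Snapshot the volume every day at noon as SYSTEM instead of relying on
#    Windows to decide when a copy is worth making. Win32_ShadowCopy.Create is
#    the same WMI call vssadmin/wmic use under the hood.
$cmd = "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create " +
       "-Arguments @{ Volume = '$Volume\'; Context = 'ClientAccessible' }"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -Command `"$cmd`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 12:00
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Daily-ShadowCopy' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# 5. Verify: the new ceiling and the copies that exist right now.
vssadmin list shadowstorage
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object InstallDate, VolumeName, ClientAccessible |
    Format-Table -AutoSize
```

On a fleet, the same settings are easier to push through Group Policy or your configuration management tool than by running this on each machine; the script is the per-host version so you can see what each setting does and check it with `vssadmin list shadowstorage` afterwards.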

2. Remove users from the local administrators group

If users are in the local administrators group, they represent two special risks for ransomware attacks.  First, ransomware running as that user can encrypt all files on the machine, not just those the user owns.  On a multi-user machine, this can be a really big deal.  The second (and larger) issue is that with local administrator permissions, the ransomware can delete volume shadow copies.  Ransomware typically does this if it has the permission to do so.
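As an added example (not code from the original post), this script audits the local Administrators group against an allow-list and removes every other member. It runs in "what-if" mode until you flip `$WhatIf`, so you can review what would be removed first. The group names are placeholders for your environment; the cmdlets need the LocalAccounts module that ships with Windows 10 / Server 2016 and later.

```powershell
# Added example: strip unexpected members from the local Administrators group.
# Run from an elevated PowerShell prompt on the workstation being audited.
# Assumptions (placeholders): CORP is your domain, and the two groups below are
# the only ones that should keep admin rights on workstations.

$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (manage per your policy)
    'CORP\Domain Admins',                # placeholder domain group
    'CORP\Workstation Admins'            # placeholder: the helpdesk group that needs rights
)
$WhatIf = $true   # set to $false to actually remove members

$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    # -contains is case-insensitive, so 'corp\domain admins' still matches.
    if ($Allowed -contains $m.Name) { continue }

    Write-Warning "Unexpected local admin: $($m.Name) [$($m.ObjectClass)]"
    # With -WhatIf:$true this only reports; with $false it removes the member.
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf:$WhatIf
}

# What remains after the run.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Once the allow-list is agreed, the durable fix is to enforce the same membership centrally (Group Policy Restricted Groups or Group Policy Preferences) so that a user added back by a well-meaning technician is removed again at the next policy refresh.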

3. Limit the number of shares that a user has write access to

We know this is hard to do, but carefully review the list of shares each user actually needs to write to.  We recommend maximum segmentation of shares and groups.  Most organizations Rendition Infosec works with today lump groups and shares together for the sake of administrative convenience.  The small administrative overhead involved in segmenting these groups is dwarfed by the productivity losses suffered if a ransomware-infected user’s machine encrypts files on a share and you have to restore from backup.
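As an added example (not code from the original post), this script lists every share on a file server where a broad principal holds write (Change or Full) access, then shows the remediation pattern for one share: swap the broad entry for a narrow, share-specific group. It runs on the server with the SmbShare module (Windows Server 2012 or later); all group and share names are placeholders.

```powershell
# Added example: find shares writable by broad groups and re-scope them.
# Run from an elevated prompt on the file server. Names are placeholders.

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'CORP\Domain Users'                  # placeholder for your all-staff group
)

# Skip the administrative shares (C$, ADMIN$, IPC$ are flagged Special) and
# report every Allow entry that gives a broad principal Change or Full rights.
$findings = Get-SmbShare |
    Where-Object { -not $_.Special } |
    Get-SmbShareAccess |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Full', 'Change') -and
        $BroadPrincipals -contains $_.AccountName
    }

$findings | Select-Object Name, AccountName, AccessRight | Format-Table -AutoSize

# Remediation pattern for one share: replace the broad write entry with a
# share-specific read/write group, plus an optional read-only group.
function Set-SegmentedShareAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$BroadAccount,
        [Parameter(Mandatory)][string]$WriteGroup,
        [string]$ReadGroup
    )
    Revoke-SmbShareAccess -Name $ShareName -AccountName $BroadAccount -Force
    Grant-SmbShareAccess  -Name $ShareName -AccountName $WriteGroup -AccessRight Change -Force
    if ($ReadGroup) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $ReadGroup -AccessRight Read -Force
    }
}

# Usage (placeholder names):
# Set-SegmentedShareAccess -ShareName 'Finance' -BroadAccount 'CORP\Domain Users' `
#     -WriteGroup 'CORP\Finance-RW' -ReadGroup 'CORP\Finance-RO'
```

Share permissions are only one of two gates: the effective right is the more restrictive of the share ACL and the NTFS ACL on the folder, so after tightening the share run the same review against the folder permissions (`Get-Acl`) or the audit is only half done.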

4. Use hidden file shares

Some ransomware enumerates shares on the servers a user already has shares mounted from, using something similar to a “net view” command.  If you use hidden shares (those whose names end in a “$” character), the malware can only see the shares that are actively mounted.  This does create the potential problem of users not being able to freely enumerate available shares on your file servers.  But stop and think about it for a minute – is this something you really want?   Users shouldn’t be randomly browsing your file servers looking for new file shares.  And good news: if users can’t do it, attackers can’t do it either. Only one of those two groups has easy access to the helpdesk to get their issues resolved.  Like most of our recommendations, while this will help with ransomware, it will also help with security in general.
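As an added example (not code from the original post), this creates a share as a hidden share with explicit group permissions and then confirms that a plain share listing omits it. Run it elevated on the file server; the path and group names are placeholders. One caveat worth keeping in view: the trailing “$” is a convention that listing tools honour, not an access control, so the permissions on the share are what actually limit the damage; treat hiding as a speed bump layered on top of them.

```powershell
# Added example: publish a hidden, least-privilege share and verify it.
# Run from an elevated prompt on the file server. All names are placeholders.

$share = @{
    Name                  = 'Finance$'               # trailing $ hides it from share listings
    Path                  = 'D:\Shares\Finance'
    ChangeAccess          = 'CORP\Finance-RW'        # read/write group
    ReadAccess            = 'CORP\Finance-RO'        # read-only group
    FolderEnumerationMode = 'AccessBased'            # users only see folders they can open
    Description           = 'Finance (hidden share)'
}

if (-not (Test-Path $share.Path)) {
    New-Item -ItemType Directory -Path $share.Path | Out-Null
}

# Because ChangeAccess/ReadAccess are given explicitly, New-SmbShare does not
# add its default "Everyone / Read" entry.
New-SmbShare @share | Out-Null

# What a plain share listing sees: the hidden share is not in this output ...
net view "\\$env:COMPUTERNAME"

# ... but it exists, with only the two groups on it.
Get-SmbShare -Name $share.Name | Get-SmbShareAccess |
    Select-Object Name, AccountName, AccessRight | Format-Table -AutoSize
```

Users reach the share by its full path (`\\server\Finance$`), typically through a mapped drive or a shortcut handed out by the helpdesk, which ties in with step 5 below.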

5. Only map file shares while in use

A number of ransomware variants attempt to encrypt files on mapped file shares. If you train users to map only the shares they need, when they need them, you can minimize the damage if they are hit with ransomware.  This is most easily done by providing users with shortcut batch scripts to map and unmap their shared drives.  Ensuring that users log off at the end of each day (another good infosec practice) and unmounting shares as part of the logon scripts will help to minimize the number of shares mounted at any given time.
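The post suggests batch shortcuts for mapping and unmapping; as an added example (not the post’s own scripts), here is a PowerShell equivalent, `Map-Share.ps1`, that maps a named share non-persistently, drops it again on request, and has an `-UnmapAll` mode for the logon script so that nothing stays mounted between sessions. The server name, share names and drive letters are placeholders.

```powershell
# Added example: Map-Share.ps1 (PowerShell version of the post's batch shortcuts).
#   Map-Share.ps1 -Share Finance          -> maps F: to the Finance share
#   Map-Share.ps1 -Share Finance -Unmap   -> drops F:
#   Map-Share.ps1 -UnmapAll               -> drops every mapped drive (logon script)
# Server, share names and drive letters are placeholders.

param(
    [ValidateSet('Finance', 'Projects')]
    [string]$Share,
    [switch]$Unmap,
    [switch]$UnmapAll
)

# Hidden ($) shares as recommended in step 4; single quotes keep the $ literal.
$Shares = @{
    Finance  = @{ Letter = 'F'; Path = '\\fs01.corp.example\Finance$' }
    Projects = @{ Letter = 'P'; Path = '\\fs01.corp.example\Projects$' }
}

if ($UnmapAll) {
    # Logon-script path: remove every mapped network drive, including any
    # persistent mapping a user created by hand, so ransomware on this host
    # has no mounted share to reach until the user explicitly maps one.
    Get-SmbMapping | ForEach-Object {
        Remove-SmbMapping -LocalPath $_.LocalPath -Force -UpdateProfile
    }
    return
}

if (-not $Share) { throw 'Specify -Share <name> or -UnmapAll.' }
$s     = $Shares[$Share]
$drive = "$($s.Letter):"

if ($Unmap) {
    net use $drive /delete /y
} else {
    # /persistent:no -> the mapping is session-only and is gone after logoff.
    net use $drive $s.Path /persistent:no
}
```

A desktop shortcut with the target `powershell.exe -NoProfile -File "C:\Tools\Map-Share.ps1" -Share Finance` gives users the one-click experience the post describes, and the logon script calls the same file with `-UnmapAll` so every session starts with no shares mounted.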

Closing thoughts

We’ve only scratched the surface in preparing for ransomware attacks. Rendition Infosec offers a number of services to help organizations defend themselves from ransomware and other attacks.  In addition to assisting with (and auditing) the steps above, Rendition also offers ransomware tabletop exercises.  Further, Rendition has developed proprietary code that can help organizations determine their exposure in the event of a ransomware attack.  The results of these assessments can help your organization take steps to lock down your environment ahead of a ransomware attack.

Rendition also offers continuous monitoring of your information security assets.  Protecting your organization from ransomware is much cheaper than you might think and we have packages that fit the budget of any organization.  Contact Rendition Infosec to discuss a prevention and monitoring package that will work for you.

Finally, if you’ve already been compromised by ransomware, contact Rendition Infosec immediately, as we may be able to help recover your files.  Don’t power down your machine: for some ransomware variants, capturing memory is a critical component of recovery.