Getting Ahead of Ransomware: A Q&A with Tim Bandos
Digital Guardian's Senior Director of Cybersecurity and F100 Threat Hunting and Incident Response expert, Tim Bandos answers your questions on how to recover from and get ahead of ransomware attacks.
Following one of this year's worst cyber disasters, we recently presented a webinar featuring Digital Guardian's Senior Director of Cybersecurity, Tim Bandos, called After WannaCry: Getting Ahead of Ransomware. Tim, who has over a decade of threat hunting and incident response experience at a Fortune 100 manufacturing company, lends his expertise to help you learn from the WannaCry outbreak and protect yourself from future ransomware attacks. You can watch the full webinar on demand here.
What tips do you have for preventing ransomware attacks?
- Patch Management - stay on top of the latest updates for your OS and 3rd party applications
- Email Filtering - actively monitor email attachments and filter out those that are potentially dangerous
- End-User Education - teach users how to identify malicious links and attachments
- Install Ad Blockers - protect against malicious ads from even legitimate sites
- Exploit Prevention - for example, Microsoft has its Enhanced Mitigation Experience Toolkit that you might want to check out
- Backup & Recovery - implement an effective backup plan in case you need to restore your data
- Data Protection Suite - consider leveraging a DLP technology with the ability to prevent malware infections and ransomware attempts to encrypt files
Why are AV (anti-virus) vendors sometimes ineffective at detecting and blocking ransomware?
A lot of AV solutions tend to focus on signatures within files. They need to have some sort of signature for a particular variant of the malware in order to be effective in detecting and blocking the threat or to even clean it up. In my experience, when we've encountered a malware attack in my organization and it was a variant that didn't have a signature yet, we would have to acquire that sample off the machine and send it to the AV vendor so that they could come up with a signature in order to clean it up and block and have detection for it moving forward. So I think in the AV space, they have a really tough job staying on top of everything and the approach that they take isn't going to cover you for all scenarios. That's probably part of the reason why WannaCry was so successful because maybe AV vendors didn't have a signature for that particular variant.
How does an ATP solution, like Digital Guardian's, protect against new ransomware we haven't seen yet?
Our ATP solution is not signature based. We're behaviorally looking for how things are executing on the endpoint. If we see mass editing of files and extensions changing, we can block that activity. Our ransomware rules in our ATP solution effectively blocked WannaCry prior to being well aware of its existence. ATP doesn't necessarily need to know about a particular threat. We're just looking for anything bad in general and if it's breaking the laws of an OS.
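The behavioral rule Tim describes (many files being rewritten with their extensions changed in a short time) can be illustrated with a small detector. This is an added example, not Digital Guardian's code; the event format, process names and thresholds are constructed assumptions.

```python
"""Toy behavioral detector for mass renames with extension changes.

Assumed (constructed) event records: (timestamp_seconds, pid, process_name,
operation, old_path, new_path). Real endpoint telemetry would differ.
"""
from collections import defaultdict, deque
from pathlib import PurePosixPath

# Assumed thresholds: flag a process that renames at least MIN_RENAMES files
# to a different extension within any WINDOW-second sliding window.
WINDOW = 10.0
MIN_RENAMES = 5


def extension_changed(old_path, new_path):
    """True when a rename changes the file's extension (.xlsx -> .locked)."""
    return (PurePosixPath(old_path).suffix.lower()
            != PurePosixPath(new_path).suffix.lower())


def detect_mass_rename(events, window=WINDOW, min_renames=MIN_RENAMES):
    """Return {pid: process_name} for processes whose extension-changing
    renames reach the threshold inside the window. Events may be unsorted."""
    recent = defaultdict(deque)  # pid -> timestamps of suspicious renames
    flagged = {}
    for ts, pid, proc, op, old, new in sorted(events, key=lambda e: e[0]):
        if op != "rename" or not extension_changed(old, new):
            continue  # ordinary writes and same-extension renames are ignored
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop renames that fell out of the window
        if len(q) >= min_renames and pid not in flagged:
            flagged[pid] = proc
    return flagged


# Constructed sample telemetry: a word processor saving one file (pid 100),
# a process rewriting six documents to a new extension within a second
# (pid 200), and a slow archiver renaming five files over a minute (pid 300).
SAMPLE_EVENTS = [
    (0.0, 100, "winword.exe", "rename", "/u/report.tmp", "/u/report.docx"),
    (1.5, 100, "winword.exe", "write", "/u/report.docx", "/u/report.docx"),
] + [
    (2.0 + 0.1 * i, 200, "unknown.exe", "rename",
     f"/u/f{i}.docx", f"/u/f{i}.docx.locked") for i in range(6)
] + [
    (15.0 * i, 300, "archiver.exe", "rename",
     f"/u/g{i}.txt", f"/u/g{i}.zip") for i in range(5)
]

if __name__ == "__main__":
    print(detect_mass_rename(SAMPLE_EVENTS))  # only pid 200 is flagged
```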
Is an ATP solution a replacement for a traditional AV vendor or a complementary control?
The way I look at our ATP solution and our DLP suite is that we sit alongside the antivirus and other security tools. It is recommended to have a layered security approach. I don't think there's ever going to be a place where we can completely replace AV. There are a lot of capabilities built into AV solutions like remediation and being able to restore your registry keys and kill different files. I see an ATP solution as a complementary control, as are a lot of the other tool sets. Having an AV solution in place is definitely a recommendation, even if it's a generic solution like Microsoft's Windows Defender, which is actually a fairly effective solution. You don't necessarily have to go out and buy something from one of the top AV vendors out there.
When you say WannaCry exploited an open port, does that mean that the infected computers were simply sitting idly and WannaCry injected itself without any activity by the end user?
Even if the machine was just idle, having an open port over which the SMB protocol operates, together with the EternalBlue vulnerability, exposed your machine to potential infection. So even if your computer is just standing there on the network with no activity, you could be infected if another machine on your network was infected, because of how the variant was built to propagate. Making sure you do regular patch management and having an exploit prevention tool can help limit exposure to ransomware.
Is it ever worth paying a ransom when infected?
No, it's never worth paying the ransom. That's my personal recommendation. Do research before paying the criminals because there are other ways to get your data back. If you don't have a back-up, encrypted files from some strains of ransomware can actually be decrypted for free. You can go to https://www.nomoreransom.org/.
Once ransomware has infected an endpoint, what do you recommend for cleaning that endpoint?
Once ransomware has infected an endpoint, you have to rely upon an anti-virus tool. If you didn't have a tool to block that ransomware in the first place, you need a solution that has the signatures and knows which registry keys have been changed and which files on the particular machine need to be wiped or removed. A lot of times it's a waiting game for the AV vendors to release a signature update to actually do the cleaning. There are certain things you can download on the web like Malwarebytes or any of the other free web-based tools that can clean some of the files. At the end of the day, it comes down to either waiting for the AV vendors or doing a wipe of your system. That's why it's important to have the proper prevention tools like an ATP solution and a back-up in place.