Saturday, February 28, 2015

More (crypto-)paranoia


You are more than likely aware of the rapid rise of a particularly malicious species of malware known as ransomware. Generically, it uses very strong encryption to lock down your files and then demands a fee for the key to unlock them. The "droppers" for this malicious code are commonly email phishing, but also exploits of unpatched flaws in browsers and their plugins. This threat is equally prevalent on Apple Mac O/S and Microsoft Windows platforms; nobody is immune...

Protecting against these threats - particularly, say, on a home network - is not trivial. While users often still need to do something to let the malware activate, this is no longer necessarily the case. A well managed machine or network will be well backed up - but in many cases the backup locations, whether on local machine drives or on the network, are also linked to the computers by drive letter assignments.

While ransomware does not so far typically (as far as I am aware) look for network storage locations - it absolutely will encrypt anything with an associated drive letter.

So there is a non-zero possibility of a ransomware infiltration, without any user doing anything "wrong", that locks out not only active data but also your backups. In our instance we have backups of backups which, while "live", are not directly connected to any computer on the network - so there is some confidence in the ability to recover a lot, if not all, of the data that may be subject to a ransomware attack. But it's not a comfortable situation.
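The two points above - a drive letter is a path the malware can walk, and backups should not stay reachable by one - can be put into a small script. This is an added example, not code from the original post: it lists every drive letter on the machine that reaches network storage, then runs a backup through a mapping that exists only while the copy runs. The share `\\nas\backup`, the source folder `C:\Users\Me\Documents` and the drive letter `Q:` are placeholders.

```powershell
# Added example, not from the original post: inventory drive letters that
# reach network storage (each one is a path ransomware can walk), then back
# up through a drive mapping that exists only for the duration of the copy.
# \\nas\backup, C:\Users\Me\Documents and Q: are placeholder values.

function Get-NetworkDriveLetters {
    # DriveType 4 = network drive; ProviderName is the UNC share behind the letter.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 4' |
        Select-Object DeviceID, ProviderName
}

function Invoke-DetachedBackup {
    param(
        [Parameter(Mandatory)] [string] $Source,    # folder to back up
        [Parameter(Mandatory)] [string] $ShareUnc,  # \\server\share to copy into
        [string] $Letter = 'Q:'                     # temporary drive letter
    )
    if (Test-Path "$Letter\") { throw "$Letter is already in use; choose another letter." }
    try {
        # /persistent:no means the mapping does not come back after a reboot.
        net use $Letter $ShareUnc /persistent:no | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not map $ShareUnc to $Letter" }

        # Each run goes into its own dated folder, so an earlier good copy is never
        # overwritten by a later copy of already-encrypted files. /E copies all
        # subfolders and, unlike /MIR, never deletes anything at the destination.
        $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
        robocopy $Source "$Letter\$stamp" /E /R:1 /W:1 /NP /NFL /NDL | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    }
    finally {
        # Always drop the mapping, even on failure, so the share is not left
        # reachable by drive letter once the backup has finished.
        net use $Letter /delete /y | Out-Null
    }
}

Get-NetworkDriveLetters | Format-Table -AutoSize
Invoke-DetachedBackup -Source 'C:\Users\Me\Documents' -ShareUnc '\\nas\backup'
```

Two caveats a practitioner would want stated. First, the copy still runs from the machine being protected: if that machine is already infected, the run carries encrypted files onto the share, which is why each run lands in its own dated folder rather than overwriting the previous one. Second, removing the drive letter only defeats malware that walks drive letters, as the post describes; anything that enumerates shares by UNC path can still reach the share while the credentials allow it.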

One approach to preventing this sort of attack is "white listing" executables, so that only known safe ones can run. A variant allows executables to run only from certain trusted locations, relying on the operating system, in most cases, to confine ("sandbox") downloaded executables to other, less trusted areas (i.e. so malware cannot generally install itself in the trusted locations).

As it happens, the Windows operating system already has group security policy mechanisms to put this sort of protection in place. They do, however, require some manual effort and a modicum of expertise to set up, and they need updating as threats evolve.
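To give a feel for the manual effort involved, here is an added example (not code from the original post, and not CryptoPrevent's own code) of what the mechanism looks like underneath: Windows' Software Restriction Policies store their path rules under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, and a rule saying "nothing with a .exe extension may run from under AppData" is one GUID-named subkey there. The script writes a handful of such rules directly. It must be run from an elevated PowerShell session; the rule set itself is an assumed starting point rather than a complete or recommended list, and the OneDrive path used to show an exemption is an assumed example of a per-user program.

```powershell
# Added example, not from the original post and not CryptoPrevent's own code:
# Software Restriction Policy (SRP) path rules written straight to the policy
# registry keys, blocking executables in the user-writable folders that
# droppers typically write to. Must run in an elevated PowerShell session.
# The rule set below is an assumed starting point, not a complete one.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # SRP security level "Unrestricted" (0x40000)

function Initialize-Srp {
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    # The default level stays Unrestricted, so only the explicitly listed paths are blocked.
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord   # enforce for all software except DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0 -Type DWord   # apply to administrators as well
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Description,
        [int] $Level = $Disallowed
    )
    # Each rule is a GUID-named subkey under the security level it belongs to.
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
}

# Assumed starting rule set: block *.exe in the folders a phishing attachment or
# browser exploit can write to without any privilege. The environment variables
# are expanded by SRP when a program is about to start.
$BlockRules = @(
    @{ Path = '%AppData%\*.exe';        Desc = 'Block executables dropped in roaming AppData' },
    @{ Path = '%AppData%\*\*.exe';      Desc = 'Block executables one folder below roaming AppData' },
    @{ Path = '%LocalAppData%\*.exe';   Desc = 'Block executables dropped in local AppData' },
    @{ Path = '%LocalAppData%\*\*.exe'; Desc = 'Block executables one folder below local AppData' },
    @{ Path = '%Temp%\*.exe';           Desc = 'Block executables run straight from the Temp folder' },
    @{ Path = '%Temp%\*.zip\*.exe';     Desc = 'Block executables opened from inside a zip in Explorer' }
)

Initialize-Srp
foreach ($r in $BlockRules) { Add-SrpPathRule -Path $r.Path -Description $r.Desc }

# Legitimate per-user programs that live under AppData need a more specific
# Unrestricted rule; SRP lets the most specific matching rule win, so this
# overrides the broader Disallowed rule above. The path is an assumed example.
Add-SrpPathRule -Path '%LocalAppData%\Microsoft\OneDrive\OneDrive.exe' `
                -Description 'Exempt a known per-user program' -Level $Unrestricted
```

After running it, sign out and back in before trusting that the rules apply, and review them under Local Security Policy (secpol.msc) > Software Restriction Policies, where they appear as ordinary path rules. The catch, and the reason the post talks about "manual effort", is the exemptions: any program that installs itself per-user under AppData stops launching until it gets its own Unrestricted rule, and that list changes with every software update. Keeping both the block list and the exemption list current is the upkeep the post refers to.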

CryptoPrevent from Foolish IT automates the setting up, continuing update and maintenance of these policies for Windows machines. This is a level of protection that you need in addition to a quality anti-virus system. (Windows Defender is free and works reasonably well. The best rated paid tool is probably Kaspersky, with a tip that buying it from the US site is by far the cheapest option. Even though they don't recognise non-US addresses, they will take your money and provide the license keys...)

Unfortunately, I am not aware of a similar protection tool for Mac O/S users yet... But for Windows machine users: a) make sure you are keeping regular backups and that they are not continually connected to your machines, and b) think about acting on the suggestions above...
