Stop panicking about the Locky ransomware [Update 2]

February 22, 2016

Almost everyone in the German-speaking media and many IT professionals are running around like a bunch of scared chickens because of the Locky ransomware. Stop that! And think!

  1. Ransomware is not new
  2. Ransomware with correctly implemented crypto is not new

I really don’t understand why this ransomware is hyped that much. You just need to implement the security procedures you should have implemented years ago. The following list shows which security procedures would help in this case; most of them should already be in place in your company. None of them is specific to Locky, and they will help you against many other kinds of malware.

Blocking the infection

  • Force an HTTP and HTTPS proxy and block .exe downloads
    That is really simple to implement even for small companies, e.g. Untangle supports that. You can opt not to scan e-banking sites if this is a concern.
  • Block direct internet access except over the proxy
    Make exceptions only for specific IP addresses or domains. Every enterprise firewall allows that; if you currently only have a router, think about using something like Untangle or pfSense (Open Source).
  • Remove or block mails with DOC, XLS or PDF attachments which contain macros
    If a user really needs that file with macros, he can request it from the IT department. If you’re using Open Source software as your mail gateway, take a look at ExeFilter. Otherwise take a look at your commercial product or talk to your email service provider.
  • Enforce prompting before MS Office runs a macro
    MS Office allows you to configure that the user gets prompted before a macro is executed. You can also configure that via GPO or OCT. Make sure the user can’t deactivate it, and if you need internal macros/scripts, sign them with your internal CA.
  • Block access to Tor nodes
    Why should a user from your company network need to access a Tor node? Block that on the router or proxy. Some time ago I’ve written about doing that with a Mikrotik router. The script can easily be modified for any other router or firewall which allows configuration via the CLI.
  • Use application whitelisting
    As with firewall rules long ago, we currently only block bad files (blacklisting), but on the firewalls we moved to whitelisting (only allow the configured good stuff) years ago. It’s time to move to the same method for exe files on your Windows systems. If you’re using central software deployment it is also not that difficult:

    • Allow everything that is installed in folders that only a local administrator is able to write to (e.g. c:\windows or c:\program files)
    • Allow digitally signed files (e.g. everything from Microsoft, Google, Cisco)
    • Block everything else.
  • [Update] Block ad networks
    I really have forgotten that point, sorry. Block ad networks; they are used to inject malware via the browser. On the computer itself I recommend uBlock Origin for Firefox and Chrome. Some proxy servers allow filtering ads already there; if that feature works OK, enable it there as well. [/Update]
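As an added example for the "block mail attachments which contain macros" item above (my code, not from the post and not ExeFilter): a check a mail gateway could run on every Office attachment. OOXML archives are inspected for a vbaProject.bin part; legacy OLE .doc/.xls blobs are scanned for the UTF-16LE VBA storage names, which is a labelled heuristic. All attachments are constructed in memory.

```python
import io
import zipfile

# Magic bytes of the two Office container formats the post's rule covers.
MAGIC_ZIP = b"PK\x03\x04"                        # OOXML (.docm/.xlsm/.docx/...)
MAGIC_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls
# OOXML keeps the VBA project as its own ZIP part; its presence means macros.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# OLE directory entry names are UTF-16LE; these storages hold VBA code.
OLE_VBA_MARKERS = tuple(s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros"))

def has_macros(data: bytes) -> bool:
    """True if the attachment looks like an Office document carrying VBA.
    OOXML is checked via the ZIP directory; legacy OLE uses a substring heuristic
    (assumption: fine for a gateway that quarantines for IT review)."""
    if data.startswith(MAGIC_ZIP):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return False  # corrupt container; leave it to the other filters
        return any(part in names for part in VBA_PARTS)
    if data.startswith(MAGIC_OLE):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False

def triage(attachments: dict) -> dict:
    """Map attachment name -> 'quarantine' or 'pass' for one mail."""
    return {name: ("quarantine" if has_macros(blob) else "pass")
            for name, blob in attachments.items()}

def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style archive in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed mail: macro-enabled OOXML, clean OOXML, a fake legacy .doc whose
# bytes carry the UTF-16LE "_VBA_PROJECT" storage name, and a text file.
SAMPLE_MAIL = {
    "invoice.docm": build_sample(True),
    "report.docx": build_sample(False),
    "legacy.doc": MAGIC_OLE + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le"),
    "notes.txt": b"plain text, nothing to see",
}
```

Calling `triage(SAMPLE_MAIL)` quarantines invoice.docm and legacy.doc and passes the other two; quarantined files go to the IT department for the manual release the post describes.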

Detecting an infection

  • Network Intrusion Detection System (NIDS) or Network Intrusion Prevention System (NIPS)
    A NIDS will be able to alert you to suspicious DNS queries or access to Tor nodes. If you’re fast enough in reacting to the alert, you can disconnect the computer from the network. A NIPS may be able to block some of it, but something can still get through sometimes, so fast reaction is also recommended here. pfSense and Untangle both provide that functionality. Security Onion is an alternative.
  • [Update] Run software that detects typical ransomware behaviour
    By its nature ransomware must behave a certain way. It creates many files and deletes many files at the same time, which is not normal for most programs. The following free software, currently in beta, detects that. [/Update]
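An added example of the "creates many files and deletes many files at the same time" signal from the last item (my code, not the beta tool the post refers to): a per-process sliding-window detector run over a constructed file-server audit log. The log format and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Thresholds are assumptions for this example; tune them per file server.
WINDOW_SECONDS = 10   # sliding window length
MIN_CREATES = 20      # creates needed inside the window ...
MIN_DELETES = 20      # ... together with this many deletes, by one process


def parse(line: str):
    """Split '<ISO time> <pid> <process> <op> <path>' (constructed log format)."""
    ts, pid, proc, op, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), int(pid), proc, op, path


def detect(lines):
    """Return {pid: process} for every process that both created and deleted
    at least the threshold number of files inside one WINDOW_SECONDS window."""
    recent = defaultdict(lambda: {"CREATE": deque(), "DELETE": deque()})
    flagged = {}
    for ts, pid, proc, op, _path in sorted(parse(l) for l in lines):
        if op not in recent[pid]:
            continue          # renames, reads etc. are not part of this signal
        recent[pid][op].append(ts)
        for q in recent[pid].values():   # expire events older than the window
            while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
        if (len(recent[pid]["CREATE"]) >= MIN_CREATES
                and len(recent[pid]["DELETE"]) >= MIN_DELETES):
            flagged[pid] = proc
    return flagged


def make_sample_log() -> list:
    """Constructed audit trail: a normal editor plus one mass rewriter."""
    lines = []
    for i in range(5):        # Word saving and cleaning temp files over a minute
        lines.append(f"2016-02-22T10:00:{i*10:02d} 1234 WINWORD.EXE CREATE D:\\share\\~tmp{i}.tmp")
        lines.append(f"2016-02-22T10:00:{i*10+2:02d} 1234 WINWORD.EXE DELETE D:\\share\\~tmp{i}.tmp")
    for i in range(40):       # unknown process replacing 40 documents in 2 seconds
        lines.append(f"2016-02-22T10:05:{i//20:02d} 6666 unknown.exe CREATE D:\\share\\doc{i}.enc")
        lines.append(f"2016-02-22T10:05:{i//20:02d} 6666 unknown.exe DELETE D:\\share\\doc{i}.docx")
    return lines


if __name__ == "__main__":
    for pid, proc in detect(make_sample_log()).items():
        print(f"ALERT pid={pid} process={proc}: mass create+delete, isolate the host")
```

The alert is the trigger for the "disconnect the computer from the network" reaction the NIDS item above describes; the normal editor stays below the thresholds.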

Mitigating an infection

  • No working under administrator accounts
    The accounts the employees use for their day-to-day job must not be in any administrator group. This is also valid for your IT administrators: they need secondary accounts with higher privileges (with a different password, and not stored anywhere).
  • Make sure the file servers have snapshots activated
    This is a feature of modern file servers; just take a look at FreeNAS. It’s important that normal users cannot remove the snapshots (Windows Server allows that sometimes!). This feature allows you to go back to the previous state fast without needing a restore from backup.
  • Make and keep offline backups
    As the headline says … make sure you’ve got backups that are outside the reach of the malware, and also make sure beforehand that the restore works.
  • Least necessary privileges
    There should be no normal user (not even the IT administrators) that is able to access all file server shares. Use special admin or service users for privileged access.
  • Block client-to-client traffic
    Make lateral movement for the malware impossible by blocking client-to-client traffic. Most clients don’t need to talk to each other, and if they do it’s most likely something like RDP but not the Windows file sharing stuff.

These procedures were just off the top of my head, and I’m sure I’d come up with more if I thought about it a little longer. In summary: Locky is no problem for your organisation if you did your homework. If not –> do it now!

6 Comments


  1. […] I came across this great article by Robert Penz in which he describes measures how companies can reduce the risk of Ransomware encrypting their […]

    Pingback by Good Advice To Block, Detect and Mitigate Ransomware Damage In Companies – WirelessMoves — February 27, 2016 #

  2. […] Another fairly good blog entry that the BSI document refers to can be found here: Stop Panicking about the Locky Ransomware […]

    Pingback by Ransomware weiter im Aufwind – dansitblog — March 12, 2016 #

  3. […] my last blog post I wrote about blocking, detecting and mitigating the Locky Ransomware. I’ve referenced to a […]

    Pingback by Block Ransomware botnet C&C traffic with a Mikrotik router | Robert Penz Blog — March 14, 2016 #

  4. […] You really need to implemented procedures as described in this early blog post. […]

    Pingback by New RTF macro Malware from the Dridex gang. | Robert Penz Blog — March 23, 2016 #

  5. […] And now let’s take a look at all the stuff I wrote over a year ago, what you should have done before the Locky malware happened (yes, this is not the first ransomware making big waves), to be not affected: Stop panicking about the Locky ransomware [Update 2] […]

    Pingback by WannaCry happened and nobody called me during my vacation – I tell you why | Robert Penz Blog — May 18, 2017 #

  6. Admiring the time and effort you put into your blog and detailed information you present.

    It’s nice to come across a blog every once in a while that isn’t the same outdated rehashed
    information. Wonderful read! I’ve bookmarked your site and I’m including your
    RSS feeds to my Google account.

    Comment by Agen Judi Taruhan Bola sbobet — June 19, 2017 #
