Ransomware.
It’s one word that can strike a chill in anyone from a corporate C-suite to a home user. It’s sometimes hard to get a feel for the overall ransomware industry (and yes, it’s now an industry). But based on anecdotal reviews of forums and social media, it appears as though attacks against individuals are slowing. I no longer see people report they’ve been hit by ransomware on their PCs.
But it may be that attackers have realized that going after “one-off” targets isn’t the best business plan. In fact, in a recent Microsoft Secure online seminar (registration required), Jessica Payne and Geoff McDonald discuss how ransomware is now a big business, offered as a service by those who sell access to compromised networks to others.
When attackers go after big-name targets, they often create bad press for the ransomware industry. So, they’re now coordinating efforts to avoid headlines likely to prompt vendors and providers to tighten security, end users to patch, and corporations to deploy better security solutions.
Beyond that, attackers are also targeting search results for the information tools IT teams need to do their job. A search result could, for example, point admins to a malicious tool that tricks them into installing a potential back door. That access is then sold on the black market. (Ransomware actors know the easiest way into a network is to trick the “unpatched human.”) While companies may be doing a better job of patching operating systems and Office suites, they still rely too much on end users to be smart. If users are not slightly paranoid — meaning they stop and think before clicking on links and phishing schemes — networks remain vulnerable.
Ransomware can also enter systems due to security misconfigurations or overlooked vulnerabilities. Payne pointed to the additional information in a 2022 Ransomware as a Service blog post. Attack Surface Reduction (ASR) rules remain one set of tools many firms do not take advantage of. ASR rules can be enabled on Windows 10 and 11 Professional versions to boost Windows’ ability to block attackers.
Even if you’re not a Microsoft 365 Defender customer, you can deploy ASR rules; the specific rules that target ransomware processes:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
- Block credential stealing from the Windows local security authority subsystem (lsass.exe).
- Block process creations originating from PsExec and WMI commands.
- And use advanced protection against ransomware.
ASR rules, which usually don’t cause any side effects to normal PC processing, can be set to “audit” systems rather than impose restrictions. That’s one way to test the impact on a network.
In addition, Microsoft has made changes to Office to slow the deployment of ransomware. One recent change involves VBA macros. As noted by Microsoft, “VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, Microsoft is changing the default behavior of Office applications to block macros in files from the internet. With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, there will be a red notice shown at the top of the opened file.”
Users should identify the files you need for work and ensure that they no longer deemed suspect and are flagged to be in a trusted location. (You can review guidance here to ensure that you don’t block files you need.) As noted in the presentation, “QakBot and Emotet have both relied heavily on malicious macros for initial access. But after Microsoft disabled macros globally, they have shifted to other techniques, such as using direct links to payloads and phishing emails or attaching OneNote attachments to those phishing emails.”
And coming this month to OneNote on Windows are additional protections for users who open or download an embedded file in OneNote. Users will get a notification of files considered dangerous, a change designed to improve the file protection experience in OneNote. Clearly, Microsoft is trying to stay one step ahead of attackers.
Some ransomware operators are now pivoting to extortion. By merely proving to a company that they can destroy data — either on premises or in the cloud —without actually doing so, attackers can get a payoff without actually inflicting harm. Microsoft has a follow-up event April 11-13 to augment topics covered at Microsoft Secure. For additional resources and information, the SANS organization is also offering a free day-long Ransomware Summit June 23 to discuss initial access vectors and defensive techniques.
While the ransomware situation may be improving for home users, the same isn’t necessarily true for business. Now’s the time to review these resources and make it harder for attackers to turn your company into a revenue stream for them.