Defense-In-Depth Techniques to Combat Ransomware

(James Gillies) #1

There is no silver bullet to stop Ransomware if you are intending to continue functioning as a business.

Similar to an aircraft disaster, there is a chain of events that leads up to a breach, usually with an opportunity to prevent the breach from ultimately taking place.

As we all know, systems don’t infect themselves, so user action plays a major part in this kind of threat taking hold.

Here is a non-exhaustive list of various techniques that can be used to prevent Ransomware infections from taking hold or spreading.

1.) Strong email content filtering to prevent malicious attachments or Phishing emails from getting to users’ Inboxes.
2.) End-user training to help them identify such emails, a la KnowBe4.
3.) Web Proxy filtering to prevent connectivity to infected websites/malicious websites/downloading infected files.
4.) Outbound connectivity monitoring to prevent the “Phone Home” mechanism of many variants of Ransomware.
5.) Strong Anti-Virus Endpoint policies with HIPS functionality to prevent the launch of malicious software from the endpoint.
6.) Well-maintained patch management to close up vulnerabilities on the endpoints.
7.) Removal of all local Admin Rights for end-users across the desktops.
8.) Implementation of Least Privilege so that no-one logs onto the network with an Admin account unless they are performing an Admin task that needs those rights.
9.) Implementation of Microsoft Application Whitelisting (AppLocker) where possible to prevent anything not explicitly permitted from running.
10.) Implementation of FSRM (File Server Resource Manager), a Windows Server role that can stop the spread of Ransomware-encrypted files on the network and provide alerting when this sort of activity happens.
11.) Improved backup strategies that are offline, regularly checked for integrity and restored in anger to make sure they are actually valid and usable.
12.) Implement the use of Sandbox technology to “detonate” suspicious files that are being passed through the email or web gateways to determine exactly what the file will attempt to do, controlling as appropriate based on the result the Sandbox technology sees.
13.) Consider the total blocking of Macros on the network, and certainly Quarantine any and all potentially executable Office documents at the mail gateway.

Some of this list is common-sense of course, and some of it is very hard if not “impossible” to implement on a customer’s network. But something is better than nothing, and extra layers can be added over time.

This list I have compiled is based on the past few months of experience I have had of trying to combat Ransomware infections for a number of customers, some of which were not obvious to me beforehand, such as AppLocker and FSRM.

I hope this helps. Please let me know if you want any further information on any of those points I have listed; I have kept it high-level and vendor-agnostic at this stage.

Thanks a lot.

James Gillies
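Item 10 above (FSRM) is the one most readers will not have set up before, so here is a worked example of what it looks like in PowerShell. This is an added example, not code from the original post or from Microsoft: it assumes the File Server Resource Manager role is installed on a Windows Server 2012 R2 or later file server, that the user shares live under a root of D:\Shares (an assumed path), and uses a small constructed sample of extensions and ransom-note names publicly associated with ransomware of that era. The file-group name, screen description and event text are also choices made for this example.

```powershell
# Added example (not from the original post): an active FSRM file screen that
# blocks files matching known ransomware name patterns and raises an event.
# Assumes: FS-Resource-Manager role installed (Install-WindowsFeature FS-Resource-Manager),
# run as an administrator on the file server, and D:\Shares is the share root (assumed path).

Import-Module FileServerResourceManager

$ShareRoot = 'D:\Shares'          # assumed path; set to the root of the user shares
$GroupName = 'Ransomware Files'   # name chosen for this example

# 1. A file group of name patterns seen on encrypted files and ransom notes.
#    Constructed, illustrative sample only; FSRM matches on file NAME patterns,
#    so add the patterns seen in your own incidents and keep the list current.
$Patterns = @(
    '*.locky', '*.zepto', '*.cerber', '*.vvv', '*.ecc', '*.encrypted', '*.locked',
    '_Locky_recover_instructions.txt', 'HELP_DECRYPT.*', '*DECRYPT_INSTRUCTION*'
)

if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    # Group already exists: replace its pattern list with the current one.
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'Known ransomware-encrypted file extensions and ransom notes'
}

# 2. Alerting: write a Warning to the Application log (source SRMSVC) each time
#    the screen fires. The [..] tokens are FSRM notification variables that
#    expand to the writing user, the file and the screened path, which is what
#    the SIEM or an on-call person needs to find the infected workstation.
$EventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware file screen hit: user [Source Io Owner] tried to write [Source File Path] under [File Screen Path] on [Server].'

# 3. The screen itself. -Active makes FSRM deny the write; without it the screen
#    is passive and only notifies. The screen applies to $ShareRoot and all subfolders.
if (-not (Get-FsrmFileScreen -Path $ShareRoot -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ShareRoot -IncludeGroup $GroupName -Active `
        -Notification $EventAction -Description 'Block known ransomware file patterns'
}

# 4. Verify what is in place. A functional test from a domain workstation is to
#    copy any file to the share as test.locky: the copy should fail with
#    "access denied" and the Warning above should appear in the Application log.
Get-FsrmFileScreen -Path $ShareRoot | Format-List Path, IncludeGroup, Active, Notification
```

Two caveats worth knowing before relying on this. FSRM only looks at file names, so a variant that keeps the victim's original extension, or generates a new random extension, walks straight past the screen; the extension list is a tripwire for the common cases, not a guarantee, and it is no substitute for the offline, test-restored backups in item 11. Second, the screen protects files on the FSRM-managed server only; the user's local disk and any non-Windows NAS are untouched, which is one more reason to keep local admin rights (item 7) and macros (item 13) under control at the endpoint.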


I just had block lists for ransomware added to my firewalls. Nice feature to block ransomware every hour inbound and outbound.