If you haven’t already heard, Locky is back! Borrowing another tactic from the Dridex playbook, the Locky campaign is now using malicious .pdf email attachments as its preferred infection vector. Once opened, the .pdf asks the user for permission to extract and open a second file (an embedded Office document), which in turn prompts the user to enable malicious macros. Interestingly enough, this extra step appears to be a response to increased user awareness of malicious Office macros: the lure now arrives as a PDF, which many users still treat as harmless.
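As an added example (not code from the original post or from Sentinel), the PowerShell below does a quick static triage for the pattern described above: a PDF that carries an embedded file and an action that fires when the document is opened. The two PDFs inside it are constructed for illustration and are not real Locky samples; the dictionary keys it looks for (/EmbeddedFile, /OpenAction, /AA, /JavaScript, /JS, /Launch) are standard PDF names, and exportDataObject is the Acrobat JavaScript call such lures use to save and launch an attachment.

```powershell
# Added example, not code from the original post: static triage for a PDF that
# embeds a file and wires up an action to run on open. The sample PDFs below
# are constructed for illustration, not real malware.

function Get-PdfTriage {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Map every byte to one character so PDF name objects can be regex-matched
    # even when the file also contains binary streams.
    $text = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($Bytes)

    # Standard PDF dictionary keys plus the Acrobat JavaScript call that saves
    # an embedded file to disk and launches it.
    $patterns = [ordered]@{
        EmbeddedFile     = '/EmbeddedFiles?\b'
        OpenAction       = '/(OpenAction|AA)\b'
        JavaScript       = '/(JavaScript|JS)\b'
        Launch           = '/Launch\b'
        ExportDataObject = 'exportDataObject'
        OfficeAttachment = '\.(docm?|dotm?|xlsm?|xlam|pptm?|rtf)\b'
    }

    $hits = [ordered]@{}
    foreach ($key in $patterns.Keys) {
        $hits[$key] = [regex]::IsMatch($text, $patterns[$key], 'IgnoreCase')
    }

    # An embedded file on its own is common (PDF portfolios, attached receipts);
    # an embedded file plus an automatic action is the lure described in the post.
    $auto = $hits.OpenAction -or $hits.JavaScript -or $hits.Launch
    $verdict = if ($hits.EmbeddedFile -and $auto) { 'Suspicious: embedded file + automatic action' }
               elseif ($hits.EmbeddedFile)       { 'Review: embedded file, no automatic action found' }
               else                              { 'No embedded-file pattern found' }

    $hits['Verdict'] = $verdict
    [pscustomobject]$hits
}

# Constructed lure: catalog with an embedded .docm and an OpenAction that
# runs JavaScript to export and launch it.
$lure = @'
%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R
  /Names << /EmbeddedFiles << /Names [(invoice.docm) 5 0 R] >> >> >> endobj
4 0 obj << /S /JavaScript
  /JS (this.exportDataObject({cName: "invoice.docm", nLaunch: 2});) >> endobj
5 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
'@

# Constructed benign document with no embedded files or actions.
$benign = @'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
'@

$latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
Get-PdfTriage -Bytes $latin1.GetBytes($lure)
Get-PdfTriage -Bytes $latin1.GetBytes($benign)

# For a real attachment (path is a placeholder):
# Get-PdfTriage -Bytes ([IO.File]::ReadAllBytes('C:\quarantine\invoice.pdf'))
```

Treat a "Suspicious" result as a reason to pull the file for closer analysis, not as proof, and treat a clean result with equal caution: PDF names can be hex-escaped (for example /Embedded#46ile) and whole objects can sit inside compressed object streams, so a plain regex will miss anything that bothers to hide. Anything this flags, or any attachment you cannot account for, belongs in a proper PDF parser or a detonation sandbox rather than on a user's desktop.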
So what does Sentinel do to protect me?
Security is a team sport and we always advocate for a layered approach. While the Sentinel won’t usually prevent the initial execution of ransomware, it can absolutely help you detect its presence and potentially limit the damage. Here’s how:
1. Our CINS (Collective Intelligence Network Security) system ensures all Sentinels play an active role in protecting your network by acting as an early notification system for communication with Command and Control (C2) servers.
2. We’re constantly on top of managing your Sentinel, which includes reviewing high priority alerts that might be related to ransomware, and making sure you’re up-to-date with the latest community-harvested threat intelligence.
3. In some cases, the Sentinel will block ransomware communications based on either threat intelligence related to the C2 servers, or detection of malicious traffic on the wire.
That said, although disrupting ransomware C2 communications can buy you just enough time to locate the compromised machine and clean things up on your network, there are several other things you should do before it becomes a problem:
1. A comprehensive backup strategy is an absolute must! We recommend keeping short-, medium-, and long-term backups separate from each other, so that an infected workstation cannot reach (and encrypt) all of your backups at once. Don’t forget to test your backup/restore process regularly.
2. Ransomware primarily spreads through phishing and drive-by downloads and usually requires some form of user interaction. Don’t forget: your users are your first line of defense, so equip and train them accordingly. Unsolicited email attachments should not be opened, and a file that asks for something unusual, like opening another file or enabling macros, should be a giant, waving red flag. While most people emphasize security awareness training, we also think you should actively test its effectiveness with a phishing simulation service. Duo Insight or PhishMe are great tools for this.
3. Insight into your endpoints is a critical part of a clean and well-maintained network. We highly recommend some form of endpoint control, for example AV or next-gen AV software, as well as disabling potentially dangerous features via Group Policy, including Office macros, Windows Script Host, and PowerShell script execution.
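As an added example (not the original post’s or Sentinel’s code), the PowerShell below audits, and with -Apply sets, the registry values that the Group Policy settings mentioned above write: disabling Office macros, disabling Windows Script Host, turning off PowerShell script execution, and (as a detection aid) enabling PowerShell script block logging. It assumes Office 2016/365 (policy hive version 16.0; Office 2013 uses 15.0), an elevated session for the HKLM entries, and that in production you would push these through GPO/ADMX rather than a script on each box.

```powershell
# Added example, not from the original post. Audits (or, with -Apply, sets) the
# registry values behind the Group Policy settings discussed above.
# Assumptions: Office 2016/365 (policy hive version 16.0), an elevated session
# for the HKLM entries, and GPO/ADMX as the real deployment mechanism.

$OfficeVersion = '16.0'
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'

function Get-HardeningBaseline {
    $baseline = @()
    foreach ($app in $OfficeApps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        # VBAWarnings 4 = "Disable all macros without notification"
        # (3 = disable all except digitally signed, if some macros must stay).
        $baseline += [pscustomobject]@{ Path = $sec; Name = 'VBAWarnings'; Value = 4 }
        # Block macros in files carrying the Mark of the Web (mail attachments, downloads).
        $baseline += [pscustomobject]@{ Path = $sec; Name = 'blockcontentexecutionfrominternet'; Value = 1 }
    }
    # Windows Script Host: wscript.exe/cscript.exe refuse to run .js/.vbs/.wsf files.
    $baseline += [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Value = 0 }
    # "Turn on Script Execution" policy set to Disabled: .ps1 files will not run.
    $baseline += [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'; Name = 'EnableScripts'; Value = 0 }
    # Script block logging (event ID 4104) so that whatever does run is visible.
    $baseline += [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Value = 1 }
    $baseline
}

function Test-Hardening {
    param([switch]$Apply)
    foreach ($s in Get-HardeningBaseline) {
        $current = $null
        if (Test-Path -Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        $compliant = ($null -ne $current) -and ([int]$current -eq $s.Value)
        if (-not $compliant -and $Apply) {
            New-Item -Path $s.Path -Force | Out-Null
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
            $compliant = $true
        }
        [pscustomobject]@{
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = $compliant
        }
    }
}

# Audit only:
Test-Hardening | Format-Table -AutoSize
# Enforce (run elevated):  Test-Hardening -Apply
```

Two caveats a practitioner should keep in mind. The PowerShell execution policy is a convenience, not a security boundary: EnableScripts=0 stops .ps1 files from running, but powershell.exe -Command and -EncodedCommand still work, so treat it as one layer and pair it with application control (AppLocker or WDAC, or Constrained Language Mode) plus the script block logging above so your detection side sees what attackers do run. And the HKCU values only cover the user running the script; their GPO equivalents live under User Configuration and are re-applied on each policy refresh, which is why GPO rather than a one-off script is the right place for them.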