To stop ransomware, opt for app graylisting and admin rights removal

CyberArk Labs tested over 23,000 ransomware samples from more than 30 prevalent malware families, including Cryptolocker, Petya and Locky, in order to better understand common infection, encryption and removal characteristics, and identify potential strategies for mitigating the impact of ransomware attacks on enterprises.

Stop ransomware

They analyzed the typical path to encryption, discrepancies and commonalities in ransomware execution, tested several strategies that could mitigate the damage caused by ransomware attacks, and finally found that app control coupled with the removal of local admin rights can stop ransomware from encrypting files in 100% of cases.

This approach was compared to the effectiveness of other mitigation strategies, including the use of traditional anti-virus software, which relies on known blacklists – and is not effective at stopping ransomware.

Whitelisting is effective, they noted, but is not a good choice for dynamic user endpoints – user productivity will be affected if users can’t use non-whitelisted business apps, or if they have to wait for the IT team to whitelist them. Instead, whitelisting is a good fit for servers.

The researchers found that while many strains of modern malware require local administrator rights to properly execute, many strains of ransomware do not require these rights. While 70 percent of ransomware attempted to gain local administrator rights, only 10 percent of ransomware would fail to execute if these rights were not attained.

Because ransomware behaves differently, organizations need to combine the removal of local administrator rights with application graylisting (i.e. deny read, write and modify file privileges to unknown applications, and apps that are not explicitly trusted) to prevent file encryption.

And, to minimize the negative effect on user productivity, the researchers advise administrators to automatically elevate account privileges for specific authorized tasks instead of providing unnecessary privileges.

Blocking the endpoint’s access to the Internet is also helpful in some instances. “Without Internet access, the ransomware was unable to access its key server. This resulted in 20 percent of ransomware failing immediately and 70 percent being forced to attempt encryption using a default key,” the researchers found.

Needless to say, setting up frequent and automatic backup data processes is also a good idea, as they will come in handy if everything else fails and you need to proceed to distaster recovery.

Black Hat USA 2016

Don't miss