What is ransomware?
Ransomware is a type of virus software that blocks users access to their files or the operating system holding files hostage by encrypting or blocking access to them. The software will ask the user to pay a ransom to regain access to their files. Typically this will come with a countdown of some sort limiting the time the user has to pay the ransom or lose their files.
Ransomware has become a growing trend in recent years. 2016 alone showed new ransomware families has risen from 29 to 247. This shows how important it is to keep systems up to date with the appropriate security software installed.
The WannaCry ransomware made headlines due to the massive amount of targets it was able to penetrate and the damage resulting from these attacks. The WannaCry ransomware variant is based on a modified NSA exploit called EternalBlue.
Although ransomware has existed for quite some time, the current variants have improved their capabilities for spreading, avoiding detection, encrypting, blocking access to files, and getting users and even organizations to pay ransoms.
Reverse-engineering the current encryption algorithms range from extremely difficult to impossible.
The following is a screenshot of the ransom demand screen from WannaCry:
This ransomware can be initiated by downloading a file or clicking a link within an email message.
Keeping your computers up to date with the latest patches is vital to protect against vulnerabilities that ransomware uses as attack vectors to infect systems and propagate to others.
There are other articles on the Ivanti Community site that speak of using the product to add layers of security to your environment to block or contain the infections.
However, there are other security critical approaches to be taken as well:
- Avoid mapping network drives whenever possible, and ensure network shares are hidden if they are required. WNetOpenEnum() will not enumerate hidden shares. This can be achieved by simply appending a ‘$’ to the network share name.
- Be vigilant and aggressive in blocking file extensions via email. While blocking *.js, *.wsf, or scanning the contents of *.zip files may be in place as basic filtering functions, there remain further avenues to explore. Consider screening and filtering *.zip files outright if there is no business requirement to allow them. Also, consider abolishing *.doc and *.rtf document extensions in favor of *.docx, which cannot contain macros.
- Install ad-blockers and script-blockers as standard loadout for all workstations. Drive-by malware is increasing exponentially and is extremely prominent in today’s technology ecosystem. Blocker solutions help to cut off this vector of infection.
- Make sure to keep offline backups of all critical assets (Domain Servers, File Shares, etc.) to ensure restoration capabilities should the aforementioned measures not prove adequate in preventing a future ransomware incident.
Major companies hit by ransomware:
- Department of Homeland Security
- Home Depot
- Jimmy John's
How do Ivanti products protect me from such attacks?
First, I will not mince words here: Ensuring Security is one of the MOST important jobs you can do. One infection can destroy countless amounts of lost revenue, productivity, etc.
Ivanti Endpoint Manager, Ivanti Antivirus, and Ivanti Endpoint Security for Endpoint Manager provide most if not all of the capabilities for cutting off the attack vectors for ransomware.
Ivanti Endpoint Manager - Patch Manager
Patch Manager within the Ivanti Endpoint Manager suite offers the ability to patch systems with the latest operating system patches, and other third party software. Remember, any vulnerability in your environment is a possible entry point into your environment.
Patch and Compliance is a complete, integrated security management tool that helps you protect your Ivanti managed devices from a variety of prevalent security exposures and risks. Ivanti Patch Manager is sold as an add-on product to Management Suite and is included in Ivanti® Security Suite.
Use security scan tasks and policies to assess managed devices for known platform-specific vulnerabilities. Download and organize patch executable files, and then remediate detected vulnerabilities by deploying and installing the necessary patch files. You can also create your own custom definitions to scan for and remediate specific, potentially harmful conditions on devices. Additionally, at any time you can view detailed security information for scanned devices, and generate specialized patch and compliance reports.
In addition to patch management, use the Patch and Compliance tool to perform the following tasks:
- Verify that the latest Ivanti software is installed and up to date on your managed devices, as well as core servers and console machines.
- Use a blocked application definition to deny unauthorized or prohibited applications on devices.
- Use specific security threat definitions that detect the Windows firewall, turn it on or off, and configure the firewall settings.
- Use custom variables that are included with other security threat definitions in order to customize and change specific local system configurations, and to enforce enterprise-wide system configuration policies.
- Check access to specific URL from each endpoint and check if proxy is enabled. This can be beneficial with the WannaCry ransomware as this specific ransomware killswitch will prevent the ransomware from running in case the URL is accessible and there is no proxy.
For more information on how to get started with Patch Manager: How To: Get Started with Patch Manager
Ivanti Antivirus is based on the Kaspersky Endpoint Security product. The Kaspersky Endpoint Security product has consistently received high marks for not only malware detection, but very effective REMOVAL of said malware.
(Ivanti Antivirus scored an "Advanced+" the highest mark for every category listed on AV-Comparatives.org and their "Outstanding Product" award). Often detection is given credence, however, detection and removal of said malware are of utmost importance.
Ivanti Antivirus can be managed completely from within the Ivanti Endpoint Management suite and takes advantage of the Ivanti bandwidth aware downloading technologies for installation of the product and continuous update of pattern files.
Ivanti download technologies include bandwidth-aware downloading, the ability to download from peers and the ability to download from a local preferred server.
For more information on how to get started with Ivanti Antivirus: Getting started with LANDESK Antivirus
Ivanti Endpoint Security for Endpoint Manager
The Endpoint Security tool is a set of complementary features and settings that enable you to configure and implement strong system security for the managed devices on your network. You can restrict network connections for managed devices, restrict access to those machines by other types of devices, and use the Application Control and Ivanti Firewall tools to prevent unauthorized application operations.
Endpoint Security provides an impenetrable defense for all the protected devices within your Ivanti network and the perimeter of that network, as well as mobile users—providing complete control over access to and from those devices and what is allowed to occur on them. You can define trusted locations (network connections) for managed devices, create settings for each of the Endpoint Security components listed below, and deploy those settings based on whether the device is inside or outside the trusted network location.
Ivanti Endpoint Security offers three components that protect against ransomware and other malware. Ivanti Endpoint Security is used together with an Antivirus solution and Ivanti Patch Manager to provide a three-pronged approach to combating malware.
Endpoint Security Basic Protection
At it's most basic protection level (default installation settings) Endpoint Security for Endpoint Manager provides the following capabilities:
- Protection of critical system files
- Protection of critical registry keys
- Protection of Endpoint Security from outside or manipulation
Further configurable options include the following:
- Monitor accessed IP's and URL's
- Collect CPU and memory information
- Automatically isolate device if malware is detected by Antivirus software (this includes 3rd party Antivirus software supported by Ivanti Management Suite)
The computer can be taken offline and still be managed by Ivanti Endpoint Manager. This will allow you to investigate and/or repair your computer without danger to other computers. Remote control and other functions will still work!
- Intermediate patching (Monitor computers running the Chrome, Firefox, Internet Explorer and/or Opera browsers and keep them isolated from your main network until the browsers are at the current patch level)
Endpoint Security - Application Control
- Enable Application Behavior Protection - Operations that impact system security are restricted. Applications listed in the associated trusted file(s) list are granted the specified privilege. This means you can give or take permissions on a file-by-file basis on a client system. The following is an example of explicit permissions that can be assigned or taken away and the defaults:
- Use buffer overflow protection - The Microsoft operating systems automatically include buffer overflow protection of the operating system itself, however, buffer overflows in application software are not automatically protected. Ivanti Endpoint Security for Endpoint Manager allows you to enable buffer overflow protection for applications. Malware can exploit buffer overflows as a vector for infection.'
- Enable Whitelist protection - Allows you to say that anything you have not specifically approved is considered "Bad" on your client system. If you have a more static environment (such as a point sale system or similar) this can be an excellent way to have a lightweight security program protecting your system. A system in whitelist mode theoretically does not need an antivirus software as the system in whitelist mode is very locked down.
Restrict access to physical drives - Protect against malware writing directly to the hard disk firmware or simply directly to the hard disk going below the operating system layer
"...a hacker would need to infect the operating system of the user's computer with run-of-the-mill malware, alter the hard drive's firmware, and then delete the original, operating system-side virus. From then on, the hacker would have complete access to everything on the person's hard disk, the exploit would be almost completely undetectable, and it would persist until the hard drive was physically destroyed."
- Auto-detect and blacklist crypto-ransomware - with this option if crypto-malware is detected in an environment, the initial detection is learned into the system as needing to be blocked and this learned information is shared to Endpoint Security clients throughout the enterprise. This will also kill the ransomware as it starts encrypting files.
Endpoint Security Application Control - File protection rules
File protection rules allow you to restrict the actions that particular files can take. This can be done to protect individual directories, disallow actions, etc. Ivanti Endpoint Security for Endpoint Manager offers the following out of the box:
- Automatically keep scripts named *.SHB, *.SHS and *.VBE from running. This list can be modified.
- Block malicious use of FTP - Keep FTP.EXE and TFTP.EXE from being run by Explorer.exe.
- Isolation between scripts and mailer. This keeps CSCRIPT.EXE and WSCRIPT.EXE from being run from Microsoft Outlook.
- Scripts cannot write to the hard disk. Limits scripts so they cannot create or modify existing files.
- Fake windows processes - keeps fake windows processes from being run (such as named explorer.exe)
- Protect DNS host files from modification
- Prevent script execution from browser or mailer
- Prevent access to downloaded scripts
This model is highly effective in protecting against ransomware and to block users from running scripts (like Jscript, vbscript, and powershell) that were downloaded by a browser or a mail application.
Endpoint Security Device Control
Device Control tool is an important component of Endpoint Security that lets you monitor and restrict access for I/O devices. With Device Control, you can restrict the use of devices that allow data access to the device, such as ports, modems, drives, and wireless connections.
To implement Device Control on clients on your network, you create and deploy Device Control settings that manage USB, modem, I/O port, CD/DVD drive, wireless, and other connections.
You can configure USB restrictions by either generically blocking a whole class of USB devices, such as storage devices, or by using exceptions to restrict certain USB devices based on parameters and values you specify.
- Set restrictions for storage volumes
- Set restrictions for CD/DVD/Blu-ray devices
- Set restrictions for other devices
- Set restrictions for specific interfaces (USB, Bluetooth, etc)
In addition, Ivanti Device Control gives you the ability to enable shadow copy. Create a copy of any data that is copied to an external source and report on it as well.
So as you can see, this set of tools is indispensable in providing protection against the far too large amounts of malware and operators that wish to cause harm to your security and your business.