By this point in time, everyone should be familiar with the crypto-virus and its many variants. Given all the media attention regarding crypto, I find it hard to believe that folks haven’t taken steps to protect themselves. But they haven’t, and just about every week I hear about another individual or organization attacked by crypto.
These cyber attacks target a computer file system and encrypt its contents. Crypto most often gains access through a user action — either opening a nefarious email attachment or following a hyperlink to an attacking website. Crypto is very efficient and very effective. If you are not doing anything to protect yourself, eventually you will get hit. Guaranteed.
So hot shot, pop quiz. What do you do?
Unfortunately, crypto is hard to stop. With multiple variants and multiple attack paths, no single approach will prevent all crypto attacks. A multilayered approach is required to protect your systems. Let’s review the basics…
Perimeter Firewall — A perimeter firewall with an integrated Intrusion Prevention System, such as the ones marketed by SonicWALL and other vendors, scans and blocks network traffic for the signatures of crypto activity, such as the encrypted key exchange with the TOR network used by some crypto variants. These devices will also restrict the transfer of zip files and other file types known to facilitate a crypto attack.
Software Restriction Policies — Most crypto variants download and execute within the same group of folders. Software restriction policies created within Windows Group Policy or Local Security Policy prevent applications within these folders from running. While it’s a few years old now, Jonathan Hassell wrote a nice article in Computer World on how to construct these policies. Unfortunately, old-school SRPs may block many legitimate applications as well. Those applications can be whitelisted, but you will encounter some inconvenience when first setting this up.
With Windows 7 and Server 2008 R2, Microsoft released a feature called AppLocker that addresses many of the shortcomings of SRPs. AppLocker prevents users from running any application except those specifically allowed by the administrator. Enterprise organizations running Windows Group Policy should strongly consider implementing AppLocker.
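The "inconvenience when first setting this up" is best absorbed in audit mode: build the allow-list, let it log what it would have blocked for a few days, and only then enforce. The script below is an added example and not code from the article; it assumes a Windows edition that enforces AppLocker, the Application Identity service (AppIDSvc) running, an elevated PowerShell session, and the illustrative paths shown in the comments.

```powershell
# Added example (not from the original article): build an AppLocker allow-list in
# AuditOnly mode, then review what it would have blocked before enforcing.
# Assumes an edition that enforces AppLocker, AppIDSvc running, and an elevated
# session. Directory and file paths below are illustrative.

# 1. Collect file information for the software you intend to allow. Program
#    Files and the Windows folder cover most line-of-business software; add your
#    own application directories as needed. (Scanning C:\Windows takes a while.)
$allowedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$allowed = foreach ($dir in $allowedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Generate rules: Publisher (signature) rules first, Hash for unsigned files,
#    Path only as a last resort. -Optimize merges overlapping rules.
$policyXml = New-AppLockerPolicy -FileInformation $allowed `
    -RuleType Publisher, Hash, Path -User Everyone -Optimize -Xml

# 3. Put every rule collection into AuditOnly so nothing is blocked yet. Fresh
#    policies carry EnforcementMode="NotConfigured"; existing ones may say "Enabled".
$policyXml = $policyXml -replace 'EnforcementMode="(NotConfigured|Enabled)"', 'EnforcementMode="AuditOnly"'
$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Out-File -FilePath $policyFile -Encoding UTF8

# 4. Apply to the local machine (add -Ldap to write a domain GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyFile

# 5. Dry-run check: would an executable sitting in a user-writable profile folder
#    run under this policy? Test-AppLockerPolicy evaluates real files, so replace
#    the illustrative path with an actual file under the user's profile.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path "$env:APPDATA\example\dropped.exe" -User Everyone

# 6. After a few days in audit mode, list the would-have-blocked events
#    (event ID 8003 = allowed because of AuditOnly, would be blocked if enforced).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Whitelist whatever legitimate software shows up in the 8003 events (re-run steps 1 and 2 with its directory added, or use Set-AppLockerPolicy -Merge), and switch the rule collections to EnforcementMode="Enabled" only when the audit log has gone quiet.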
Folder Permissions — While the first two items aim to block crypto from running, this item seeks to mitigate the impact of a successful attack. Many shared file systems do not configure, or only minimally configure, folder permissions. While done for convenience, the lack of security places all files on the network at risk. Folder permissions limiting access only to the relevant individuals or applications will significantly limit the impact of a crypto attack.
Along similar lines, note that using a service like OneDrive or Dropbox that automatically syncs to your file system does not protect files from attack. As a matter of fact, crypto can encrypt the local copy and sync the corrupted files to the cloud! (Ugh.)
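Crypto runs with the permissions of the user who opened the attachment, so the blast radius is exactly the set of folders that user can write to. The script below is an added example, not code from the article: it audits a share tree for folders where Everyone, Authenticated Users or Users hold write rights, then tightens one folder to a single team group. The share path and group name are illustrative placeholders; it assumes an elevated session on the file server.

```powershell
# Added example (not from the original article): find over-broad NTFS write
# access on a share tree and restrict one folder to a named group.
# The share path and group name are illustrative placeholders.

# Identities that should not hold write rights on departmental data.
$broadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-BroadWriteAccess {
    param([string]$Root)
    # Walk every folder and report ACEs that give a broad identity any write right.
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadIdentities -contains $ace.IdentityReference.Value -and
                    (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        Identity = $ace.IdentityReference.Value
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
}

function Set-TeamFolderAccess {
    param([string]$Path, [string]$Group)
    # Step 1: stop inheriting the parent's (often wide-open) ACEs, keeping a copy
    # of them as explicit entries so they can be edited.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: re-read the now-explicit ACL and drop the broad identities.
    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access)) {
        if ($broadIdentities -contains $ace.IdentityReference.Value) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    # Step 3: grant the team group Modify (not Full Control, so a member's
    # compromised session cannot also rewrite permissions), inherited by
    # subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Audit first, then fix the folders the report flags.
Find-BroadWriteAccess -Root 'D:\Shares' | Format-Table -AutoSize
Set-TeamFolderAccess -Path 'D:\Shares\Finance' -Group 'CONTOSO\Finance-Staff'
```

Run the audit before the fix and keep its output: it is the list of folders a single infected workstation could have encrypted, which is a useful number to show whoever decided permissions were an inconvenience.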
Backup Your Data — A reliable and tested backup process is the only way I’ve found to guarantee protection against a crypto attack. A crypto attack is really no different than a fire or a flood; all occurrences result in the destruction of your data. To ensure your data is safe, the 3-2-1 rule applies: three different copies of the data on two different types of media with one copy located offsite. When establishing your backup management procedures, a comprehensive data protection package such as StorageCraft will be invaluable.
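"Reliable and tested" is the part most backup setups skip. The script below is an added example and not the article's or StorageCraft's code; it follows the 3-2-1 rule with two copies on different media, one of them offsite, writes a SHA-256 manifest alongside each copy, and then performs a sample restore and compares hashes. All paths are illustrative, and the offsite UNC path stands in for whatever medium you actually use. Because crypto encrypts every share the user can write to, run this from a backup service account that is the only identity with write access to the targets, so the live data and the backups are never writable by the same user.

```powershell
# Added example (not from the original article): 3-2-1 backup with a hash
# manifest and a restore test. Paths are illustrative placeholders.

$Source   = 'D:\Shares\Finance'
$Manifest = Join-Path $env:TEMP 'finance-manifest.csv'
# Copy 1 is the live data. Copies 2 and 3 go to two different media, one offsite.
$Targets  = @('E:\Backup\Finance', '\\offsite-vault\Backup\Finance')

function New-BackupManifest {
    param([string]$Root, [string]$OutFile)
    # Record relative path + SHA256 for every file so a restore can be verified.
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Invoke-Backup {
    param([string]$Root, [string[]]$Destinations, [string]$ManifestFile)
    # A fresh date-stamped folder per run: an already-encrypted source then lands
    # beside the previous good copy instead of overwriting it.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    foreach ($dest in $Destinations) {
        $target = Join-Path $dest $stamp
        # /MIR mirror tree; /R:1 /W:1 one retry; /NP no progress; /LOG per-run log.
        robocopy $Root $target /MIR /R:1 /W:1 /NP /LOG:"$target.log" | Out-Null
        # robocopy exit codes 8 and above mean at least one copy failure.
        if ($LASTEXITCODE -ge 8) { throw "robocopy to $target failed with code $LASTEXITCODE" }
        Copy-Item -Path $ManifestFile -Destination (Join-Path $target 'manifest.csv')
    }
}

function Test-BackupRestore {
    param([string]$BackupFolder, [int]$SampleSize = 20)
    # Restore a random sample to a scratch folder and compare hashes to the manifest.
    $manifest = Import-Csv -Path (Join-Path $BackupFolder 'manifest.csv')
    $sample   = $manifest | Get-Random -Count ([Math]::Min($SampleSize, @($manifest).Count))
    $scratch  = Join-Path $env:TEMP ('restore-test-' + [guid]::NewGuid())
    $failed   = @()
    foreach ($entry in $sample) {
        $src = Join-Path $BackupFolder $entry.RelativePath
        $dst = Join-Path $scratch $entry.RelativePath
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -Path $src -Destination $dst
        if ((Get-FileHash -Path $dst -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $failed += $entry.RelativePath
        }
    }
    Remove-Item -Path $scratch -Recurse -Force
    [pscustomobject]@{ Tested = @($sample).Count; Failed = $failed.Count; FailedFiles = $failed }
}

New-BackupManifest -Root $Source -OutFile $Manifest
Invoke-Backup -Root $Source -Destinations $Targets -ManifestFile $Manifest
# Test the newest copy on the first target; a non-zero Failed count means the
# backup is not one you could recover from.
$latest = Get-ChildItem -Path $Targets[0] -Directory | Sort-Object Name | Select-Object -Last 1
Test-BackupRestore -BackupFolder $latest.FullName
```

Schedule the restore test as its own task rather than trusting the backup job's exit code: a job that copies already-encrypted files completes "successfully", and only the hash comparison against a manifest taken from known-good data will tell you the copy is worthless.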
Of course, this list is simply a starting point when setting up a defense against crypto. Reputable endpoint protection, enhanced web filtering, and the migration of certain services to the cloud should also be part of your security strategy. Your IT provider will be able to work with you to determine what is appropriate for your environment. Whether we like it or not, crypto is a reality that we must address, and the only thing you shouldn’t do is nothing.