Best Practices for Ransomware Prevention

by rcole on ‎03-07-2016 06:46 AM - edited on ‎05-12-2017 08:18 PM by Community Manager (124,825 Views)

What Is Ransomware?

Ransomware is a family of malware which attempts to encrypt files on end user computers and then demands some form of e-payment to recover the encrypted files. 

 

Ransomware is one of the more common threats in the modern threat landscape; there are many different variants, an infection can cost a lot of money to recover from, and the actors responsible for the infections are driven to generate as much revenue as possible by extorting their victims.

 

This article will serve as a general guideline for some best practices to help keep a network free of ransomware infections.

 

How Is Ransomware Delivered?

Ransomware is delivered to targets primarily through these avenues:

 

  • Phishing emails may contain malicious attachments. These attachments are not always delivered in executable form: because security vendors and security best practices dictate that receiving executables via email should, in general, be prevented, threat actors have had to adapt by using indirect delivery mechanisms. In Windows, for example, a malicious actor may embed an obfuscated JavaScript file into an archive and rely on the end user for the rest. Opening a .JS file on a Windows host will launch the default browser, and the JavaScript can then reach out to an external URL to grab an executable, deliver it to the victim, and execute it. At this point, preventing users from receiving executables via email is no longer effective, as the executable is delivered via HTTP.

 

  • Exploit kits (such as Angler or Neutrino) have been known to deliver ransomware by exploiting vulnerable web servers and hosting malicious web scripts on them; these scripts exploit visitors when certain criteria are met and then deliver a malicious payload. (Angler Exploit Kit article @ Unit42)

 

  • Targeted ransomware has been noted and tracked recently, in which malicious actors compromised organizations' external-facing web servers to gain a foothold, then mapped out the environment and deployed the file cryptor en masse. (Evolution of SamSa Malware article @ Unit42)

 

Preventing Ransomware Attacks — Security Profiles

PAN-OS has protections at various points in the kill-chain to address ransomware infection and keep it from entering a network. A general overview of security profiles and their purpose is available here: Security policy fundamentals

 

1) To combat exploit kits and known vulnerabilities, numerous Vulnerability signatures exist in PAN-OS content.  In order to protect users against these exploits, usage of a "strict" vulnerability protection policy can assist and is recommended. At the very minimum, ensuring signatures are enabled with preventative action against critical severity signatures is necessary. A strict stance on vulnerability protection profiles will help prevent exploit kit exposure, and help keep external facing web servers safe from exploitation of known vulnerabilities. 

 

Some potentially relevant signatures include the exploit-kit labeled signatures (see Reference 1 below), Malware XOR Obfuscation Detection, Microsoft Windows OLE Remote Code Execution, Malicious PE Detection, and JavaScript Obfuscation Detection.

 

Additionally, as JavaScript is an unsupported file type for file blocking, it is beneficial to investigate actions on signatures 39002 and 39003, which inspect for the presence of JavaScript files within SMTP flows.

 

To improve security posture, we recommend creating an exception for the threat IDs below and setting them to “deny”, which blocks traffic matching these signatures.

However, we recommend first testing in your environment with an “alert” setting to ensure legitimate traffic is not blocked, although there are not many legitimate uses for .js files sent in an email.

 

Threat ID   Description
38353       This signature indicates a malicious MSO file is detected
38590       This signature indicates a malicious MSO file is detected
38591       This signature indicates a malicious MSO file is detected
39002       This signature detects a .js .wsf or .hta file directly sent in an email
39003       This signature detects a .js .wsf or .hta file in a ZIP folder sent in an email
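
While the signatures run in "alert" mode, the same condition can be checked against stored mail to see what a "deny" action would have stopped. The following is an added example, not Palo Alto Networks code and not how the firewall implements signatures 39002 and 39003; the function names, the depth and size limits, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".js", ".wsf", ".hta")  # file types named by signatures 39002/39003
MAX_DEPTH = 2                 # archive levels to open (assumed limit)
MAX_MEMBER_BYTES = 5_000_000  # larger members are not unpacked (assumed limit)

def is_script(name):
    return name.lower().endswith(SCRIPT_EXTS)

def scan_blob(path, data, depth, findings):
    """Record script files at `path`; open ZIP content up to MAX_DEPTH levels."""
    if is_script(path):
        findings.append((path, "sent directly" if depth == 0 else "inside ZIP"))
    # Decide by content, not by name: a renamed ZIP is still a ZIP
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                skip = info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES
                # Member names stay readable even when the content is encrypted
                body = b"" if skip else zf.read(info)
                scan_blob(f"{path}!{info.filename}", body, depth + 1, findings)

def scan_message(raw):
    """Return (location, reason) findings for one raw RFC 5322 message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            scan_blob(name, part.get_payload(decode=True) or b"", 0, findings)
    return findings

def build_sample():
    """Constructed message: a bare .js plus a renamed ZIP holding a .JS file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_001.JS", "// constructed placeholder, not a real script")
        zf.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg.set_content("See attached.")
    for name, data in (("invoice.js", b"// placeholder"), ("docs.dat", buf.getvalue())):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(*scan_message(build_sample()), sep="\n")
```

The second finding comes from an attachment named docs.dat, which a check based only on the attachment's file name would miss.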

 

For more data regarding available Vulnerability signatures, please reference ThreatVault 2.0.

(Exploit kit and phishing vulnerability profile categories | Vulnerability Protection Profiles)

 

2) To prevent the delivery of malicious payloads, PAN-OS has an Anti-Virus scanning engine which can inspect the supported protocols over which viral content is most commonly transferred, including: http, smtp, imap, pop3, ftp, and smb. Any Security rule which permits traffic that is commonly targeted (web browsing to the internet and email access, for example) should ideally have an Anti-Virus profile assigned to it, with preventative actions configured in both the Action and Wildfire-Action columns for the protocols on which they are supported. (See the Prevention - Dynamic Updates section for details on what the difference is). (Antivirus Profiles)

 

3) URL Filtering can be configured to block access to URLs in suspicious categories such as Malware/Phishing/Unknown/Dynamic DNS/Proxy-avoidance/Questionable/Parked, which will prevent a host from reaching out via HTTP to a web server Palo Alto Networks has seen host suspicious content/malware. (From the Experts: URL filtering implementation and troubleshooting )

 

4) Use the File Blocking functionality of the PAN-OS appliance. PAN-OS is capable of identifying supported file types in data streams and taking action depending on how you have them configured. One common tactic of ransomware (and malware authors in general) is to stand up new infrastructure for delivery, use it for a short amount of time, and then retire it. This prevents reputational based filtering, as by the time security vendors can classify infrastructure as known malicious, clever threat actors have retired it and are operating elsewhere. One solution to this is to combine File Blocking of common malicious payload types (such as Flash, PDF, Executable, and Office documents) with a security rule with the Service/URL Category set to "Unknown" and the destination being the public internet. This effectively prevents transfer of common payload types regardless of AV detection simply because your PAN-OS device does not know the source of the file.

 

Please note that policy changes of this type should be carefully configured to ensure legitimate traffic is not impacted. As Palo Alto Networks cannot scan company intranet sites, it is important to make sure the URL filtering logs for Unknown category activity are reviewed before enacting a block of this kind to prevent causing a service outage for internal users. Creating custom URL categories for sites that are not currently categorized by the Palo Alto Networks firewall can prepare you for this step.

 

Additionally, it may also be relevant to consider blocking certain file types over SMTP, since a significant portion of Ransomware campaigns leverage phishing emails with malicious attachments as an infection vector.

 

Relevant file types include: All PE file types (exe, cpl, dll, ocx, sys, scr, drv, efi, fon, pif), HLP, LNK, CHM, BAT, VBE.

 

Blocking or alerting on encrypted file types can also assist in reducing exposure (encrypted-zip).

 

Alerting on all file types that are not blocked for visibility and log analysis can be useful.

(Tips from the Field: File blocking profile)

 

5) Some variants of ransomware reach out to external infrastructure to receive data (such as input from stated infrastructure to generate encryption keys to encrypt your files); as such, it is important to configure an Anti-Spyware profile with a "strict" setting and ensure that it is applied to security rules in which traffic egresses to the public internet.

(Anti-Spyware Profiles)

 

Additionally, the Anti-Spyware profile contains actions for when Suspicious DNS Queries are detected. The Anti-Virus and Wildfire content contains a list of domains Palo Alto Networks has identified as being potentially associated with malicious traffic; network administrators can block DNS requests to these domains with this profile, or choose to sinkhole the traffic to an internal IP address they have configured for further analysis. Truly dedicated administrators will see the potential here to do some interesting configuration; once one has hijacked DNS and redirected it to a sinkhole, standing up a web server at that IP address can allow the administrator to inspect what may have resulted from a successful DNS lookup. (How to Configure DNS Sinkhole | How to Verify DNS Sinkhole Function is Working | Video Tutorial: How to Configure DNS Sinkhole)

 

6) If licensed, Wildfire submissions should be configured to allow submission of supported file types to the Wildfire cloud for evaluation. This will allow the Palo Alto Networks firewall to identify new malware variants, create a signature for them, and deliver them in our content updates (See the Prevention - Dynamic Updates section for details on content delivery) (Submit Files for WildFire Analysis | Wildfire Configuration, Testing, and Monitoring  )

 

7) PAN-OS supports the usage of External Dynamic Lists for use in a security rule to prevent communication with destinations based on external reputational sources. While Palo Alto Networks does not currently curate their own list of approved sources, there is an aggregated list of resources for customer consumption available here. (Use a Dynamic Block List in Policy | How to Configure Dynamic Block List (DBL) or External Block List (EBL) )

 

8) Usage of SSL Decryption is an important factor to consider when implementing best practices; none of the above preventions can occur if the data streams traversing the firewall are encrypted and cannot be decrypted for inspection. Anti-Virus inspection will not function on HTTPS streams or encrypted email; URL Filtering is best effort against the common name/SNI on the certificate assigned to the web server; File Blocking cannot occur if PAN-OS cannot identify files due to the protocol they are traversing being encrypted; Wildfire submissions cannot occur if PAN-OS cannot identify supported file types for forwarding due to the protocol they are traversing being encrypted; Vulnerability and Spyware profiles cannot inspect and compare traffic against known signatures if the traffic is encrypted. This makes SSL decryption an integral part of ensuring a network does not have blind spots. (SSL decryption resource list)

 

9) As much as possible, allow only specific applications in the security rule. If possible, consider blocking 'unknown-tcp' and 'unknown-udp' traffic and create custom applications for internal applications if needed.

 

10) AutoFocus (autofocus.paloaltonetworks.com) can be used to better understand the behavior patterns of a particular variant of ransomware. When ransomware detonates, the artifacts it generates on both the host and the network side are often unique enough to help identify which type of ransomware it is; these can include the file extension of the encrypted files, the format of the ransom notes that are left with recovery instructions, and C2 traffic to external web hosts, just to name a few. Reviewing common ransomware family tags in AutoFocus can illustrate what is unique to each variant and can help users understand what each variant looks like. This knowledge will leave a network administrator better prepared to address a potential infection.

 

AutoFocus can also lend context as to which ransomware families are targeting which organizations, industries, or their peers. This can allow some measure of pro-active data gathering prior to any incident and better prepare administrators to strengthen their defenses in preparation for any future attack.

 

One might even combine AutoFocus indicators of compromise with other PAN-OS preventative functions like External Dynamic Lists to help increase their security posture. (Tips & Tricks: AutoFocus FAQ | Tips & Tricks: How to Use AutoFocus (with video) )
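
Indicators gathered this way should be vetted before they are published as an External Dynamic List (items 7 and 10 above), because one bad entry can block legitimate traffic. The following is an added example, not part of the original article or of PAN-OS; it assumes an IP-type list served as plain text with one address or CIDR per line, and the protected ranges, prefix limits and sample indicators are constructed assumptions.

```python
import ipaddress

# Ranges that must never be blocked; these values are assumptions, use your own
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]
MIN_PREFIX = {4: 24, 6: 64}  # broadest network accepted per IP version (assumed)

def build_edl(indicators):
    """Return (lines, rejected) where lines is the list body, one entry per line."""
    nets, rejected = {4: [], 6: []}, []
    for raw in indicators:
        text = raw.split("#", 1)[0].strip()   # allow trailing comments in the feed
        if not text:
            continue
        try:
            # Strict parsing: "203.0.113.9/24" is refused, not widened to a /24
            net = ipaddress.ip_network(text)
        except ValueError as exc:
            rejected.append((text, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((text, "network too broad"))
        elif any(p.version == net.version and p.overlaps(net) for p in PROTECTED):
            rejected.append((text, "overlaps a protected range"))
        else:
            nets[net.version].append(net)
    lines = []
    for version in (4, 6):
        # collapse_addresses removes duplicates and merges adjacent networks
        for net in ipaddress.collapse_addresses(nets[version]):
            single = net.prefixlen == net.max_prefixlen
            lines.append(str(net.network_address) if single else str(net))
    return lines, rejected

# Constructed indicators (documentation address ranges), not real IoCs
SAMPLE = [
    "203.0.113.7",
    "203.0.113.7      # duplicate",
    "198.51.100.0/25",
    "198.51.100.128/25",
    "192.168.10.5     # internal host that leaked into the feed",
    "0.0.0.0/0",
    "203.0.113.9/24",
    "bad.example",
]

if __name__ == "__main__":
    print(build_edl(SAMPLE))
```

Review the rejected entries by hand rather than discarding them silently; an internal address appearing in an indicator feed is itself worth investigating.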

 

Preventing Ransomware Attacks — Dynamic Updates

Along with properly configuring PAN-OS security profiles, ensuring that the latest content is available on the device will help keep a network safe from the latest threats. (Manage Content Updates)

 

Palo Alto Networks provides content in numerous forms:

 

  • For URL Filtering, PAN-DB/BrightCloud lookups occur as URLs are accessed (with caching of them that expires after a period). As such, no scheduled update is required for URL filtering.

 

  • Anti-Virus updates occur roughly once every 24 hours, publishing early AM PST (Please note that this is an estimate, and the time can shift depending on quality assurance processes). As such, configuring a PAN-OS device to update the Anti-Virus content at least once a day is recommended. Anti-Virus content contains signatures for known malicious files, and the content is generated as a result of Wildfire sandbox analysis of submitted samples. This content ties into the Anti-Virus security profile under the "Action" column.

 

  • Wildfire updates (if licensed) are available about every 15 minutes. As such, configuring a PAN-OS device to update the Wildfire content as often as possible is recommended; this will ensure the device has the latest signatures at any given time, and keep prevention capabilities up to date. This content ties into the Anti-Virus security profile in the "Wildfire Action" column.

 

  • Applications and Threats updates occur roughly once every 7 days, releasing Tuesday evening into Wednesday morning (there might be an occasional Emergency Content Update as well between two regular weekly releases). As such, configuring a PAN-OS device to update Applications and Threats at least once a week is recommended. Please note that these packages contain updates to application identification capabilities, and it is recommended that administrators thoroughly review release notes to fully understand any potential impact or configuration changes required before installing the content. The "Threats" portion of this package contains updates to Vulnerability signatures (tying into the Vulnerability protection security profile) and updates to Spyware signatures (tying into the Anti-Spyware security profile).

 

As a closing note, it is worth mentioning that backups are the best defense against serious impact on a network that has been infected by ransomware. So long as up-to-date and secured backup data is available, remediation after infection will have significantly less strain on afflicted parties and organizations.

Comments
by Peter_Blasko
on ‎06-21-2016 02:00 PM

Hello, in the text there is the sentence "Opening a .JS file on a Windows host will launch the default browser, and the Javascript can then reach out to an ..... "

 

So my Q is: how can I block a js file in a zip file?

by gabrielhill
on ‎06-22-2016 03:57 PM

Very nice article.

Peter hit the dot though. A lot of my issues are .JS files coming in through .zip files. The threat ID shown is: 52004, but I cannot simply tell it to block on that ID, as all .zip files show this ID.

Any suggestions?

by Lucky
on ‎06-23-2016 05:02 AM

Hello Peter and Gabriel,

 

We have just re-published a signature that was temporarily disabled; in content update 590 we re-enabled signatures 39002 and 39003, which should detect .js files sent via email (zipped or not). The default action on both signatures is "alert"; you can change it to "block" in order to block such communication.

 

Please note, email will still have to go through from the sender to the firewall (but not to the recipient), because blocking email before it has been fully transmitted can cause the sender to retransmit, believing communication was erroneously interrupted; therefore we allow the sender to complete communication and we return response 5.4.1 (access denied) to the sender.

 

Regards,

 

Luciano
