Ransomware Defense
- OpenEDR stops Ransomware without signatures
- OpenEDR complements & maximises native security features without the learning-curve
All these for free! https://github.com/jymcheong/OpenEDR
There are many variants of Ransomware but most of them have common characteristics:
Tactics/Sub-Objectives | Offensive Methods |
---|---|
Payload Delivery | Malicious email attachments &/or landing-web-pages, Mal-Ads, Remote Desktop Protocol, USB drives... |
Initial Code-Execution | Office-Macros (attachments), Exploit-Kits (malicious web links), Scripting to Execute-After-Write, DLL injections |
Install Persistence/Backdoor | Modify startup shortcut links (LNK files) & registry-settings, Living-off-the-Land techniques that abuse system-features/tools to persist after reboot |
The exception is delivery via RDP (or any other vulnerable service) ports exposed to the Internet, used to infiltrate & then spread within the affected internal networks.
Threat-actors want victims to pay-up.
Most Ransomware incorporates User Account Control (UAC) bypasses because source code is freely available at sites like https://github.com/hfiref0x/UACME.
Many home-users are running as local admins, especially if it is the first & only user account.
UAC bypass allows malware to escalate privilege & wipe Windows backups, making the data irrecoverable.
Even with local-admin accounts, few will run Browsers, MS-Word, Outlook... as Admin on a daily basis ;)
Malware tends to write more files for further execution & persistence. Files written by a non-privileged process will always be owned by the current user.
Which is why Ransomware does not need privileged rights to encrypt all files that belong to the user!
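To see the file-ownership property for yourself, here is an added PowerShell audit script (not OpenEDR's own code). It walks a directory, reports who owns each EXE/DLL/MSI and whether the current user's token holds an Allow entry that lets it overwrite or replace the file. The owner allow-list (SYSTEM, TrustedInstaller, Administrators) and the default scan root under `%LOCALAPPDATA%` are assumptions chosen for this example; anything a standard user both owns and can write is exactly what an ownership-based execution rule would refuse to run.

```powershell
# Added example, not OpenEDR's own code: audit which EXE/DLL/MSI files under a path
# a standard user could overwrite, and whether each file's owner is one of the
# privileged principals. The owner allow-list and default scan root are assumptions.

function Test-TrustedOwner {
    param([string]$Owner)
    # Owners whose executables are treated as deployed-by-admin; a file owned by an
    # ordinary user account was written by something running as that user.
    $trusted = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller', 'BUILTIN\Administrators')
    return ($trusted -contains $Owner)
}

function Get-UserWritableExecutables {
    param(
        [string]$Path = $env:LOCALAPPDATA,                 # placeholder scan root
        [string[]]$Extensions = @('.exe', '.dll', '.msi')
    )
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SID strings the current token carries: the user plus every group it belongs to
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    # Rights that let a caller replace the file's contents or the file itself
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            $writable = $false
            # Approximation: only Allow entries are evaluated; an explicit Deny entry
            # that would override them is not considered.
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }
                if (($mySids -contains $sid) -and ([int]($ace.FileSystemRights -band $writeMask) -ne 0)) {
                    $writable = $true
                    break
                }
            }
            [pscustomobject]@{
                File         = $_.FullName
                Owner        = $acl.Owner
                TrustedOwner = Test-TrustedOwner -Owner $acl.Owner
                UserWritable = $writable
            }
        }
}

# Usage: list executables that are neither owned by a trusted principal nor
# protected from the current user, i.e. what an ownership-based rule would deny.
Get-UserWritableExecutables -Path $env:LOCALAPPDATA |
    Where-Object { $_.UserWritable -and -not $_.TrustedOwner } |
    Format-Table -AutoSize
```

Run it once against `%ProgramFiles%` as a standard user and the result should be empty in a well-managed environment; run it against the user profile and you will see the files the user's own applications wrote, which is the set an attacker landing in that session can also write to.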
If you still have security budget, good for you! But if you don't, what can OpenEDR do to protect against Ransomware?
Code-Execution boils down to Executable-File-Based & "File-less" (without writing malicious executable files to disk). You can find out more from Cyren's deck on Fileless Ransomware. The two most commonly used executable-file extensions are .EXE & .DLL.
Typical Approach & Pain-points | OpenEDR's Approach & Advantage |
---|---|
For File-Based malware, pay for signature-based subscriptions which won't block customised malware. What if your environment is a "closed-network" or air-gapped? Who will figure out Windows AppLocker or Software Restriction Policies so that there are no loop-holes? | Non-privileged processes (eg. Winword, Browsers, Email apps...) write files that are owned by the user. We can use this file-ownership property to deny ANY malware that is delivered to a standard user, because in a managed environment deployed software should be READ-ONLY to users. If users can overwrite, so can attackers! OpenEDR denies any EXE/DLL/MSI file that the user has write-access to, but allows executables owned by SYSTEM, TrustedInstaller or the Administrators group. Easy to understand & manage, no signature updates needed whatsoever. No whack-a-mole games! |
For "Fileless" malware, upgrade to another "Next-Gen" subscription if you have the budget. Otherwise, try to harden or restrict by meddling with Microsoft Group-Policy-Objects. Users waiting for IT to "sign" their office-macros? | * Allow Office-macros that are created by the user with MS-Office applications, but strip macros from files written by non-Office processes.<br>* Turn on Win-10 (Pro & beyond) Attack-Surface-Reduction Rules upon OpenEDR installation, a precaution for environments that need to keep Office-macros (ie. switch off macro-stripping).<br>* Deny child processes created by Office applications. There are two layers of protection with Win10: first Microsoft ASR rules, & if those are somehow evaded, OpenEDR steps in to terminate the child-process.<br>* Deny LNK (shortcut) files that are not created from the user's desktop session; one of the easiest & most often used methods to abuse System Tools for further Code-Execution (aka Living-off-the-Land).<br>* Associate commonly abused scripting file-extensions to open in notepad instead of executing when double-clicked. Disrupting "Fileless" offensive methods without meddling with GPOs. Even junior staff can understand & deploy! |
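The first of the two layers above, Microsoft's ASR rules, can be switched on and checked without touching GPOs. The following PowerShell is an added example (not part of OpenEDR's installer) that enables the Defender rule "Block all Office applications from creating child processes" using Microsoft's published rule ID, reads back the state Defender reports, and pulls the Defender event-log entries the rule writes when it fires. It assumes Windows 10 Pro or later with Microsoft Defender Antivirus active and an elevated session; the `-AuditOnly` switch is there for environments that want to watch before blocking.

```powershell
# Added example, not part of OpenEDR: enable, verify and monitor the Defender ASR rule
# "Block all Office applications from creating child processes". Assumes Win10 Pro+
# with Microsoft Defender Antivirus and an elevated PowerShell session.
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Microsoft's published rule ID

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)   # parallel array to $ids
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ine $RuleId) { continue }
        # Action codes as stored by Defender: 0 off, 1 block, 2 audit, 6 warn
        $state = switch ([int]$actions[$i]) {
            0 { 'Disabled' }
            1 { 'Block' }
            2 { 'Audit' }
            6 { 'Warn' }
            default { "Unknown($_)" }
        }
        return $state
    }
    return 'NotConfigured'
}

function Enable-OfficeChildProcessBlock {
    param([switch]$AuditOnly)   # audit first where macros that spawn tools must keep working
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions $action
    return (Get-AsrRuleState -RuleId $OfficeChildProcessRule)
}

function Get-AsrRuleEvents {
    # Defender logs event 1121 when a rule blocks and 1122 when it fires in audit mode;
    # the event text carries the rule ID, which is used to keep only this rule's hits.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $OfficeChildProcessRule } |
        Select-Object TimeCreated, Id, Message
}

# Usage (elevated): turn the rule on, confirm the state Defender reports,
# then review what it has fired on over the last day.
Enable-OfficeChildProcessBlock
Get-AsrRuleEvents -Hours 24 | Format-List
```

A state of `Block` from `Get-AsrRuleState` is the first layer; anything that still manages to spawn a child from Winword or Outlook is what OpenEDR's own child-process termination is there to catch, and the 1121/1122 events are the cheapest place to look when deciding whether the rule can move from audit to block.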
- Next up, how to configure auto-recover endpoints with OpenEDR?