Crushing Cryptowall/Locker with AppSense Application Manager
- February 18, 2016
- Posted by: Brian Ham
- Category: Information Strategies Tips
As an IT guy you may have found yourself getting calls from everyone in the organization complaining that they cannot open files, or that files appear corrupt when opened in Office. You quickly find “DECRYPT_INSTRUCTION.TXT” files everywhere across the company shared drives and their subfolders. If you’re familiar with Cryptowall, CryptoLocker or any other ransomware, you’ll know that if you don’t act quickly it will encrypt every share your file servers offer, or at least every share the user who opened the infected file had access to.
What if I have the best anti-virus and my definitions are frequently up to date?
Over the last few years I’ve seen ransomware circumvent even the most up-to-date and restrictive anti-virus software. Ransomware is a constantly evolving entity, with new revisions popping up all the time. According to Intel Corp.’s McAfee Labs, ransomware is projected to grow in 2016.
My users aren’t local administrators on their machines. What about User Rights Management?
Even though you have ensured that most users in your organization don’t have local administrator rights to their machines and/or servers, it won’t help you much: most ransomware requires no admin rights. Anything your users have the ability to modify, file-wise, i.e. their home/personal drives and company shared drives, is vulnerable to the ransomware once it executes.
User Rights Management by Microsoft can be used to restrict ransomware and unauthorized executables, but at the cost of user experience. It is normally configured as a catch-all that blocks users from executing applications in the AppData portion of their profile. This can lead to application crashes, users being unable to elevate an application when needed, and a management headache from an IT perspective.
I have a great backup and system restore process in place, so I couldn’t care less if they open ransomware?
From experience, when ransomware enters the system and the user knows they’ve opened something they shouldn’t have, they tend to panic and either log off or shut down their system in the middle of the attack. Yes, shutting down the system stops the ransomware, but the problem is that damage has already taken place, either on the user’s machine or somewhere on the company shared drives. Months down the road you may realize someone had gotten the attack but never notified IT, and at that point the retention period for your backups has passed. Blocking the attack in the first place is the best course of action.
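The “DECRYPT_INSTRUCTION.TXT” files mentioned at the start of this post are the quickest indicator that a share has been hit, and a periodic sweep for them catches the “nobody told IT” case before the backup retention window closes. The script below is an added example, not code from the original post or from AppSense: it walks the share roots you give it, collects every ransom-note file, and groups them by NTFS owner, because a standard user who ran the ransomware is the owner of every note it wrote, which points you at the account and machine to isolate. The share paths and the note name list are assumptions; only DECRYPT_INSTRUCTION.TXT comes from this post, so extend the list with whatever note names you actually see.

```powershell
# Added example (not from the original post or AppSense). Sweeps share roots for
# ransom-note files and groups them by NTFS owner to find the source account.
$SharePaths = @('\\fileserver\shares', '\\fileserver\home')   # placeholders: your share roots
$NoteNames  = @('DECRYPT_INSTRUCTION.TXT')                   # extend with other note names you observe

function Find-RansomNotes {
    param(
        [string[]] $Paths = $SharePaths,
        [string[]] $Names = $NoteNames
    )
    foreach ($root in $Paths) {
        # -Force includes hidden files; access-denied folders are skipped rather than aborting the sweep.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Directory = $_.DirectoryName
                    Note      = $_.Name
                    Created   = $_.CreationTime
                    # Owner of a file a standard user created is that user. If it shows
                    # BUILTIN\Administrators the note was written by an elevated admin session.
                    Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
                }
            }
    }
}

function Get-RansomNoteSummary {
    param([object[]] $Notes)
    # One row per owner: how many folders carry a note and when the first one appeared.
    $Notes | Group-Object Owner | ForEach-Object {
        [pscustomobject]@{
            Owner     = $_.Name
            Folders   = $_.Count
            FirstSeen = ($_.Group | Measure-Object -Property Created -Minimum).Minimum
        }
    } | Sort-Object FirstSeen
}

$notes = Find-RansomNotes
Get-RansomNoteSummary -Notes $notes | Format-Table -AutoSize
# Keep the per-folder detail for the restore job: these are the directories to recover.
$notes | Export-Csv -LiteralPath (Join-Path $env:TEMP 'ransom-note-sweep.csv') -NoTypeInformation
```

Run it from an account that has read access to all the share roots; the FirstSeen column tells you how far back your restore point needs to go, and the CSV lists the exact folders to recover.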
How can AppSense Application Manager help prevent present and future Ransomware?
First, let’s start with what AppSense’s Application Manager is. Application Manager is a state-of-the-art user rights/privilege management technology that integrates at a granular level, while also preventing unauthorized code execution and enforcing software licensing. It works by injecting itself into the application prior to the application executing. This allows granular control over what the application can do to the system as the user, if anything at all. In our case, for this article, it is great for preventing malicious software from executing in the first place.
Let’s get started with Trusted Owner.
Trusted Owner is a feature of Application Manager that checks the current NTFS file ownership of the file attempting to execute. You may notice the check box that says “Change a file’s ownership when it is overwritten or renamed”. This is a great feature for those semi tech-savvy users who think they can get around the check by changing the file name or replacing the ownership with a trusted one: when a user does that, Application Manager is smart enough to realize it and still prevent the application from executing. This section is also great for enterprises that use SCCM or something similar to deploy applications, as you can add those service accounts here so they are able to execute/install onto the user’s endpoint. It’s important to note that if a user is a local administrator they can still execute files even when they have ownership of the executable file.
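To see what the Trusted Owner check actually looks at on your own files, here is an added example that approximates the decision with built-in PowerShell cmdlets. It is not AppSense code and does not reflect the product’s internals; the trusted owner list is an assumption (Application Manager ships its own defaults, and the SCCM service account shown is a hypothetical placeholder). It reads the NTFS owner with Get-Acl, applies the local-administrator bypass described above, and then demonstrates why renaming does not help a user: the owner travels with the file.

```powershell
# Added example, not AppSense code: approximates the Trusted Owner decision with
# built-in cmdlets so you can see the ownership the check would see on your files.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CONTOSO\svc-sccm'      # hypothetical SCCM deployment service account; replace with yours
)

function Test-TrustedOwner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Trusted = $TrustedOwners
    )
    $owner = (Get-Acl -LiteralPath $Path).Owner

    # Local administrators bypass the ownership check, as the article notes.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $reason = if ($isAdmin) { 'caller is a local administrator' }
              elseif ($Trusted -contains $owner) { 'owner is trusted' }
              else { 'owner is not trusted: execution blocked' }

    [pscustomobject]@{
        Path    = $Path
        Owner   = $owner
        Allowed = $isAdmin -or ($Trusted -contains $owner)
        Reason  = $reason
    }
}

# Demo: a file a standard user writes is owned by that user and fails the check,
# while an OS binary owned by TrustedInstaller passes.
$demo = Join-Path $env:TEMP 'user-written-demo.exe'
Set-Content -LiteralPath $demo -Value 'constructed test file, not a real executable'
Test-TrustedOwner -Path $demo
Test-TrustedOwner -Path (Join-Path $env:SystemRoot 'System32\notepad.exe')

# Renaming keeps the NTFS owner, so the renamed file is still blocked.
$renamed = Join-Path $env:TEMP 'renamed-demo.exe'
Rename-Item -LiteralPath $demo -NewName (Split-Path $renamed -Leaf)
Test-TrustedOwner -Path $renamed
Remove-Item -LiteralPath $renamed
```

Run it once as a standard user and once from an elevated prompt: the same file flips from blocked to allowed purely because the caller is a local administrator, which is exactly why the next section removes users from that group before relying on Trusted Owner.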
What does this look like from a user’s perspective?
This is a sample message I’ve configured; you can note that I’ve configured it to tell the user to contact our helpdesk if they need to open this application. You can also offer an option for users to self-elevate if you have identified a group of users who should be able to open what they need or want to.
So what do I do if a user is a local administrator and they need it to open certain business applications?
For starters we can remove them from the local administrators group and use a feature called User Rights Discovery Mode included in AppSense. This feature in Application Manager helps us identify those troublesome applications and create the appropriate elevation groups in Application Manager. I will cover the elevation feature in more detail in a future blog.
This is just a small taste of what Application Manager can do for your organization. In future blogs I will cover more of the use cases, like meeting corporate compliance requirements with licensing and creating one gold image to rule them all while still having the ability to control what users are able to open.
Get in touch with SōtirIS today so we can show you what AppSense Application Manager can do for your organization.