In the past few weeks, the rate of ransomware attacks has increased dramatically. Even in the popular news, we've seen several hospitals report major infections, and both the United States and Canada have issued warnings. Here are some quick tips to prevent ransomware infections.

Prevent Execution of Files in %AppData% Directories

Generally, most large-scale ransomware runs rely on either exploit kits or spam engines. In both cases, the malware usually has to execute from one of the temporary directories inside the user's Windows profile (%AppData%). It is possible to disable the ability to execute binaries in these directories via Group Policy or local Security Policy, which means that when a user double-clicks Invoice.exe, the malware will not run. This is accomplished with Software Restriction Policies; an example of how to enable this is shown on this blog.

The advantage of doing this is that it can also prevent some other forms of malware from executing.
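As an added example (not the diary's own code), the standalone-machine equivalent of those Software Restriction Policy rules, written in PowerShell against the registry location SRP reads; the path patterns and the shortened designated-file-types list are my assumptions, and on a domain the same rules belong in a Group Policy object instead:

```powershell
# Added example, not from the diary: create SRP path rules that disallow running
# executables from the per-user AppData trees, leaving the default level Unrestricted.
# Assumes the standard SRP registry layout under ...\Safer\CodeIdentifiers; run in an
# elevated PowerShell on a lab machine first, then log off and on for the policy to apply.
$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted" (262144)

New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1 -Type DWord  # all files except DLLs
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0 -Type DWord  # 0 = all users
# Designated file types (assumed subset; Windows' own default list is longer, extend as needed)
Set-ItemProperty -Path $base -Name 'ExecutableTypes' -Type MultiString `
    -Value @('EXE','COM','SCR','PIF','BAT','CMD','VBS','JS','WSF','HTA')

# Path patterns to block. %AppData%\*.exe matches the directory itself, %AppData%\*\*.exe
# one level below it, which is where dropped payloads usually land. Extend for your estate.
$rules = @(
    @{ Path = '%AppData%\*.exe';           Note = 'Block EXE in roaming AppData' },
    @{ Path = '%AppData%\*\*.exe';         Note = 'Block EXE one level below roaming AppData' },
    @{ Path = '%LocalAppData%\*.exe';      Note = 'Block EXE in local AppData' },
    @{ Path = '%LocalAppData%\*\*.exe';    Note = 'Block EXE one level below local AppData' },
    @{ Path = '%LocalAppData%\Temp\*.exe'; Note = 'Block EXE in the user Temp folder' }
)

foreach ($r in $rules) {
    # Each path rule is a GUID-named subkey under the level it enforces (0 = Disallowed)
    $key = Join-Path $base "$Disallowed\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $r.Path -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0       -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $r.Note -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Review what was written; deleting the Disallowed\Paths key rolls the rules back
Get-ChildItem (Join-Path $base "$Disallowed\Paths") |
    ForEach-Object { '{0}  {1}' -f $_.GetValue('ItemData'), $_.GetValue('Description') }
```

Legitimate software that updates itself from %LocalAppData% (some browsers and chat clients do) will also be blocked; whitelist those paths with rules under the Unrestricted level (262144) rather than loosening the Disallowed rules.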

Fully Patched Systems, Java, Shockwave, Flash (et al)

Exploit kits rely on vulnerabilities on the client machine to get malware to execute. Usually this involves vulnerabilities in Java, Shockwave, Flash, and Adobe Reader. With Windows Update, many systems are now automatically configured to get updates, but the third-party components have lagged behind: it wasn't until recently, for instance, that Flash integrated an auto-updater. Making sure these are updated will prevent exploit kits from being successful. That being said, exploit kits do occasionally use 0-day exploits, but it is a relatively rare occurrence.

Disable E-mails with Executable Attachments

Many ransomware e-mails use attachments with executables; simply blocking e-mails with executable attachments will prevent users from receiving them. Also look for e-mails with double file extensions. Another common trick is a zip file attachment that includes an executable or an HTML document (which uses other tricks to download an executable). Teaching users to spot these abnormal e-mails so they do not open them is key.
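An added example, not from the diary, that applies those three checks to attachment files a gateway has written to a quarantine folder; the extension lists, the lure-extension pattern and the sample files are constructed for the illustration:

```powershell
# Added example, not from the diary: screen attachment files in a folder for the three
# patterns above: executable types, lure double extensions such as Invoice.pdf.exe, and
# zip archives carrying an executable or HTML file. The file names and the sample zip
# are constructed here so the script runs stand-alone.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$ExecExt    = @('.exe','.com','.scr','.pif','.bat','.cmd','.vbs','.js','.wsf','.hta','.jar')
$RiskyInZip = $ExecExt + @('.html','.htm')

function Test-SuspiciousName {
    param([string]$Name)
    $ext = [IO.Path]::GetExtension($Name).ToLower()
    if ($ExecExt -contains $ext) { return "executable type $ext" }
    # A document-looking extension followed by a second one, e.g. photo.jpg.scr
    if ($Name -match '\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[A-Za-z0-9]{1,4}$') { return 'double extension' }
    return $null
}

function Test-Attachment {
    param([string]$Path)
    $name = [IO.Path]::GetFileName($Path)
    $why  = Test-SuspiciousName $name
    if ($why) { return $why }
    if ([IO.Path]::GetExtension($name).ToLower() -eq '.zip') {
        $zip = [IO.Compression.ZipFile]::OpenRead($Path)   # names only, nothing is extracted
        try {
            foreach ($entry in $zip.Entries) {
                $e = [IO.Path]::GetExtension($entry.Name).ToLower()
                $inner = if ($RiskyInZip -contains $e) { "member type $e" } else { Test-SuspiciousName $entry.Name }
                if ($inner) { return "zip member $($entry.Name): $inner" }
            }
        } finally { $zip.Dispose() }
    }
    return $null
}

# --- constructed sample attachments in a temp folder ---
$Dir = Join-Path ([IO.Path]::GetTempPath()) 'attach-demo'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
Set-Content -Path (Join-Path $Dir 'report.pdf')      -Value 'harmless text'
Set-Content -Path (Join-Path $Dir 'Invoice.pdf.exe') -Value 'not a pdf'
$zipPath = Join-Path $Dir 'scan.zip'
Remove-Item $zipPath -ErrorAction SilentlyContinue
$z = [IO.Compression.ZipFile]::Open($zipPath, 'Create')
[IO.Compression.ZipFileExtensions]::CreateEntryFromFile($z, (Join-Path $Dir 'report.pdf'), 'scan_0001.html') | Out-Null
$z.Dispose()

Get-ChildItem $Dir -File | ForEach-Object {
    $v = Test-Attachment $_.FullName
    '{0,-16} {1}' -f $_.Name, $(if ($v) { "BLOCK: $v" } else { 'allow' })
}
```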

Maintaining Strong Backups

Strong backups remain essential. If a ransomware infection happens, there are only two choices for the organization: restore from backup or pay the ransom. If backups are available, recovery may be a hassle, but the eye-popping ransom demands are no longer the only path to a full recovery.

Use of Vaccines

All ransomware families need some mechanism to ensure that a victim machine is not encrypted with multiple keys. A typical mechanism is to store the public key in the registry (or another artifact) so that subsequent infections (or re-executions of the same malware binary) only use the originally obtained key. There have been attempts to create vaccines that exploit this requirement to inoculate victim machines. These may warrant investigation on a case-by-case basis to see if they provide value.

Chime in with comments if there are other techniques you've used to help stop the spread in your organizations.

John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


CNBC shows how not to handle a security screwup
At this point in the disaster, hackers and infosec passersby on Twitter started actively @ replying CNBC and the article's author, CNBC data journalist Nicholas Wells. People were overwhelmingly angry at CNBC and calling for the password tool's removal.


The teenager who grabbed headlines earlier this week for hacking a fake game listing on to Valve's Steam store says there are "definitely" more vulnerabilities to be found in the popular game distribution service. But he won't be the one to find them, thanks to what he sees as Valve "giv[ing] so little of a shit about people's [security] findings."

Ruby Nealon, a 16-year-old university student from England, says that probing various corporate servers for vulnerabilities has been a hobby of his since the age of 11. His efforts came to the attention of Valve (and the wider world) after an HTML-based hack let him post a game called "Watch paint dry" on Steam without Valve's approval over the weekend.

Once that exploit was fixed and publicized, Nealon quickly discovered a second Steam exploit, which Valve has since fixed. This one took advantage of a cross-site scripting hole to hijack a Steam admin's authentication cookie through Valve's own administrative Steam Depot page. Before it was reported and patched, this exploit could have given attackers unprecedented control of Steam's backend, basically letting them pretend to be a Valve administrator.




New iPhone hack will free up at least 1-2GB of your valuable memory
The iPhone is very popular, but it has one genuine problem: fixed memory! A 16GB or 32GB iPhone can hold only so many albums, videos and images. Most users often have to delete their favourite videos/photos to make space for new ones.


On Thursday, the US Department of Defense announced the launch of a pilot bug-bounty program for the DOD's public-facing websites. Called "Hack the Pentagon," the bounty program will be managed by HackerOne, the disclosure-as-a-service company founded by Alex Rice and Michiel Prins.

Since Hack the Pentagon is a pilot, its budget and duration are fairly modest by DOD standards. The Pentagon has budgeted $150,000 for the monthlong bug hunt, which will begin on Monday, April 18 and end by Thursday, May 12. Payouts for accepted bugs will come from HackerOne and will be doled out by June 10.

Pentagon Press Secretary Peter Cook did not specify which DOD sites would be considered fair game for Hack the Pentagon. "The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches," he said. "Critical, mission-facing computer systems will not be involved in the program."



Compuware and CorreLog Give Enterprise Security and Compliance Teams Vital Application-Level Mainframe Insight
GlobeNewswire (press release)
In addition to enhancing enterprise SIEM implementation with rich, timely insight into mainframe application activity, the Hiperstation/CorreLog integration will also allow InfoSec and compliance staff to actually replay any user application sessions ...



Bug Bounty Hunters and the Companies That Pay Them
There's another side, a quieter side that doesn't really get featured in the news as much. But the ... In many cities there is an active open community called 'null', where infosec people gather once a week or month and share their knowledge ...

WebKitGTK+ Security Advisory WSA-2016-0003
APPLE-SA-2016-03-31-1 iBooks Author 2.4.1
Python v2.7 v1.5.4 iOS - Filter Bypass & Persistent Vulnerability

Community Extra: Calendar for April 1-9, 2016
... Learn about cracking passwords and the internal workings of your hard drive at a Technology Exposition, 9 a.m.-5 p.m. April 2 at Edmonds Community College, 20000 68th Ave. W, Lynnwood. Free, but reservations required. More info: infosec.edcc.edu.
