jymcheong / OpenEDR

Renamed to Free EDR to avoid confusion with Comodo's project
https://edr.sg
GNU General Public License v3.0

Stop Ransom-ware With OpenEDR #9

Closed jymcheong closed 4 years ago

jymcheong commented 4 years ago

TL;DR

All these for free! https://github.com/jymcheong/OpenEDR

Problem

There are many variants of Ransomware but most of them have common characteristics:

| Objectives | Offensive Methods |
|---|---|
| Payload Delivery | Malicious email attachments &/or landing web pages, mal-ads, Remote Desktop Protocol, USB drives... |
| Initial Code-Execution | Office macros (attachments), exploit kits (malicious web links), scripting to execute-after-write, DLL injections |
| Install Persistence/Backdoor | Modify startup shortcut links (LNK files) & registry settings, Living-off-the-Land techniques that abuse system features/tools to persist after reboot |

Most Ransomware are delivered to victims directly

The exception is delivering via RDP (or any other vulnerable service) ports found on the Internet as a means to infiltrate & spread within the affected internal networks.

Threat-actors want victims to pay-up.

More damage for Local-Administrator accounts

UAC bypass allows malware to escalate privilege & wipe Windows backups, making it irrecoverable.

Initial Code-Execution runs in NON-privileged mode

Even for local-admin accounts. Few will run-as Admin for Browsers, MS-Word, Outlook... on a daily basis ;)

Malware tends to write more files for further execution & persistence. Files written by a non-privileged process will always be owned by the current user.

Which is why Ransomware does not need privileged-rights to encrypt all files that belong to the users!

Solution

If you still have security budget, good for you! But if you don't, what can OpenEDR do to protect against Ransomware?

Disrupt Initial Code-Execution

Code-Execution boils down to Executable-File-Based & "File-less" (without writing malicious executable files to disk). You can find out more from Cyren's deck on Fileless Ransomware. The two most commonly used executable-file extensions are .EXE & .DLL.

| Typical Approach & Pain-points | OpenEDR's Approach & Advantage |
|---|---|
| For File-Based malware, pay for signature-based subscriptions which won't block customised malware.<br><br>What if your environment is a "closed-network" or air-gapped?<br><br>Who will figure out Windows AppLocker or Software Restriction Policies so that there are no loop-holes? | Non-privileged mode processes (e.g. Winword, browsers, email apps...) will write files that are owned by the user. We can use this file-ownership property to deny ANY malware that is delivered to a standard user, because in a managed environment, deployed software should be READ-ONLY to users. If users can overwrite, so can attackers!<br><br>OpenEDR denies any EXE/DLL/MSI files that the user has write-access to, but allows executables that are owned by SYSTEM, TrustedInstaller or the Administrators group.<br><br>Easy to understand & manage, no need for signature updates whatsoever. No whack-a-mole games! |
| For "Fileless" malware, upgrade to another "Next-Gen" subscription if you have the budget.<br><br>Otherwise, try to harden or restrict by meddling with Microsoft Group Policy Objects.<br><br>Users waiting for IT to "sign" their Office macros? | Allow Office macros that are created by the user with MS-Office applications, but strip macros from files written by non-Office processes.<br><br>Turn on Win-10 (Pro & beyond) Attack-Surface-Reduction rules upon OpenEDR installation, a precaution for environments that need to keep Office macros (i.e. switch off macro-stripping).<br><br>Deny child processes created by Office applications. There are two layers of protection with Win10: first by Microsoft ASR rules, & if evaded somehow, OpenEDR will step in to terminate the child process.<br><br>Deny LNK (shortcut) files that are not created from the user's desktop session. One of the easiest & most often used methods to abuse system tools for further Code-Execution (aka Living-off-the-Land).<br><br>Associate commonly abused scripting file-extensions to open with Notepad instead of executing scripts when double-clicked.<br><br>*Disrupting "Fileless" offensive methods without meddling with GPOs. Even junior staff can understand & deploy! |

What's Next?
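The file-ownership rule in the issue above (deny EXE/DLL/MSI the user can write to, allow executables owned by SYSTEM, TrustedInstaller or Administrators) can be checked ahead of deployment with a read-only audit. The script below is an added example written for this page, not OpenEDR's own code and not how the project enforces the rule at run time; the function names, the trusted-owner list, the set of ACL bits treated as "write access", and the REVIEW verdict for files that are neither user-writable nor trusted-owned are all this script's own assumptions.

```powershell
# Added example (not OpenEDR's own code): audit EXE/DLL/MSI files under a folder
# against the ownership rule described in the issue. Run it as the standard user
# whose access you want to evaluate; group membership comes from the current token.

# Assumption: owners that the issue names as trusted, in the form Get-Acl reports them.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller',
    'BUILTIN\Administrators'
)

# Assumption: any of these rights lets a user replace the file's contents
# (Modify and FullControl include WriteData, so they match too).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

# SIDs of the current user plus every group in the logon token, compared as strings.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$script:PrincipalSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Test-UserWritable {
    # Approximates effective-access evaluation: a Deny ACE on a write bit for any of
    # the caller's SIDs wins over an Allow ACE. Inherited ACEs are included in .Access.
    param(
        [System.Security.AccessControl.FileSecurity]$Acl,
        [string[]]$PrincipalSids
    )
    $allowed = $false
    $denied  = $false
    foreach ($ace in $Acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable/orphaned SID: ignore this ACE
        if ($PrincipalSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $denied = $true } else { $allowed = $true }
    }
    return ($allowed -and -not $denied)
}

function Get-ExecutablePolicyVerdict {
    # Returns one record per file with the verdict the ownership rule would give.
    param([string]$Path)
    $acl      = Get-Acl -LiteralPath $Path
    $writable = Test-UserWritable -Acl $acl -PrincipalSids $script:PrincipalSids
    $verdict  = if ($writable) {
                    'DENY (user-writable)'
                } elseif ($TrustedOwners -contains $acl.Owner) {
                    'ALLOW (trusted owner)'
                } else {
                    # Assumption: the issue does not say what happens here, so flag for review.
                    'REVIEW (read-only to user, owner not in trusted list)'
                }
    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner
        UserWritable = $writable
        Verdict      = $verdict
    }
}

function Invoke-ExecutableOwnershipAudit {
    # Walks $Root and evaluates the three extensions the issue names.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.msi' } |
        ForEach-Object { Get-ExecutablePolicyVerdict -Path $_.FullName }
}

# Usage: list the files the rule would block under the user's profile, then under
# Program Files (where anything user-writable indicates a broken deployment).
Invoke-ExecutableOwnershipAudit -Root $env:LOCALAPPDATA |
    Where-Object Verdict -like 'DENY*' | Format-Table -AutoSize
Invoke-ExecutableOwnershipAudit -Root $env:ProgramFiles |
    Where-Object Verdict -notlike 'ALLOW*' | Format-Table -AutoSize
```

Run this before switching the rule on: every DENY hit under the profile folder is a legitimately installed per-user application (Teams, Chrome per-user installs, portable tools) that would stop launching, and every non-ALLOW hit under Program Files is a directory whose ACL lets standard users replace binaries, which is the exact condition the issue's "if users can overwrite, so can attackers" remark is about.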