Ransomware

Ransomware is a type of malware that has become a significant threat to U.S. businesses and individuals during the past two years. Most of the current ransomware variants encrypt files on the infected system/network (crypto ransomware), although a few variants are known to erase files or block access to the system using other methods (locker ransomware). Once access to the system is blocked, the ransomware demands a ransom in order to unlock the files, frequently $200 – $3,000 in bitcoins, though other currencies and gift cards are occasionally reported. Ransomware variants almost always opportunistically target victims, infecting an array of devices from computers to smartphones.
Infection Vectors

The majority of ransomware is propagated through user-initiated actions such as clicking on a malicious link in a spam e-mail or visiting a malicious or compromised website. In other instances, malware is disseminated through malvertising and drive-by downloads, which do not require user engagement for the infection to be successful. While almost all ransomware infections are opportunistic, disseminated through indiscriminate infection vectors such as those discussed above, in a few very rare instances cyber threat actors specifically target a victim. This may occur after the actors realize that a sensitive entity has been infected or because of specific infection attempts. The Federal Bureau of Investigation (FBI) refers to these instances as extortion, rather than ransomware, as there is almost always a higher ransom amount that coincides with the strategic targeting. This was the case in spring 2016, when several hospitals infected with strategically targeted ransomware made the news.

Additional Capabilities

In the past year, ransomware variants' features have expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection components. One variant deletes files regardless of whether or not a payment was made. Another variant includes the capability to lock cloud-based backups when systems continuously back up in real time (a.k.a. during persistent synchronization). Other variants target smartphones and Internet of Things (IoT) devices. Although not as common, some variants claim to be from a law enforcement agency and that the user owes a "fee" or "fine" for conducting illegal activities, such as viewing pornography. In an effort to appear more legitimate, these variants can use techniques to identify the victim's rough geographic location in order to use the name of a specific law enforcement agency. No U.S. law enforcement agency will ever remotely lock or disable a computer and demand a fine to unlock it.

How to Mitigate the Risk of Ransomware Infections

These recommendations are not comprehensive but provide general best practices.

Securing Networks and Systems
Securing the End User
Responding to a Compromise/Attack
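The crypto ransomware behaviour described above (many user files rewritten with encrypted content and a new extension in a short time) is something a file-activity feed can surface. The following is an added example, not part of the original advisory, of a simple detection heuristic in Python: it scores each write by whether the extension changed and whether the new content has near-maximal Shannon entropy, then flags any process that exceeds a threshold of such writes inside a sliding window. The event tuples, process names, thresholds and the pseudo_ciphertext helper are constructed for illustration and are not taken from any real incident or product.

```python
import math
from collections import defaultdict, deque
from pathlib import PureWindowsPath

HIGH_ENTROPY = 7.0      # bits per byte; encrypted or compressed data sits near 8.0
WINDOW_SECONDS = 10.0   # sliding window over which suspicious writes are counted
MIN_SUSPICIOUS = 8      # suspicious writes inside one window before a process is flagged

def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte sample in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious(old_path: str, new_path: str, content: bytes) -> bool:
    """A write is suspicious when the extension changed and the new content looks encrypted."""
    ext_changed = PureWindowsPath(old_path).suffix.lower() != PureWindowsPath(new_path).suffix.lower()
    return ext_changed and shannon_entropy(content) >= HIGH_ENTROPY

def flag_processes(events):
    """events: iterable of (time_s, process, old_path, new_path, content_sample).
    Returns {process: time of first alert} for processes exceeding MIN_SUSPICIOUS in a window."""
    recent = defaultdict(deque)
    alerts = {}
    for t, proc, old, new, content in sorted(events, key=lambda e: e[0]):
        if proc in alerts or not is_suspicious(old, new, content):
            continue
        q = recent[proc]
        q.append(t)
        while t - q[0] > WINDOW_SECONDS:   # drop writes that fell out of the window
            q.popleft()
        if len(q) >= MIN_SUSPICIOUS:
            alerts[proc] = t
    return alerts

def pseudo_ciphertext(seed: int, size: int = 256) -> bytes:
    # Deterministic stand-in for encrypted output: each block is a permutation of all 256 byte values
    return bytes((seed * 37 + j * 11) % 256 for j in range(size))

# Constructed sample events (hypothetical, not from a real incident): Word saving a document in
# place, an archiver writing one high-entropy file, and an unknown process renaming files to .locked.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx", b"Plain report text. " * 8),
    (0.5, "7z.exe", r"C:\Users\a\logs.txt", r"C:\Users\a\logs.7z", pseudo_ciphertext(99)),
] + [
    (1.0 + i * 0.25, "unknown.exe", rf"C:\Users\a\img{i}.jpg", rf"C:\Users\a\img{i}.jpg.locked", pseudo_ciphertext(i))
    for i in range(12)
]
```

Running flag_processes(SAMPLE_EVENTS) flags only unknown.exe (the single archive write by 7z.exe stays below the threshold, and the in-place Word save never changes extension), which is why the rate threshold matters as much as the entropy check.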
What are domain policies?

Default Domain Policy — Establishes baseline settings for all users and computers in a domain in three key areas: password policy, account lockout policy and Kerberos policy.

Default Domain Controllers Policy — Establishes baseline security and auditing settings for all domain controllers in a domain.

What are the recommended best practices for setting the account lockout threshold?

The account lockout threshold should either be set to 0, so that accounts will not be locked out (and Denial of Service (DoS) attacks are prevented), or to a sufficiently high value so that users can accidentally mistype their password several times before their account is locked, but which still ensures that a brute ...

How do I protect my domain controller?

Here are some tips to protect Domain Controllers:

- Secure Domain Controllers physically. ...
- Implement a mechanism to administer Domain Controllers. ...
- Limit network access to Domain Controllers. ...
- Use the most updated version of Windows Server. ...
- Implement effective security measures. ...
- Limit what is run on Domain Controllers.

What is the use of policies in Active Directory?

Microsoft Active Directory allows you to use group policies to define user or computer settings for an entire group of users or computers at one time.