Cyber security experts are all on high alert due to the latest cyber attack. The WannaCry ransomware started attacking user files on Friday, demanding a ransom of $300 to restore access. According to The New York Times, the attack hit 200,000 computers in more than 150 countries. No industry was exempt: it hit corporations, hospitals and universities. Though pundits credit the UK cybersecurity researcher @malwaretechblog for halting the attack, many cyber security experts fear that the worst is yet to come. How can companies better protect themselves from ransomware attacks? What role do workers play in the susceptibility to these attacks?
Since we often hear from customers that we’ve protected their environments from malware and previous ransomware attacks, we put RES ONE Workspace to the test against WannaCry, using a scenario where a user would introduce the malware into the environment. We tested against the common example of a user receiving the initial dropper file via email, typically through an email phishing scam. Here is the setup:
- A clean install of RES ONE Workspace 10.0 with a clean database. Only the RES ONE Security module has been enabled.
- Standard user on Windows 7
- Files and Folder security is set to the known file extensions of WannaCry.
We tested a few different scenarios:
1. RES ONE Workspace in learning mode
This demo shows what RES can monitor and log to better identify what should be approved and what should be blocked. Learning mode has been enabled and the demo clearly shows the malware entering the workspace and exposing vulnerabilities. The goal should be to block these malicious files from entering the workspace, but learning mode does help identify the good from the bad. Most organizations only use learning mode for a short time before configuring security controls. That leads us to our second demo.
2. RES ONE Workspace with Security Module enabled
In this example, the Managed Applications AND Files and Folder security capabilities are active and set to block specific file types, including this strain of malware. In the demo, an unsuspecting user clicks the malware. The file is blocked immediately because of RES’ security configurations. Then, as an administrator, I authorize that file and try to run it again after a workspace refresh. This still doesn’t work, because the security settings block the extraction of the key malware files that wreak havoc on an environment. So even when an admin authorizes malicious files (either accidentally or intentionally), the environment is still protected. In this demo, we knew the file extensions we wanted to block, but that’s not always the case. Our third scenario tackles situations where a threat comes from an unknown file extension.
3. RES ONE Workspace with whitelisting enabled
With whitelisting activated and configured, the user’s attempt to open the file containing malware is blocked, even with an unknown file extension. In most cases, this will prevent the introduction of malware from unsuspecting users as the file type is not on the approved whitelist. From this point, RES typically suggests that IT give a worker the option of contacting IT or directly requesting review of the file via self service. That’s a great opportunity for organizations to formalize and automate security scans and review processes to add file types to the whitelist. Users can have full visibility into the status of their requests, and IT teams can proactively vet suspicious files, catching infected files and executables before they enter the environment.
This month WannaCry dominates the headlines, but we have reason to believe that ransomware attacks may become more commonplace than anyone would like. RES provides a much-needed layer of protection at the user level, reducing the number of risks that workers can unknowingly introduce into their environment.
* Please note that the videos and malware prevention shared assume the malware came through email as a phishing scam.