The ransomware worm ZCryptor self-replicates by placing autorun files on removable storage devices and network drives, spreading it to other devices and systems. Microsoft claims that systems can be protected by upgrading to Windows 10. What are some other mitigation steps enterprises can take? And how big of a threat is this ransomware worm compared to conventional ransomware?
Not every security issue can be mitigated by upgrading to the most recent version of an operating system or applying the most recent patch. Both are important security controls and must be included as part of an enterprise security program, but neither is a complete fix. The security program should cover how to respond to a ransomware worm like ZCryptor when the enterprise can't upgrade or hasn't upgraded to the most recent version of the operating system. ZCryptor has functionality to drop malware on USB drives or file shares, including an autorun.inf file that gets vulnerable systems to run the malware when the directory is opened. ZCryptor is also distributed via malicious emails in which an attachment with embedded macros executes the malware. With the rise in cloud file storage, file shares can include any automated mechanism for saving files in an external location that eventually allows a user to directly open a file and potentially execute the malicious code.
Because all enterprises are vulnerable to ransomware like ZCryptor, yours needs to take mitigation steps. First, check whether and how your endpoint security suite protects against ransomware, and whether it has functionality like that of the CryptoDrop tool developed by researchers at the University of Florida. The need for ransomware protection and good backups has been covered extensively, but taking two additional steps on top of following the Microsoft recommendations can minimize the chance that a compromised endpoint will affect the entire enterprise. Enterprises should ensure users have only the write access they need for file share stores, and should also disable autorun. Limiting user access to only the needed files means the ransomware will encrypt only those files, potentially leaving the other files unaffected. Disabling autorun is a standard antimalware recommendation that can stop the malware from running automatically on a system.
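Alongside disabling autorun, it helps to know whether autorun.inf files are already sitting on shares or removable media. The following is an added example, not code from the original article: it walks a mounted path and reports autorun.inf entries that would launch a program (`open`, `shellexecute`, `shell\<verb>\command`). The function names and the sample file contents are constructed for illustration.

```python
import configparser
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program


def launch_commands(inf_path):
    """Return (key, command) pairs from an autorun.inf that launch a program."""
    with open(inf_path, "rb") as fh:
        raw = fh.read()
    # autorun.inf is ANSI or UTF-16; latin-1 never fails on arbitrary bytes
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    text = raw.decode(enc, errors="replace")
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",), allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error:
        return [("unparseable", "")]  # a malformed file still deserves a look
    found = []
    for section in parser.sections():
        if section.strip().lower() != "autorun":
            continue
        for key, value in parser.items(section):
            # configparser lower-cases keys; shell\<verb>\command also launches
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, (value or "").strip()))
    return found


def scan(root):
    """Walk a mounted share or removable drive and report autorun.inf launchers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                path = os.path.join(dirpath, name)
                for key, command in launch_commands(path):
                    findings.append({"inf": path, "key": key, "command": command})
    return findings


def demo():
    """Scan a constructed sample tree (not a real ZCryptor artifact)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "AutoRun.INF"), "w") as fh:
        fh.write("[AutoRun]\nicon=drive.ico\nopen=sample.exe\n")  # constructed sample
    return scan(root)
```

Call `scan()` with the mount point of a share or removable drive; an autorun.inf with a launch entry on a data share is worth investigating, since ordinary file shares have no reason to carry one.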