Ransom, Where? Your Virtual Machines. Avoid Ransomware Pitfalls
If Liam Neeson were a security administrator and starred in a movie about ransomware, this would likely be his most famous quote:
I don’t know who you are…
I don’t know what you want…
If you are looking for ransom, I can tell you I don’t have money…
But what I do have is a unified set of security technologies, technologies I have acquired from 5nine Software…
Technologies that make me a nightmare for malware like you…
In all seriousness, ransomware has quickly become one of the most dangerous cyberthreats, and attacks against small and large organizations are on the rise. According to Symantec’s Ransomware and Business Report for 2016, nearly 43% of all ransomware victims were organizations; Windows users continue to dominate the ransomware landscape, and the trend is likely to continue.
Virtualized desktop and server environments are especially vulnerable to ransomware propagation: unsuspecting users may be targeted through several different vectors, such as email, network traffic and application communications. An inadvertent click that opens a malicious file or an embedded URL may result in a complete lockout of workloads and data. The cost could be astronomical, and could bring public embarrassment and significant downtime.
Fortunately, the FBI has provided a number of ways in which organizations can proactively defend against ransomware:
- Set anti-virus and anti-malware programs to conduct regular scans automatically.
- Configure firewalls to block access to known malicious IP addresses.
- Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
- Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
Organizations need the ability to detect, protect against and recover from ransomware attacks. The FBI’s recommendations do not mention virtualization, and traditional physical security solutions have gaps in their ability to defend against ransomware in virtualized environments.
To detect ransomware effectively, you must schedule regular AV/AM scans, which is easier said than done. Too many simultaneous scans on the same host cause high resource consumption, especially CPU utilization, which slows every VM on the host; this forces administrators to schedule scans only during off hours (otherwise end users stop them manually). Such infrequent scanning increases the risk of not detecting a ransomware threat early enough. 5nine Cloud Security has patented agentless technologies that allow scans up to 70% faster than using AV/AM endpoint solutions in each VM. This lets our customers scan frequently without the high resource consumption.
To protect, the suggestion above is to configure network appliance or perimeter firewalls to block malicious IPs. Should the ransomware come from an unknown address, it could still get inside your environment. Once there, it could propagate even if the network appliance or perimeter firewalls have rules to block unwanted traffic, because traffic between VMs on the same host (east-west traffic) never reaches the physical network. 5nine Cloud Security’s firewall operates on the host’s virtual switches, which all VM traffic must pass through. This allows customers to implement microsegmentation that permits only the required traffic, isolating the VMs and making it very difficult for ransomware to spread in the virtualized environment.
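As an added illustration of east-west microsegmentation enforced at the virtual switch port (this is not 5nine’s product code; it uses the extended port ACLs built into Hyper-V, and the VM name "APP01" and management subnet 10.10.5.0/24 are constructed for the example):

```powershell
# Added example, not code from 5nine: an inbound allow-list for one Hyper-V VM using
# built-in extended port ACLs. Because the ACL is applied at the vSwitch port, it also
# governs VM-to-VM traffic on the same host that never reaches the physical firewall.
# Assumptions (constructed): VM "APP01" on this host; admins connect from 10.10.5.0/24.

$vm   = "APP01"
$mgmt = "10.10.5.0/24"

# Clear any existing extended ACLs on the VM so the resulting rule set is reproducible.
Get-VMNetworkAdapterExtendedAcl -VMName $vm | Remove-VMNetworkAdapterExtendedAcl

# Default deny for all inbound traffic. Lowest weight, so the specific allows below win.
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Deny -Direction Inbound -Weight 1

# Allow RDP only from the management subnet. Stateful so the return traffic is permitted.
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound `
    -RemoteIPAddress $mgmt -LocalPort 3389 -Protocol TCP -Stateful $true -Weight 100

# Allow the one service this VM actually provides (HTTPS) from any source.
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound `
    -LocalPort 443 -Protocol TCP -Stateful $true -Weight 90

# Review the result: anything not matched by an Allow rule is dropped at the vSwitch port,
# including SMB or other lateral connections from a compromised neighbour VM on the same host.
Get-VMNetworkAdapterExtendedAcl -VMName $vm |
    Format-Table Direction, Action, RemoteIPAddress, LocalPort, Protocol, Weight
```

Rules are evaluated by weight (higher wins), so a broad Deny with the lowest weight plus narrow Allow rules gives a default-deny posture per VM without touching the perimeter firewall.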
Recovery is another key to not being held hostage should an attack succeed. If you can restore the compromised VMs quickly and easily, you remove all leverage from the attackers and are back in business. You will need frequent backups, and the backups themselves must be protected as well. 5nine partners with Veeam Software for VM backup and recovery. We have a version of our management software that lets you see and manage your VM backups with Veeam.
Don’t worry. There’s light at the end of the tunnel. Our 5nine Cloud Security solution is designed to address threats, including ransomware, across every part of your Hyper-V environment. Every virtual machine is immediately and automatically protected, ensuring the virtualized attack surface is always accounted for. Learn more and download a free trial here.