Greylisting applications while removing local administrator rights is the most effective protection against ransomware, according to a study by CyberArk Labs published in August 2016.
The company tested more than 23,000 samples of the most widespread ransomware families, looking for an answer to the growing problem of malware that locks files and machines and demands a ransom to undo the damage. Samples from families including Petya, Locky and CryptoLocker were analysed to learn how ransomware infects machines and encrypts files and systems. Several defensive strategies were tested during the study, and one blocked 100% of the samples: application control coupled with the removal of local admin rights.
CyberArk Research Outlines App Greylisting and Admin Rights Removal As an Adequate Method against Ransomware
CyberArk Labs tested several strategies for mitigating ransomware, but most of them worked only partially. Traditional, blacklist-based anti-virus software, for example, proved ineffective. Whitelisting, by contrast, did stop ransomware, but it had a serious drawback: it is impractical for users whose set of applications changes often, because asking an administrator to whitelist every new business application is not a workable process. Greylisting, on the other hand, proved both convenient and secure for protecting machines from ransomware.
The researchers also examined how ransomware depends on local administrator rights. They found that many modern strains try to run with local admin rights, but many others do not need them: 70% of the tested ransomware attempted to obtain admin rights, yet only 10% failed to execute without them.
The researchers concluded that combining more than one strategy improves the odds, because ransomware families differ in how they behave. The combination that proved effective is removing administrator rights together with greylisting applications. Greylisting means that unknown or untrusted applications are denied the privilege to read, write and modify files: a user can still launch an unfamiliar program without waiting for an administrator to approve it, but that program cannot touch the user's data.
To limit the impact on user productivity, the researchers recommend that administrators elevate privileges only for specific tasks, rather than granting users rights they do not need.
Cutting Internet access is another measure that blocks ransomware, the researchers say. “Without Internet access, the ransomware was unable to access its key server. This resulted in 20 percent of ransomware failing immediately and 70 percent being forced to attempt encryption using a default key,” the researchers found.
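As an added example, not code from CyberArk or the article, the script below approximates the controls discussed above with built-in Windows tooling: it trims the local Administrators group to an approved list, labels unknown executables in user-writable folders with a Low integrity level so that processes started from them cannot write to or modify the user's files, adds an outbound firewall block for those same executables so they cannot reach a key server, and shows per-task elevation through the UAC credential prompt. The account names, scan roots, trusted-hash file and installer path are placeholders, and treating any valid Authenticode signature as "trusted" is an assumed policy rather than part of the study.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from CyberArk or the article. It approximates the
# study's controls with built-in Windows tooling and assumes Windows 10 /
# Server 2016 or later (LocalAccounts and NetSecurity modules, icacls).
# Every path, account name and hash file below is a placeholder to replace.

# 1. Remove local admin rights: keep only an approved set of Administrators members.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation-Admins')  # assumed names

function Limit-LocalAdmins {
    param([string[]]$Approved, [switch]$WhatIf)
    $removed = @()
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($Approved -notcontains $m.Name) {
            Write-Host "Removing $($m.Name) ($($m.PrincipalSource)) from Administrators"
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf:$WhatIf
            $removed += $m.Name
        }
    }
    return $removed
}

# 2. Greylisting: executables in user-writable locations that are neither in the
#    trusted-hash list nor validly signed are labelled Low integrity. A process
#    started from a Low-labelled file runs at Low integrity, and Windows' no-write-up
#    rule then stops it writing to or modifying the user's Medium-integrity files.
#    It can still run and read, so this is weaker than the full read/write/modify
#    denial the study describes; step 3 adds the network cut-off for the same files.
$TrustedHashes = @{}  # assumed: SHA-256 hashes of approved business apps, one per line
Get-Content -Path 'C:\ProgramData\Greylist\trusted-sha256.txt' -ErrorAction SilentlyContinue |
    ForEach-Object { $TrustedHashes[$_.Trim().ToUpper()] = $true }

$ScanRoots = @("$env:USERPROFILE\Downloads", $env:APPDATA, "$env:LOCALAPPDATA\Temp")  # assumed

function Set-GreylistRestriction {
    param([string[]]$Roots, [hashtable]$Trusted, [switch]$WhatIf)
    $restricted = @()
    $candidates = Get-ChildItem -Path $Roots -Include *.exe, *.scr -Recurse -File -ErrorAction SilentlyContinue
    foreach ($exe in $candidates) {
        $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $exe.FullName
        # Trusting any valid Authenticode signature is an assumed policy; tighten it
        # to specific publishers if signed malware is a concern in your environment.
        if ($Trusted.ContainsKey($hash) -or $sig.Status -eq 'Valid') { continue }
        if ($WhatIf) { Write-Host "Would restrict $($exe.FullName)" }
        else { & icacls.exe $exe.FullName /setintegritylevel Low | Out-Null }
        $restricted += $exe.FullName
    }
    return $restricted
}

# 3. Cut the greylisted programs' Internet access so they cannot reach a key server
#    (without it the study saw 20% fail outright and 70% fall back to a default key).
function Block-GreylistedOutbound {
    param([string[]]$Programs, [switch]$WhatIf)
    foreach ($p in $Programs) {
        $name = "Greylist block: $p"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $p `
            -Action Block -Profile Any -WhatIf:$WhatIf | Out-Null
    }
}

# 4. Task-specific elevation: the user keeps a standard account, and a single
#    approved task is run elevated through the UAC credential prompt instead.
function Invoke-ElevatedTask {
    param([Parameter(Mandatory)][string]$FilePath, [string[]]$ArgumentList)
    $opts = @{ FilePath = $FilePath; Verb = 'RunAs'; Wait = $true }
    if ($ArgumentList) { $opts.ArgumentList = $ArgumentList }
    Start-Process @opts
}

# Audit pass first; drop -WhatIf once the approved lists are right for the machine.
Limit-LocalAdmins -Approved $ApprovedAdmins -WhatIf | Out-Null
$grey = Set-GreylistRestriction -Roots $ScanRoots -Trusted $TrustedHashes -WhatIf
Block-GreylistedOutbound -Programs $grey -WhatIf
# Invoke-ElevatedTask -FilePath 'msiexec.exe' -ArgumentList '/i', 'C:\Installers\approved.msi', '/qn'
```

Run it with the -WhatIf switches first and review what it would remove, relabel and block; the Low-integrity label is inherited by child processes of the restricted binary, but it does not stop a user from copying the file elsewhere, so treat this as a stop-gap rather than a substitute for an endpoint privilege management product.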
Whatever security measures are in place, however, the researchers strongly recommend regular backups of the system. They are essential for restoring a machine after a major attack if every other protection fails.
Ransomware became widespread in Russia in 2013 and has since spread worldwide. Between 2012 and 2013 the number of unique crypto-malware samples in circulation doubled, according to a study by the security software vendor McAfee. Ransomware attacks can cost victims tens of millions of dollars: one of the most widespread strains, CryptoWall, had caused $18 million in damage by June 2015, and CryptoLocker caused at least $3 million.