Defending Against Crypto-Ransomware with Netwrix

Hi, today we will discuss data governance and, more specifically, a software product called Netwrix Auditor.

Netwrix Auditor is a visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments to protect unstructured data regardless of its location. The platform provides security analytics to detect anomalies in user behavior and investigate threat patterns before a data breach occurs.

Netwrix Auditor includes applications for Active Directory, Exchange, Office 365, Windows file servers, EMC storage devices, NetApp filer appliances, SharePoint, SQL Server, VMware and Windows Server. Empowered with a RESTful API and user activity video recording, the platform delivers visibility and control across all of your on-premises and cloud-based IT systems in a unified way.

In addition, Netwrix released its latest version last month, Netwrix Auditor X, with some new features and enhancements:

  • Detect threats to sensitive data in less time and speed up security investigations with the new sensitivity context available in alerts and search.
  • Enhance cloud security with new reports on Azure AD users and their roles.
  • Instantly access the most critical information using the new customizable home screen.
  • And more…

Visit the release page:

I don’t know any Chief Information Security Officer, System Administrator or IT Manager who is not facing one of these challenges:

  • We struggle to find the data that needs protection and secure it properly.
  • Knowledge workers put sensitive data wherever they want, so we can’t protect it.
  • We don’t have enough visibility to identify IT security risks and reduce the likelihood of a breach.
  • When we get hit by a breach, we won’t be able to detect, investigate and report it, and ultimately ensure it won’t happen again.
  • We don’t have enough resources to address new compliance requirements while doing our day-to-day jobs.
  • Why is this account locked for the fifth time today? Who deleted this critical folder? …

Netwrix empowers us to minimize the risk of a data breach and ensure regulatory compliance by accurately discovering sensitive information, proactively reducing its exposure and promptly detecting policy violations and suspicious user behavior.

This brings several advantages:

  • Prevent a data breach by proactively improving data security posture and detecting abnormal user behavior and policy violations
  • Maintain compliance with less effort and expense and slash time required to prepare for audits by up to 85%

Netwrix helps to resolve the challenges below:

  • IDENTIFY: Which information is sensitive? Where does it reside? Is it at risk?
  • PROTECT: Who has access to sensitive folders? Who has full control over them?
  • DETECT: Who is violating security principles or acting strangely? What exactly was changed or viewed, when and where in my environment, and who must be held accountable?
  • RESPOND: Should we report a security incident as a data breach? What can we do to prevent this incident from happening again?
  • RECOVER: What data needs to be recovered?

Let’s see how Netwrix can limit the damage from crypto-ransomware.

1.   Introduction

51% of organizations have experienced a security incident in the past two years, and 270 days is the average time to identify and then contain a breach. Encryption ransomware is now one of the most common online criminal enterprises: instead of stealing information, this malware encrypts a victim’s data and then demands a ransom to unlock the encrypted files.

While ransomware attacks have been around for years, security experts report that they have become far more dangerous recently because of advances in encryption and other technologies. A crypto-ransomware attack can take hostage not only the data stored on a company’s individual computers but also the files on its servers and cloud-based file-sharing systems, leading to financial losses and stopping business in its tracks.

Advice: do not pay the attacker. Many companies did and regretted it; there is no guarantee that paying a ransom will unlock your systems. Worse, it is argued that paying a ransom may even increase vulnerability to future attacks by demonstrating ‘weakness’.

2.   How Ransomware is delivered to a User’s Computer

We see two types of attack today: the opportunistic and the targeted. An opportunistic attack does not target a particular entity; its goal is to hit as many systems as possible in the hope of reaching more victims. The perpetrators of opportunistic attacks often act through e-mails containing a link to a malicious website or an attachment infected with a malicious program.
Targeted attacks are potentially the most dangerous, as the attacker prepares the attack by exploiting a vulnerability identified in the target. Targeted attacks therefore aim at a specific entity.

The first method of propagating ransomware needs only one e-mail. It is a simple method where the malware arrives as an e-mail attachment or the mail contains a link to download a file. The e-mail often purports to be from a known entity, such as a bank, a partner or a colleague. The document name often includes a common extension such as “.doc” or “.xls” to deceive the user. For example, the full file name might be “Invitation.doc.exe”, but if the display of file extensions is disabled in the system settings the user will see only “Invitation.doc” and be misled into thinking the file is harmless. Another trick: the attachment might be a genuine .doc file that includes malicious macros.

Files containing malware or malicious macros can also be provided to potential victims on USB keys, disks or other removable media, or through malvertising. Once the user opens the file, the ransomware spreads. “Oh look, this beautiful USB key on the table, let’s see what’s inside”… “Oops”.

Another vector: attackers use web redirects and exploit software vulnerabilities to deliver malware. Users become victims simply by visiting a compromised web page.

3.   Steps of Ransomware Infection

Here is a step-by-step view of a ransomware infection:

  1. Open the gate

A user opens the malicious file propagated via e-mail or a compromised website, thereby releasing a ransomware client.

  2. Installation

The malware copies itself into various locations in the system (such as <%appdata%> or <%rootdrive%>/random_folder/) and edits the registry so that it starts automatically after every system reboot.

  3. Encryption key generation

The ransomware client builds an SSL connection with a command-and-control server and generates a public-private key pair to encrypt its victim’s files. Sometimes the key pair is generated locally instead.

Crypto-ransomware uses strong encryption such as RSA-2048, which virtually eliminates the possibility of the user discovering the key needed to decrypt the files.

  4. Scan and data encryption

The malware scans all available physical and cloud-based drives for files to encrypt and encrypts them.

  5. Extortion

“Give me money”: the malware displays a note with instructions for how the victim can pay to unlock the encrypted data.

If you are facing ransomware, do not pay! Most companies that pay receive a second attack on the spot, and in almost half of the cases it is the same ransomware. This malware is used equally in targeted attacks: the attacker, after stealing the information, locks the system, and in this kind of attack the attacker has a very good knowledge of the technology used to protect your organization. That is why it is really important to protect your backup environment, so that you do not find your backup files encrypted or deleted.

4.   How to prevent infection

As a reminder, please find below some recommendations to keep you out of ransomware trouble.
Analysis of reported attacks reveals several reasons why the attacks were successful:

  • Systems were weakly protected.
  • Employees had little or no cyber security education, so they would click on almost anything.
  • The organizations were using outdated software and equipment with many vulnerabilities to be exploited.

Recommendations:

  1. Educate your employees about cybersecurity. It is important to establish an awareness program. Test their knowledge with a fake phishing campaign, for example.
  2. Install the latest patches and updates. It is important to keep the operating system and applications up to date.
  3. Back up your systems; your backup solution must be secure by design and respect the 3-2-1 rule. More information here:
  4. Install an antivirus.
  5. Properly configure access to shared folders. Make sure that access is restricted to the fewest users and systems possible; otherwise, the infection of one computer can lead to the encryption of all documents in all folders on the network. Restrict user permissions to “Read” whenever possible (least privilege).
  6. Configure Group Policy to block macros, block executable extensions, disable Autoplay and blacklist applications.
  7. Configure the firewall to block TOR IP addresses.
  8. Implement mail protection to detect phishing, spam, etc.

5.   How Netwrix Auditor can help?

In cybersecurity, we never rely on a single protection; we build multiple layers of security. IT defense uses the same strategy as military defense: several layers of security are erected between the attacker and the position to be defended. These defenses are not just technical!

Benefits: Avoid business downtime, financial losses, and damage to your reputation.

The Netwrix Auditor platform enables you to mitigate the risk of malware spreading across your network and to detect activity indicative of a malware attack in progress.

5.1 Implement the Least-privilege Model

It is important to review account permissions to ensure that the permissions assigned to each user account match the employee’s role. Netwrix helps you with this task through predefined reports.

Identify users with permissions on files and folders that they do not use. Remove those excess permissions to limit the area of infection in case of an attack.

Check whether folders have permissions assigned to “Everyone” or “Authenticated Users” and remediate to limit the scope.

Review changes to permissions and to security group membership, so that improperly delegated access rights are detected and remediated in a timely manner.
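The two checks above (catch-all groups on folders, and grants nobody exercises) as an added example, not Netwrix Auditor code: it runs over a constructed ACL export and a constructed access log, and the `folder;principal;rights` and `timestamp;user;folder` line formats are assumptions.

```python
"""Least-privilege review over a constructed ACL export and access log.

Added example, not Netwrix Auditor code. Both line formats are assumptions:
ACL lines are 'folder;principal;rights', access lines are 'timestamp;user;folder'.
Grants to custom groups are not expanded to members here; a real review would
expand group membership first."""
from collections import defaultdict

BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed sample ACL export (folder;principal;rights)
ACL_EXPORT = r"""
\\fs01\Finance;Everyone;Read
\\fs01\Finance;CORP\alice;Full Control
\\fs01\Finance;CORP\bob;Modify
\\fs01\HR;CORP\carol;Modify
\\fs01\HR;Authenticated Users;Modify
\\fs01\Public;CORP\bob;Read
"""

# Constructed sample access log for the review period (timestamp;user;folder)
ACCESS_LOG = r"""
2024-03-01T08:01:00;CORP\alice;\\fs01\Finance
2024-03-02T09:15:00;CORP\carol;\\fs01\HR
2024-03-03T10:00:00;CORP\alice;\\fs01\Finance
"""

def parse_acl(text):
    """folder -> set of (principal, rights) ACEs."""
    grants = defaultdict(set)
    for line in text.strip().splitlines():
        folder, principal, rights = line.split(";")
        grants[folder].add((principal, rights))
    return grants

def parse_access(text):
    """Set of (folder, user) pairs actually exercised in the period."""
    used = set()
    for line in text.strip().splitlines():
        _ts, user, folder = line.split(";")
        used.add((folder, user))
    return used

def broad_grants(grants):
    """ACEs held by catch-all groups: one infected account reaches every such folder."""
    return sorted((folder, p, r) for folder, aces in grants.items()
                  for p, r in aces if p in BROAD_PRINCIPALS)

def unused_grants(grants, used):
    """Explicit grants that no access in the log ever exercised: removal candidates."""
    return sorted((folder, p, r) for folder, aces in grants.items()
                  for p, r in aces if p not in BROAD_PRINCIPALS and (folder, p) not in used)
```

Fix the broad grants first (widest blast radius), then remove the unused explicit grants after confirming with the owners that the review period was representative.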

5.2 Control the applications & GPO

Review changes to Group Policy; for example, check the Password Policy or Software Restriction Policy settings to ensure your application whitelist is not modified improperly.

Privileged users have the ability to make changes that can lead to unavailability of critical systems and to security breaches. Therefore, it is essential to keep privileged users accountable by monitoring their activity in critical systems and applications. Detect abnormal changes in server configuration, such as an application installation.

You can also spot and investigate unauthorized changes with Video Recording of User Activity.

5.3 Detect and optimize the data recovery process

You can create custom alerts based on the audit data; for example, you can receive an e-mail if someone deletes a lot of files in a very short period, or when an account is added to a privileged group.

If you have an existing SIEM solution, it is possible to integrate Netwrix Auditor with it.

Use the predefined views to detect abnormal spikes in user activity on your file servers and quickly drill down into the details to gain more insight.

Get a complete list of the files and folders that were deleted by the infected user account and restore them granularly from backup instead of having to restore all file servers.
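The mass-deletion alert and the per-account restore list described above, as an added example that is not Netwrix Auditor code: it runs over constructed file-server audit lines, and the `timestamp;user;action;path` format is an assumption (on Windows the raw source would be Security event 4663 with DELETE access on an audited share).

```python
"""Mass-deletion alert and per-account restore list over constructed audit lines.

Added example, not Netwrix Auditor code. Line format 'timestamp;user;action;path'
is an assumption; on Windows the raw source would be Security event 4663 with
DELETE access on an audited share."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # deletions ...
WINDOW = timedelta(seconds=60)   # ... inside any 60-second sliding window
# Constructed audit trail: bob deletes six files in 40 seconds, alice two in a day.
AUDIT_LINES = r"""
2024-03-04T09:00:00;CORP\alice;Delete;\\fs01\Finance\old.xlsx
2024-03-04T09:00:05;CORP\bob;Read;\\fs01\Finance\q1.docx
2024-03-04T14:10:00;CORP\bob;Delete;\\fs01\Finance\q1.docx
2024-03-04T14:10:06;CORP\bob;Delete;\\fs01\Finance\q2.docx
2024-03-04T14:10:12;CORP\bob;Delete;\\fs01\Finance\q3.docx
2024-03-04T14:10:20;CORP\bob;Delete;\\fs01\HR\payroll.xlsx
2024-03-04T14:10:31;CORP\bob;Delete;\\fs01\HR\contracts.pdf
2024-03-04T14:10:40;CORP\bob;Delete;\\fs01\Public\notes.txt
2024-03-04T17:30:00;CORP\alice;Delete;\\fs01\Finance\draft.xlsx
"""

def parse(text):
    """Parse audit lines into (timestamp, user, action, path), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(";")
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)

def deletion_spikes(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: burst_start} for accounts whose deletes reach the threshold
    inside the sliding window; a slow trickle of deletes never alerts."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, action, _path in events:
        if action != "Delete":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop deletes older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = q[0]            # oldest delete of the burst
    return alerts

def deleted_paths(events, user, since=None):
    """Everything `user` deleted from `since` on: the granular restore list."""
    return [p for ts, u, a, p in events
            if u == user and a == "Delete" and (since is None or ts >= since)]
```

The same loop applies to renames to an unknown extension, which is the other file-server signal of encryption in progress.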

6. Conclusion

Today we need to add as many layers of security as possible to protect our environment. Netwrix can help you with many of them.

Attacks are becoming more and more sophisticated. Backups are now the new targets of ransomware. If you have not already done so, read this article:

Fun Fact (or not): I recently saw a company victim of ransomware that saw all of their printers print the ransom note until the paper ran out. The imagination of attackers is limitless. All that to say that attention needs to be paid to every component and it’s important to change the factory values.

Thanks for the read.
