Tag Archives: Ransomware

Your Ransomware Strategy 2021: Prevention or Bow to the Inevitable?

1 January 2021

This morning I read the transcript of the Threatpost webinar ” What’s Next for Ransomware”.[1] Becky Bracken hosted the webinar some weeks ago, panelists were Limor Kessem (IBM Security), Allie Mellen (Cyberreason) and Austin Merritt (Digital Shadows). The discussion focused on incident response:

“While IT departments will undoubtedly lead efforts to shore up defenses against attacks, including backups, patching, updating and employee-awareness training, our panel of experts agree that preparing a critical-response plan which includes the entire organization — from the executives on down the org chart — is the best way to minimize cost, damage and downtime.”

Having a well-crafted and trained incident response plan in place is, from my point of view, an indispensable means to recover from all kind of cyber-attacks. But is it “the best way to minimize cost, damage and downtime” in the case of Ransomware?

Response plans come into play when a ransomware attack is detected. But during the time until detection, the ransomware may cause damage to the network and the data. Once detected, incident response kicks in by taking appropriate actions to

  • containing the attack,
  • investigating the network for yet undetected instances of the ransomware,
  • repairing the already done damage, etc.

This is close to Gartner’s[2] approach to defend ransomware, so industry standard. But is this reactive approach the best way to minimize the economic impact of an attack?

The Cyber Security and Infrastructure Security Agency (CISA) describes in its Ransomware Guide[3] a more preventive approach. Backup, patching, cyber-hygiene, awareness training and cyber incident response plan are the building blocks. In addition, CISA recommends to “Use application directory allowlisting on all assets to ensure that only authorized software can run, and all unauthorized software is blocked from executing”.[3] This is a clear step towards prevention of attacks. Since ransomware comes from external sources e.g., through internet, e-mail, usb-devices, it commonly is not part of the allow-list, thus blocked.

The Department of Homeland Security (DHS) goes one step further in its 2016 published paper “Seven Strategies to Defende ICS”.[4] The first strategy is “Implement Application Whitelisting” because it “can detect and prevent attempted execution of malware uploaded by adversaries”.

Finally, the Australian Cyber Security Centre (ACSC) recommends Application Whitelisting as Number One of Essential Eight[5][6] strategies to prevent malware delivery and execution.

Neither Gartner nor the experts in the Threatpost webinar mentioned preventive controls to deal with ransomware. DHS and ACSC recommend them as central part of a cyber-security strategy.

From my point of view, application whitelisting is a must have to minimize the economic impact of an attack. If execution of malware is prevented, the costs to cleanup and recover from a ransomware attack are minimized.

The baseline security costs are for certain increased because application whitelisting solutions must be managed like any other application. This holds even if the Windows built-in tools AppLocker or Software Restriction Policies are used. But this will be balanced by the fact that application whitelisting will prevent also zero-day malware or PUA from execution.

CISA and ACSC provide useful hints on dealing with ransomware without big invest in new tools. It makes sense to take them into account when revising your security roadmap for 2021.

Happy New Year!

And have a great weekend.


[1] Bracken B. What’s Next for Ransomware in 2021? [Internet]. threatpost. 2020 [zitiert 1. Januar 2021]. Verfügbar unter: https://threatpost.com/ransomware-getting-ahead-inevitable-attack/162655/

[2] Sakpal M, Webber P. 6 Ways to Defend Against a Ransomware Attack [Internet]. Smarter with Gartner. 2020 [zitiert 1. Januar 2021]. Verfügbar unter: https://www.gartner.com/smarterwithgartner/6-ways-to-defend-against-a-ransomware-attack/

[3] Cyber Security and Infrastructure Security Agency. Ransomware Guide [Internet]. CISA Publications Library. 2020 [zitiert 8. Oktober 2020]. Verfügbar unter: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

[4] U.S. Department of Homeland Security. Seven Strategies to Defend ICSs [Internet]. DoD’s Environmental Research Programs. 2016 [zitiert 13. Oktober 2020]. Verfügbar unter: https://www.serdp-estcp.org/serdp-estcp/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Resources-Tools-and-Publications/Resources-and-Tools-Files/DHS-ICS-CERT-FBI-and-NSA-Seven-Steps-to-Effectively-Defend-Industrial-Control-Systems

[5] Australian Cyber Security Center. Strategies to Mitigate Cyber Security Incidents [Internet]. 2017 [zitiert 1. Dezember 2020]. Verfügbar unter: https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents

[6] Australian Cyber Security Center. Essential Eight Explained [Internet]. [zitiert 1. Dezember 2020]. Verfügbar unter: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained

Think Before You Sync. Why just moving to the cloud does not solve the ransomware threat.

27 July 2019

On May 7th, 2019 the city of Baltimore was hit by a ransomware attack.  Although the city hired Microsoft and five other firms it has not fully recovered from the attack yet.(1)

Since the city’s email system was down officials started to use Gmail accounts for communications.(1)(2) This makes sense in the case of an emergency. Not communicating in the case of a publicly visible cyber-attack commonly has a large financial impact on businesses; but in the case of cities this may result in the loss of public security.

The ransomware attack on Norsk Hydro on March 19th, 2019 impressively shows the effect of good communications(3)(4): Investor’s confidence was not endangered at any time, the share price remained unchanged.

But from a strategic point of view, just moving to the whatever cloud is not a good idea. Google’s idea behind ChromeOS was simply clever: If everything (applications and data) is stored in the cloud the impact of e.g. ransomware will be negligible because the malware cannot jump across the https barrier to your cloud storage. The same holds for O365.

Unfortunately, users are not used of this way of working in the browser. It’s often slow, requires a change in working habits, travelling requires extra preparation, etc. So, Microsoft invented OneDrive and Google came up with Sync for Windows. Similar tools are available for Box and DropBox, and for all desktop operating systems, even for Linux.

Linux Setup Online Accounts

Linux setup online accounts during first login

With these syncing tools, the data stored in the cloud is made available on the user’s desktop. Changes to local files are synchronized immediately to the cloud and vice versa. And with this, the ransomware problem still exists because if a ransomware encrypts the synchronized files on the local copy the change is immediately synchronized to the cloud.
Game over.

So, if you want to take advantage of the cloud you have to run a vast change project: The whole working environment with all forms, templates, etc. must be provided in the cloud. And the employees must get used of the new way of working.

We need change!

We need change!

But the effort pays off: Your network becomes more resilient against cyber-attacks, workstations can be easily exchanged, the endpoint complexity can be reduced, windows domains and in the end, the campus network, will become dispensable.

So, think before you sync!

Have a great weekend.


  1. Duncan I. Google Pitches to Baltimore after Ransomware Attacks [Internet]. Government Technology. 2019 [zitiert 27. Juli 2019]. Verfügbar unter: https://www.govtech.com/computing/Google-Pitches-to-Baltimore-after-Ransomware-Attacks.html
  2. Cyber-spies tight-lipped on Baltimore hack. BBC News [Internet]. 27. Mai 2019 [zitiert 27. Juli 2019]; Verfügbar unter: https://www.bbc.com/news/technology-48423954
  3. Norsk Hydro. Update: Hydro subject to cyber attack [Internet]. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.hydro.com/de-DE/medien/news/2019/update-hydro-subject-to-cyber-attack/
  4. Norsk Hydro ASA. Norsk Hydro: Update: Hydro subject to cyber-attack – 19.03.19 – News – ARIVA.DE [Internet]. de. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.ariva.de/news/norsk-hydro-update-hydro-subject-to-cyber-attack-7476743

Some thoughts on “Protecting against ransomware using PCI DSS and other hardening standards”

20 May 2018

Post “Protecting against ransomware using PCI DSS and other hardening standards” (1) published this week by Paul Norris in SC Media UK is really worth reading. Hardening is a proven method to reduce the attack surface of a computer network. If well done, the spreading of ransomware and thus the impact on an organization can be limited.

Hardening, patching, etc. serve a common goal in cyber war: Describing the limits of conflict. Everett Dolman writes in chapter 5 of “Pure Strategy: Power and Principle in the Space and Information Age” (2):

“Tactical thinkers seek to define and describe situations. Decision-making in real-time tactical mode requires it. The more knowledge of the limits to conflict, the more creatively the tactical genius can deploy, maneuver, and engage forces. Knowing completely what cannot be done allows for an investigation what can be done.”

Hardening, patching, etc. decrease the number of options / attack vectors an attacker can use for getting on and exploring a network. IT security groups can then focus on the remaining attack vectors, and prepare for the unknown.

Let me give two examples to illustrate this.

  1. If all external storage devices are technically blocked in your organization an attacker cannot use them for delivery of weaponized documents. Furthermore, if users have no chance to change this your IT security group can focus on investigating other attack vectors.

  2. If you implemented the measures for mitigation of high and medium risk findings described in the DoD “Windows 7 Security Technical Implementation Guide” (3) you can be sure that attacks based on bypassing UAC to get elevated privileges are no longer possible.

But be aware that the attacker also knows what cannot be done after a standard is implemented…

Have a great week.


  1. Norris P. Protecting against ransomware using PCI DSS and other hardening standards [Internet]. SC Media UK. 2018 [cited 2018 May 20]. Available from: https://www.scmagazineuk.com/opinion/protecting-against-ransomware-using-pci-dss-and-other-hardening-standards/article/761956/

  2. Dolman EC. Pure Strategy: Power and Principle in the Space and Information Age [Internet]. Taylor & Francis; 2004. (Strategy and History)

  3. Department of Defense. Windows 7 Security Technical Implementation Guide [Internet]. STIG Viewer | Unified Compliance Framework®. 2017 [cited 2018 May 20]. Available from: https://www.stigviewer.com/stig/windows_7/

Ransomware for Industrial Control System – Digital Carelessness

19 March 2017

Ransomware for Industrial Control Systems (ICS) is a scaring idea. The research paper ‘Out of Control: Ransomware for Industrial Control System‘ by David Formby, Srikar Durbha and Raheem Beyah from the Georgia Institute of Technology is really worth reading.

The researchers study several attack vectors and run a proof of concept (POC). In addition, they give some hints for mitigation of this new risk in the ICS / SCADA domain.

In the simplest case, if the PLC is connected to the internet, the cyber-criminal can attack the PLC directly. A more dangerous, but also very promising way is to start an attack on a workstation located in the corporate network and use this system as base camp for the access to the production network.

In the past weeks I prepared a speech for a workshop about “Safety and security in plant safety”. In the IIoT, the digital world acts upon the physical world. With this, flaws in the IIoT software may create a safety problem. For example, if a PLC or other SCADA components are attached to the internet, cyber criminals can exploit such flaws and compromise the integrity of the systems or implement ransomware on the systems. In the worst case, if e.g. the SCADA system controls a critical infrastructure like a power grid, this may result in a blackout. And operators of critical infrastructures will pay definitely any ransom to avoid a blackout.

The attack vectors described above are the native way for accessing industrial facilities and critical infrastructures. Besides the PLC, lots of other components like switches or HMI panels are connected more or less intentionally to the internet today. My colleague Christoph Thust from Evonik calls this the Digital Carelessness.

A plain SHODAN search for ‘SCALANCE‘ results in 213 hits. These network switches are more or less exposed to the internet. If a cyber attacker can hijack such a switch, he gains full control of the production network.

Shodan Scalance Search

Shodan Scalance Search. Click to enlarge.

A search for ‘SIMATIC HMI‘ results in 103 hits. This HMI panels are directly attached to the internet, lots of them can be viewed with WinVNC, some of them can be fully operated by EVERYONE.

Shodan Search HMI

Shodan Search HMI. Click to enlarge.

And, above all, HMI panels attached to the internet can be used as base camp for an attacker’s lateral movement in the production network.

Although ransomware is a really big issue today, the effort to rollout ransomware in a SCADA environment is high compared to the effort of plain attacks to unsecured SCADA system components.

The good news is, that the vendors of SCADA components already offer the elementary technology and strategies for their secure operation. But improvement of the basic security technologies is of crucial need for efficient use in the production domain.

The bad news is, that neither the engineering service providers nor the plant operators are fully aware of cyber-threats and their impact on plant operations and safety. The above examples make clear that the mitigation measures and defense strategies provided by the technology vendors are not followed.

From my point of view we need to start early in the construction process with considerations of cyber security. Security gates must be added to each construction phase. And during handover to the operator, a final pen test must be performed. As soon as Security by Design becomes an integral part of the Industrial Plant Life Cycle, the era of digital carelessness will end.

Have a good weekend.

Locky deployment methods just changed – Who cares?

30 July 2016

The Post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings to the User Space and executed from User Space.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

Webinar Digital Extortion: Will you pay the ransom?

27 July 2016

I attended the IBM Security Webinar “Digital Extortion: Will you pay the ransom?” this evening. Limor Kessem talked about the history of and the latest trends in ransomware. Robert Lelewski provides an overview of the means to guard against and to recover from ransomware attacks.

Robert Lelewski showed a really remarkable slide:

Train users to beware of threats

Train users to beware of threats

The message is simple: Your users are the first line of defense. User training is the most effective means of combating cyber-attacks.

For more details, see the IBM ransomware landing page.

Have a good day.

New developments in the field of ransomware

11 June 2016

During my test of AppGuard some new variants of ransomware showed up in the wild.

ReaQta reported a new and massive worldwide Locky ransomware spam campaign. The new variant downloads the payload in encrypted form from the attacker’s command and control server and decrypts it before execution on the victim’s system. This makes it harder for traditional anti-malware systems to identify the payload as malicious.

Since the decrypted version is executed from User Space AppGuard blocks the execution.

Microsoft reported a new variant called ZCryptor which behaves like a worm:

‘ZCryptor can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. This means the ransomware can spread itself to other machines on portable storage devices, rather than relying on more targets to fall victim to phishing, according to Microsoft’s security advisory.’

I had to deactivate all Windows 10 security features on my test system to download the malware sample from malwr.com to the User Space of my account:

Timestamp MD5 File Name File Type Antivirus
May 27, 2016, 6:43 p.m. d1e75b274211a78d9c5d38c8ff2e1778 zcrypt.ex_ PE32 executable (GUI) Intel 80386, for MS Windows 39/57

AppGuard runs out-of-the-box in protection mode Protected with default User Space settings.

Again, AppGuard blocked the execution of z_crypt.exe, thus prevented the malware from becoming persistent and from encrypting my documents:

AppGuard stops ZCryptor

AppGuard stops ZCryptor

Even if one receives ZCryptor on a portable device AppGuard will block the execution due to the default Removable Media rule:

AppGuard Removable Media default rule

AppGuard Removable Media default rule

More about AppGuard next week.

Have a good weekend.

Attention! Attention! Ransomware Cerber talks to you

16 April 2016

I use Adobe Flash Player only if there’s no other way. The plugin is deactivated by default, and activated only in the case I view an SC Magazine seminar.

Nevertheless, the latest security flaws, in particular CVE-2016-1019, must be patched as soon as possible. Because this bug was being exploited in drive-by download attacks that infect computers with ransomware Cerber after visiting tainted websites.

New on Cerber is that it has a computer-generated voice. And, that the malware is delivered by a drive-by download. With this, the first line of defense, your users, is of limited effectiveness because they are unable to determine that they were tricked.

From my point of view, a next generation endpoint protection tool, that containerizes all applications which connect to the Internet, is the means of choice in the defense of drive-by attacks. Since I am a strong advocate of the Zero-Trust Network concept, I recommend to containerize applications even if they access internal network resources only.

In addition, containerization frees us from the patching treadmill, at least to some extent, since we are no longer forced to install every patch on thousands of computers.

Unfortunately, Microsoft missed the opportunity to run Flash Player more secure in Windows 10.

Process Explorer View of Edge and FLashPlayer

Process Explorer View of Edge and Flash Player. Click to enlarge.

Edge runs by default at integrity level AppContainer. This makes sure that access to system resources is widely blocked. By contrast, Flash Player has access to lots of system resources because it runs at Medium Integrity Level.

Have a good weekend, and patch your Flash Player!