Ransomware: How to reduce your risk of being hit


How do you prevent zero-day ransomware? The answer is surprisingly simple, and it is built into most copies of Microsoft Windows: design and implement an AppLocker policy. I will admit that, without proper training, AppLocker can be challenging to set up and configure (I will describe how we make it very simple in a minute), but first let's talk about AppLocker conceptually. AppLocker functions as a firewall between an application executable, PowerShell script, or DLL and the memory pages of the Windows operating system. Before loading an executable into RAM, AppLocker checks a set of rules to determine whether the user's security context should be allowed to load it. If the executable, script, or DLL does not match a rule, it is blocked from loading into memory.

So now let's think about the implications of this. Suppose you have a computer system with AppLocker configured to allow only the applications installed by the IT administrator to run. When a user unknowingly downloads a zero-day ransomware executable through some hypothetical unpatched exploit in Windows, AppLocker performs a "preflight check" before the executable is allocated memory resources. Because the executable is not recognized, it is blocked from loading into RAM. Because the user is not an administrator, the user's security context, and thus the exploit, cannot override this check. The ransomware is stopped in its tracks. No signature detection from an intrusion detection system or antimalware agent is required.
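To make the concept concrete, here is an added example (not CloudConnect's configuration utility, and not code from this post) that builds a minimal baseline of the kind described, as AppLocker policy XML, and checks it with the built-in Test-AppLockerPolicy cmdlet. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker enforcement; the rule names, the $Mode variable and the dropped.exe test file are constructed for the example.

```powershell
# Baseline intent: non-administrators may run only what was installed into
# Program Files or the Windows folder; administrators are unrestricted.
$everyone = 'S-1-1-0'        # well-known SID for Everyone
$admins   = 'S-1-5-32-544'   # well-known SID for BUILTIN\Administrators
$Mode     = 'AuditOnly'      # start in audit mode, switch to 'Enabled' to enforce

# Emit one FilePathRule element; every AppLocker rule needs a unique GUID Id.
function New-PathRule([string]$Name, [string]$Sid, [string]$Path) {
    "    <FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"$Name`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">`n" +
    "      <Conditions><FilePathCondition Path=`"$Path`" /></Conditions>`n" +
    "    </FilePathRule>`n"
}

# Same three rules for executables, DLLs and scripts, the file types the post names.
$xml = "<AppLockerPolicy Version=`"1`">`n"
foreach ($type in 'Exe', 'Dll', 'Script') {
    $xml += "  <RuleCollection Type=`"$type`" EnforcementMode=`"$Mode`">`n"
    $xml += New-PathRule 'Everyone: Program Files' $everyone '%PROGRAMFILES%\*'
    $xml += New-PathRule 'Everyone: Windows folder' $everyone '%WINDIR%\*'
    $xml += New-PathRule 'Administrators: all files' $admins '*'
    $xml += "  </RuleCollection>`n"
}
$xml += "</AppLockerPolicy>`n"

$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# Constructed test case: the same binary evaluated from a trusted location and
# from a user-writable one. The copy under %WINDIR% matches the Windows-folder
# rule; the copy in %TEMP% matches no rule for Everyone and is therefore blocked.
$dropped = Join-Path $env:TEMP 'dropped.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $dropped -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $dropped |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Path rules allow everything beneath the listed folders, so audit those trees
# for user-writable subfolders before enforcing. To enforce locally, the
# Application Identity service must be running, then merge the policy:
#   Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service AppIDSvc
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```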

So how do we actually do this in production so that IT administrators can roll it out in less than 5 minutes? At CloudConnect, we built AppLocker configuration baselines into our virtual Desktop Configuration Utility. When administrators deploy a user group on CloudConnect using virtual desktops, the MSP or IT professional specifies whether or not to enable the CloudConnect AppLocker baseline policy (it's literally a checkbox option, and that's it). The Desktop Configuration Utility then creates AppLocker rules that prevent non-administrator users from loading executables that are not part of a previously installed program approved by the IT professional.

The results? Quite effective. I can say with confidence that, as of the time of this publication, no business organization using the CloudConnect Platform with the CloudConnect AppLocker Baseline feature enabled has ever fallen victim to a ransomware attack. Let me say that again: no one. Does that mean it can't happen? Well, I suppose there could be vulnerabilities in the AppLocker mechanism itself (and there have been), but this is a much smaller attack surface than what traditional ransomware seeks to attack.

While AppLocker complements antimalware agents in Windows, given the choice between an antimalware agent or AppLocker, I would choose AppLocker any day of the week. To learn more about how the CloudConnect Platform helps organizations everywhere prevent zero-day ransomware, visit www.cloudconnect.net or download our latest White Paper.
