As many of you may know, during the last few days the media have reported a series of attacks on organizations such as La Ser or Everis caused by a ransomware that has encrypted most of the files stored on their workstations and even in their infrastructure.
This type of situation has occurred on a massive scale over the last few months due, in large part, to the resurgence of an old acquaintance, Emotet, which started a specific infection campaign in Europe during the second half of September and has wreaked havoc in many national companies during this period.
Over the past month, Midway has helped many companies manage these crisis situations and ensure the successful removal of such ransomware, not only through automated threat cleanup, but also by establishing specific action plans to prevent as much as possible future infections using the same attack vectors.
What we would like to share with you in this blog post are a series of measures that we strongly urge you to take, as they could reduce a high percentage of future infections and lateral movements within your company.
Before starting, it is important that we are clear about the phases followed to infect a computer in a company and then spread laterally to infect more computers:
Our recommendations are focused on mitigating the first part of the infection process as, by doing so, we will largely prevent the "trigger" of the whole sequence:
1. Disable PowerShell. This can be done by means of a GPO through Software Restriction Policies (SRP), applying the policy to the OU/OUs where all the computers of our organization are located:
NOTE: This GPO can be bypassed by copying powershell.exe to a different path in the operating system. However, a malware that runs PowerShell through an embedded macro is unlikely (though not impossible) to copy powershell.exe to a different location before running it. Ideally, a combination of Path + File Hash rules would be preferable, but the hash rule requires more maintenance because some updates change the powershell.exe file and therefore its hash.
2. Disable macros in Office, at least in Word and PowerPoint, as disabling them in Excel could have an impact on certain legitimate processes in your company. It is recommended to perform an analysis and exclude those users who do need to use macros in Excel. To achieve this, we simply need to create the following GPO and link it to the OU/OUs where all the users of our organization are located, with the following configuration:
NOTE: The Office version for which this GPO applies is Office 2016 (16.0, as shown in the Key column). If you want to apply this configuration to older versions of Office, simply change the 16.0 in each registry key to the appropriate number. To find the number that corresponds to each version of Office, see the list below:
3. Cloud-delivered protection and Automatic sample submission. If you are using Windows 7, 8 or 10 with Defender installed, you should enable this option so that a potentially suspicious file is uploaded to the Microsoft cloud to confirm whether it is malicious. More information at the following link.
4. Known Folder Move (KFM) in OneDrive. If you use Windows 10 and have Office 365 as your productivity platform, we recommend activating the free OneDrive feature that automatically copies your relevant information (Desktop, Downloads, Images, Documents, etc.) to OneDrive. In case of encryption, you will be able to recover it quickly.
If you also have Windows 10 version 1709 or higher, enable the Ransomware Protection feature, which automates the entire recovery process. For more information on how it works and how to configure it, click the following link.
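To verify that the controls above actually reached a workstation, here is an added read-only audit script (not part of the original post or a Midway tool) that reports the local state of the PowerShell SRP rule, the Word/PowerPoint macro policy, cloud-delivered protection, sample submission, and controlled folder access. It assumes Office 2016 or later (policy keys under 16.0) and a machine with the Defender PowerShell module; it changes nothing.

```powershell
# Added audit script: reports whether the recommended controls are applied locally.
# Assumptions: Office 2016+ (policies under ...\Office\16.0), Windows Defender present.

function Get-SrpPowerShellRules {
    # SRP path rules at level 0 ("Disallowed") live under this key; each rule is a GUID subkey.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        if ($rule.ItemData -match 'powershell') { $rule.ItemData }
    }
}

function Get-MacroPolicy {
    param([string]$App)   # 'Word' or 'PowerPoint'
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App         = $App
        VBAWarnings = $(if ($p) { $p.VBAWarnings })
        Compliant   = [bool]($p -and $p.VBAWarnings -eq 4)
    }
}

$findings = @()
$srp = @(Get-SrpPowerShellRules)
$findings += [pscustomobject]@{ Control = '1. SRP rule blocking powershell.exe'; State = ($srp -join '; '); OK = ($srp.Count -gt 0) }

foreach ($app in 'Word', 'PowerPoint') {
    $m = Get-MacroPolicy $app
    $findings += [pscustomobject]@{ Control = "2. $app macros disabled (VBAWarnings=4)"; State = $m.VBAWarnings; OK = $m.Compliant }
}

$mp = Get-MpPreference
# MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
$findings += [pscustomobject]@{ Control = '3. Cloud-delivered protection (MAPSReporting)'; State = $mp.MAPSReporting; OK = ($mp.MAPSReporting -eq 2) }
# SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all samples.
$findings += [pscustomobject]@{ Control = '3. Automatic sample submission'; State = $mp.SubmitSamplesConsent; OK = ($mp.SubmitSamplesConsent -in 1, 3) }
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
$findings += [pscustomobject]@{ Control = '4. Controlled folder access (Ransomware protection)'; State = $mp.EnableControlledFolderAccess; OK = ($mp.EnableControlledFolderAccess -eq 1) }

$findings | Format-Table -AutoSize
```

Run it in an elevated session on a test workstation after a `gpupdate /force`; any row with OK = False points at a GPO that has not applied or a registry value that differs from the intended setting.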
You already know that at Midway we are improving day after day so that, through the implementation of basic security measures and without large investments, our customers are able to reduce infections in their corporate environments as much as possible by using any of the security solutions of Microsoft 365 and Microsoft Azure.
If you have any questions, you are affected by any kind of malware or simply want us to advise you and help you in the remediation and/or implementation of specific action plans to increase the security of your systems, do not hesitate to contact us.