No-Cost Solution to Ransomware (Neem-Karela Treatment)
Suddenly I find a number of posts and news items on ransomware attacks these days, and many anti-malware or consulting companies rushing to CISOs offering their help. We have a flurry of mails and WhatsApp posts regarding the advisories on how to tackle this issue.
Very recently the Petya cryptoware attack brought many big business houses to a halt, bringing huge media coverage and a sense of fear. I am told that a few companies did not allow their Microsoft-based computers to be switched on till a solution to tackle the issue was found.
I also read some reports indicating that the profits of security vendors are likely to increase significantly after the WannaCry incident.
In a series of posts, I will share my experience of how I protect my computers from such malware attacks even without any anti-malware solution.
I call it the Neem-Karela treatment. Neem is the name of a large tree of India, Azadirachta indica, all parts of which are useful to mankind. Its leaves act as a natural pesticide. Karela is Momordica charantia, also known as bitter melon/gourd. This too has great medicinal value in protecting the human body from many ailments and infections. Both are bitter in taste and hence generally not liked by most of us, even though they are available almost for free. If taken regularly, the human body develops immunity against many harmful diseases.
The Neem-Karela treatment of malware is based on the assumption that it should come at a lower cost of operation (almost no investment) but is sure to inconvenience (bitter) the administrators and end-users. It is also, for sure, the best defence against malware, especially cryptoware or ransomware.
How does ransomware reach end-points?
Now, before we go for treatment of ransomware, let us see how it gets transmitted to our end-points.
Most ransomware, even WannaCry or Petya, has travelled to end-points through email. These are mostly phishing emails whose attachments users click on out of curiosity, greed or ignorance. In almost all cases such emails come from unknown sources. Generally such emails are generated using tools that send mail to a large number of email accounts, which the cyber criminals mine from the Internet or buy from hackers. In order to ensure that such mails are not treated as spam by anti-spam devices or by the settings of email service providers, they are sent from different source addresses generated by the tool. Hence, quite likely the same mail reaches different destinations from different source addresses.
As a practice, therefore, mail administrators block such source addresses as and when they are ‘reported’, and yet find themselves unable to stop another such mail coming in.
What if I don’t allow these mails to travel to my computer?
Obviously, whether coming from the same source address/domain or a different one, users will not get the mails in their Inbox. Hence, ignorance, curiosity, greed – whatever the case, the ransomware is prevented!
I don’t have to worry about activities such as Microsoft patch updates or anti-malware definition updates. (In any case, they are reactive steps, and even with all these actions completed there is no assurance that the malware will not get dropped at end-points.) I don’t have to wait for advisories from CERTs or vendors, and of course I need not worry about any additional budget from the CFO.
So you may agree that if I don’t allow these mails to travel to my computers, I will not have to worry about any malware that comes through email.
How can I achieve this?
Do email white-listing. That means: create a list of known source addresses or domains from which you would like to receive mails, and configure your email server in such a way that mails from any source not included in the whitelist are NOT allowed to enter the mailbox of the end-point user.
Now consider: even if the end-points didn’t have the latest OS patches or didn’t even have any anti-virus solution (even though both are part of basic hygiene), would any user cry for getting infected by WannaCry or Petya or the like?
But that is painful to achieve (that is why I call it the Neem-Karela treatment).
Let us first take up the end-user’s pain.
Every user may receive mail from a new vendor or other useful sender. This restriction to white-listed sources will not let that happen, resulting in possible business or opportunity loss. That is just not acceptable. End-users will do their best to resist this restriction, especially given the perception that IT is there for business enablement and not for ‘disablement’.
So IT will have to ensure that this ‘business or opportunity loss’ is reduced to the minimum. That is where IT will have to take the pain (neem-karela).
Now let us take up IT’s pain.
If IT takes the following steps, the issue raised above can be resolved to a great extent –
a. Collect all the destination email addresses and domains of the last six months’ outgoing mails. This list should be part of the whitelist. Most likely all the known sources with which the business interacts will fall within this.
b. Advise end-users to send email addresses for white-listing if they expect mails from non-whitelisted addresses, to avoid any delay (neem-karela for both users and IT).
c. Configure the email server in such a way that all ‘rejected’ mails (mails NOT from whitelisted sources) are quarantined to a separate folder and an alert mail is generated. The number of such mails will gradually decrease over a period of time.
d. The user or admin will pull such mails to the Inbox if they seem to be from an authentic source; else the mail will be deleted. This, of course, will delay mail delivery (another neem-karela dose!). All such sources should become part of the whitelist.
e. All mails sent by users to external domains should automatically make the recipient part of the whitelist, so that the reply is delivered without delay.
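Steps a to e above, modelled as a small Python class so the whole cycle can be traced end to end (an added example, not the author's configuration or any particular mail server's): the whitelist is seeded from a six-month outbound log, non-whitelisted senders land in a quarantine list, an admin release also whitelists the source, and every outbound recipient is added automatically. All addresses, dates and log entries are constructed.

```python
from datetime import date, timedelta

# Constructed sample of the outgoing-mail log: (date sent, external recipient).
OUTBOUND_LOG = [
    (date(2017, 6, 20), "orders@supplier.example"),
    (date(2017, 5, 3), "jane@partner.example"),
    (date(2016, 11, 1), "old@former-vendor.example"),  # older than six months
]
TODAY = date(2017, 6, 30)  # constructed "now" for the six-month window


class SenderAllowlist:
    """Whitelist of sender addresses and domains, plus the quarantine folder."""

    def __init__(self, addresses=(), domains=()):
        self.addresses = {a.lower() for a in addresses}
        self.domains = {d.lower() for d in domains}
        self.quarantine = []  # (sender, subject) pairs awaiting review

    @classmethod
    def from_outbound_log(cls, log, today=TODAY, days=183):
        """Step a: seed the list with everyone we mailed in the last six months."""
        cutoff = today - timedelta(days=days)
        recent = [rcpt for sent, rcpt in log if sent >= cutoff]
        return cls(recent, [r.split("@")[1] for r in recent])

    def is_allowed(self, sender):
        sender = sender.lower()
        return sender in self.addresses or sender.split("@")[-1] in self.domains

    def filter_inbound(self, sender, subject):
        """Step c: deliver whitelisted senders, quarantine everything else.
        Caveat: a sender address is supplied by the sender, so this check only
        holds up when the server also authenticates it (SPF/DKIM/DMARC)."""
        if self.is_allowed(sender):
            return "INBOX"
        self.quarantine.append((sender.lower(), subject))
        return "QUARANTINE"  # the alert mail to the admin would be sent here

    def release(self, sender):
        """Step d: admin confirms a quarantined sender; mail is released, source whitelisted."""
        sender = sender.lower()
        released = [s for a, s in self.quarantine if a == sender]
        self.quarantine = [(a, s) for a, s in self.quarantine if a != sender]
        self.addresses.add(sender)
        return released

    def record_outbound(self, rcpt):
        """Step e: every external recipient is whitelisted so the reply is not delayed."""
        self.addresses.add(rcpt.lower())
```

Mail from a domain the business already writes to passes at domain level, while a sender first seen only in a reply is whitelisted as an individual address; widening that to the whole domain is a policy choice left to the administrator.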
As brought out earlier, if IT support and end-users are willing to take a little pain (neem-karela dose), we can do away with the threat of malware landing on our end-points through email.
Buy 1, get 2 free. That is interesting! If you are willing to take this neem-karela dose, do you still need an anti-spam and anti-cryptoware solution? You get freedom from these two by implementing one neem-karela configuration. Huge savings at no extra cost! Isn’t it?