Ransomware is targeted at user workstations and often uses social engineering to get the user to initiate the ransomware. System/network administrators and developers are targeted using polluted utilities. Find out more at https://www.osirium.com

1. Ransomware: Understanding the threat and
blocking lateral movement

2. 2
Ransomware is a serious problem that starts in
user space and migrates across infrastructure
until an organisation cannot function.
Ransomware is targeted at user workstations
and often uses social engineering to get the user
to initiate the ransomware. System/network
administrators and developers are targeted using
polluted utilities.
This all means that it is very hard to defend the
various perimeters in your infrastructure. You'll
need to rely on full coverage of currently updated
anti-malware on ALL systems that access your
infrastructure - this means not only your staff, but
your contractors, vendors, auditors and any
other third-party granted access.

3. 3
It's generalisation, but there are three 'bands' of
ransomware:
User space: Typically, end-user workstations and laptops.
Often, the ransomware needs no special privileges and
tends to encrypt files normally seen by the user
immediately and asks for the ransom once it has
encrypted documents and images. It will continue to
encrypt whilst the demand banner is up.
System space: The shared IT systems, services and data
that are key to the business operations. This variety of
ransomware uses the underlying file system or device
drivers to encrypt local files. It then infects files migrates
on to user shares. It continues to serve files to the user for
weeks, so that both encryption and infection are well
embedded into the backup cycle. Once the trigger day has
passed the demand banner is shown on all infected
systems. Systems that are returned from an infected
backup will immediately show the demand banner. This is
the most dangerous type of attack.
Pop-up nuisance: This merely pops up a banner over the
entire screen demanding the bitcoin ransom. In reality, it
has done nothing to the file system, it is mostly designed
to fool home users and harvest a little bitcoin as well.

4. 4
Once running, ransomware seeks to infect and
encrypt all the files it can find.
The initial spread of ransomware is limited to
whatever 'patient zero' can access.
Ransomware seeks out network file shares
which means other users can pick up the
infection thus causing the spread.

5. 5
There are two important factors here. If 'patient zero'
has administrator rights - they can access a lot more
than a regular user. The second factor is time.
Ransomware generally has a delay so that other
users can get infected and thus increase the reach of
the attack.
Ransomware is a specific type of malware - so anti-
malware tools are the first line of defence. However,
all organisations should realise that 100% coverage
of all workstations is impossible and there are always
new variants that elude anti-malware. Thus, the
second line of defence is vital.

6. 6
In cybersecurity, we first need to know which
data assets are the most important to the
organisation, and which assets if lost would stop
the company from operating.
These then drive our backup policy - given that
we have to take into account that we could be
backing up assets that are already polluted with
ransomware.
Knowledge of the critical assets will also drive
our file sharing and permissions policy. Critical
systems should never use the same file shares
as the general user base

7. 7
Typically, once the ransomware has found the
accounts and data that is most valuable, it will
then hunt out backup systems.
The ransomware could infect the backup files or
even delete the backups. It will lie dormant until
a typical multi-tier backup cycle has completed to
make it hard for the victim to restore their
systems.
It’s only once the backups are compromised that
the attack become active and starts encrypting
data.

8. 8
Multiple layers of protection are needed. As the
starting point for most attacks are user’s
workstations, a good place to start is removing
any standing Local Admin rights as that lets the
malware be installed.
Osirium Privileged Endpoint Management (PEM)
solution does just that – remove local admin
rights, but let users run approved applications
with elevated privileges when needed.

9. 9
Osirium Privileged Access Management (PAM) is
the “virtual air gap” that prevents ransomware
spreading from infected workstations to critical
infrastructure such as backup management
systems.
Using automation as an insulating layer between
users and critical systems is by far the safest
long-term protection. Osirium Automation (built
on Osirium’s PPA platform) wraps processes as
a series of tasks run on a secure appliance on
the requesting user’s behalf. This is the best
separation you can get.
The combination of PEM, PAM and PPA from
Osirium creates a series of security cells around
your systems that help prevent lateral movement
of Ransomware from the user's workstations to
your more critical systems.

10. 10
Osirium offer a special bundle of access
management to protect backup systems from
Ransomware, known as Osirium Fast Protect.
It protects up to 10 devices for 3 years and
includes professional services to get the service
running fast.
A special, time-limited offer makes this protection
available for just £4,995.
To get protect your infrastructure and critical data
against ransomware attacks, visit
https://www.osirium.com/osirium-fast-protect.