As I was coaxing myself awake this morning with my usual jolt of strong coffee, I checked my favorite news sites and was informed of yet another ransomware attack. This one, which is believed to have originated in Ukraine, was first thought to be a variant of last year's Petya ransomware outbreak, but on further investigation it appears to be a new type of malware: a worm that some computer experts are calling "NotPetya". The attack demands a relatively small ransom (in comparison to other attacks) of approximately $300, and then gets on with its primary purpose: wiping files on the computer. According to researchers at Symantec, it spreads using the same National Security Agency hacking tool, EternalBlue, that was used in the WannaCry outbreak, along with two other propagation methods. According to this article on CNN, if you've installed all of the latest Windows patches you should be safe from this particular strain of malware, but that is by no means a reason to be complacent. Administrators and end users must still be mindful of basic safety precautions.
Due to the proliferation of Malware as a Service (MaaS), just about anyone with the desire and the funds can initiate a malware attack, making new & emerging threats a real concern for the foreseeable future. This presents a good opportunity to review best practices for avoiding ransomware - for end users, and for administrators via the tools available in MDaemon and Security Gateway.
How can end users protect themselves from ransomware?
End users should be aware of the following 18 email safety tips, which originally appeared in this post.
- Change your password often.
- Use strong passwords. Never use a password that contains “password” or “letmein”.
- Use a different password for each of your accounts. If you use the same password for your bank account as you do for your email account, you become much more vulnerable to data theft.
- Don’t open an attachment unless you know who it is from & are expecting it. Many of today's social engineering tactics rely on the ability to trick users into opening attachments.
- Be cautious about email messages that instruct you to enable macros before downloading Word or Excel attachments. This article provides a good overview of why you should not enable macros in Microsoft Word.
- Use anti-virus software on your local machine, and make sure it’s kept up-to-date with the latest virus definitions.
- If you receive an attachment from someone you don’t know, don’t open it. Delete it immediately.
- Learn how to recognize phishing:
– Messages that contain threats to shut your account down
– Requests for personal information such as passwords or Social Security numbers
– Words like “Urgent” – false sense of urgency
– Forged email addresses
– Poor writing or bad grammar
- Hover your mouse over links before you click on them to see if the URL looks legitimate.
- Instead of clicking on links, open a new browser and manually type in the address.
- Don’t give your email address to sites you don’t trust.
- Don’t post your email address to public websites or forums. Spammers often scan these sites for email addresses.
- Don’t click the “Unsubscribe” link in a spam email. It would only let the spammer know your address is legitimate, which could lead to you receiving more spam.
- Understand that reputable businesses will never ask for personal information via email.
- Don’t send personal information in an email message.
- Don’t reply to spam. Be aware that if you reply to a spam email, your reply will most likely not go back to the original spammer, because the FROM header in the spam message will most likely be forged.
- Don’t share passwords.
- Be sure to log out.
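Several of the phishing indicators listed above (urgency wording, a Reply-To that does not match the From address, links whose visible text names one site while the href points to another) can be checked mechanically before a user ever hovers over a link. The following Python script is an added example written for this post, not code from the original article or from MDaemon; it runs those checks over a constructed sample message using only the standard library. The message, its hostnames and the keyword list are all invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the original post). The visible link text
# names the bank; the href points somewhere else entirely. All hosts use the
# reserved .test TLD.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@notifications-examplebank.test>
Reply-To: recover@mail-recovery.test
To: user@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, we need you to verify your password immediately.</p>
<p><a href="http://login-verify.mail-recovery.test/secure">https://www.examplebank.test/login</a></p>
</body></html>
"""

# Constructed list of phrases that create a false sense of urgency.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "shut down", "verify your password")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_header):
    """Domain part of an address header such as '"Name" <user@host>'."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def _host(url):
    """Hostname of a URL; bare 'www.host/path' strings are given a scheme first."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def phishing_indicators(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # 1. False sense of urgency in subject or body text (tags stripped).
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 2. Forged or mismatched sender: replies would go to a different domain.
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Link text that looks like a URL but does not match where the href goes.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        shown_host = _host(shown) if ("." in shown and " " not in shown) else ""
        if shown_host and shown_host != _host(href):
            findings.append(f"link text shows {shown_host} but points to {_host(href)}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

The third check is the programmatic form of the "hover over links" tip: it compares the host a reader sees with the host the browser would actually open.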
How can administrators protect their systems from ransomware?
The battle against ransomware cannot be fought by users alone. Administrators must also take steps to lock down their email infrastructure. These best practices will help protect your network and users.
Best Practices for MDaemon Administrators
- Enable account hijack detection. This feature will automatically disable an account if a designated number of messages are sent from it via an authenticated session in a given period of time. When the account is disabled, the administrator receives a notification so that corrective action can be taken. Instructions for configuring account hijack detection can be found in this knowledge base article.
- Enable dynamic screening. Dynamic screening is a feature that blocks future connections from a connecting server or client based on its behavior. Instructions for configuring dynamic screening can be found here.
- Configure the IP Shield. The IP Shielding feature allows administrators to assign an IP address (or IP address range) to email messages from a given domain. Messages claiming to come from a specific domain must originate from one of the approved IP addresses. Exceptions can be made for users connecting from outside of the network who are using SMTP authentication. Click here for instructions.
- Require SMTP Authentication. This helps ensure that the user authenticates with a valid username and password. Instructions can be found here.
- Use DKIM & SPF to detect spoofing. DKIM uses a private/public key pair to authenticate a message: the sending server signs the message with its private key, and when a signed message arrives, a DNS record lookup is performed on the domain taken from the signature and the signature is verified against the public key published in that domain's DNS records. SPF uses a DNS record that lists the hosts allowed to send mail on behalf of a domain.
- Enable DMARC & configure your DMARC record. DMARC (Domain-based Message Authentication, Reporting & Conformance) allows domain owners to instruct receiving servers on how to handle messages claiming to come from their domain that fail the DKIM and SPF checks. Learn more here.
- Ensure that all connections (SMTP, POP, IMAP) use SSL. SSL (Secure Sockets Layer) is a method for encrypting the connection between a client and a server, as well as between two servers. Learn more here.
- Have a backup strategy. If by chance malware still manages to infect your network, your last resort is to have a reliable backup strategy. Ideally, you should have your systems backed up off-site and, for added safety, secondary backup data should be saved to media that is not connected to the network.
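The IP Shield rule and the account hijack threshold described above are simple enough to model directly. The following Python is an added example written for this post, not MDaemon code and not its configuration format; the shield table, the session log and the threshold values are constructed, using documentation IP ranges. It evaluates each session the way the two features are described: a message claiming a shielded domain from an unapproved address is rejected unless the client authenticated, and an account that exceeds the send limit within the time window is disabled.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed IP Shield table: MAIL FROM addresses in these domains must arrive
# from the listed networks (RFC 5737/3849 documentation ranges, not real hosts).
IP_SHIELD = {
    "example.com": [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8::/32")],
}


@dataclass
class Session:
    ts: int                          # seconds since start of the constructed log
    client_ip: str
    authenticated_as: Optional[str]  # username if SMTP AUTH succeeded, else None
    mail_from: str


def ip_shield_check(session, shield=IP_SHIELD, exempt_authenticated=True):
    """Return (accepted, reason) for one session under the IP Shield rule."""
    domain = session.mail_from.rpartition("@")[2].lower()
    if domain not in shield:
        return True, "domain not shielded"
    if exempt_authenticated and session.authenticated_as:
        # The exception the text mentions: roaming users who authenticated.
        return True, "authenticated sender exempt"
    ip = ipaddress.ip_address(session.client_ip)
    if any(ip in net for net in shield[domain]):
        return True, "client in approved range"
    return False, f"{session.client_ip} not approved for {domain}"


class HijackDetector:
    """Sliding window over authenticated sends: more than `limit` messages
    within `window` seconds disables the account."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)   # user -> timestamps of recent sends
        self.disabled = set()

    def record(self, session):
        """Record one send; return True if the account is (now) disabled."""
        user = session.authenticated_as
        if not user:
            return False                 # only authenticated sessions count
        if user in self.disabled:
            return True
        q = self.sent[user]
        q.append(session.ts)
        while q and q[0] <= session.ts - self.window:   # drop sends outside the window
            q.popleft()
        if len(q) > self.limit:
            self.disabled.add(user)      # MDaemon would also notify the administrator here
            return True
        return False


def process_log(sessions, limit=5, window=60):
    """Run both checks over a session log; return (rejected, disabled_accounts)."""
    detector = HijackDetector(limit, window)
    rejected = []
    for s in sessions:
        ok, reason = ip_shield_check(s)
        if not ok:
            rejected.append((s.ts, reason))
            continue
        detector.record(s)
    return rejected, sorted(detector.disabled)


# Constructed session log: one spoof attempt and one hijacked account.
SESSIONS = [
    Session(0, "192.0.2.10", None, "alice@example.com"),    # approved relay
    Session(5, "198.51.100.7", None, "alice@example.com"),  # spoofed, foreign IP
    Session(6, "198.51.100.7", None, "bob@other.example"),  # domain not shielded
] + [Session(10 + i, "203.0.113.9", "carol", "carol@example.com") for i in range(6)]

if __name__ == "__main__":
    print(process_log(SESSIONS))
```

Note that the authenticated exemption in the shield check is exactly why the hijack detector matters: once credentials are stolen, the IP Shield no longer helps, and the rate limit is what stops the account being used as a spam source.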
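The SPF, DKIM and DMARC items above describe a three-stage decision: does the connecting IP appear in the envelope domain's SPF record, did the DKIM signature verify, and does DMARC consider whichever identifier passed to be aligned with the visible From domain. The following Python is an added example for this post, not MDaemon code, and it evaluates constructed DNS records offline. Its simplifications are deliberate: it handles only the ip4/ip6/all SPF mechanisms (include, a and mx need live DNS), it takes the DKIM verdict as an input rather than verifying a signature, it approximates the organizational domain with the last two labels instead of the Public Suffix List, and it ignores the sp= and pct= tags.

```python
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against a client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                              # mechanisms default to '+'
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term.lower() == "all":
            return result
        mech, _, value = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return result
    return "neutral"                                 # nothing matched, no 'all'


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")    # relaxed alignment unless the owner says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels (see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: exact match when strict, same organizational domain when relaxed."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, dmarc_record, spf_result, spf_domain, dkim_result, dkim_domain):
    """'pass' if SPF or DKIM passed with an aligned identifier, else the owner's policy."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed records standing in for DNS (documentation ranges, not real data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "mail-recovery.test": "v=spf1 ip4:198.51.100.0/24 -all",
}
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"   # example.com's policy


def evaluate(from_domain, client_ip, envelope_domain, dkim_result, dkim_domain):
    """Chain the checks for a message whose From: header claims `from_domain`."""
    spf_result = spf_check(SPF_RECORDS.get(envelope_domain, "v=spf1 ?all"), client_ip)
    return dmarc_disposition(from_domain, DMARC_RECORD, spf_result, envelope_domain,
                             dkim_result, dkim_domain)
```

The third test below is the case the "Don't whitelist local addresses" item in the Security Gateway list worries about: a message whose From header claims your own domain, sent from a server that passes SPF for some other domain. SPF alone says "pass"; only the DMARC alignment step turns that into a reject.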
More information on these settings can be found in the following guide on best practices for protecting your users:
Best practices for Security Gateway administrators
Security Gateway provides an extra layer of anti-spam, anti-spoofing and anti-malware security, in addition to your mail server's built-in security settings. These best practices will help keep ransomware and other malicious content from reaching your mail server. Each item includes a link with more information.
- Require strong passwords.
- Query a user verification source to ensure that users are valid.
- Require SMTP authentication to prevent unauthorized account access.
- Prevent unauthorized mail relaying.
- Protect your domain with IP Shielding.
- Require SSL encrypted connections.
- Configure backscatter protection.
- Don't whitelist local addresses. If a spam message is spoofed to appear to come from one of your local addresses, a whitelist entry for that address could allow it to bypass various security features. This is why it is recommended that no local addresses be added to your whitelist.
- Enable spam & virus Outbreak Protection.
These steps are discussed in more detail in the following guide:
Of course, no system is 100% foolproof, which is why user education is so important. Remember: your network and email infrastructure are only as secure as their weakest link. It is the responsibility of all parties involved, administrators and end users alike, to help ensure a secure messaging and collaboration environment.