- “PwndLocker” Ransomware, March 2020
- “Nemty” Ransomware, February 2020
- “DoppelPaymer” Ransomware, February 2020
- Ransomware Attack at Natural Gas Compression Facility, February 2020
- “Ransomwared” Ransomware, February 2020
- University pays 30 million, February 2020
- “Emotet” Trojan, enabling ransomware, February 2020
- “WannaCry” continued fallout at NHS, January 2020
- “Ryuk” Ransomware, January 2020
- “Ako” Ransomware, January 2020
- “SNAKE” Ransomware, January 2020
- Marketing company detrimentally affected by Ransomware, January 2020
Ransomware in Industrial Control Systems
Now that we’ve established that ransomware is running wild in enterprise networks, it’s important to establish that the threat isn’t confined to the office and datacenter: malware is making its way into ICS networks because these once-disparate networks are increasingly connected. Even if you aren’t an asset owner in the manufacturing, petrochemical, transportation or energy verticals, there’s a good chance you have industrial control systems in your environment (think building automation control systems such as HVAC, elevators, backup generators and a myriad of other electrical control systems). Whether intentionally or not, ransomware perpetrators have declared war on control networks. Specific cases include Norsk Hydro, the above-mentioned incident at a natural gas compression facility, and an event at EVRAZ steel in North America that caused a plant shutdown and, according to some sources, resulted in temporary layoffs. The moral of the story is this: don’t forget to implement ransomware prevention steps on IT-like systems (Windows servers and workstations) that exist in your industrial networks (such as HMIs, engineering workstations, etc.) or that have access to industrial networks (such as historians, MES, Exchange, Active Directory, remote access servers, etc.).

Use Tripwire Enterprise to verify your configurations

- AntiVirus/Malware Status
  - Verify That Anti-Virus Software Is Installed
  - Verify That Anti-Virus Software Is Running Correctly
- AppLocker Enforcement
  - AppLocker EXE Enforcement Mode: Enforcing Rules
  - Validate That the 'AppIDSvcStatus' Is Running
  - Validate That vssadmin.exe Is Denied by AppLocker
  - Validate That wscript.exe Is Denied by AppLocker
- Backup Software Status
  - Verify That Backup Agent Software Is Installed
  - Verify That Backup Agent Software Is Running
- Credential Hardening
  - Credential Protection
    - Admin Approval Mode for the Built-in Administrator Account: Enabled
    - Apply UAC Restrictions to Local Accounts on Network Logons: Enabled
    - Run All Administrators in Admin Approval Mode: Enabled
    - WDigest Authentication: Disabled
  - Password Complexity
    - Maximum Password Age Is Greater than 0 and Less than or Equal to 60
    - Minimum Password Age Is Greater than or Equal to 1 Day
    - Minimum Password Length Is Greater than or Equal to 14 Characters
    - Password Complexity: Enabled
    - Password History Memory Is Equal to 24
    - Password Reversible Encryption: Disabled
- File Server Resource Manager (FSRM)
  - FSRM Configuration
    - FSRM File Group - Ransomware Extensions Configured
    - FSRM File Screen - Exists
    - FSRM File Screen Templates - Ransomware Blocking Exists
    - FSRM File Screen Templates - Screening Type Active
  - Windows Feature Installation
    - FS-FileServer Installed
    - FS-Resource-Manager Installed
- Hidden File Extensions
  - User File Extensions Hidden Is Disabled
- Operating System Updates
  - Missing Patches: None Missing
- PowerShell Settings
  - PowerShell Script Execution Disabled
- Remote Desktop Protocol
  - RemoteInteractiveLogonRight: Doesn't Contain Administrators
  - Require User Authentication for Remote Connections by Using Network Level Authentication: Enabled
  - Set Time Limit for Active Remote Desktop Services Sessions: Enabled
  - Set Time Limit for Active but Idle Remote Desktop Services Sessions: Enabled
  - Set Time Limit for Disconnected Sessions: Enabled
  - Terminate Session When Time Limits Are Reached: Enabled
- SMBv1 Configuration
  - Verify That the SMBv1 Protocol Is Disabled on the SMB Client
  - Verify That the SMBv1 Protocol Is Disabled on the SMB Server
- Windows Admin Shares
  - Default Share: Not Shared
  - Remote Admin: Not Shared
  - Remote IPC: Not Shared
  - Server Service: Disabled
- Windows Defender
  - Windows Firewall - Blacklisted Ports Blocked
  - Windows Firewall - Enable Firewall
  - Windows Firewall - Inbound: Blocked (Default)
  - Windows Firewall - Log Dropped Packets: Enabled
  - Windows Firewall - Log File Is Configured
  - Windows Firewall - Log Size Is Equal to or Greater Than 16M
  - Windows Firewall - Log Successful Connections: Enabled
  - Controlled Folder Access: Enabled
- Windows Remote Management
  - WinRM Service: Disabled
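For readers who want to spot-check a host before or between Tripwire Enterprise runs, the following is an added example (it is not Tripwire's policy content or code) of a read-only PowerShell audit that approximates a subset of the checks above on the local machine. The mapping from each test name to a registry value, service state or cmdlet property is this example's assumption, based on the standard policy locations for those settings; it is meant to be run from an elevated session and only reads configuration, never changes it.

```powershell
# Added example, not Tripwire Enterprise policy content. Approximates a subset of the
# ransomware-hardening checks listed above on the local host and reports PASS/FAIL with
# the observed value. Read-only; run from an elevated PowerShell session.

function Get-RegValue {
    # Return a registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Invoke-RansomwareHardeningAudit {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check {
        param([string]$Name, [bool]$Pass, [string]$Observed)
        $status = 'FAIL'; if ($Pass) { $status = 'PASS' }
        $results.Add([pscustomobject]@{ Check = $Name; Result = $status; Observed = $Observed })
    }
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # --- Credential Protection (UAC and WDigest policy values) ---
    $wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    Add-Check 'WDigest Authentication: Disabled' ($wdigest -eq 0) "UseLogonCredential=$wdigest"
    $lua = Get-RegValue $sys 'EnableLUA'
    Add-Check 'Run All Administrators in Admin Approval Mode: Enabled' ($lua -eq 1) "EnableLUA=$lua"
    $fat = Get-RegValue $sys 'FilterAdministratorToken'
    Add-Check 'Admin Approval Mode for the Built-in Administrator Account: Enabled' ($fat -eq 1) "FilterAdministratorToken=$fat"
    # Restrictions apply when the value is 0 or absent; 1 exempts local admins from token filtering on network logons.
    $latfp = Get-RegValue $sys 'LocalAccountTokenFilterPolicy'
    Add-Check 'Apply UAC Restrictions to Local Accounts on Network Logons: Enabled' ($latfp -ne 1) "LocalAccountTokenFilterPolicy=$latfp"

    # --- SMBv1 Configuration ---
    $srv = Get-SmbServerConfiguration
    Add-Check 'SMBv1 Disabled on SMB Server' (-not $srv.EnableSMB1Protocol) "EnableSMB1Protocol=$($srv.EnableSMB1Protocol)"
    # Client side: the mrxsmb10 driver start type (4 = disabled, or key absent) is used as the indicator.
    $mrx = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' 'Start'
    Add-Check 'SMBv1 Disabled on SMB Client' ($null -eq $mrx -or $mrx -eq 4) "mrxsmb10 Start=$mrx"

    # --- Remote Desktop Protocol: Network Level Authentication ---
    $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    Add-Check 'RDP Network Level Authentication: Enabled' ($nla -eq 1) "UserAuthentication=$nla"

    # --- AppLocker Enforcement ---
    $appid = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    Add-Check 'AppIDSvc Is Running' ("$($appid.Status)" -eq 'Running') "Status=$($appid.Status)"
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $exe = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
        Add-Check 'AppLocker EXE Enforcement Mode: Enforcing Rules' ("$($exe.EnforcementMode)" -eq 'Enabled') "EnforcementMode=$($exe.EnforcementMode)"
        foreach ($bin in 'vssadmin.exe', 'wscript.exe') {
            # Evaluate the effective policy for the binary as Everyone; Denied/DeniedByDefault both mean blocked.
            $decision = ($policy | Test-AppLockerPolicy -Path "$env:SystemRoot\System32\$bin" -User Everyone).PolicyDecision
            Add-Check "$bin Is Denied by AppLocker" ("$decision" -like 'Denied*') "PolicyDecision=$decision"
        }
    } catch { Add-Check 'AppLocker Policy Readable' $false $_.Exception.Message }

    # --- Windows Defender: Controlled Folder Access (1 = Enabled, 2 = Audit mode) ---
    $cfa = (Get-MpPreference -ErrorAction SilentlyContinue).EnableControlledFolderAccess
    Add-Check 'Controlled Folder Access: Enabled' ($cfa -eq 1) "EnableControlledFolderAccess=$cfa"

    # --- Windows Firewall: every profile (Domain/Private/Public) must satisfy each condition ---
    $profiles = Get-NetFirewallProfile
    $fwOff = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' })
    Add-Check 'Windows Firewall - Enable Firewall' ($fwOff.Count -eq 0) ("Enabled=" + ($profiles.Enabled -join ','))
    $inAllow = @($profiles | Where-Object { "$($_.DefaultInboundAction)" -eq 'Allow' })   # NotConfigured defaults to Block
    Add-Check 'Windows Firewall - Inbound: Blocked (Default)' ($inAllow.Count -eq 0) ("DefaultInboundAction=" + ($profiles.DefaultInboundAction -join ','))
    $noLog = @($profiles | Where-Object { "$($_.LogBlocked)" -ne 'True' -or "$($_.LogAllowed)" -ne 'True' })
    Add-Check 'Windows Firewall - Log Dropped Packets and Successful Connections: Enabled' ($noLog.Count -eq 0) ("LogBlocked/LogAllowed=" + (($profiles | ForEach-Object { "$($_.LogBlocked)/$($_.LogAllowed)" }) -join ','))
    $small = @($profiles | Where-Object { $_.LogMaxSizeKilobytes -lt 16384 })
    Add-Check 'Windows Firewall - Log Size Is Equal to or Greater Than 16M' ($small.Count -eq 0) ("LogMaxSizeKilobytes=" + ($profiles.LogMaxSizeKilobytes -join ','))

    # --- Windows Remote Management and PowerShell ---
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    Add-Check 'WinRM Service: Disabled' ("$($winrm.StartType)" -eq 'Disabled') "StartType=$($winrm.StartType)"
    $ep = Get-ExecutionPolicy -Scope LocalMachine
    Add-Check 'PowerShell Script Execution Disabled (LocalMachine policy Restricted)' ("$ep" -eq 'Restricted') "ExecutionPolicy=$ep"

    return $results
}

Invoke-RansomwareHardeningAudit | Format-Table -AutoSize
```

Each check records the observed value next to its verdict so a FAIL can be traced to the exact setting rather than just a test name. Checks that depend on roles not present on every host (FSRM file screens, backup agents, password policy, the RDP logon right) are deliberately left out here; Tripwire Enterprise's policy tests cover them, and `Get-FsrmFileScreen` or `secedit /export` can be folded in using the same `Add-Check` pattern where those roles exist.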