RAA ransomware created using Javascript - expert comments

June 2016 by

Reports surfaced earlier this week that a new type of ransomware has been discovered that is run entirely in JavaScript. Dubbed RAA by researchers, the ransomware has been circulating through attachments masquerading as Word .doc files.

Oliver Pinson-Roxburgh, SE director EMEA at Alert Logic
“Layered security is key for organisations to protect themselves from this type of threat. One of the trends is to attach .js files to emails during phishing campaigns. All too many organisations do not use effective file type blocking, which (although not infallible) is a decent control as a low-hanging-fruit countermeasure.
While it’s not impossible to block it, in order to do it right, controls can start to impede parts of the business’s ability to operate the way they are used to, a challenge security professionals always have to overcome in a pragmatic way. Security should be an enabler to do business faster.
Another way to protect users is to limit the chance of drive-by attacks through effective content filtering.
One thing that organisations often miss is considering how users could be exposed to this sort of attack and why. In some cases the only way you can implement effective controls is to think like the attacker and understand your adversaries. For opportunistic attackers, granted, this is tough, but they are ultimately trying to hit critical systems, encrypt them and hold you to ransom, so think how that could possibly happen and plug the gaps with people, process and technology.
One critical consideration for organisations is how you allow users to access critical infrastructure; often we see users that have had their critical server drives mapped land up with massive issues, because the malware will reach out to the servers through the mapped shares and encrypt them too. Restrict access to critical infrastructure with least privilege and monitor server access for sensitive data leakage. I have seen some malware creating back doors into the environment, and my guess is that in some cases the ransomware is a smoke screen to keep IT busy while they target critical assets.”
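The file-type blocking mentioned above, worked through as an added example (this is not Alert Logic's code or any product's filter). It parses an inbound message with Python's standard `email` library and reports attachments whose name carries a script extension anywhere in it, so a file named to look like a Word document (`invoice.doc.js`) is caught as well as a plain `.js`. The blocked-extension list is an assumed policy, and the sample message is constructed inline.

```python
"""Attachment file-type check for inbound mail (added example, not the vendor's code).

Assumptions not taken from the article: BLOCKED_EXTENSIONS is a policy choice,
and build_sample() fabricates the message it scans.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host or the shell execute directly when opened.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".scr", ".exe"}


def risky_extensions(filename: str) -> list[str]:
    """Return every blocked extension found in the filename, not only the last one,
    so 'invoice.doc.js' and 'invoice.js.doc' are both reported."""
    parts = filename.lower().split(".")[1:]
    return ["." + p for p in parts if "." + p in BLOCKED_EXTENSIONS]


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 5322 message and return (filename, [hits]) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings.append((name, risky_extensions(name)))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """True when any attachment carries a blocked extension."""
    return any(hits for _, hits in scan_message(raw))


def build_sample() -> bytes:
    """Constructed sample: a phishing-style mail whose .js attachment is named
    to look like a Word document, plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"// placeholder bytes, not a real script\n",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.doc.js")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    raw = build_sample()
    for name, hits in scan_message(raw):
        print(f"{name}: {'BLOCK ' + ', '.join(hits) if hits else 'ok'}")
    print("quarantine:", should_quarantine(raw))
```

Checking every extension segment rather than just the final one is the point of the example: a gateway that only looks at the last suffix is trivially bypassed by naming, while one that looks at the whole name still lets ordinary `.docx` and `.pdf` through. A real gateway would also unpack archives before applying the same check.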

Simon Crosby, CTO and co-founder at Bromium
“As long as endpoints execute code from untrusted sources – like the web, documents, USB sticks, attachments and so on – attackers will find the ability to break out of the application to attack the user. Unfortunately the richness of the web demands that endpoints execute untrusted code, so there’s no simple way to ban it. The only way to address this problem is by isolating the execution of untrusted code so that it cannot escape and inflict damage on the endpoint itself.”

Rob Sobers, Director at Varonis
“In this case blocking JavaScript is a total non-starter. The vast majority of modern websites, and especially web applications, rely on JavaScript to function. The programming language is not the threat. To execute RAA, the target has to open a malicious file. This is a pattern we see over and over again: victims opening malicious attachments. Whether it’s C++ or JavaScript or an Excel macro, organisations have to train their users to be extremely sceptical of email attachments and unfamiliar files.
It’s possible to defend against this attack. Good email spam filters can help: most will block JavaScript attachments (though they won’t prevent a user from downloading the JavaScript from a website). IT can also restrict the context in which JavaScript files can run on a user’s computer using Group Policy and related tools.
What’s really scary is that some JS-based ransomware attacks are orchestrated as drive-by attacks—the user doesn’t have to click on a malicious attachment to be infected, they simply have to visit an affected website. These types of attacks are much harder to defend against and we talk about them in depth in our ransomware training course (https://info.varonis.com/introduction-to-ransomware).
For organisations it’s also a good idea to have user behaviour analysis (UBA) in place to detect ransomware behaviour and lock the user account. UBA is a much more resilient approach—rather than trying to stamp out particular variants of ransomware, UBA is designed to spot the signs of *any* unusual and potentially dangerous behaviour.”
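The behaviour-based detection described above, as an added example that is not Varonis's product or code. It reads file-server audit events, keeps a per-user sliding window, and raises an alert when one account modifies or renames many files to the same unfamiliar extension (or simply too many files) inside the window, which is the signature of a user session that has started encrypting a share rather than a signature of any one ransomware variant. The log format, the thresholds, the known-extension list and the sample events (including the `.locked` extension) are all constructed for the example.

```python
"""Sliding-window ransomware behaviour detector over file-server audit events.
Added example, not Varonis's code. Log format, thresholds, KNOWN_EXTENSIONS and
the sample log are all constructed assumptions."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)          # look-back window per user
MAX_WRITES_IN_WINDOW = 50               # raw modification-rate ceiling
MAX_UNFAMILIAR_IN_WINDOW = 10           # files switched to one unknown extension
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv"}


def parse_line(line: str):
    """Constructed format: '<iso-timestamp> <user> <ACTION> <path> [<new-path>]'."""
    ts, user, action, *paths = line.split()
    return datetime.fromisoformat(ts), user, action, paths


def ext_of(path: str) -> str:
    return PurePosixPath(path).suffix.lower()


def detect(log_text: str) -> dict[str, str]:
    """Return {user: reason} for accounts whose recent activity looks like encryption.
    The first reason recorded for a user is kept so the alert reflects the earliest trigger."""
    recent = defaultdict(deque)         # user -> deque of (timestamp, extension)
    alerts: dict[str, str] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, paths = parse_line(line)
        if action not in ("WRITE", "RENAME"):
            continue                    # reads do not change files
        q = recent[user]
        q.append((ts, ext_of(paths[-1])))   # for RENAME the last path is the new name
        while ts - q[0][0] > WINDOW:        # expire events outside the window
            q.popleft()
        unfamiliar = Counter(e for _, e in q if e and e not in KNOWN_EXTENSIONS)
        ext, n = (unfamiliar.most_common(1) or [(None, 0)])[0]
        if n >= MAX_UNFAMILIAR_IN_WINDOW:
            alerts.setdefault(user, f"{n} files changed to unfamiliar extension "
                                    f"'{ext}' within {WINDOW.seconds}s")
        elif len(q) > MAX_WRITES_IN_WINDOW:
            alerts.setdefault(user, f"{len(q)} file modifications within {WINDOW.seconds}s")
    return alerts


def build_sample_log() -> str:
    """Constructed events: alice and carol behave normally; bob renames a dozen
    documents to a new extension in twenty-odd seconds."""
    base = datetime(2016, 6, 14, 9, 0, 0)
    lines = [
        f"{base.isoformat()} alice WRITE /shares/finance/q2/report.xlsx",
        f"{(base + timedelta(seconds=40)).isoformat()} alice WRITE /shares/finance/q2/notes.docx",
        f"{(base + timedelta(seconds=50)).isoformat()} carol READ /shares/hr/handbook.pdf",
    ]
    for i in range(12):
        t = base + timedelta(minutes=5, seconds=2 * i)
        lines.append(f"{t.isoformat()} bob RENAME /shares/hr/doc{i}.docx /shares/hr/doc{i}.docx.locked")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, reason in detect(build_sample_log()).items():
        print(f"LOCK {user}: {reason}")
```

The account named in the returned dictionary is the one to lock; the response action is deliberately left to the caller because it differs per environment (disabling the account, revoking the SMB session, or both). Because the rule keys on "many files changed to one extension this user never wrote before" rather than on a specific extension string, it does not need updating when the next variant picks a different suffix, which is the resilience the comment attributes to UBA.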

