Knowledge Base

Best Practices to protect against Ransomware

Description

The following article outlines best practices for defending networks against ransomware. Ransomware has evolved heavily over the past few years to include several new network exploitation techniques, including modified polymorphic front ends and zero-day worm propagation.

On May 12, 2017, a variant of ransomware known as WannaCry was successful in infecting more than 200,000 systems in over 150 countries. Preventing ransomware and other zero-day exploits is achievable; however, it requires steadfast security monitoring and careful network configuration.

The following is a brief guide to configuring SonicWall Network Security Appliances (firewalls) to prevent ransomware.

Please note that many of the steps included in this best practice guide also overlap with other security best practices that organizations should be deploying to inspect traffic and prevent breaches. The following guide applies to SonicWall TZ SOHO W through SuperMassive 9800 (Generation 6) appliances running firmware 6.2.7.1x and higher. SonicWall Capture Advanced Threat Protection is available on the TZ 300 and higher.

Resolution

1. Security Services Subscription

For all SonicWall appliances it is highly recommended to include the Advanced Gateway Security Suite (AGSS), which includes active subscriptions for Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, Content Filtering, Botnet Filter, Geo IP Filter, Application Firewall, DPI-SSL, DPI-SSH, and Capture. If this subscription is not active, the signature updates and configuration steps below will not be possible.

2. Enable Gateway Anti-Virus

  • Make sure that GAV is updated with the latest signatures
  • Enable GAV
  • Enable Cloud GAV
  • Enable Inspection on Inbound and Outbound for all HTTP, FTP, IMAP, SMTP, POP3, CIFS/NetBIOS, and TCP Stream


Inside the settings for each of these protocols, make sure that you have enabled the options to block:

  • Restrict Transfer of password-protected ZIP files
  • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)
  • Restrict Transfer of packed executable files (UPX, FSG, etc.)


  • Click on Configure Gateway AV Settings
  • Enable the option to Block files with multiple levels of zip/gzip compression
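
The Gateway AV restrictions above can be reproduced as a file-content check. The following Python is an added example, not SonicWall code: it walks in-memory archives and reports password-protected entries, Office files carrying a VBA project, UPX-style packed executables (a constructed name-based heuristic) and zip/gzip nesting beyond an allowed depth; the helpers that build and flag the sample archives are constructed for this demonstration only.

```python
import gzip
import io
import zipfile

# Constructed example, not SonicWall code: file checks mirroring the Gateway AV
# restrictions above, applied to in-memory sample archives.
OFFICE_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")  # zips, but documents, not a layer

def _inspect(data, depth, max_depth, findings):
    if not (data.startswith(b"\x1f\x8b") or data.startswith(b"PK\x03\x04")):
        return                                   # leaf file: nothing nested inside
    if depth > max_depth:                        # one more zip/gzip layer than allowed
        findings.add("multi-level compression")
        return
    if data.startswith(b"\x1f\x8b"):             # gzip layer: unwrap and recurse
        return _inspect(gzip.decompress(data), depth + 1, max_depth, findings)
    zf = zipfile.ZipFile(io.BytesIO(data))
    for zi in zf.infolist():
        if zi.flag_bits & 0x1:                   # general-purpose bit 0: entry is encrypted
            findings.add("password-protected zip")
            continue                             # unreadable without the password
        name = zi.filename.lower()
        if name.endswith("vbaproject.bin"):      # VBA project stored inside an OOXML file
            findings.add("office macro")
        member = zf.read(zi)
        if any(m in member[:2048] for m in (b"UPX0", b"UPX1", b"UPX!")):  # packer names
            findings.add("packed executable")
        _inspect(member, depth if name.endswith(OFFICE_EXT) else depth + 1, max_depth, findings)

def inspect_transfer(data, max_depth=1):
    """Sorted policy violations for one transferred file; an empty list means allow."""
    findings = set()
    _inspect(data, 1, max_depth, findings)
    return sorted(findings)

def build_zip(members, compression=zipfile.ZIP_STORED):
    """Constructed test helper: in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(data):
    """Constructed test helper: set bit 0 (encrypted) in each local/central header only."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        for i in [j for j in range(len(buf)) if buf.startswith(sig, j)]:
            buf[i + off] |= 0x1
    return bytes(buf)
```

With the default `max_depth=1`, a zip inside a zip (or a zip inside a gzip) is reported, while an Office document inside a zip is opened and checked for macros instead of being counted as a second layer.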

3. Enable Intrusion Prevention
Many of today's ransomware variants include Trojan and worm components that exploit network communications to spread and impact systems. Intrusion Prevention is an essential cornerstone of preventing these attacks in networks.

  • Make sure that the SonicWall has the latest signature updates from the SonicWall Capture Labs.
  • Enable the IPS Service
  • Enable Prevention for High and Medium priority threats at a minimum; Low priority may also need to be included, depending on additional requirements and compliance regulations for the network being deployed.
  • Enable Intrusion Detection if log data on intrusions is required. SonicWall Intrusion Detection is responsible for generating the log events for intrusions; if it is not selected, no log data will be created.

 

4. Enable Geo-IP Filter
Geo-IP Filter controls traffic to and from selected countries, and is a core component of the CGSS/AGSS security subscription.

  • Enable Geo-IP Filter
    • This can be set up on 'All Connections' or 'Firewall Rule Based'.
    • 'All Connections' includes all traffic; by default, the Firewall Subnets are excluded.
    • 'Firewall Rule Based' requires enabling the service on individual rules within Firewall Access Rules. If this method is applied, any rules for WAN->WAN, WAN->LAN, and LAN->WAN should have the service enabled.


  • Make sure that, at a minimum, 'Anonymous Proxy / Private IP' is selected in the country list.
  • Make sure that 'Block all UNKNOWN subnets' is also enabled. These unknown ranges are often referred to as bogon subnets.

 

5. Enable Botnet Filter
Botnet Filter blocks traffic to or from known malicious hosts that take part in botnet networks.

  • Enable Botnet Filter
    • This can be set up on 'All Connections' or 'Firewall Rule Based'.
    • 'All Connections' includes all traffic; by default, the Firewall Subnets are excluded.
    • 'Firewall Rule Based' requires enabling the service on individual rules within the Firewall Access Rules. If this method is applied, any rules for WAN->WAN, WAN->Internal, or Internal->WAN should have the service enabled.


6. Enable DPI-SSL Client Inspection
The DPI-SSL feature of the firewall delivers the ability to inspect inside encrypted communications across multiple protocols and applications. DPI-SSL enables the firewall to act as a proxy to inspect encrypted communications such as webmail, social media, and other web content carried over HTTPS connections. The DPI-SSL settings relevant to this Knowledge Base best practice are relatively simple. For questions on the setup and deployment of DPI-SSL, please consult the SonicWall Knowledge Base.

  • Enable SonicWall DPI-SSL on the firewall
  • Ensure that the service is enabled for all of the following sub-functions:
    • Intrusion Prevention
    • Gateway Anti-Virus
    • Gateway Anti-Spyware
    • Application Firewall
    • Content Filter


7. Configure Content Filtering Service
The Content Filtering rules outlined here apply to configurations for Firmware 6.2.7.1 and are based on CFS v4.0. For the purpose of preventing ransomware, it is recommended to block access to the following categories: Malware, Hacking / Proxy Avoidance, and Not Rated.

Please note that blocking the 'Not Rated' category can be management intensive, as not all websites used by a given network have been rated. Not Rated sites can be submitted for rating online at MySonicWall.com.

Ensure that the default and custom policies for all user groups are set to block Malware, Hacking / Proxy Avoidance, and Not Rated.


8. Enable Application Firewall Rules
To safeguard against newer obfuscation methods that leverage traditional applications, it is recommended to enable Application Firewall Rules. To prevent malware such as ransomware from circumventing the enforced communication paths, it is advised to build rules that restrict DNS, SSH, and Proxy-Access applications.

  • While DNS typically uses TCP/UDP port 53, the DNS protocol can also be used on non-standard ports. Malicious applications may leverage DNS cache poisoning or redirect traffic to illegitimate sites. It is advised not only to lock down Access Rules to the 'Trusted' DNS hosts, but also to create an Address Object and an Application Rule that restrict the DNS protocol itself to only the 'Trusted' DNS host.
  • As an alternative, this control can also be applied using SonicWall's DNS Proxy configuration; however, this still requires Application and Access Rules that block DNS to untrusted sources.


  • The next Application Rule restricts SSH connections to only trusted and trained users, from only trusted sources, or to only trusted destinations.
  • It is advised to create this control as an Application Firewall rule, because SSH can be run on ports other than the standard TCP 22.
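
To illustrate why the DNS and SSH controls above are built as application rules rather than port rules, here is an added Python example (not SonicWall code) that labels a flow by its first payload bytes and then applies an assumed policy of one trusted resolver and one trusted SSH source to constructed sample flows, catching DNS on port 5353 and SSH on port 2222.

```python
import struct

# Constructed example, not SonicWall code: identify DNS and SSH by payload
# instead of port, then apply the "trusted DNS host" / "trusted SSH source"
# restrictions described above. Addresses below are assumed sample values.
TRUSTED_DNS = {"10.0.0.53"}          # the only resolver clients may talk to
TRUSTED_SSH_SOURCES = {"10.0.0.10"}  # admin jump host allowed to open SSH

def dns_query(name, txid=0x1234):
    """Build a minimal standard DNS query (A record) for use as sample payload."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + labels + b"\x00" + b"\x00\x01\x00\x01"

def looks_like_dns(payload):
    """Header sanity check: standard query (QR=0, opcode 0) with at least one question."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    return (flags >> 15) == 0 and ((flags >> 11) & 0xF) == 0 and qdcount >= 1

def classify(payload):
    """Port-independent application label for the first payload of a flow."""
    if looks_like_dns(payload):
        return "dns"
    if payload.startswith(b"SSH-"):         # SSH identification string (RFC 4253)
        return "ssh"
    return "other"

def check_flow(src, dst, dport, payload):
    """Return a violation string, or None if the flow satisfies the policy."""
    app = classify(payload)
    if app == "dns" and dst not in TRUSTED_DNS:
        return f"dns from {src} to untrusted resolver {dst}:{dport}"
    if app == "ssh" and src not in TRUSTED_SSH_SOURCES:
        return f"ssh from untrusted source {src} to {dst}:{dport}"
    return None

# Constructed sample flows: (src, dst, dport, first payload bytes)
SAMPLE_FLOWS = [
    ("10.0.0.25", "10.0.0.53", 53, dns_query("example.com")),        # allowed
    ("10.0.0.25", "203.0.113.9", 5353, dns_query("example.com")),    # DNS on odd port
    ("10.0.0.10", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),       # allowed
    ("10.0.0.31", "198.51.100.7", 2222, b"SSH-2.0-OpenSSH_8.9\r\n"), # SSH on odd port
    ("10.0.0.25", "198.51.100.7", 443, b"\x16\x03\x01\x00\xa5"),     # TLS, not covered
]

def audit(flows):
    """Violations for a list of flows, in input order."""
    return [v for v in (check_flow(*f) for f in flows) if v]
```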


  • The last Application Firewall policy that should be created is one that blocks all Proxy-Access applications.


  • Blocking this entire category may also break legitimate applications or stop them from functioning properly. It is advised that these applications be reviewed and, where applicable, exceptions be created for their specific source and destination information.

9. Enable Capture

Given the dynamic and constant creation of new malware, it is highly advised that the SonicWall Capture solution be enabled. Be advised that this requires the AGSS (Advanced Gateway Security Suite) license.

  • Enable Capture, and ensure that Gateway Anti-Virus is enabled on all services
  • Ensure that all file types are selected for inspection


  • For best practice it is recommended to set Capture to 'Block until verdict'. This prevents potentially malicious files from passing through the firewall until they have been analyzed.

Additional best practices to prevent ransomware include, but are not limited to:

  • Installing end-point Anti-Virus software and keeping it updated with the latest signatures
  • Updating host Operating Systems, browsers, and browser plugins with the latest security patches.
  • Performing regular offline (cold) system back-ups
  • Educating users on the dangers of opening unknown files from unknown sources, etc.


Resolution for SonicOS 6.5 and Later

SonicOS 6.5 was released September 2017. This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 and later firmware.

 

1. Security Services Subscription

For all SonicWall appliances it is highly recommended to include the Advanced Gateway Security Suite (AGSS), which includes active subscriptions for Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, Content Filtering, Botnet Filter, Geo IP Filter, Application Firewall, DPI-SSL, DPI-SSH, and Capture. If this subscription is not active, the signature updates and configuration steps below will not be possible.

2. Enable Gateway Anti-Virus

  • Make sure that GAV is updated with the latest signatures
  • Enable GAV
  • Enable Cloud GAV
  • Enable Inspection on Inbound and Outbound for all HTTP, FTP, IMAP, SMTP, POP3, CIFS/NetBIOS, and TCP Stream


Inside the settings for each of these protocols, make sure that you have enabled the options to block:

  • Restrict Transfer of password-protected ZIP files
  • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)
  • Restrict Transfer of packed executable files (UPX, FSG, etc.)


  • Click on Configure Gateway AV Settings
  • Enable the option to Block files with multiple levels of zip/gzip compression

3. Enable Intrusion Prevention
Many of today's ransomware variants include Trojan and worm components that exploit network communications to spread and impact systems. Intrusion Prevention is an essential cornerstone of preventing these attacks in networks.

  • Make sure that the SonicWall has the latest signature updates from the SonicWall Capture Labs.
  • Enable the IPS Service
  • Enable Prevention for High and Medium priority threats at a minimum; Low priority may also need to be included, depending on additional requirements and compliance regulations for the network being deployed.


  • Enable Intrusion Detection if log data on intrusions is required. SonicWall Intrusion Detection is responsible for generating the log events for intrusions; if it is not selected, no log data will be created.

4. Enable Geo-IP Filter
Geo-IP Filter controls traffic to and from selected countries, and is a core component of the CGSS/AGSS security subscription.

  • Enable Geo-IP Filter
    • This can be set up on 'All Connections' or 'Firewall Rule Based'.
    • 'All Connections' includes all traffic; by default, the Firewall Subnets are excluded.
    • 'Firewall Rule Based' requires enabling the service on individual rules within Firewall Access Rules. If this method is applied, any rules for WAN->WAN, WAN->LAN, and LAN->WAN should have the service enabled.


  • Make sure that, at a minimum, 'Anonymous Proxy / Private IP' is selected in the country list.
  • Make sure that 'Block all UNKNOWN subnets' is also enabled. These unknown ranges are often referred to as bogon subnets.

5. Enable Botnet Filter
Botnet Filter blocks traffic to or from known malicious hosts that take part in botnet networks.

  • Enable Botnet Filter
    • This can be set up on 'All Connections' or 'Firewall Rule Based'.
    • 'All Connections' includes all traffic; by default, the Firewall Subnets are excluded.
    • 'Firewall Rule Based' requires enabling the service on individual rules within the Firewall Access Rules. If this method is applied, any rules for WAN->WAN, WAN->Internal, or Internal->WAN should have the service enabled.

6. Enable DPI-SSL Client Inspection
The DPI-SSL feature of the firewall delivers the ability to inspect inside encrypted communications across multiple protocols and applications. DPI-SSL enables the firewall to act as a proxy to inspect encrypted communications such as webmail, social media, and other web content carried over HTTPS connections. The DPI-SSL settings relevant to this Knowledge Base best practice are relatively simple. For questions on the setup and deployment of DPI-SSL, please consult the SonicWall Knowledge Base.

  • Enable SonicWall DPI-SSL on the firewall
  • Ensure that the service is enabled for all of the following sub-functions:
    • Intrusion Prevention
    • Gateway Anti-Virus
    • Gateway Anti-Spyware
    • Application Firewall
    • Content Filter

7. Configure Content Filtering Service
The Content Filtering rules outlined here apply to configurations for Firmware 6.2.7.1 and are based on CFS v4.0. For the purpose of preventing ransomware, it is recommended to block access to the following categories: Malware, Hacking / Proxy Avoidance, and Not Rated.

Please note that blocking the 'Not Rated' category can be management intensive, as not all websites used by a given network have been rated. Not Rated sites can be submitted for rating online at mysonicwall.com.

Ensure that the default and custom policies for all user groups are set to block Malware, Hacking / Proxy Avoidance, and Not Rated.


8. Enable Application Firewall Rules
To safeguard against newer obfuscation methods that leverage traditional applications, it is recommended to enable Application Firewall Rules. To prevent malware such as ransomware from circumventing the enforced communication paths, it is advised to build rules that restrict DNS, SSH, and Proxy-Access applications.

  • While DNS typically uses TCP/UDP port 53, the DNS protocol can also be used on non-standard ports. Malicious applications may leverage DNS cache poisoning or redirect traffic to illegitimate sites. It is advised not only to lock down Access Rules to the 'Trusted' DNS hosts, but also to create an Address Object and an Application Rule that restrict the DNS protocol itself to only the 'Trusted' DNS host.
  • As an alternative, this control can also be applied using SonicWall's DNS Proxy configuration; however, this still requires Application and Access Rules that block DNS to untrusted sources.


  • The next Application Rule restricts SSH connections to only trusted and trained users, from only trusted sources, or to only trusted destinations.
  • It is advised to create this control as an Application Firewall rule, because SSH can be run on ports other than the standard TCP 22.


  • The last Application Firewall policy that should be created is one that blocks all Proxy-Access applications.


  • Blocking this entire category may also break legitimate applications or stop them from functioning properly. It is advised that these applications be reviewed and, where applicable, exceptions be created for their specific source and destination information.

9. Enable Capture

Given the dynamic and constant creation of new malware, it is highly advised that the SonicWall Capture solution be enabled. Be advised that this requires the AGSS (Advanced Gateway Security Suite) license.

  • Enable Capture, and ensure that Gateway Anti-Virus is enabled on all services
  • Ensure that all file types are selected for inspection


  • For best practice it is recommended to set Capture to 'Block until verdict'. This prevents potentially malicious files from passing through the firewall until they have been analyzed.


Additional best practices to prevent ransomware include, but are not limited to:

  • Installing end-point Anti-Virus software and keeping it updated with the latest signatures
  • Updating host Operating Systems, browsers, and browser plugins with the latest security patches.
  • Performing regular offline (cold) system back-ups
  • Educating users on the dangers of opening unknown files from unknown sources, etc.