Posted by jonas on

The Hydro cyber attack: How you can protect against it

Earlier this week, Hydro was hit by a ransomware attack. It seems like LockerGoga was utilized by the criminals to encrypt/destroy files on Hydros computers. Even though we don’t have all the details about this specific attack, I have compiled a list of measures that are likely to stop LockerGoga and similar ransomware before they can do any harm.

  • Enable AppLocker.
  • Remove local admin rights from end user accounts.
  • Add privileged accounts to the “Protected Users” group.
  • Disable Office macros.
  • Backup.

Enable Applocker.

LockerGoga seem to have been spread as an exe-file. In that case, a well configured AppLocker policy would have denied it from running. Effectively blocking any harm. I have written about AppLocker in this article. One problem with AppLocker is that it can be bypassed by an local admin. So to make sure AppLocker is effective, you must ensure that your end users don’t have local admin rights.

Remove local admin from end user accounts.

I wrote an article about local admin rights that describe why it’s smart to remove it from end users. And as stated in the paragraph above, it is necessary to remove those rights to make sure AppLocker is effective. But if your ICT team is using their privileged accounts (ex. domain admins) on clients and servers, an attacker could get hold of their credentials. And if an attacker have domain admin access, they can just disable all your security measures before launching an attack. Read on to learn how to protect against that.

Add privileged accounts to the “Protected Users” group.

As I wrote in this article, you can deny your privileged accounts from storing their password hashes on systems they log into. This will make it much harder for an attacker to get hold of credentials with domain admin rights.

Disable Office macros.

Another important measure is to block Office macros from running on your computers. Macros has been flagged as a huge security issue, and could be used to infect your computers. You can block macros in Group Policy.

Backup.

Since no security measure will protect you 100%; make sure you have a good backup routine. This will allow you to restore files that have been encrypted/destroyed. But make sure your backup is safe. Ransomware could destroy backup files as well, if not stored in a safe manner.