1.05.2017

How to Avoid Wasting Time on False Positives

False positives. Those annoying notifications that make you panic at first, but after further investigation, turn out to be nothing to worry about. At first, they may seem like a minor inconvenience, but what happens when you have hundreds—or even thousands—of them occurring every day and you find yourself wasting 75 percent (or more) of your time?

Unfortunately, this is exactly what’s happening to cybersecurity analysts in security operation centers (SOCs) all over the world, because they are following a traditional, reactive approach to security-threat monitoring.

Within most SOCs, false positives are a major problem. It’s not only because they take time and resources to address, but also because they distract security analysts from dealing with legitimate security threats. And when security analysts become desensitized to alerts because they’re wasting time reacting to too many false positives, they start to miss true indicators of cyber attacks.

What causes false positives?

The most common sources of false positives are poorly configured or poorly tuned security tools, such as security information and event management (SIEM) solutions, intrusion detection systems (IDS)/intrusion prevention systems (IPS), and endpoint detection and response tools. Each of these technologies uses a variety of techniques to detect attacks based on a set of pre-defined rules, known signatures, patterns, expected user behaviors, and so on. A false positive typically originates within one of these tools when a rule, signature or pattern is defined too broadly, or is missing some logic. As a result, the tool flags events that match its current logic even though they aren't legitimate security threats.

With that in mind, here are seven basic habits that organizations can follow to help minimize false positives:

1) Be proactive. Be proactive in your threat-management approach. If all you do is wait for alerts and alarms to go off, you will spend more time chasing false positives than you will on identifying real threats. Get ahead of it. That is the only proven approach for detecting the most advanced cyber threats.

2) Begin with the end in mind. Alerting technologies can significantly improve your ability to identify suspicious or malicious activity when used correctly. Unfortunately, many organizations use them too broadly. The key is to focus on the types of threats you intend to detect. Assess the risk and security needs of your business, and then focus your alerting technologies on the highest-risk threats. Focusing on your end goal—the most relevant threats you want to detect—will help reduce false positives.

3) Prioritize high-risk alerts. Prioritization is one of the best tools a SOC can use to minimize time spent on false positives. Alerts that have the highest reliability, and are associated with detecting high-risk events, should obviously be assigned a higher priority. That frees up analysts to work the queue from highest priority to lowest, ensuring the events of the greatest risk are addressed first.

4) Think win-win. This means seeing life through the lens of a cooperative arena, not a competitive one. Choose collaborative intelligence sources that will bring different fidelity, relevance, and value to your security operations. (Choose wisely though; blindly integrating intelligence feeds without evaluating their fidelity and false positive rates could hurt your security operations, if you’re not careful.)

5) Seek first to understand. Addressing the issue of false positives should start with a thorough understanding of what threats a given tool is intended to address, as well as how it functions. When implementing a tool, ensure that you fully understand why you're deploying it, rather than making assumptions about 'common' use cases or, worse, installing a tool with default settings.

6) Synergize (use correlation). In many cases, an event may not be interesting unless it’s observed along with one or more other events of interest. In such cases, you should use a set of clearly defined correlation rules and only send an alert to your work queue if all related correlation criteria are satisfied.

7) Sharpen the saw. Review all alerts and develop better alerting rules based on lessons learned. By reviewing every alert that goes into your queue, you’ll learn how to tune and improve your rules. Today's threats are sophisticated and require intelligent, targeted, insightful alert logic to extract events of concern while minimizing false positives. Continuously working to tune this logic is critical for minimizing false positives.

Although false positives will always exist in cybersecurity operations, it is possible to minimize their quantity and impact by following the seven basic habits described above.

Source: https://www.rsaconference.com/blogs/how-to-avoid-wasting-time-on-false-positives

12.16.2016

Joomla 3.4.6 Fixes Zero-Day Remote Execution Bug Used in the Wild

The Joomla security team has fixed a highly critical zero-day bug, which appears to have already been used in the wild to compromise and take over Joomla sites.

Just two hours ago, the Joomla security team released version 3.4.6, along with security patches for older versions of the CMS, even if some of them reached EoL (End of Life) and were not officially supported anymore.

Remote code execution flaw via the user agent string

The reason behind this out-of-the-ordinary security release is a critical zero-day bug that allows attackers to insert code into the Joomla database and later execute it.

The entry point for the malicious code is the user agent string, which is advertised by each site visitor's browser to let websites know the user's technical makeup and deliver the best or the most appropriate version of the site.

Apparently, this string is stored in the Joomla database, but not properly sanitized to detect malicious code.

With the help of special applications and scripts that can broadcast fake user agent strings, attackers can very easily craft a custom string and append malicious code to it.

Zero-day bug used in the wild for more than two days

Security specialists from Sucuri are claiming to have observed attacks in the wild that leverage this technique.

The first attacks started on December 12, but "today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well," said Daniel Cid, Founder & CTO of Sucuri.

To mitigate the danger, Mr. Cid advises website owners to update as soon as possible to version 3.4.6 or apply the security patches offered by the Joomla team. All versions of the CMS, starting with 1.5.x, are affected.

Additionally, to see if they have been compromised, webmasters should search their logs for requests from 146.0.72.83, 74.3.170.33 or 194.28.174.106, the addresses from which most of the attacks have originated so far. The malicious user agent string contains the "JDatabaseDriverMysqli" or the "O:" strings.
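The log check described above, as an added example that is not Joomla's or Sucuri's code: it parses Apache/nginx combined-format access-log lines and flags requests that come from the three addresses named in the article or whose user-agent string carries the "JDatabaseDriverMysqli" or "O:" markers. The log lines are constructed, and the payload in the first one is elided.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators given in the article: source IPs seen in the attack wave and the two
# substrings that appear in the malicious user-agent string.
SUSPECT_IPS = {"146.0.72.83", "74.3.170.33", "194.28.174.106"}
# "O:" is the prefix of a serialized PHP object; it can also occur in harmless
# user agents, so treat that hit as a lead to triage rather than a verdict.
UA_MARKERS = {"ua:JDatabaseDriverMysqli": "JDatabaseDriverMysqli", "ua:serialized-object": "O:"}

# Apache/nginx "combined" format; quotes inside the user agent are logged as \"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the indicator names an entry matches (empty list for a clean request)."""
    hits = []
    if entry["ip"] in SUSPECT_IPS:
        hits.append("known-attacker-ip")
    for name, marker in UA_MARKERS.items():
        if marker in entry["ua"]:
            hits.append(name)
    return hits


def scan(log_text: str) -> Tuple[List[Tuple[str, List[str]]], int]:
    """Scan a whole log; return ([(client_ip, hits), ...] for flagged lines, unparsed_count)."""
    flagged, unparsed = [], 0
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        hits = classify(entry)
        if hits:
            flagged.append((entry["ip"], hits))
    return flagged, unparsed


# Constructed sample log: the first and third lines use IPs from the article; the
# first and fourth carry user agents with the article's markers (payload elided).
SAMPLE_LOG = r'''
146.0.72.83 - - [01/Jan/2016:00:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "O:21:\"JDatabaseDriverMysqli\":... [payload elided]"
203.0.113.5 - - [01/Jan/2016:00:00:05 +0000] "GET /index.php HTTP/1.1" 200 4711 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
74.3.170.33 - - [01/Jan/2016:00:01:17 +0000] "POST /index.php HTTP/1.1" 200 122 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [01/Jan/2016:00:02:00 +0000] "GET /administrator/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (O:1:\"X\":0:{})"
this line is not in combined format
'''

if __name__ == "__main__":
    flagged, unparsed = scan(SAMPLE_LOG)
    for ip, hits in flagged:
        print(f"{ip:<15} {', '.join(hits)}")
    print(f"{unparsed} line(s) could not be parsed")
```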

The latest version of the Joomla CMS is available from Github or via a download mirror hosted on Softpedia. The security patches for older Joomla versions can be found on the Joomla documentation pages.

6.28.2016

Enable this Setting in Windows 10 to Secure your Computer from Macro-based Malware and Ransomware

Do you deal with MS Word files on a daily basis?

If yes, then are you aware that even opening a simple doc file could compromise your system?

It is worth noting that the virus does not infect you directly; it is you who let it carry out the attack by enabling the deadly "Macros" in order to view the contents of a document whose subject is usually eye-catching, such as a bank invoice.

How Do Macros Cripple Your System?

The concept of Macros dates back to the 1990s. You must be familiar with this message: "Warning: This document contains macros."

A Macro is a series of commands and actions that help to automate some tasks. Microsoft Office programs support Macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.

Hackers are cleverly using this technique under the cover of social engineering, e-mailing malicious Macros to corporate networks inside a doc file or spreadsheet with an eye-catching subject line.

Once a user opens the malicious Word document, the doc file is downloaded to their system. The danger comes when the user opens the file and a popup window appears asking them to click "Enable Editing" to view the content.

Once the user clicks Enable Editing, the malicious file begins its activity on the system, such as embedding itself into other doc files to spread the infection, ultimately crippling your network.

All of those actions depend on the payload program defined inside the Macro.

Dridex and Locky are Warning Bells!!!

No other incidents give a clearer picture of the potential threat of Macro viruses than the Dridex malware and the Locky ransomware. Both made use of malicious Macros to hijack systems.

Over 20 million euro was stolen from UK banks with the Dridex malware, which was triggered via a nasty macro virus. The infection rate of the Locky ransomware also grew exponentially within a couple of hours.

How to Protect Yourself from Macro-based Malware?


Step 1: Configure Trusted Location

Disabling Macros entirely is not a feasible option, especially in an office environment where Macros are designed to simplify complex tasks through automation.

So, if your organization relies on Macros, you can move files that use Macros into the company's DMZ (Demilitarized Zone), also called a Trusted Location.

To configure the trusted location, navigate to:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Once this is configured, Macros that do not belong to the trusted location will not run in any way, beefing up your system's security.

Step 2: Block Macros in Office Files that come from the Internet

Microsoft recently unveiled a new security feature in MS Office 2016 that limits Macro-based attacks, ultimately preventing your system from being hijacked.

The new feature is a group policy setting that lets enterprise administrators disable macros from running in Office files that come from the Internet.

The new setting is called "Block macros from running in Office files from the Internet" and can be found in the Group Policy Management Editor under:
User configuration > Administrative templates > Microsoft Word 2016 > Word Options > Security > Trust Center
It can be configured separately for each Office application.

By enabling this option, macros that come from the Internet are blocked from running even if you have selected 'enable all macros' in the Macro Settings.

Moreover, instead of being offered the option to 'Enable Editing,' you'll receive a notification that macros are blocked from running, because the document comes from an untrusted source.

The only way to run that particular Office file is to save it to a trusted location, allowing macros to run.

6.17.2016

Hackers can easily breach into your smartphone and mobile network

SS7 has been controlling wire-line and wireless calls since the mid 1980s, and only now are we talking about its vulnerabilities. A lot of people think we should focus solely on the evolution to LTE/EPC Diameter-based networks; however, the legacy SS7-based networks still serve the vast majority of wireless subscribers. Current indications are that SS7 will be around for quite some time, and as such any vulnerabilities should be addressed immediately. Before we can address these threats we must first understand them, and how they are even possible given the longevity of the network and protocol. The topic of discussion in this post will be limited to those threats that are directly related to subscribers. Additional threats, such as denial of service against network elements like Mobile Switching Centers, will be discussed in subsequent posts.


In this discussion I will group these 8 threats into 4 broad categories so the impact to the subscriber and ultimately the network operator can be easily determined. These categories are:

Obtaining Subscriber Information
Eavesdropping on subscriber (SMS and calls – incoming and outgoing)
Financial theft
Disruption of subscriber service

This post is merely an overview of these eight threats; during the research for this post and the associated eBook "SS7 Vulnerabilities" I quickly found my mind wandering — I was able to take these threats and extend them and the knowledge gained and come up with many more.

Note: In my experience with the SS7 protocol and network, I have never seen access to the network, technical protocol and network information, and protocol message generation capabilities as easy and inexpensive to obtain as they are today.

Obtaining Subscriber Information
The information gained in the threats associated with this category open the door to the remaining threats discussed in this post. Additionally, this information can be used by the attacker or sold on the open market as a source of revenue. There are two types of information gained in this category: the International Mobile Subscriber Identity (IMSI) and the location of the subscriber whether at home or roaming.

Vulnerability 1. Obtaining the Subscriber IMSI
The IMSI uniquely identifies a subscriber within the mobile network. Since the IMSI can lead to other threats, it is not transmitted over the "Air Interface"; instead a randomized Temporary Mobile Subscriber Identity (TMSI) is used over the air. However, if an attacker is able to obtain the TMSI over the air interface and has access to the SS7 network, all they have to do is use the SS7 protocol to ask which IMSI is associated with that TMSI. Enough said about the TMSI and the air interface; we are going to focus on the SS7 protocol and messaging for this discussion. An attacker can use the SS7 Mobile Application Part (MAP) and its normal procedure for delivering a text message to a subscriber to obtain the IMSI. Once the attacker knows the IMSI, its format also tells them the home country where the subscriber resides and their home mobile network operator. All the attacker needs is the telephone number of the target subscriber, access to the SS7 network, and a little knowledge about the target subscriber's home SS7 network, all of which are readily available.

Vulnerability 2. Determining the subscriber's location
There are at least two SS7 methods for determining a subscriber's location within the global mobile network. The first utilizes a message and procedure known as Any Time Interrogation, which returns the subscriber's location parameters. However, a large number of network operators have stopped their equipment from responding to these messages. In the second procedure the attacker poses as a fake Home Location Register and uses the normal MAP messages and procedures known as Provide Subscriber Information. The information received from this process yields the Cell ID, the Mobile Country Code (MCC), the Mobile Network Code (MNC) and the Location Area Code, all related to the target subscriber's current location.

Eavesdropping on subscriber calls (incoming and outgoing)
There are three vulnerabilities in this category that would allow the intruder to listen to or record a subscriber's conversation on incoming/outgoing calls, or to intercept and/or modify incoming text messages to a target subscriber. Each of these attacks could be performed without the knowledge of the target subscriber. The initial information required by the intruder is the mobile telephone number of the target subscriber, some knowledge of the target subscriber's home network, and access to an SS7 network. The remainder of the information required can be obtained from the network using the initial information. Also, the attacker can be located anywhere in the world; they do not have to be part of the target subscriber's network.

Vulnerability 3. Intercepting and monitoring an outgoing call
This is a multi-stage attack in which the attacker poses as different mobile network elements to implement a different scenario at each stage. This threat uses the Customized Applications for Mobile networks Enhanced Logic (CAMEL) Application Part (CAP) protocol and logic, which allows network operators to define services over and above the standard Global System for Mobile communications (GSM) and Universal Mobile Telecommunication Systems (UMTS) services. The CAMEL logic and network is based on the SS7 Intelligent Network (IN) used in wire-line networks. In this threat the intruder has the outgoing call routed to their bridging/monitoring/recording system, then places a second call leg to the original callED party and subsequently bridges the two call legs together, with the intruder being the "Man in the Middle".

Vulnerability 4. Intercepting and monitoring an incoming call
This threat uses the SS7 MAP messaging and procedures behind the everyday subscriber call-forwarding feature; however, it is activated at the SS7 level without the target subscriber's knowledge. Like the one described in "Intercepting and monitoring an outgoing call", this vulnerability is a multi-staged attack. It also uses a bridging/monitoring/recording system to bridge two calls together. The intruder forwards (at the SS7 MAP message level) the target subscriber's calls to their bridging/monitoring/recording system. The intruder then cancels call forwarding (again at the SS7 MAP message level) and places a second call leg to the original callED party. The intruder bridges the two call legs together with their bridging/monitoring/recording system, all without the knowledge of either party involved in the call.

Financial theft
Vulnerability 5. Intercepting a subscriber's SMS (Text) Messages
The premise for this attack is that the intruder poses as an MSC/VLR and sends a MAP-Update-Location (UL) Request message directly to the subscriber's HLR. Upon completion of this procedure, SMS messages will be sent to the intruder acting as a fake MSC serving the target subscriber. This attack can be used to obtain the target subscriber's passwords or reset them, and once the passwords are reset the intruder has carte blanche over the target subscriber's accounts.

Vulnerability 6. Manipulating USSD Request
Unstructured Supplementary Service Data (USSD) is currently being used for mobile prepaid, online banking and other financially sensitive applications. Fraud linked to USSD can cause severe financial impacts to subscribers, network operators, financial institutions and many others. In this multi-staged attack the intruder first poses as a Short Message Service Center (SMSC) to obtain the Global Title Address (GTT) of the target subscriber's Home Location Register (HLR), the IMSI of the target subscriber and the current serving Mobile Switching Center (MSC). In the next stage the intruder poses as an MSC acting on behalf of the target subscriber and requests the subscriber's current account balance. After receipt of the account information the intruder, still posing as the MSC acting on behalf of the subscriber, requests a transfer of funds from the target subscriber's account to the intruder's account. Normally an SMS message is sent to the subscriber indicating the transfer; however, if this attack is coupled with "Vulnerability 5. Intercepting a subscriber's SMS (Text) Messages" then the SMS never reaches the target subscriber.

Disruption of subscriber service
The two vulnerabilities described in this section can be used to interrupt service to any subscriber or to activate or change billing, thus enabling fraudulent calls to be made from the mobile station. Either of these scenarios can cause a significant financial impact on the mobile network operator. One for pure fraud and the other for subscriber churn due to a perceived lack of service.

Vulnerability 7. Disruption of subscriber availability
In this attack the intruder poses as an MSC/VLR and sends a MAP-Update-Location (UL) Request message directly to the subscriber's HLR. Once the Update Location procedure is complete, the subscriber will not be able to receive incoming messages or calls until they move to another MSC/VLR, reboot the phone or place an outgoing call. These procedures are part of the normal mobility management performed when the subscriber moves to a new area served by a different MSC. The intruder spoofs the network into believing that they are the new MSC.

Vulnerability 8. Manipulating a subscriber's profile in the Visitor Location Register (VLR)
Any time an intruder has access to the subscriber identity (MSISDN, IMSI), the address of the serving MSC/VLR and the format of the subscriber profile, they can alter billing and routing, allowing:

Disruption of the subscriber's service
The use of the subscriber's mobile station to make fraudulent calls

In this attack, the intruder poses as an HLR and sends a fraudulent subscriber profile to the serving MSC/VLR, invoking whatever services the intruder desires. These services can include:

Bypassing billing services
Turning call forwarding on or off
Barring calls to the target subscriber
And many, many more

Conclusion
As you can see from the examples provided in this blog, vulnerabilities and fraud within the SS7 protocol and network are a very serious issue. Some might say, "Let's change the protocol and network", but that cannot happen for many reasons, as discussed. The solution to these protocol and network issues is to place a security firewall into the network. This firewall should include the policies required to address the currently defined threats and be easily modified to address future threats as they are found. In order to accomplish these tasks the SS7 signaling firewall should have real-time monitoring capabilities to help detect defined and future threats.
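A minimal form of the screening policy the conclusion calls for, as an added example that is not part of the original post: for each MAP message arriving over the interconnect it decides whether the sending Global Title is entitled to perform that operation against a home subscriber, covering the location probes of Vulnerability 2, the fake MSC/VLR registration of Vulnerabilities 5 and 7, and the fake-HLR profile push of Vulnerability 8. All GTs, IMSIs and roaming partners are constructed, and the MAP operation names (in particular insertSubscriberData for the profile push) are this example's assumption, not the post's wording.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MapMessage:
    operation: str   # MAP operation name (exact opcode spelling is an assumption here)
    origin_gt: str   # Global Title (E.164 digits) of the node that sent the message
    imsi: str        # subscriber the message concerns: MCC + MNC + MSIN


# Constructed network facts for the example (not a real operator's data)
HOME_MCC_MNC = "31015"                              # our PLMN: MCC 310, MNC 15
HOME_GTS = {"13105550001", "13105550002"}           # our own HLR / MSC / SMSC addresses
ROAMING_PARTNER_GTS = {"4479900001", "4915200001"}  # MSC/VLRs of operators we have roaming agreements with

# Operations that only our own nodes may send about our subscribers:
# anyTimeInterrogation / provideSubscriberInfo reveal location (Vulnerability 2), and
# insertSubscriberData is how an HLR pushes a profile to a VLR, so an external sender
# is the "fake HLR" of Vulnerability 8 (opcode name assumed, not given in the post).
INTERNAL_ONLY = {"anyTimeInterrogation", "provideSubscriberInfo", "insertSubscriberData"}


def is_home_subscriber(imsi: str) -> bool:
    """The IMSI prefix (MCC + MNC) identifies the home network, as the post explains."""
    return imsi.startswith(HOME_MCC_MNC)


def evaluate(msg: MapMessage) -> Tuple[str, str]:
    """Decide ALLOW or BLOCK for one MAP message arriving over the interconnect."""
    if msg.origin_gt in HOME_GTS:
        return "ALLOW", "sent by one of our own nodes"
    if not is_home_subscriber(msg.imsi):
        return "ALLOW", "not our subscriber; out of scope for this policy"
    if msg.operation in INTERNAL_ONLY:
        return "BLOCK", f"{msg.operation} about a home subscriber from external GT {msg.origin_gt}"
    if msg.operation == "updateLocation" and msg.origin_gt not in ROAMING_PARTNER_GTS:
        # An MSC/VLR we have no agreement with claims our subscriber roamed to it:
        # the fake-MSC registration behind Vulnerabilities 5 and 7.
        return "BLOCK", f"updateLocation from non-partner GT {msg.origin_gt}"
    return "ALLOW", "permitted interconnect procedure"


def screen(messages: List[MapMessage]) -> List[Tuple[MapMessage, str]]:
    """Run the policy over a batch and return the blocked messages with their reasons."""
    blocked = []
    for msg in messages:
        verdict, reason = evaluate(msg)
        if verdict == "BLOCK":
            blocked.append((msg, reason))
    return blocked


def blocked_by_origin(messages: List[MapMessage]) -> Dict[str, int]:
    """Count blocks per sending GT: the monitoring view that surfaces a probing source."""
    return dict(Counter(msg.origin_gt for msg, _ in screen(messages)))


# Constructed traffic sample: one legitimate roamer, one query from our own HLR, and an
# external GT that walks through the post's attack sequence against IMSI 310150000000001.
SAMPLE_TRAFFIC = [
    MapMessage("updateLocation", "4479900001", "310150000000001"),          # partner VLR, allowed
    MapMessage("provideSubscriberInfo", "13105550001", "310150000000001"),  # our own HLR, allowed
    MapMessage("anyTimeInterrogation", "7999000000", "310150000000001"),    # location probe, blocked
    MapMessage("updateLocation", "7999000000", "310150000000001"),          # fake MSC/VLR, blocked
    MapMessage("insertSubscriberData", "7999000000", "310150000000001"),    # fake HLR profile, blocked
    MapMessage("updateLocation", "7999000000", "262010000000009"),          # foreign subscriber, not ours
]

if __name__ == "__main__":
    for msg, reason in screen(SAMPLE_TRAFFIC):
        print(f"BLOCK {msg.operation:<22} from {msg.origin_gt}: {reason}")
    print("blocks per origin GT:", blocked_by_origin(SAMPLE_TRAFFIC))
```

A production signaling firewall would add checks this sketch omits, such as whether a roaming partner's updateLocation is plausible given where the subscriber was last seen.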

6.16.2016

BadTunnel: a vulnerability all Windows users need to patch

A security researcher has uncovered a serious vulnerability that affects every version of Microsoft’s Windows operating system from Windows 95 to Windows 10.


The vulnerability could give attackers a way to set up man-in-the-middle attacks against victims by getting them to click on a link, open a Microsoft Office document or plug in a USB drive.

In an interview with Dark Reading, Yang Yu, who earned a whopping $50,000 bug bounty for the discovery he’s nicknamed BadTunnel, described the impact in grandiose terms:

This vulnerability has a massive security impact – probably the widest impact in the history of Windows.

Microsoft released a fix for the vulnerability on Tuesday in security bulletin MS16-077. Users of unsupported Windows versions such as Windows XP should disable NetBIOS over TCP/IP.

The nuts and bolts of how the vulnerability works haven’t been revealed but it has been described as a technique for NetBIOS-spoofing across networks that bypasses firewalls and NAT (Network Address Translation) devices.

In other words, it can expose you to attackers who aren’t on your network, and your firewalls won’t save you, unless you block UDP on port 137 between your network and the internet.

According to Yu, it relies on a chain of elements including “a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices.”

Microsoft’s bulletin appears to break the final link in the chain by fixing a vulnerability in WPAD (Web Proxy Autodiscovery Protocol) that was first reported in 2007.

WPAD is a way for computers to discover web browser configuration files automatically by searching specific addresses on a computer’s local network. An attacker who could find a way to occupy one of those addresses, or to change the addresses being searched, could supply their own configuration files and instruct the victim’s browser to route traffic through a man-in-the-middle attack.

Until BadTunnel, the attacker had to gain access to a victim’s network (or rely on opportunistic domain name collisions) which made it a difficult trick to pull off.

Yu plans to reveal the full gory details of BadTunnel in a presentation at the upcoming BlackHat conference:

This presentation will introduce a new threat model. Based on this threat model, we found a flaw in the Windows system. It affects all Windows released in the last two decades, including Windows 10. It also has a very wide attack surface. The attack can be performed on all versions of Internet Explorer, Edge, Microsoft Office, many third-party software, USB flash drives, and even Web servers. When this flaw is triggered, YOU ARE BEING WATCHED.

5.23.2016

Cash stolen from 15K ATMs in Japan in coordinated attack

As many as 100 people are believed to have taken part in a heist of nearly $13 million (USD) from cash machines in Japan, according to The Guardian.


Between 5 a.m. and 8 a.m. on the morning of May 15, thousands of withdrawals were made at 15,000 convenience stores using phony credit cards – with purloined account data from a bank in South Africa. Each culprit in the coordinated action withdrew 100,000 yen – the maximum that the cash machines allow – in Tokyo and other regions.

Because cards issued in a foreign country were used, as well as on a day when the banks were closed, the perpetrators had enough time to flee the country, authorities believe. None have been apprehended.

The Japanese police have contacted South African authorities, through Interpol, to determine how the miscreants might have acquired the credit card information.

"ATM fraud remains a leading cause of losses for banks, and this will likely increase in the U.S. as the shift to EMV cards at retail drives fraud to other channels, such as the ATM," John Gunn, vice president of communications at VASCO Data Security, said in a statement emailed to SCMagazine.com. "We are already seeing large banks moving to integrate ATM security measures into their mobile banking app. It is easy for fraudsters to buy stolen cards to make unauthorized withdrawals, but it's nearly impossible to commit theft if they must also have the intended victim's mobile phone physically at the ATM machine at the same time."

Gunn predicted that banks will in the future leverage customers' mobile phones to reduce fraud across all channels.

4.03.2016

Ransomware and Recent Variants

Systems Affected

Networked Systems

Overview

In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.
The United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users' systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:
  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.
In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.
Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.
The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
  • Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.

Revisions


  • March 31, 2016: Initial Publication