It’s a nightmare scenario for any user or organization: in the middle of an ordinary day, your screen is taken over by an alert that your data has been encrypted and your computer’s essential functions have been locked down. You have two choices: pay a ransom—or accept that you’ll never see your data again, including any sensitive or regulated information they may contain (which, in turn, may well be leaked or sold to the highest bidder). A countdown clock shows how little time you have left to make your decision. You may be able to determine later how it got to this point—a phishing email? An infected file or web page? An exploit kit?—but you’d do anything to have prevented it from happening in the first place. Fortunately, there are steps you can take now to lower the risk of ransomware, and to minimize its impact in the event of an attack.
Citrix solutions enable four highly effective measures for reducing your exposure to ransomware and keeping your apps and data accessible to authorized users—not hackers and their clients. Virtualization, enterprise mobility management and enterprise file synchronization make it possible to insulate computers, tablets, smartphones and other endpoints against ransomware infection, and to recover quickly in the event of a breach. • Shield users of web apps from infection and keep sensitive data off the endpoint by publishing virtualized, sandboxed and hardened browsers rather than relying on the locally installed, over-configured and over-connected browser. • Prevent email-borne ransomware from compromising the endpoint by publishing a virtualized, sandboxed and hardened email client. • Protect mobile devices against attack with measures including containerization, encryption, blacklists and whitelists, and device compliance checks • Ensure the rapid recovery of ransomware-encrypted data with a secure and robust enterprise file sync and sharing service. Data taken hostage—a crime that pays handsomely Recent years have seen the Internet swarmed with more than 50 variants of ransomware with names like Locky, KeRanger, Cryptolocker, CryptoWall and TeslaCrypt. Initially targeting consumers, these scripts increasingly target victims with highly sensitive, high-value data such as healthcare, banking, legal and finance organizations. Once activated by an unwitting user, the ransomware calls home to a command-and-control server to acquire a unique, randomly created AES encryption key, then applies it to critical files found on local, network and cloud-connected drives. At that point, this data is entirely under the control of the hacker, who demands the prompt payment of a ransom to recover it or prevent its disclosure. This amount may range from hundreds of dollars for individual consumers to many thousands for a business. Payments are often demanded in Bitcoin, further complicating a business response. Citrix.com | White Paper | Ransomware: Four Ways to Protect Data Now 3 As an illicit business model, ransomware is as effective as it is simple, reportedly earning hundreds of million of dollars for the Cryptowall script alone. For the victim organization, recovering access to data and systems can literally be a matter of life and death, as in the case of a hospital where electronic medical records (EMR) as well as the systems responsible for CT scans, documentation, lab work and pharmacy functions have been rendered unavailable. Targeted companies in every industry, including education, utilities, retail, finance and government, face dire consequences as well, including losing access to core business functions such as email and payroll; the customer information to deliver services; and the production data on which operations depend.
Even without the countdown timer displayed by most ransomware, the urgency of a response is all too clear. Paying the ransom, typically in Bitcoin through a self-service process, is an unappealing prospect; doing so incurs a cost, rewards criminal activity and strengthens the incentive for such attacks throughout the industry. Still, at least the victim can be reasonably confident that they will be given the needed decryption key—or will they? Reports have begun to surface of “boneidleware,” malware that emulates ransomware and elicits payment, but deletes data rather than encrypting it, leaving paid-up victims empty-handed. Refusing to pay can be even worse. IT must respond quickly by shutting off systems and networks to prevent ransomware from spreading—a considerable disruption—and restoring encrypted data from the most recent backup. Even then, the encrypted data still remains in the hands of the hacker, who will doubtless punish the uncooperative victim and aim to monetize the attack another way through its sale or leak. The traditional approach for mitigating ransomware revolves around user education, antimalware, frequent backups—and keeping a supply of Bitcoin on hand just in case. These are sensible measures, but they’re not nearly enough, as proven by numerous spectacular failures. What’s needed is a more robust, systems-level approach designed to keep data out of harm’s way entirely. Citrix has long helped customers secure their apps, data and systems against attack through a more secure architecture complemented with robust technologies for secure access control, secure mobility, data protection, risk management and business continuity. As the threat of ransomware continues to grow, Citrix provides solutions and best practices to help prevent breaches, and to ensure that data remains available in the event that an attack does occur. We strongly recommend the four following components of the Citrix Workspace as essential methods of a complete enterprise strategy for security and data protection.
Four ways to kidnap-proof your data 1. Publish virtualized, sandboxed and hardened browsers Browsers serve as the front end for modern applications across web, cloud, mobile and embedded platforms, making them a prime attack vector. A user’s computer can become infected simply by visiting a site that hosts malware disguised as a download or plugin update, coded in active content, or even silently embedded in an image or video. Browser virtualization provides an abstracted architecture to insulate business data and corporate networks from web-based malware such as ransomware. By using Citrix XenApp to run a hosted browser, IT can introduce a layer between the corporate environment and the Internet to shield the trusted computer and its data from attack. The virtualized browser also keeps sensitive data off the endpoint. As a further step, IT can isolate the browser through containerization or sandboxing. All web usage, including hyperlinks in emails and social media apps, are redirected to open in a onetime-use virtual browser within the container or sandbox. This browser instance does not have access to other applications, the endpoint, file shares or other sensitive resources, limiting the Citrix.com | White Paper | Ransomware: Four Ways to Protect Data Now 4 reach of ransomware to the current browser session. As a result, no data beyond the current browser session is vulnerable to third-party encryption, and the malware used to deliver the attack will not penetrate the rest of the enterprise environment or persist beyond the current session. Content inspection, whitelisting and other security measures can also be integrated with the isolated browser to reduce the risk of ransomware and other forms of malware. Use case-specific browsers allow further hardening against infection, reducing the attack surface for illicit software. By configuring a separate virtual browser for each application and use case, IT can disable extraneous settings, unnecessary active content and other capabilities not currently required, such as Flash, Silverlight or Java. As an added benefit, multiple browsers such as Internet Explorer and Chrome can be published, and multiple versions can be maintained as needed by specific applications. 2. Publish a virtualized, sandboxed, and hardened email client Similar to the publication of hosted browsers, IT can use XenApp to deliver a virtual email client to protect against infection via email links and attachments. This can be either a traditional native client such as Microsoft Outlook, or web-based email including Google Gmail and Microsoft Office 365. Publishing the email client ensures that all required security settings are configured and consistent for all users and specific to use cases. Antivirus, DLP (data leakage protection), whitelisting and other technologies are integrated with the published email application and are therefore not endpoint-dependent or limited. Only the pixels representing the email app are sent to the endpoint, not actual messages, attachments or other data, ensuring that ransomware does not infect the user’s computer and thus gain a foothold within the enterprise environment for further penetration and attack. 3. Protect mobile devices against attack with containerization As mobile devices become ubiquitous in the enterprise, they also become a prime attack vector for ransomware and other malware—especially when both personal and business apps are used on the same device.
To prevent infection, IT can use Citrix XenMobile to create a separate container on the smartphone or tablet for business data and corporate apps, making it possible to centralize management, security and control for apps as well as data and settings without interfering with any personal content on the device. For example, IT can define contextual security policies that provide access only in approved scenarios to reduce exposure to malware. Whitelists and blacklists can prevent the installation of known malicious apps on the device, including those known to deliver ransomware. Similarly, XenMobile checks to ensure that the device has not been jailbroken or rooted to allow the installation of pirated or non-validated apps, a common vector for malware designed to acquire super admin status. Non-compliant devices are blocked prior to enrollment, ensuring that any ransomware or other malware they may contain will not enter the corporate network. To keep pace with constantly changing malware definitions and security trends, and protect devices proactively against any ransomware, malicious app or profile, XenMobile natively integrates with security vendors such as Skycure, Palo Alto Networks and Zimperium. 4. Provide a secure and robust enterprise data sync and sharing service The rise of ransomware is a stark reminder of the critical importance of data. When users can’t access their files, work comes to a halt—customers can’t be served, development and production can’t proceed, and the business simply can’t function. An enterprise data sync and sharing service like Citrix ShareFile can help keep data out of reach of ransomware without impeding productivity. Instead of being stored on a local device or network drive, data can be stored, managed, secured and accessed elsewhere—while still appearing as if it resides locally from the user’s perspective for optimal convenience and ease of use. For added protection, organizations should take steps to ensure that clean, up-to-date data will always remain available no matter what happens.
In the event a file is encrypted by ransomware, IT can revert to the most recent uncompromised version, eliminating the need for a hacker’s decryption key. Both protecting data against attack and ensuring that an uncompromised version of data is always available, ShareFile provides multilayered protection against ransomware and other malware. Proven protection Citrix customers are already using these methods to avoid the damage and disruption of ransomware. One healthcare industry IT leader reports that he has already counteracted numerous ransomware attacks through the secure Citrix architecture in place. “We probably see at least one ransomware attack a week of some kind or another, and 99.99 percent of the time, we have been successful in containing that to just the workstation.” The organization simply swaps in a newly imaged hard drive for the workstation and restores its data from an enterprise file sync and sharing service, and work proceeds as usual. In this case, the users in question are doctors and other medical professionals for whom access to data can literally be a matter of life and death. The Citrix approach to ransomware protection keeps hackers from holding the organization and its patients hostage—so the delivery of care can continue. Conclusion Ransomware is one of the most serious security threats organizations face today, and calls for an equally robust response—well beyond simply cautioning users about suspicious links. Citrix recommends a multilayered approach designed to reduce exposure to ransomware attacks, as well as to recover encrypted data more quickly and effectively. Citrix supports this approach through Citrix Workspace solutions, providing an integrated and flexible framework to secure apps, data and the network from infection by malware of all kinds. By publishing virtual web browsers and email clients with Citrix XenApp, IT can isolate endpoints from the corporate network and ensure that infected hosts are unable to further spread ransomware and place more of the organization’s data at risk. Citrix XenMobile enables secure mobility through containerization to protect data on smartphones and tablets. Citrix ShareFile captures versions of files in real time to ensure that a clean version is always available to replace a file that has been encrypted by ransomware. In this way, IT can protect the business and its data, minimize disruptions and avoid rewarding hackers for their illicit activity. To learn more, please visit citrix.com/secure. About Citrix Secure Digital Workspaces Only a Citrix Workspace offers a truly integrated solution to enable people to securely access their apps, desktops and data from anywhere. The Citrix digital workspace includes end user computing and networking technologies that are industry-recognized leaders in their individual categories. You can rely on Windows app security and delivery from XenApp, high performance virtual desktops from XenDesktop, mobile productivity apps and device security from XenMobile, secure data sync and share with ShareFile, and network security with NetScaler. The Citrix Workspace can be delivered on-premises through Citrix Workspace Suite, or as a full cloudbased solution through Citrix Workspace Service
Citrix solutions enable four highly effective measures for reducing your exposure to ransomware and keeping your apps and data accessible to authorized users—not hackers and their clients. Virtualization, enterprise mobility management and enterprise file synchronization make it possible to insulate computers, tablets, smartphones and other endpoints against ransomware infection, and to recover quickly in the event of a breach. • Shield users of web apps from infection and keep sensitive data off the endpoint by publishing virtualized, sandboxed and hardened browsers rather than relying on the locally installed, over-configured and over-connected browser. • Prevent email-borne ransomware from compromising the endpoint by publishing a virtualized, sandboxed and hardened email client. • Protect mobile devices against attack with measures including containerization, encryption, blacklists and whitelists, and device compliance checks • Ensure the rapid recovery of ransomware-encrypted data with a secure and robust enterprise file sync and sharing service. Data taken hostage—a crime that pays handsomely Recent years have seen the Internet swarmed with more than 50 variants of ransomware with names like Locky, KeRanger, Cryptolocker, CryptoWall and TeslaCrypt. Initially targeting consumers, these scripts increasingly target victims with highly sensitive, high-value data such as healthcare, banking, legal and finance organizations. Once activated by an unwitting user, the ransomware calls home to a command-and-control server to acquire a unique, randomly created AES encryption key, then applies it to critical files found on local, network and cloud-connected drives. At that point, this data is entirely under the control of the hacker, who demands the prompt payment of a ransom to recover it or prevent its disclosure. This amount may range from hundreds of dollars for individual consumers to many thousands for a business. Payments are often demanded in Bitcoin, further complicating a business response. Citrix.com | White Paper | Ransomware: Four Ways to Protect Data Now 3 As an illicit business model, ransomware is as effective as it is simple, reportedly earning hundreds of million of dollars for the Cryptowall script alone. For the victim organization, recovering access to data and systems can literally be a matter of life and death, as in the case of a hospital where electronic medical records (EMR) as well as the systems responsible for CT scans, documentation, lab work and pharmacy functions have been rendered unavailable. Targeted companies in every industry, including education, utilities, retail, finance and government, face dire consequences as well, including losing access to core business functions such as email and payroll; the customer information to deliver services; and the production data on which operations depend.
Even without the countdown timer displayed by most ransomware, the urgency of a response is all too clear. Paying the ransom, typically in Bitcoin through a self-service process, is an unappealing prospect; doing so incurs a cost, rewards criminal activity and strengthens the incentive for such attacks throughout the industry. Still, at least the victim can be reasonably confident that they will be given the needed decryption key—or will they? Reports have begun to surface of “boneidleware,” malware that emulates ransomware and elicits payment, but deletes data rather than encrypting it, leaving paid-up victims empty-handed. Refusing to pay can be even worse. IT must respond quickly by shutting off systems and networks to prevent ransomware from spreading—a considerable disruption—and restoring encrypted data from the most recent backup. Even then, the encrypted data still remains in the hands of the hacker, who will doubtless punish the uncooperative victim and aim to monetize the attack another way through its sale or leak. The traditional approach for mitigating ransomware revolves around user education, antimalware, frequent backups—and keeping a supply of Bitcoin on hand just in case. These are sensible measures, but they’re not nearly enough, as proven by numerous spectacular failures. What’s needed is a more robust, systems-level approach designed to keep data out of harm’s way entirely. Citrix has long helped customers secure their apps, data and systems against attack through a more secure architecture complemented with robust technologies for secure access control, secure mobility, data protection, risk management and business continuity. As the threat of ransomware continues to grow, Citrix provides solutions and best practices to help prevent breaches, and to ensure that data remains available in the event that an attack does occur. We strongly recommend the four following components of the Citrix Workspace as essential methods of a complete enterprise strategy for security and data protection.
Four ways to kidnap-proof your data 1. Publish virtualized, sandboxed and hardened browsers Browsers serve as the front end for modern applications across web, cloud, mobile and embedded platforms, making them a prime attack vector. A user’s computer can become infected simply by visiting a site that hosts malware disguised as a download or plugin update, coded in active content, or even silently embedded in an image or video. Browser virtualization provides an abstracted architecture to insulate business data and corporate networks from web-based malware such as ransomware. By using Citrix XenApp to run a hosted browser, IT can introduce a layer between the corporate environment and the Internet to shield the trusted computer and its data from attack. The virtualized browser also keeps sensitive data off the endpoint. As a further step, IT can isolate the browser through containerization or sandboxing. All web usage, including hyperlinks in emails and social media apps, are redirected to open in a onetime-use virtual browser within the container or sandbox. This browser instance does not have access to other applications, the endpoint, file shares or other sensitive resources, limiting the Citrix.com | White Paper | Ransomware: Four Ways to Protect Data Now 4 reach of ransomware to the current browser session. As a result, no data beyond the current browser session is vulnerable to third-party encryption, and the malware used to deliver the attack will not penetrate the rest of the enterprise environment or persist beyond the current session. Content inspection, whitelisting and other security measures can also be integrated with the isolated browser to reduce the risk of ransomware and other forms of malware. Use case-specific browsers allow further hardening against infection, reducing the attack surface for illicit software. By configuring a separate virtual browser for each application and use case, IT can disable extraneous settings, unnecessary active content and other capabilities not currently required, such as Flash, Silverlight or Java. As an added benefit, multiple browsers such as Internet Explorer and Chrome can be published, and multiple versions can be maintained as needed by specific applications. 2. Publish a virtualized, sandboxed, and hardened email client Similar to the publication of hosted browsers, IT can use XenApp to deliver a virtual email client to protect against infection via email links and attachments. This can be either a traditional native client such as Microsoft Outlook, or web-based email including Google Gmail and Microsoft Office 365. Publishing the email client ensures that all required security settings are configured and consistent for all users and specific to use cases. Antivirus, DLP (data leakage protection), whitelisting and other technologies are integrated with the published email application and are therefore not endpoint-dependent or limited. Only the pixels representing the email app are sent to the endpoint, not actual messages, attachments or other data, ensuring that ransomware does not infect the user’s computer and thus gain a foothold within the enterprise environment for further penetration and attack. 3. Protect mobile devices against attack with containerization As mobile devices become ubiquitous in the enterprise, they also become a prime attack vector for ransomware and other malware—especially when both personal and business apps are used on the same device.
To prevent infection, IT can use Citrix XenMobile to create a separate container on the smartphone or tablet for business data and corporate apps, making it possible to centralize management, security and control for apps as well as data and settings without interfering with any personal content on the device. For example, IT can define contextual security policies that provide access only in approved scenarios to reduce exposure to malware. Whitelists and blacklists can prevent the installation of known malicious apps on the device, including those known to deliver ransomware. Similarly, XenMobile checks to ensure that the device has not been jailbroken or rooted to allow the installation of pirated or non-validated apps, a common vector for malware designed to acquire super admin status. Non-compliant devices are blocked prior to enrollment, ensuring that any ransomware or other malware they may contain will not enter the corporate network. To keep pace with constantly changing malware definitions and security trends, and protect devices proactively against any ransomware, malicious app or profile, XenMobile natively integrates with security vendors such as Skycure, Palo Alto Networks and Zimperium. 4. Provide a secure and robust enterprise data sync and sharing service The rise of ransomware is a stark reminder of the critical importance of data. When users can’t access their files, work comes to a halt—customers can’t be served, development and production can’t proceed, and the business simply can’t function. An enterprise data sync and sharing service like Citrix ShareFile can help keep data out of reach of ransomware without impeding productivity. Instead of being stored on a local device or network drive, data can be stored, managed, secured and accessed elsewhere—while still appearing as if it resides locally from the user’s perspective for optimal convenience and ease of use. For added protection, organizations should take steps to ensure that clean, up-to-date data will always remain available no matter what happens.
In the event a file is encrypted by ransomware, IT can revert to the most recent uncompromised version, eliminating the need for a hacker’s decryption key. Both protecting data against attack and ensuring that an uncompromised version of data is always available, ShareFile provides multilayered protection against ransomware and other malware. Proven protection Citrix customers are already using these methods to avoid the damage and disruption of ransomware. One healthcare industry IT leader reports that he has already counteracted numerous ransomware attacks through the secure Citrix architecture in place. “We probably see at least one ransomware attack a week of some kind or another, and 99.99 percent of the time, we have been successful in containing that to just the workstation.” The organization simply swaps in a newly imaged hard drive for the workstation and restores its data from an enterprise file sync and sharing service, and work proceeds as usual. In this case, the users in question are doctors and other medical professionals for whom access to data can literally be a matter of life and death. The Citrix approach to ransomware protection keeps hackers from holding the organization and its patients hostage—so the delivery of care can continue. Conclusion Ransomware is one of the most serious security threats organizations face today, and calls for an equally robust response—well beyond simply cautioning users about suspicious links. Citrix recommends a multilayered approach designed to reduce exposure to ransomware attacks, as well as to recover encrypted data more quickly and effectively. Citrix supports this approach through Citrix Workspace solutions, providing an integrated and flexible framework to secure apps, data and the network from infection by malware of all kinds. By publishing virtual web browsers and email clients with Citrix XenApp, IT can isolate endpoints from the corporate network and ensure that infected hosts are unable to further spread ransomware and place more of the organization’s data at risk. Citrix XenMobile enables secure mobility through containerization to protect data on smartphones and tablets. Citrix ShareFile captures versions of files in real time to ensure that a clean version is always available to replace a file that has been encrypted by ransomware. In this way, IT can protect the business and its data, minimize disruptions and avoid rewarding hackers for their illicit activity. To learn more, please visit citrix.com/secure. About Citrix Secure Digital Workspaces Only a Citrix Workspace offers a truly integrated solution to enable people to securely access their apps, desktops and data from anywhere. The Citrix digital workspace includes end user computing and networking technologies that are industry-recognized leaders in their individual categories. You can rely on Windows app security and delivery from XenApp, high performance virtual desktops from XenDesktop, mobile productivity apps and device security from XenMobile, secure data sync and share with ShareFile, and network security with NetScaler. The Citrix Workspace can be delivered on-premises through Citrix Workspace Suite, or as a full cloudbased solution through Citrix Workspace Service