How Modern Applications Nullify Ransomware

  • So we are having a discussion on security in another thread, and ransomware is of course discussed. And in the context of local admin privileges. This is interesting because I work in a space where ransomware is non-threatening because of modern software design so I thought that it should be discussed. This is also going on while we are having a discussion of office suites and it was mentioned that the widespread use of office documents was itself, archaic, and I should mention that, too.

    In the "old days", it was common for users to do the majority of their work from files. Literally using spreadsheets, word processors, and similar to do their jobs, and doing so requires that this data either reside locally on the users' machines or be locally accessible, such as through an SMB mapped drive. This "direct accessibility" means that ransomware, running with the same rights as the office suite or other tool, can encrypt any files that the office suite can use. Users are "directly accessing" the data storage layer and that's dangerous (and cumbersome).

    Modern software design (meaning the same as used by enterprise applications) can change this. It can be used to change office documents, but no one is really doing this yet (you can test this theory with locally installed NextCloud and CODE, but it is awkward). But office documents are rarely a good tool, just the tool that we have. Many, or most, businesses have standard work flows and even for single users or small numbers of users, modern design can protect them against ransomware.

    Imagine how SaaS applications on the web do not fear ransomware from their end users: the end user is abstracted from the raw data by the application itself. This can be, and often is, done for end user applications, too.

    It's becoming increasingly common in modern desktop apps to install as the administrator with a web server which runs automatically when the system boots, and to present a common web-based or API-based interface to the end user which is extremely fast, and does not require any Internet connection, but abstracts raw data through an application so that the end user is never working with or manipulating the underlying raw files. This has many benefits.

    Obvious benefits are that local apps and hosted apps become effectively transparent - users need not learn two separate things. Apps are also business and industry specific, not trying to use general tools for specific tasks.

    But the one that we are talking about here: ransomware. Ransomware works by gaining access to raw data files to encrypt them. In a modern app design, it is trivial (and expected) that the application will be installed to run in a different account (and not likely an admin account) from the end user(s). This allows for multiple users on a single machine to share data safely, allows for security isolation, makes it far easier for IT to maintain, and if users are not running as local administrators - makes ransomware have no effective way to access the data.

    Ransomware depends on old fashioned data access using office file formats. So much so that many ransomwares only affect those or target them. By avoiding their use, we can essentially nullify ransomware. Moving from a user-owned spreadsheet, to a locally hosted database can completely change how we approach and are concerned with ransomware.

    Ransomware is a modern threat to legacy infrastructure practices. Modern infrastructure is not without threats, but naturally avoids the majority of threats as bulk threats target low hanging fruit.

  • I agree.

    Ransomware naturally is only a threat to ransom files that are accessible by the context in which it runs, not necessarily the user. If the ransomware runs in the local system context, it can ransom pretty much any file on the local system. With the user context, it can ransom any file the user has access to (including all files if elevated and local admin), and any remotely accessible files via SMB file shares, for example.

    SaaS apps, where the data is ALSO abstracted by the SaaS app, do protect that data from ransomware on the end users' device.

    But this does require that all work be done this way and there aren't exceptions, or at least that those exceptions can be mitigated in other ways known to prevent ransomware, such as requiring scripts to be signed to be run locally, white-listing, File History, Windows Security, etc.

    So yeah, as long as all company data is basically abstracted by SaaS as you described, and this data isn't accessible other ways (and if it is, has things enabled like version control, as in Google Drive/OneDrive), you're basically ransomware-proof (from your side).
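The two posts above make the same point from different angles: what ransomware can encrypt is decided by the account context it runs in, and running the application (and its data) under a separate, non-user account takes the data out of that context. The following is an added example, not code from either poster, that makes the "blast radius" concrete by evaluating standard POSIX owner/group/other permission bits for a given principal over a file inventory. The principals (`alice`, `svc_app`, `root`), the two inventories (a legacy "user owns the spreadsheets, plus a group-writable SMB share" layout and a modern "service account owns the database, user goes through the app" layout), and all uids, gids, paths and modes are constructed for illustration. `blast_radius_here()` runs the same question against a real directory for the current process, using `os.access()`.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An account context a process (legitimate or not) can run in."""
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary groups


@dataclass(frozen=True)
class FileEntry:
    """Modelled file: owner uid, group gid, and permission bits only."""
    path: str
    uid: int
    gid: int
    mode: int


def can_write(p: Principal, f: FileEntry) -> bool:
    """POSIX write check: exactly one class (owner, group, other) applies."""
    if p.uid == 0:                      # root bypasses DAC entirely
        return True
    if p.uid == f.uid:                  # owner class is chosen even if it denies
        return bool(f.mode & stat.S_IWUSR)
    if f.gid in p.gids:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)


def blast_radius(p: Principal, inventory) -> list:
    """Paths a process running as `p` could overwrite (i.e. encrypt in place)."""
    return sorted(f.path for f in inventory if can_write(p, f))


def blast_radius_here(root: str) -> list:
    """Same question for the *current* process against a real directory tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.access(full, os.W_OK):
                hits.append(full)
    return sorted(hits)


# --- constructed principals (uids/gids are illustrative) ---
ALICE = Principal("alice", 1001, frozenset({1001, 2000}))   # 2000 = "staff"
SVC_APP = Principal("svc_app", 990, frozenset({990}))       # app service account
ROOT = Principal("root", 0, frozenset({0}))

# Legacy layout: the user owns her documents and is in the group that can
# write the SMB-exported finance share. Whatever runs as alice can hit both.
LEGACY = [
    FileEntry("/home/alice/Documents/budget.xlsx", 1001, 1001, 0o644),
    FileEntry("/srv/share/finance/ledger.xlsx", 0, 2000, 0o664),
    FileEntry("/srv/share/finance/policy.pdf", 0, 2000, 0o644),
]

# Modern layout: the locally installed app runs as svc_app and owns the data
# with 0600; alice only ever talks to the app's local API, never the files.
MODERN = [
    FileEntry("/var/lib/app/data.db", 990, 990, 0o600),
    FileEntry("/var/lib/app/attachments/invoice-1.pdf", 990, 990, 0o600),
    FileEntry("/etc/app/config.yml", 0, 0, 0o644),
]


if __name__ == "__main__":
    for label, inv in (("legacy", LEGACY), ("modern", MODERN)):
        for who in (ALICE, SVC_APP, ROOT):
            print(f"{label:7s} as {who.name:8s}: {blast_radius(who, inv)}")
```

Running it shows the asymmetry the thread describes: in the legacy layout a process in alice's context can overwrite both her own spreadsheet and the group-writable share, while in the modern layout the same context reaches nothing, and only the service account (or root, which is why the second post singles out elevation and local admin) can touch the database.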

  • @Obsolesce Something like 50% of our clients or more have all (effectively all) of their data this way. They might have one off files here and there, but super rare. Everything that they do comes down to databases and applications that display the data from them.

  • @scottalanmiller

    Whole article is great but the last 2 lines are 👍 👍

    Shame that NextCloud + OnlyOffice is not really there, I tried it when I was working with MSFF... definitely interesting but needs some time.