Ransomware is a severe, growing threat facing organizations of all sizes. More so than in other attacks, preparing for ransomware attacks in advance can dramatically reduce the damage done. Read on to understand the ransomware threat, and discover a four-step plan to comprehensively protect your organization against ransomware.
This is part of our series of articles about ransomware protection.
What are Common Types of Ransomware?
There are several variations on the ransomware model. The classic type is encrypting ransomware that locks access to files on an endpoint.
Other types include screen-locking ransomware that locks users out of a computer, sometimes claiming that the computer was locked by the authorities, and doxware which threatens to share a user’s public information publicly if a ransom is not paid.
The following are common malware kits used to conduct ransomware attacks:
- Cerber— a “ransomware as a service” platform, which attackers can use to carry out attacks, splitting the ransom with the creator. It is relatively new but has already affected millions of users. It targets cloud-based Office 365 users through phishing techniques.
- Locky — a ransomware that spreads via email messages, typically disguised as an invoice. The user is instructed to enable macros and if they comply, the ransomware starts encrypting files.
- WannaCry — the first ransomware to come with a propagation mechanism based on EternalBlue, an exploit of a Windows file protocol. It infected over 230,000 computers in one day, including major organizations such as the UK National Health Service, FedEx and Deutsche Bahn.
- CryptoLocker — distributed as an attachment to an email supposedly sent by a reputable company, containing an executable disguised as a PDF file. CryptoLocker was also spread using the Gameover ZeuS Trojan.
There are many more ransomware kits including CryptoWall, the FBI Virus and TeslaCrypt. Each of these has spun off thousands of variants.
Are you a Potential Target for a Ransomware Attack?
Here are several factors that might make you a potential target of ransomware attacks:
- Using old devices
- Using devices with outdated software
- Using operating systems and browsers that are not being patched anymore
- Not having an effective backup plan
- Not having a concrete cyber security plan or proper security measures in place
Even one of the above factors is a significant risk that may make you a target of a ransomware attack.
4-Step Plan for Ransomware Prevention
The best way to deal with ransomware is to prevent it from infecting your systems and preparing measures to prevent damage if you are infected. Here are preventive measures you can take to help at each stage of a ransomware attack: pre-execution, post-execution but pre-damage, damage, and post-damage.
1. Educate Users to Prevent Infections
Here are several practices that can help end users prevent infections:
- Never click on unsafe links – end users should not click on any link found in spam messages or any unknown website. If users do click on a malicious link, it could trigger an automatic download that may infect the device.
- Avoid disclosing personal information – end users may receive calls, text messages, or emails from untrusted sources. If these sources request any personal information, end users should not reply. Cybercriminals might try to collect this information, and then use it to customize phishing schemes specifically to the user. When in doubt as to the legitimacy of the message, the user should directly reach out to known contacts.
- Do not open suspicious email attachments – email attachments may contain ransomware. Users should avoid opening suspicious-looking attachments. To ensure an email is trustworthy, users should verify the sender is legitimate by validating the address is correct. In general, users should never open attachments that prompt them to run macros. If an attachment is infected, opening can run a malicious macro that provides malware with control over the device.
- Never use unknown USB sticks – users should never connect any storage media, including USB sticks, to a computer without validating that the source is trustworthy. Cybercriminals can infect storage mediums, placing it in a public place to trick users into connecting it to devices.
- Keep your programs and operating system up to date – users should constantly update operating systems and programs in order to protect against malware. Additionally, it is important to ensure users download the most recent security patches. This can make it difficult for cybercriminals to exploit vulnerable systems and applications.
- Use only known download sources – users can reduce the risk of ransomware downloads by never downloading any software or media files from unknown sites. Users should only use trustworthy and verified sites for downloads. Trustworthy websites, for example, usually use HTTPS encryption and portray a lock or shield symbol in the address bar of the browser.
- Use VPN services on public Wi-Fi networks – it is critical that users are aware of the risks of using public Wi-Fi networks and use these networks with due caution. A public network exposes devices to attacks. To remain protected, users can connect through a secure VPN or avoid public networks altogether.
2. Preventing Ransomware Pre-Execution
To prevent ransomware completely, follow these best practices:
- Deploy gateway defenses — firewall or Web Application Firewall (WAF), email protection and spam filtering, and Intrusion Prevention / Intrusion Detection Systems (IPS/IDS).
- Employee education and anti-phishing tests — train employees on the dangers of phishing and conduct regular drills to test if employees are alert and able to identify and avoid phishing attacks.
- Use next-generation antivirus (NGAV) — legacy antivirus software is a bare minimum. Leverage next-generation antivirus, which are capable of detecting and blocking malware even if it does not match a known signature.
- Use a CASB — Cloud Access Security Brokers (CASBs) can help manage the implementation of policies for your organization’s cloud infrastructure. CASB enhances visibility, compliance, data security and threat protection when protecting data.
- Sandbox testing — a common way for security analysts to test new or unrecognized files is to use a sandbox. The sandbox provides a safe environment for testing files while isolating them from a larger network.
- Off-site backups — to withstand ransomware attacks, you must store backups in an off-site location. You need to backup up regularly, keep multiple copies of backups, and ensure that backups are consistent and can be reliably restored. This is typically the best way to recover your data in case of an attack.
3. Stopping Ransomware Attacks at Runtime
To isolate a ransomware attack once it has already begun, prevent it from spreading and encrypting additional files, follow these best practices:
- Segment network access — ensure that your entire network is not compromised in a single attack.
- Use Endpoint Detection and Response (EDR) — EDR tools can detect anomalous behavior on an endpoint indicating a ransomware attack, quarantine the endpoint and lock down network access, and automatically stop malicious processes.
- Create an incident response plan — prepare an incident response plan specific to a ransomware attack scenario. Define who is responsible and what needs to be done in the first few minutes, hours and days after an attack. Train staff on the plan and ensure everyone knows what to do to minimize damage from an attack.
4. Recovering Quickly After an Attack Without Paying Ransom
To enable speedy recovery from future ransomware attacks, do the following:
- Forensic analysis — after ransomware is detected, it is necessary to examine the time and point of entry of ransomware into the environment to ensure that the ransomware has been completely removed from all devices.
- Ensure backup is working and operational — every organization should have a backup system, test yours and ensure it is working and backing up essential data at regular intervals.
- Set up a robust disaster recovery system — beyond backup, it is highly recommended to have a complete replica of your production environment in the cloud or in a geographically remote data center. This will allow you to fully recover production systems by discarding infected machines and switching operations to the replica.
- Decryptor and malware removal tools — prepare tools in advance that will help you remove ransomware from affected computers. There are decryptors available for many ransomware strains. Select a ransomware removal solution and practice, to ensure you can use it quickly and effectively if an attack strikes.
All-in-One Ransomware Protection with Cynet
Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:
- Pre-download—applies multiple mechanisms against exploits and fileless malware, which typically serves as a delivery method for the ransomware payload, preventing it from getting to the endpoint in the first place.
- Pre-execution prevention—applies machine-learning-based static analysis to identify ransomware patterns in binary files before they are executed.
- In runtime—employs behavioral analysis to identify ransomware-like behavior, and kill a process if it exhibits such behavior.
- Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known ransomware.
- Fuzzy detection—employs a fuzzy hashing detection mechanism to detect automated variants of known ransomware.
- Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of ransomware-like behavior.
- Decoy files—plants decoy data files on the hosts and applies a mechanism to ensure these are the first to be encrypted in a case of ransomware. Once Cynet detects that these files are going through encryption it kills the ransomware process.
- Propagation blocking—identifies the networking activity signature generated by hosts when ransomware is auto-propagating, and isolates the hosts from the network.
Learn more about how Cynet 360 can protect your organization against ransomware and other advanced threats.