Gearing up to Fight Ransomware Attacks

by Abhishek Rai
10.05.2017   Ransomware

What can we learn from recent ransomware attacks
In 2017 alone, hundreds of thousands of computers across the globe have been affected by ransomware attacks, draining enterprises of millions of dollars. Those who have been affected all offer the same advice: protect yourself before it happens to you! While you may already be using anti-ransomware software, researchers have identified several new ransomware threats that your security software may not be equipped to fight (Ovidiy Stealer, Hackshit, Satan and Cerber, to name a few). So, what can we learn from the most prominent ransomware attacks of 2017?

Recent ransomware attacks

A couple of ransomware attacks that were prominent recently are WannaCry and Petya (or NotPetya).

The WannaCry ransomware worked by encrypting data and threatening to delete records and files from the infected systems. Not long after the WannaCry fallout, Petya hit the US and European markets. This attack was even graver by some accounts because, unlike its predecessor, it did not have a “kill switch.”

What is the solution? Security experts who have experience in dealing with such cases suggest that, as a first step, organizations should apply security patches to their Windows operating systems. Without this, it is just a matter of time before another ransomware attack spreads. Based on these recent attacks, I’ve outlined five practical, actionable tips you can follow to stop similar strains of ransomware from spreading through and crippling your environment.

Five tips to secure your organization from ransomware attacks

1. Have restoration capability

Even with the most advanced security measures in place, you can never completely defend against ransomware. If malware sneaks through your cyber security, your best bet is to have a stringent backup policy in place so that you can restore data (even if it is corrupted, stolen or is under siege). For more sensitive data, have a secondary backup in place (preferably cloud storage).

2. Monitor data flow

Continuously monitor data flow to see how files and folders move around your network or leave the corporate domain. Though this will not prevent an attack, you will be able to respond to it quicker if you can catch it early.

3. Educate users

Train users about the dangers of phishing attacks. In the past, many breaches have happened through phishing emails. Training on this threat must be a regular occurrence. The more you train users about the possibilities of phishing attempts and the ensuing business losses, the smaller the chance that someone will fall prey to one.

4. Use the latest and best-in-class defense utilities

Purchase the latest antivirus solution that goes beyond signature-based detection techniques to incorporate behavior monitoring. Those who have opted for signature-based detection tools must keep updating their software, as a simple rescan after a software update can mitigate many of the threats.

5. Use multi-factor authentication tools

Many ransomware attacks originated from stolen login credentials. Multi-factor authentication software is a security system that uses more than one type of authentication to establish the users’ identity. Used correctly, it can make it near impossible to break into an administrative account.

Using LepideAuditor to fight ransomware

You can use LepideAuditor to instantly audit Active Directory, Group Policy, Exchange Server, Windows File Systems and NetApp Filer configuration changes. The solution will enable you to detect the spread of ransomware attacks in your network via real-time and threshold alerts. Here’s a bit more detail about how LepideAuditor can specifically help you detect and prevent the spread of ransomware:

Secure Group Policies

LepideAuditor can help you track important Group Policy changes, such as changes to software restriction and password policies. It can send both real-time and threshold-based alerts when important changes are detected, and it allows you to restore an entire Group Policy Object in just a few clicks.

Figure 1: Group policy changes

Spot unusual changes instantly

Ransomware attacks usually cause suspicious changes, particularly to files and folders. If such changes go undetected, then it is too late to do anything about them. For example, in the WannaCry attack of May 2017, the ransomware encrypted critical files and appended a new suffix to their extensions, leaving them hidden and encrypted. LepideAuditor scans your entire network for such suspicious changes and sends you real-time alerts. The following image shows the file rename report in LepideAuditor, which allows you to detect such changes.

Figure 2: Real-time alerts for important changes
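The rename pattern described above (many files renamed to a new suffix by one account in a short time) is what a threshold alert on file-rename events is built to catch. The following is an added example written for this article, not LepideAuditor code: it takes file-server audit events as (timestamp, user, operation, old path, new path) tuples, ignores renames that keep the same extension, and raises one alert per user once the number of extension-changing renames inside a sliding window crosses a threshold. The sample events, user names, share paths and the `.locked` suffix are all constructed for the demonstration; real families use their own suffixes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath  # Windows path handling works on any host

# Constructed sample file-server audit events; they are not LepideAuditor output.
# Each tuple is (timestamp, user, operation, old path, new path).
SAMPLE_EVENTS = [
    ("2017-05-12T09:00:01", "alice", "RENAME", r"\\fs01\finance\q1.xlsx",    r"\\fs01\finance\q1.xlsx.locked"),
    ("2017-05-12T09:00:02", "alice", "RENAME", r"\\fs01\finance\q2.xlsx",    r"\\fs01\finance\q2.xlsx.locked"),
    ("2017-05-12T09:00:02", "bob",   "RENAME", r"\\fs01\hr\report.docx",     r"\\fs01\hr\report_final.docx"),
    ("2017-05-12T09:00:04", "alice", "RENAME", r"\\fs01\finance\q3.xlsx",    r"\\fs01\finance\q3.xlsx.locked"),
    ("2017-05-12T09:00:05", "alice", "RENAME", r"\\fs01\finance\notes.txt",  r"\\fs01\finance\notes.txt.locked"),
    ("2017-05-12T09:00:07", "alice", "WRITE",  r"\\fs01\finance\README.txt", r"\\fs01\finance\README.txt"),
    ("2017-05-12T09:00:09", "alice", "RENAME", r"\\fs01\finance\plan.pdf",   r"\\fs01\finance\plan.pdf.locked"),
    ("2017-05-12T09:05:00", "carol", "RENAME", r"\\fs01\it\old.log",         r"\\fs01\it\old.log.bak"),
    ("2017-05-12T09:20:00", "carol", "RENAME", r"\\fs01\it\old2.log",        r"\\fs01\it\old2.log.bak"),
]


def extension_changed(old_path, new_path):
    """True when a rename replaced or appended the file extension (case-insensitive)."""
    old_ext = ntpath.splitext(old_path)[1].lower()
    new_ext = ntpath.splitext(new_path)[1].lower()
    return old_ext != new_ext


def detect_mass_renames(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per user whose extension-changing renames reach `threshold`
    within any `window`-long span. Ordinary renames (same extension) are ignored."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, new extension)
    alerted = set()              # users already alerted for the current burst
    alerts = []
    for ts_str, user, op, old, new in sorted(events, key=lambda e: e[0]):
        if op != "RENAME" or not extension_changed(old, new):
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, ntpath.splitext(new)[1].lower()))
        # Drop renames that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "count": len(q),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "new_extension": q[-1][1],
            })
        elif len(q) < threshold:
            alerted.discard(user)  # burst is over; a new one may alert again
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_renames(SAMPLE_EVENTS):
        print(alert)
```

In the sample, only `alice` trips the rule: five extension-changing renames in eight seconds. `bob`'s rename keeps the `.docx` extension and is not counted, and `carol`'s two `.bak` renames are fifteen minutes apart, so they never share a window. Tune `threshold` and `window` against the baseline of legitimate bulk renames in your environment (migrations, archival jobs) so that the alert fires on the burst, not on the housekeeping.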

Ability to restore unwanted changes

Once you’ve detected the ransomware attack, the next step is to be able to restore the unwanted IT configuration changes. With LepideAuditor, you can capture state snapshots of both Active Directory Objects and Group Policy Objects. Use the Lepide Object Restore Wizard to restore the objects’ state to a previously dated snapshot.

Figure 3: LepideAuditor restore wizard
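Both the Group Policy tracking described under "Secure Group Policies" and the snapshot-based restore described in this section rest on the same idea: keep dated copies of a policy object, diff the live object against the last known-good copy, and roll back to a chosen point in time. The following is an added example written for this article, not LepideAuditor's or Microsoft's code; it models a Group Policy Object as a plain settings dictionary with illustrative key names (not the real GPO schema), flags changes to settings that an attacker typically weakens as "critical", and restores to the most recent snapshot at or before a requested restore point. The baseline values and the tampering scenario are constructed.

```python
from copy import deepcopy
from datetime import datetime

# Constructed, Group Policy-like settings. The key names are illustrative stand-ins,
# not the real GPO schema, and the values are an assumed baseline.
BASELINE_POLICY = {
    "MinimumPasswordLength": 14,
    "PasswordComplexity": True,
    "LockoutThreshold": 5,
    "SoftwareRestrictionPolicy": "Enforced",
    "AllowedExecutablePaths": ["C:\\Program Files", "C:\\Windows"],
}

# Settings whose weakening should raise a real-time alert rather than sit in a report.
CRITICAL_KEYS = {"SoftwareRestrictionPolicy", "PasswordComplexity", "MinimumPasswordLength"}


class PolicySnapshotStore:
    """Keeps dated, immutable copies of a policy object for later comparison and restore."""

    def __init__(self):
        self._snapshots = []  # list of (taken_at, deep copy of settings)

    def snapshot(self, settings, taken_at):
        self._snapshots.append((taken_at, deepcopy(settings)))

    def latest_at_or_before(self, when):
        """Most recent snapshot taken at or before `when`, or None if there is none."""
        candidates = [s for s in self._snapshots if s[0] <= when]
        return max(candidates, key=lambda s: s[0]) if candidates else None


def diff_policy(old, new):
    """List every changed setting as (key, old_value, new_value, severity)."""
    changes = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            severity = "critical" if key in CRITICAL_KEYS else "info"
            changes.append((key, old.get(key), new.get(key), severity))
    return changes


def restore_policy(store, current, restore_point):
    """Return the settings as of `restore_point` plus the changes that reverting undoes."""
    snap = store.latest_at_or_before(restore_point)
    if snap is None:
        raise ValueError("no snapshot exists at or before %s" % restore_point.isoformat())
    restored = deepcopy(snap[1])
    return restored, diff_policy(current, restored)


def run_scenario():
    """Baseline snapshot, tampering, detection, restore: returns what each step produced."""
    store = PolicySnapshotStore()
    store.snapshot(BASELINE_POLICY, datetime(2017, 5, 11, 18, 0))

    # Constructed tampering: software restrictions switched off, the password
    # length floor lowered, and a user-writable path added to the allow list.
    tampered = deepcopy(BASELINE_POLICY)
    tampered["SoftwareRestrictionPolicy"] = "NotConfigured"
    tampered["MinimumPasswordLength"] = 6
    tampered["AllowedExecutablePaths"].append("C:\\Users\\Public")

    detected = diff_policy(BASELINE_POLICY, tampered)
    restored, reverted = restore_policy(store, tampered, datetime(2017, 5, 12, 9, 0))
    return {"detected": detected, "restored": restored, "reverted": reverted}


if __name__ == "__main__":
    result = run_scenario()
    for key, old, new, severity in result["detected"]:
        print("%-8s %s: %r -> %r" % (severity.upper(), key, old, new))
    print("restored to baseline:", result["restored"] == BASELINE_POLICY)
```

Two design points carry over to any real implementation: snapshots are deep copies taken before the change, so a later mutation of the live object cannot quietly alter the "known good" record, and the restore path reports what it is about to undo, which is the list a responder needs to confirm the rollback does not also revert a legitimate change made after the snapshot.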

If you’re one of the many organizations that are looking into ransomware protection options after the WannaCry and Petya attacks, then the best place to start is by strengthening your network.

If your security measures already include plans for fighting off ransomware attacks, then you must do a risk exposure analysis, strengthen defense measures, enhance detection capabilities and do some additional threat modelling. Cloud security is another option that you can consider.

If you use Active Directory, Group Policy, Exchange, File Server or NetApp Filers, then you can start with LepideAuditor.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2017 Lepide Software Private Limited. All trademarks acknowledged.