When discussing ways to prevent ransomware, people frequently cite educating employees about how to identify and report suspicious emails as the most effective approach to ransomware prevention.
Since employees are our first line of defense, and are typically the weakest link, there is some truth to this approach. The problem, however, is that unlike computers, which in most cases perform as instructed, people make mistakes. And all it takes is one moment of weakness to bring your entire IT system to its knees.
In other words, security awareness training is very important, but it cannot be relied on to prevent ransomware attacks. We also need automated solutions that can detect and respond to suspicious activity, round-the-clock, and in real-time.
What is Ransomware?
Ransomware is a form of malware that encrypts data on a victim’s device, and then tries to extort them by demanding a ransom payment, usually in Bitcoin, in order to get the decryption key needed to retrieve the data. Most ransomware attacks arrive via emails masquerading as trusted entities, which prompt the user to download a malicious attachment or click on a link to a malicious website.
How Ransomware works
As mentioned previously, most ransomware attacks arrive via email, and assuming the victim opens the email, downloads, and executes the attachment, the following stages will typically unfold:
Stage 1 – Reconnaissance
Most sophisticated strains of ransomware will carry out reconnaissance activities in order to identify vulnerabilities and spread to other systems. Such activities may include looking for open shares, sensitive data, backups, inactive user accounts, and Bitcoin wallets to steal. Some strains will try to delete files associated with the Windows Volume Shadow Copy Service, in order to make it harder for the victim to retrieve their data once encrypted.
Stage 2 – Backdoors
The ransomware script will attempt to establish a communication channel with the attacker’s Command & Control (C&C) server in order to obtain the encryption key, and possibly extract copies of the victim’s data before starting the encryption process.
Stage 3 – Encryption
Once the encryption key has been obtained, the script will begin encrypting the files on the victim’s local machine, and, if possible, spread to other systems.
Stage 4 – Extortion
Once the files have been encrypted, the victim will be presented with a ransom note informing them that their data has been encrypted (and possibly stolen) and they must pay a ransom to get their files back. The ransom amount is usually denominated in US dollars, although the payment will be made in Bitcoin. The ransom note will usually contain instructions on how to buy and send Bitcoin.
It is important to bear in mind that even if you pay the ransom, there’s no guarantee that the attackers will give you the decryption key, and there’s no way to know what they will do with your data. This is precisely the reason why prevention is better than a cure.
Types of Ransomware
While more advanced and varied strains of ransomware continue to evolve, below are the main types of ransomware we see today:
Crypto-ransomware
This is the most common type of ransomware and is where the script encrypts the victim’s data, and then demands a payment for the decryption key.
Locker ransomware
This is where the script locks the victim out of their system, and then presents them with a ransom note. Unlike crypto-ransomware, locker ransomware doesn’t encrypt the victim’s data.
Scareware
As you may have guessed, scareware is designed to scare the victims into downloading the ransomware program and paying the ransom. Scareware usually appears in the form of a pop-up box, containing a threatening message.
Leakware
This type of ransomware is similar to the “double extortion” technique, in that it extracts copies of the victim’s data and then threatens to expose the data to the public if they refuse to pay. Entities that deal with large amounts of confidential data are particularly exposed to the risk of leakware. It’s worth noting that we are now seeing “triple extortion” techniques being used, which is where DDoS attacks are thrown in for good measure.
Ransomware As a Service (RaaS)
RaaS is not so much a type of ransomware, but a way of distributing it. RaaS is essentially an affiliate network that provides even the most novice hackers with the tools they need to launch their own attacks. The RaaS provider will typically keep a commission on any successful exploits.
Best Practices to Prevent Ransomware Attacks
Below are some of the best practices for preventing ransomware attacks.
Provide security awareness training
While by no means a fool-proof approach, regular security awareness training is still very necessary for preventing ransomware attacks.
Use anti-virus software
Many sophisticated strains of ransomware are able to bypass most AV solutions. That said, you still need them to block strains that are well known.
Use endpoint protection solutions
You will need to use endpoint protection solutions, such as firewalls, IDPS, DLP, and SIEM solutions, in order to monitor and block suspicious inbound and outbound network traffic. You will also need to keep track of any spikes in disk activity and poor system performance.
Take regular backups
Make sure that you take regular backups and try to store them off-network. When you need to restore a backup, it is a good idea to test it beforehand, and if possible, restore the backup off-line to limit the possibility of infection.
Segment your network
By adopting a zero-trust policy you can segregate parts of your network to help prevent attacks from moving laterally to other systems.
Monitor user behavior
You will need to monitor user activity for anything suspicious. This might include the creation of new accounts, especially privileged accounts. You will also need to look out for the installation of unauthorized software, access to backups, accounts being accessed at irregular times, emails sent outside the network, etc.
Set up threshold alerting
Consider adopting a real-time auditing solution that can detect and respond to events that match a pre-defined threshold condition. For example, if x number of files were copied or encrypted within a given time-frame, a custom script can be executed to prevent the attack from spreading. This might include disabling accounts, stopping certain processes, shutting down affected systems, changing the firewall settings, and so on.
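The threshold logic described above, as an added example in Python that is not Lepide’s code: it replays constructed file-activity log lines, counts write and rename events per account inside a sliding time window, and raises an alert once the count reaches the threshold. The log format, account names and the response actions are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-activity log (not real audit data): "<timestamp> <account> <action> <path>"
SAMPLE_LOG = r"""
2024-03-01T09:00:01 alice read \\fs01\finance\budget.xlsx
2024-03-01T09:00:05 alice modify \\fs01\finance\budget.xlsx
2024-03-01T09:00:06 alice rename \\fs01\finance\budget.xlsx.locked
2024-03-01T09:00:07 alice modify \\fs01\finance\invoices.docx
2024-03-01T09:00:08 alice rename \\fs01\finance\invoices.docx.locked
2024-03-01T09:00:09 alice modify \\fs01\finance\payroll.csv
2024-03-01T09:00:10 alice rename \\fs01\finance\payroll.csv.locked
2024-03-01T09:02:00 bob modify \\fs01\hr\notes.txt
2024-03-01T09:05:00 bob modify \\fs01\hr\notes.txt
"""

WATCHED = {"modify", "rename"}   # count writes and renames, not reads

def parse_events(log_text):
    """Yield (timestamp, account, action, path) from the log text."""
    for line in log_text.strip().splitlines():
        ts, account, action, path = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), account, action, path

def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (account, alert_time, count) for every account whose watched
    file events reach `threshold` inside a sliding `window`. The account's
    window is reset after an alert so that one burst fires once."""
    recent = defaultdict(deque)   # account -> timestamps still inside the window
    alerts = []
    for ts, account, action, _path in parse_events(log_text):
        if action not in WATCHED:
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((account, ts.isoformat(), len(q)))
            q.clear()
    return alerts

def respond(alert):
    """Containment actions a custom script would take on an alert (placeholder list)."""
    account = alert[0]
    return [f"disable account {account}", f"terminate sessions for {account}",
            "block SMB from the source host at the firewall"]
```

Calling `detect_bursts(SAMPLE_LOG)` flags only alice, at the fifth write/rename within the minute, while bob’s two edits three minutes apart never cross the threshold.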
How Lepide Helps in Ransomware Prevention
The Lepide Data Security Platform enables you to detect, alert on and respond to suspicious ransomware activity in real time. Such events may include the creation of privileged accounts, accounts being accessed at irregular times, and emails being sent out of the network.
As above, Lepide can also detect and respond to events that match a pre-defined threshold condition, such as when a large number of files have been copied or encrypted within a given time-frame, and then execute a custom script to prevent the attack from spreading.
The Lepide Data Security Platform can also be integrated with your SIEM solution, which will enable you to see all relevant events via a single, centralized dashboard, and have all relevant alerts sent to your inbox or mobile device.