How To Prevent Ransomware – Tips for Ransomware Prevention

What is Ransomware?

Ransomware is a form of malware that encrypts data on a victim’s device, and then tries to extort them by demanding a ransom payment, usually in Bitcoin, in order to get the decryption key needed to retrieve the data. Most ransomware attacks arrive via emails masquerading as trusted entities, which prompt the user to download a malicious attachment or click on a link to a malicious website.

How Ransomware works

As mentioned previously, most ransomware attacks arrive via email, and assuming the victim opens the email, downloads, and executes the attachment, the following stages will typically unfold;

Stage 1 – Reconnaissance

Most sophisticated strains of ransomware will carry out reconnaissance activities in order to identify vulnerabilities and spread to other systems. Such activities may include looking for open shares, sensitive data, backups, inactive user accounts, and Bitcoin wallets to steal. Some strains will try to delete files associated with the Windows Volume Shadow Copy Service, in order to make it harder for the victim to retrieve their data once encrypted.

Stage 2 – Backdoors

The ransomware script will attempt to establish a communication channel with the attacker’s Command & Control (C&C) server in order to obtain the encryption key, and possibly extract copies of the victim’s data before starting the encryption process.

Stage 3 – Encryption

Once the encryption key has been obtained, the script will begin encrypting the files on the victim’s local machine, and, if possible, spread to other systems.

Stage 4 – Extortion

Once the files have been encrypted, the victim will be presented with a ransom note informing them that their data has been encrypted (and possibly stolen) and they must pay a ransom to get their files back. The ransom amount is usually denominated in US dollars, although the payment will be made in Bitcoin. The ransom note will usually contain instructions on how to buy and send Bitcoin.

It is important to bear in mind that even if you pay the ransom, there’s no guarantee that the attackers will give you the decryption key, and there’s no way to know what they will do with your data. This is precisely the reason why prevention is better than a cure.

Types of Ransomware

While more advanced and varied strains of ransomware continue to evolve, below are the main types of ransomware we see today:

Crypto-Ransomware

This is the most common type of ransomware and is where the script encrypts the victim’s data, and then demands a payment for the decryption key.

Locker Ransomware

This is where the script locks the victim out of their system, and then presents them with a ransom note. Unlike crypto-ransomware, locker ransomware doesn’t encrypt the victim’s data.

Scareware

As you may have guessed, scareware is designed to scare the victims into downloading the ransomware program and paying the ransom. Scareware usually appears in the form of a pop-up box, containing a threatening message.

Leakware

This type of ransomware is similar to the “double extortion” technique, in that it extracts copies of the victim’s data and then threatens to expose the data to the public if they refuse to pay. Entities that deal with large amounts of confidential data are particularly exposed to the risk of leakware. It’s worth noting that we are now seeing “triple extortion” techniques being used, which is where DDoS attacks are thrown in for good measure.

Ransomware As a Service (RaaS)

RaaS is not so much a type of ransomware, but a way of distributing it. RaaS is essentially an affiliate network that provides even the most novice hackers with the tools they need to launch their own attacks. The RaaS provider will typically keep a commission on any successful exploits.

Best Practices to Prevent Ransomware Attacks

Below are some of the best practices for preventing ransomware attacks.

Educate employees

While by no means a fool-proof approach, regular security awareness training is still very necessary for preventing ransomware attacks.

Use anti-virus/anti-malware

Many sophisticated strains of ransomware are able to bypass most AV solutions. That said, you still need them to block strains that are well known.

Use endpoint protection solutions

You will need to use endpoint protection solutions, such as firewalls, IPDS, DLP, and SIEM solutions, in order to monitor and block suspicious inbound and outbound network traffic. You will also need to keep track of any spikes in disk activity and poor system performance.

Keep backups

Make sure that you take regular backups and try to store them off-network. When you need to restore a backup, it is a good idea to test it beforehand, and if possible, restore the backup off-line to limit the possibility of infection.

Segment your network

By adopting a zero-trust policy you can segregate parts of your network to help prevent attacks from moving laterally to other systems.

Monitor user behavior

You will need to monitor user activity for anything suspicious. This might include the creation of new accounts, especially privilege accounts. You will also need to look out for the installation of unauthorized software, access to backups, accounts being accessed at irregular times, out of network emails, etc.

Set up threshold alerting

Consider adopting a real-time auditing solution that can detect and respond to events that match a pre-defined threshold condition. For example, if x number of files were copied or encrypted within a given time-frame, a custom script can be executed to prevent the attack from spreading. This might include disabling accounts, stopping certain processes, shutting down affected systems, changing the firewall settings, and so on.

How Lepide Helps in Ransomware Prevention

The Lepide Data Security Platform enables you to detect, alert and respond to suspicious Ransomware attacks in real-time. Such events may include the creation of privileged accounts, accounts being accessed at irregular times, and emails being sent out of the network.

As above, Lepide can also detect and respond to events that match a pre-defined threshold condition, such as when a large number of files have been copied or encrypted within a given time-frame, and then execute a custom script to prevent the attack from spreading.

The Lepide Data Security Platform can also be integrated with your SIEM solution, which will enable you to see all relevant events via a single, centralized dashboard, and have all relevant alerts sent to your inbox or mobile device.

If you’d like to see how the Lepide Data Security Platform can help you prevent ransomware attacks, schedule a demo with one of our engineers or start your free trial today.