When discussing ways to prevent ransomware, people frequently cite educating employees to identify and report suspicious emails as the most effective approach.
Since employees are our first line of defense, and are typically the weakest link, there is some truth to this approach. The problem, however, is that unlike computers, which in most cases perform as instructed, people make mistakes. And all it takes is one moment of weakness to bring your entire IT system to its knees.
In other words, security awareness training is very important, but it cannot be relied on to prevent ransomware attacks. We also need automated solutions that can detect and respond to suspicious activity, round-the-clock, and in real time.
What is Ransomware?
Ransomware is a form of malware that encrypts data on a victim’s device and threatens to keep it locked unless the victim pays the attacker a ransom. These days, virtually all ransomware attacks are double extortion attacks that demand a ransom to unlock data and prevent its theft. Triple extortion attacks, where threat actors add more layers to their attacks and expand the attack surface, are also on the rise.
Most ransomware attacks arrive via emails masquerading as trusted entities, which prompt the user to download a malicious attachment or click on a link to a malicious website.
How Ransomware works
As mentioned previously, most ransomware attacks arrive via email, and assuming the victim opens the email, downloads, and executes the attachment, the following stages will typically unfold:
Stage 1 – Reconnaissance
Most sophisticated strains of ransomware will carry out reconnaissance activities in order to identify vulnerabilities and spread to other systems. Such activities may include looking for open shares, sensitive data, backups, inactive user accounts, and Bitcoin wallets to steal. Some strains will try to delete files associated with the Windows Volume Shadow Copy Service, in order to make it harder for the victim to retrieve their data once encrypted.
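The shadow-copy deletion mentioned above is one of the few Stage 1 behaviours that leaves a crisp, detectable trace in process-creation logs. The following is an added example, not code from the original article or from Lepide, showing a detection rule that flags command lines which delete Volume Shadow Copies using the built-in Windows tools, while leaving benign uses (such as listing shadow copies) alone. The event records and their field names are constructed sample data and an assumption, not any particular log product's schema.

```python
"""Added example (not from the original article or Lepide): flag process-creation
events whose command line deletes Volume Shadow Copies.
The records below are constructed sample data; field names are an assumption."""
import re

# Command-line patterns for deleting Volume Shadow Copies with built-in Windows tools.
# Matching is case-insensitive because the tools accept any casing of their arguments.
SHADOW_COPY_DELETE = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
]

# Constructed process-creation events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": r"CORP\jdoe", "parent": "winword.exe",
     "command_line": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"host": "ws-017", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "command_line": r"notepad.exe C:\Users\jdoe\todo.txt"},
    {"host": "srv-bk1", "user": r"NT AUTHORITY\SYSTEM", "parent": "services.exe",
     "command_line": r"vssadmin.exe list shadows"},   # benign: only lists copies
    {"host": "ws-042", "user": r"CORP\asmith", "parent": "cmd.exe",
     "command_line": r"wmic shadowcopy delete"},
]


def match_shadow_delete(event):
    """Return the name of the first rule whose pattern matches the command line, else None."""
    for name, pattern in SHADOW_COPY_DELETE:
        if pattern.search(event["command_line"]):
            return name
    return None


def find_alerts(events):
    """Run every event through the rule set and collect alerts with triage context.
    The parent process is kept because an office application or a user shell
    spawning a shadow-copy deletion is far more suspicious than a backup service doing so."""
    alerts = []
    for event in events:
        rule = match_shadow_delete(event)
        if rule is not None:
            alerts.append({
                "host": event["host"],
                "user": event["user"],
                "parent": event["parent"],
                "rule": rule,
                "command_line": event["command_line"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']} {alert['user']} "
              f"(parent {alert['parent']}): {alert['command_line']}")
```

In a real deployment the rule would be fed from a process-creation audit source and the alert would be routed to the same response path as the threshold alerts discussed later on this page; the parent-process field is what lets an analyst separate a backup agent's legitimate housekeeping from an encryption run that is about to start.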
Stage 2 – Backdoors
The ransomware script will attempt to establish a communication channel with the attacker’s Command & Control (C&C) server in order to obtain the encryption key, and possibly extract copies of the victim’s data before starting the encryption process.
Stage 3 – Encryption
Once the encryption key has been obtained, the script will begin encrypting the files on the victim’s local machine, and, if possible, spread to other systems.
Stage 4 – Extortion
Once the files have been encrypted, the victim will be presented with a ransom note informing them that their data has been encrypted (and possibly stolen) and they must pay a ransom to get their files back. The ransom amount is usually denominated in US dollars, although the payment will be made in Bitcoin. The ransom note will usually contain instructions on how to buy and send Bitcoin.
It is important to bear in mind that even if you pay the ransom, there’s no guarantee that the attackers will give you the decryption key, and there’s no way to know what they will do with your data. This is precisely the reason why prevention is better than a cure.
Types of Ransomware
While more advanced and varied strains of ransomware continue to evolve, below are the main types of ransomware we see today:
Crypto Ransomware
This is the most common type of ransomware and is where the script encrypts the victim’s data and then demands payment for the decryption key.
Locker Ransomware
This is where the script locks the victim out of their system, and then presents them with a ransom note. Unlike crypto-ransomware, locker ransomware doesn’t encrypt the victim’s data.
Scareware
As you may have guessed, scareware is designed to scare victims into downloading the ransomware program and paying the ransom. Scareware usually appears in the form of a pop-up box containing a threatening message.
Leakware
This type of ransomware is similar to the “double extortion” technique, in that it extracts copies of the victim’s data and then threatens to expose the data to the public if they refuse to pay. Entities that deal with large amounts of confidential data are particularly exposed to the risk of leakware. It’s worth noting that we are now seeing “triple extortion” techniques being used, where DDoS attacks are thrown in for good measure.
Ransomware As a Service (RaaS)
RaaS is not so much a type of ransomware, but a way of distributing it. RaaS is essentially an affiliate network that provides even the most novice hackers with the tools they need to launch their own attacks. The RaaS provider will typically keep a commission on any successful exploits.
Best Practices to Prevent Ransomware Attacks
As mentioned before, prevention is better than a cure, so as well as responding to breaches, businesses must also take proactive measures to prevent ransomware attacks from occurring. Here are 10 key tips you can implement to help protect against ransomware attacks:
1. Backup Your Data and Maintain Backups
Backing up your data is one of the easiest ways to protect against ransomware and is one of the most effective methods of recovery from a ransomware attack.
The most important consideration, however, is that attackers may have targeted online backups before deploying ransomware to the environment. So, when developing a ransomware-proof backup infrastructure, processes should be thoughtfully planned to mitigate the risk of backups being affected.
Storing backup copies offline will ensure that they cannot be targeted by threat actors. Cloud services can also help when recovering from a ransomware attack because they often retain previous versions of files, enabling you to roll back to unencrypted versions of your data. To ensure your process works properly, you should routinely test backups to make sure they restore as expected.
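"Test backups to make sure they restore as expected" is easy to say and easy to skip. The following is an added example, not code from the original article or from Lepide, of a restore drill: it records a SHA-256 manifest of the live data at backup time, restores the backup into a fresh location, and verifies every file against the manifest, so that a restore from a copy that was altered after the backup (as a ransomware-encrypted file would be) is caught rather than discovered during an incident. All directories and sample files are constructed in a temporary directory.

```python
"""Added example (not from the original article or Lepide): verify that a backup
restores exactly, using a SHA-256 manifest taken when the backup was made.
All paths and sample files are constructed in a temporary directory."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style path relative to root to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    problems = []
    restored_manifest = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in restored_manifest:
            problems.append(f"missing: {rel}")
        elif restored_manifest[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored_manifest:
        if rel not in manifest:
            problems.append(f"unexpected extra file: {rel}")
    return problems


def run_backup_drill() -> tuple:
    """Simulate a backup, a clean restore, and a restore from a copy altered after
    the backup. Returns (problems_for_clean_restore, problems_for_tampered_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        # Manifest is taken from the live data at backup time and stored separately.
        manifest = build_manifest(src)

        # The backup itself: a plain copy of the tree.
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)

        # Restore 1: the backup comes back untouched.
        clean = Path(tmp) / "restore_clean"
        shutil.copytree(backup, clean)
        clean_problems = verify_restore(manifest, clean)

        # Restore 2: one file was overwritten with junk and a stray file added,
        # the shape a backup takes when ransomware reached it before it went offline.
        tampered = Path(tmp) / "restore_tampered"
        shutil.copytree(backup, tampered)
        (tampered / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (tampered / "finance" / "ledger.csv.locked").write_bytes(b"\x00")
        tampered_problems = verify_restore(manifest, tampered)

        return clean_problems, tampered_problems


if __name__ == "__main__":
    clean, tampered = run_backup_drill()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

The manifest must live somewhere the backup job cannot overwrite (offline media or a separate, append-only store), otherwise an attacker who reaches the backup can simply regenerate it; the drill is worth scheduling as a routine job whose only acceptable result is an empty problem list.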
2. Keep All Systems and Software Updated
All applications, operating systems, and software must be kept updated to the latest version available with the goal of preventing ransomware. Malware, viruses, and ransomware are constantly evolving with new variants that can bypass old security features, so it is essential to ensure that everything is patched and up to date.
Many attackers target larger businesses that depend upon outdated legacy systems. One of the most infamous ransomware attacks occurred in 2017 when the malicious software WannaCry crippled major corporations around the world. Among the worst affected was the NHS in Great Britain with at least a third of trusts in England disrupted and many operations and appointments canceled.
Microsoft had already released patches for the vulnerability once it was discovered, but much of WannaCry’s spread came from organizations that had not applied those patches or were running older Windows systems that were past their end-of-life and so could not be protected from infection.
3. Install Anti-Virus and Firewall Technology
Comprehensive anti-virus and anti-malware software are the most common ways to defend against malware by scanning, detecting, and responding to ransomware attacks. Many sophisticated strains of ransomware can bypass most anti-virus solutions but you still need them in place to block strains that are well known.
A firewall helps to protect against ransomware attacks by filtering and monitoring incoming and outgoing network traffic. Using pre-defined rules and threat information, the firewall looks for signs of known malicious content and then blocks potential risks. It is considered to be the first software-based line of defense to detect and stop ransomware threats.
4. Network Segmentation
Network Segmentation is becoming increasingly important as cloud adoption rises, especially in multi-cloud and hybrid environments. Network segmentation allows organizations to partition their network according to business needs and grant access according to user role and trust status.
Each individual subsystem should have its own security controls, firewalls, and unique access to mitigate the risk of ransomware moving laterally and reaching the target data. Segmented access will not only prevent the spread of malware to the main network, but it will also give the security team more time to identify, isolate, and remove any threats.
5. Email Protection
Email is one of the most common attack paths for threat actors, and usually these suspicious emails contain a malicious link that delivers the ransomware to the recipient’s workstation.
A secure email gateway solution provides advanced multilayered protection against email threats, and sandboxing adds a further level of defense against ransomware. Any email that passes the email filter but still contains unknown links, senders, or file types can be tested before it reaches the network or mail server.
6. Whitelisting
Whitelisting is the practice of specifying a list of approved applications, executable files, IPs, and email addresses which can be accessed on a network. As well as blocking ransomware threats, whitelisting can help prevent the spread of malware on the network. Anything not on the whitelist will be restricted or blocked if a user or cybercriminal tries to access it, which mitigates the risk of a ransomware attack.
7. Endpoint Security
Endpoint security is the cybersecurity approach to defending endpoints such as desktops, laptops, and mobile devices from malicious activity.
An endpoint security strategy is an essential part of preventing ransomware attacks because every remote endpoint can be the entry point for an attack, and the number of endpoints is ever-increasing with the growing shift to remote work.
Endpoint protection solutions offer a centralized management console from which administrators can connect to their enterprise network to monitor, protect, investigate, and respond to ransomware attacks. This can be accomplished using an on-premises, hybrid, or cloud approach.
8. Limit User Access Privileges
Users who have administrative privileges are the most important users within your organization, but they also represent the biggest risk to your data security. Administrative rights are essential to the efficient running of any IT system as they enable trusted users to perform essential tasks like installing software, adding new accounts, creating passwords, and the many other system modifications needed to do their job.
The flip side of this, however, is that admin rights provide the user with the ‘keys to the kingdom’ and therefore present a huge risk to the security of an organization’s data. An attacker who infiltrates a business with access to these rights could do significant harm. For this reason, in order to help prevent a ransomware attack, it is imperative to limit the number of user accounts with administrative privileges to the bare minimum.
The Principle of Least Privilege (POLP) is an information security concept in which any user, program, or process has only the bare minimum access privileges necessary to perform its function.
Applying this principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application. Implementing the POLP helps contain breaches in their area of origin, stopping them from spreading to the entire system.
9. Set Up Threshold Alerting
Consider adopting a real-time auditing solution that can detect and respond to events that match a pre-defined threshold condition. For example, if x number of files were copied or encrypted within a given timeframe, a custom script can be executed to prevent the attack from spreading. This might include disabling accounts, stopping certain processes, shutting down affected systems, changing the firewall settings, and so on.
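The threshold condition described above (and referred to again in the Lepide section at the end of this page) is a sliding-window count per account: if one account writes or renames more than a set number of files within a short window, the response script fires once and the account is contained. The following is an added example, not code from the original article or Lepide's product, implementing that rule over constructed audit lines. The `timestamp user action path` line format, the threshold, and the window are assumptions chosen for illustration, not a real audit-log schema; the response here only records the account as disabled, where a production script would call the directory service.

```python
"""Added example (not from the original article or Lepide): sliding-window threshold
alerting over file-modification events, with a one-shot containment response.
The log lines, their format, THRESHOLD and WINDOW are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # more than this many writes inside WINDOW triggers a response
WINDOW = timedelta(seconds=10)   # sliding window per account

# Constructed audit lines: jdoe writes 8 files in 8 seconds (an encryption-style burst);
# asmith writes 4 files spread over 90 seconds (normal work).
SAMPLE_LOG = r"""
2024-03-01T09:00:00 jdoe WRITE \\fs01\finance\q1.xlsx
2024-03-01T09:00:01 jdoe WRITE \\fs01\finance\q1.xlsx.locked
2024-03-01T09:00:02 jdoe WRITE \\fs01\finance\q2.xlsx.locked
2024-03-01T09:00:03 jdoe WRITE \\fs01\finance\budget.docx.locked
2024-03-01T09:00:04 jdoe WRITE \\fs01\finance\payroll.csv.locked
2024-03-01T09:00:05 jdoe WRITE \\fs01\finance\vendors.csv.locked
2024-03-01T09:00:06 jdoe WRITE \\fs01\finance\README.txt.locked
2024-03-01T09:00:07 jdoe WRITE \\fs01\finance\HOW_TO_RECOVER.txt
2024-03-01T09:00:00 asmith WRITE \\fs01\marketing\plan.pptx
2024-03-01T09:00:30 asmith READ \\fs01\marketing\logo.png
2024-03-01T09:01:00 asmith WRITE \\fs01\marketing\plan.pptx
2024-03-01T09:01:30 asmith WRITE \\fs01\marketing\notes.txt
"""

COUNTED_ACTIONS = {"WRITE", "RENAME"}   # reads are not part of the burst signal


def parse_line(line):
    """Split 'timestamp user action path' into typed fields (path may contain spaces)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


class ThresholdMonitor:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # user -> timestamps of counted events in window
        self.disabled = set()              # accounts already contained
        self.alerts = []

    def respond(self, user, ts, count):
        """Containment action. Here it only records the decision; a real script would
        disable the account, kill its sessions or isolate the host, as the text describes."""
        self.disabled.add(user)
        alert = {"user": user, "at": ts, "count": count}
        self.alerts.append(alert)
        return alert

    def observe(self, ts, user, action, path):
        """Feed one event; return an alert dict when the threshold is crossed, else None."""
        if action not in COUNTED_ACTIONS or user in self.disabled:
            return None
        window = self.recent[user]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()               # drop events that fell out of the window
        if len(window) > self.threshold:
            return self.respond(user, ts, len(window))
        return None


def run(log_text, threshold=THRESHOLD, window=WINDOW):
    """Replay audit lines in order and return the monitor with its alerts and decisions."""
    monitor = ThresholdMonitor(threshold, window)
    for line in log_text.splitlines():
        if line.strip():
            monitor.observe(*parse_line(line))
    return monitor


if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    for alert in result.alerts:
        print(f"ALERT {alert['user']}: {alert['count']} writes within "
              f"{WINDOW.total_seconds():.0f}s at {alert['at'].isoformat()}")
    print("disabled accounts:", sorted(result.disabled))
```

Two design points matter more than the numbers: the response fires once per account (later events from a contained account are ignored rather than generating a flood of alerts), and the threshold is evaluated on a sliding window rather than fixed clock intervals, so a burst that straddles a minute boundary is still caught. Tuning `THRESHOLD` and `WINDOW` against a baseline of normal activity is what keeps a bulk save by a legitimate user from tripping the rule.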
10. Provide Security Awareness Training
Because end-users and employees are the most common gateway for ransomware attacks, one of the most important security measures a company can implement is security awareness training for all users.
A security awareness training course teaches employees what they should look for in an email before they download an attachment or click on a link and so helps prevent ransomware attacks. Once employees are aware of how to spot and avoid suspicious emails, the entire workforce is taking part in protecting the organization from malicious activity.
How Lepide Helps in Ransomware Prevention
The Lepide Data Security Platform enables you to detect, alert on, and respond to suspicious activity associated with ransomware attacks in real time. Such events may include the creation of privileged accounts, accounts being accessed at irregular times, and emails being sent out of the network.
As above, Lepide can also detect and respond to events that match a pre-defined threshold condition, such as when a large number of files have been copied or encrypted within a given time frame, and then execute a custom script to prevent the attack from spreading.
The Lepide Data Security Platform can also be integrated with your SIEM solution, which will enable you to see all relevant events via a single, centralized dashboard, and have all relevant alerts sent to your inbox or mobile device.
If you’d like to see how the Lepide Data Security Platform can help you prevent ransomware attacks, schedule a demo with one of our engineers or start your free trial today.