Prevent, Detect and Recover from a Ransomware Attack

Though ransomware is slowly being replaced by Cryptojacking as the most popular form of malware, ransomware is still a formidable threat, with even more variants – targeting even more devices and industries. Below are some pointers that can help companies prevent, detect, and recover from a ransomware attack.

Prevention

Establish a security awareness training program: An on-going security awareness training program is the first line of defence. Employee’s must be well informed about phishing attacks, and be able to identify emails with malicious links/attachments.

Keep software patched and review configurations: Attackers will seek to exploit known security vulnerabilities and poorly configured systems. All software should be patched/updated regularly and configurations must be carefully reviewed. You may want to implement an automated patch management program.

Get a 3rd party security risk assessment: While using a third-party service may seem like an unnecessary expense, you can never be too careful when it comes to protecting your sensitive data, especially when considering the hefty fines associated with the GDPR.

Implement a secure UTM Firewall: Make sure you have a properly configured UTM firewall which uses malware sandboxing.

Use the latest anti-phishing technology: Though many strains of ransomware are able to bypass traditional anti-spam/anti-malware solutions, they still provide an additional layer of defence.

Keep an inventory of all devices connected to your network: You must know exactly what devices are connected to your network and enforce “least privilege” access on all devices, based on the users assigned to them.

Prevent files from executing in AppData/LocalAppData folders: Using either Windows or an IPS, you can disallow programmes from running in AppData/LocalAppData folders. Trusted applications can be whitelisted if required.

Disable Remote Desktop Protocol (RDP): RDP is a Windows utility that facilitates remote desktop access. Attackers have been known to use special search engines to search for RDP instances that are open to the internet, and then launch a brute force attack to gain access to the victim’s desktop.

Detection

Monitor outbound traffic: In addition to monitoring inbound connections, outbound connections must also be monitored. After all, ransomware attacks typically dial home before they are initiated. You must be able to detect, alert and respond to any suspicious network traffic.

Show hidden file-extensions: Windows hides known file-extensions by default. However, ransomware strains such as Cryptolocker use the file extension “.PDF.EXE”. Additionally, it is a good idea filter any emails that have attachments with either the “.EXE” extension, or ones with multiple extensions. If you really need to send executable files via email, send them in a password protected ZIP file or via a cloud service.

File integrity auditing: Detect, alert and respond to suspicious file and folder activity. Use a sophisticated file auditing solution such as Lepide Data Security Platform to detect and respond to bulk changes. If X number files are encrypted within a given period of time, Lepide Data Security Platform can automatically execute a custom script which can stop a specific process, change the firewall settings, disable a user account or shut down the server.

Security information and event management (SIEM): SIEM solutions compliment file auditing solutions by monitoring system logs and alerting on suspicious events associated with the network, applications, databases, operating system, and so on. Make use of AI and machine learning to ensure you have access to the latest threat intelligence.

Recovery

Disconnect from the network immediately: The moment you suspect that you have been infected, disconnect from the network (including Wi-Fi). Doing so will unlikely prevent the attack from launching but it may intercept communication between your device and the C&C server before all of your files have been encrypted.

Restore the system to its original state: Assuming you have been keeping regular and reliable backups, you will need to restore and test all systems. It is a good idea to backup all data onto a removable drive and be sure to disconnect the drive once the backup is complete. After all, some strains of ransomware will also encrypt files on any connected drives/devices.