People, by nature, tend to be creatures of impulse, and when faced with a ransomware attack they are usually quick to react because they want to ensure the safety of their data. Paying the ransom plays directly into the criminal’s hands, and the return of system access or retrieval of data is never guaranteed. Furthermore, it encourages this type of cybercrime to continue, because criminals know that it is relatively easy for them to succeed. Moreover, the prevalence of cryptocurrencies facilitates this profitable undertaking, as the funds are more challenging to track.
It seems as if we are inadvertently aiding the effectiveness of this criminal endeavour and encouraging its continuation. We know that it is happening and that we should have strategies in place to thwart this type of attack, yet many organisations still do not do enough to safeguard themselves, their systems and their data.
Detect, Protect, but don’t react as expected
Our understanding of ransomware is that it can either lock the target computer or encrypt targeted files (the particularly nasty and most frequently used variant lately). All it takes is for a user to browse an infected website, or to react to rogue security software or a technical support scam that relies on fear mongering or social engineering. Reacting to a malicious email (the most common form of ransomware delivery) by clicking on a URL link or opening an attachment containing a malicious macro can enable this too. All of these delivery routes can culminate in a ransomware infection.
Ransomware may evade malware detection, as malware is constantly being adapted and obfuscated to avoid it. Only once an attack by a brand-new variant has occurred can we start to defend against that specific malware, so our defence often falls behind and the perpetrator remains a step ahead. This allows the malware to get through undetected. That is why layers of defence are so very important, yet this strategy is not always seen as a priority.
It is said time and time again: if at all possible, avoid reacting in the way the criminals intend. Do not pay the ransom; restore from backup instead. When faced with the challenge, most submit to paying the ransom; even the police in some countries have paid to restore their systems. In some cases, when files have been encrypted and businesses do not have up-to-date backups, they are left with little choice but to pay the ransom if they are to have any chance of retrieving their valuable data. However, there is never any guarantee that the files in question will be returned unencrypted. After all, you are dealing with a criminal! Moreover, paying could place you on the radar as a victim willing to pay, putting you at risk of future attacks.
In late 2016 a new type of ransomware was seen that asks either for payment in bitcoin or for you to infect two of your friends or acquaintances in return for your files. The criminals even claim that this is the only way they are able to make a living.
Protective measures to consider
It is important to be preventative rather than reactive when it comes to ransomware. So what can be done to improve safety? There are both technical and non-technical measures that can be taken to better secure ourselves, our businesses and our valuable data.
Multiple forms of mitigation used in unison are a better approach than relying on any single strategy: if one approach fails, another may succeed.
Security in layers (defence in depth)
It is surprising how often this approach to security is ignored. Some organisations feel that a firewall and antivirus combination will not only suffice but will be more than enough to secure their environment. Layers of protection are not a new strategy, but emphasis needs to be placed on their importance: layering should be part of your defence-in-depth already, and if it is not, it should definitely take priority. Layers should include detection and protection applications for malware and ransomware, and antivirus with active monitoring enabled.
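Signature-based antivirus is the layer a new variant is built to slip past, so a detection layer that looks at behaviour rather than signatures is worth having alongside it. The following is an added example, not code from the original article: a small behaviour heuristic that watches a stream of file-write events and alerts on any process that writes a burst of high-entropy (ciphertext-like) files within a short window. The event stream, process names, paths and thresholds are all constructed for the example; a real deployment would feed it from an endpoint agent's file-activity log.

```python
import hashlib
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5       # bits per byte; ciphertext and compressed data sit near 8.0
WINDOW_SECONDS = 10.0         # sliding window over which writes are counted
MIN_HIGH_ENTROPY_WRITES = 20  # burst size that trips the alert (tune per environment)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Plain text is typically 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_suspicious_processes(events, window=WINDOW_SECONDS,
                              min_writes=MIN_HIGH_ENTROPY_WRITES,
                              threshold=ENTROPY_THRESHOLD):
    """events: iterable of (timestamp_seconds, process_name, path, written_bytes).

    Returns {process_name: peak_count} for every process whose number of
    high-entropy file writes inside any sliding window reaches min_writes.
    """
    high_entropy_times = defaultdict(list)
    for t, proc, _path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) >= threshold:
            high_entropy_times[proc].append(t)

    flagged = {}
    for proc, times in high_entropy_times.items():
        start, peak = 0, 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_writes:
            flagged[proc] = peak
    return flagged


def pseudo_random_bytes(seed: str, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


PLAINTEXT = b"Quarterly report: revenue grew modestly while costs were flat.\n" * 64


def build_sample_events():
    """Constructed event stream, not captured from a real host."""
    events = []
    # A word processor saving a few plaintext documents over a minute: benign.
    for i in range(3):
        events.append((i * 20.0, "winword.exe",
                       f"C:/Users/alice/Documents/report{i}.docx", PLAINTEXT))
    # An archiver: high-entropy output, but only two files, so below the burst size.
    for i in range(2):
        events.append((5.0 + i, "archiver.exe", f"C:/Users/alice/backup{i}.zip",
                       pseudo_random_bytes(f"zip{i}", 4096)))
    # Ransomware-like burst: 40 ciphertext writes with a new extension in 8 seconds.
    for i in range(40):
        events.append((30.0 + i * 0.2, "unknown_updater.exe",
                       f"C:/Users/alice/Documents/file{i}.docx.locked",
                       pseudo_random_bytes(f"enc{i}", 4096)))
    return events


if __name__ == "__main__":
    for proc, count in flag_suspicious_processes(build_sample_events()).items():
        print(f"ALERT: {proc} wrote {count} high-entropy files within {WINDOW_SECONDS}s")
```

The archiver case shows the main false-positive source: compression and legitimate encryption tools also emit high-entropy output, which is why the rate threshold matters and why such a heuristic is best paired with the application whitelisting described later, so that known tools are excluded before alerting.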
Monitoring and managing network traffic
This allows you to better control what traffic is on your network at any given moment. It is important that networks are properly zoned and that users and devices only see and interact with the areas of the network they are supposed to. The level of privilege granted for a particular job should likewise be limited.
The use of application-layer firewalls whenever possible is recommended. The majority of firewalls are capable of acting as a proxy as well as a reverse proxy, so whenever possible services should be published through reverse proxies, so as to avoid direct subject-to-object access. Not only does this limit the damage, it also prevents direct access to files and environments if an attack were to occur.
Firewalls should also be utilised and enabled on the endpoint to ensure that traffic outbound from hosts and from non-corporate software is blocked.
- Proxy your traffic
Good proxies are able to block traffic originating from applications that are not permissible or not trusted. You can also proxy internal traffic at an application layer to be inspected.
- Restricted interfaces
Remote access applications that are locked down by strong policies help to mitigate this threat, as ransomware must be executed to infect networked machines. This can help to limit exposure.
It is highly recommended to use application whitelisting: create a whitelist of the corporate applications allowed to run on the machines and on the network. This is a strong strategy that does work, and more often than not it is challenging to bypass.
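A whitelist is only as good as the baseline behind it, so it helps to see what building and checking one actually involves. This added example (not the article's own code) baselines a known-good install directory by file hash and later audits the same directory, reporting files that are unchanged, files whose hash has changed, and files the baseline never saw. Enforcement in production belongs to an operating-system control (for example Windows AppLocker hash rules); this script illustrates the baseline-and-drift idea. The directory layout, file names and contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(directory) -> dict:
    """Baseline a known-good install: {relative posix path: sha256 hex}."""
    root = Path(directory)
    return {p.relative_to(root).as_posix(): sha256_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_against_allowlist(directory, allowlist: dict) -> dict:
    """Classify every file now present as allowed, modified or unknown.

    'modified' is a known path whose hash no longer matches (patched, or
    replaced); 'unknown' is a file the baseline never saw, which is what a
    freshly dropped executable looks like. Both deserve a look before the
    whitelist is updated.
    """
    root = Path(directory)
    report = {"allowed": [], "modified": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_of_file(p)
        if allowlist.get(rel) == digest:
            report["allowed"].append(rel)
        elif rel in allowlist:
            report["modified"].append(rel)
        else:
            report["unknown"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'install', then simulate drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "accounting.exe").write_bytes(b"known good accounting binary v1")
        (root / "bin" / "viewer.exe").write_bytes(b"known good viewer binary v1")
        allowlist = build_allowlist(root)

        # Drift after baselining: one binary replaced, one new file dropped.
        (root / "bin" / "viewer.exe").write_bytes(b"something else entirely")
        (root / "bin" / "svc_update.exe").write_bytes(b"unexpected executable")
        return audit_against_allowlist(root, allowlist)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:>8}: {files}")
```

Hashing rather than trusting file names is the point: a replaced binary keeps its name, so a name-based list would still allow it, while a hash-based one flags it as modified until someone deliberately re-baselines after a legitimate patch.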
- Patching and patch maintenance
This area is often mistakenly not treated as a priority and is frequently ignored or not maintained. Patching your applications and your environment is very important; moreover, it does protect you. Some ransomware exploits unpatched systems, and through these vectors the infection can be far worse.
- Rule of least privilege
Always implement, and keep reviewing, the rule of least privilege. An allow-all policy that lets every user gain access to all networked files and resources is not wise: ransomware running under any one of those users can then reach those files and deny you access to them.
It is important that files are carefully grouped and that the correct level of access is applied while adopting the rule of least privilege. Users should only ever have the least amount of privilege required for them to do their work.
Make sure your permissions are appropriately set and that authentication is required for access, especially to critical systems. The use of two-factor authentication to gain access to sensitive systems is always recommended, as ransomware cannot easily bypass these controls.
- Restorable backups
Astonishingly, many businesses do not have even a basic backup in place that can be properly restored to a point in time. Backups are essential and can be the saving grace. Creating secure backups regularly must not be overlooked. Cloud storage is an option, but when it is used, strong encryption and multifactor authentication must be applied.
- Promote security awareness
One of the most important aspects of security, especially when dealing with ransomware, is to inform your users (on a regular basis) to keep clear of suspicious software and potentially harmful websites. If it looks suspicious, it most probably is. Be vigilant and use common sense.
Educating users will help them to stay abreast of the latest attacks and threats. Employee awareness and training are very important so that everyone stays informed. Ensure that all employees are knowledgeable of the threat routes and of how social engineering usually plays a vital role. Inform them of phishing scams and of what signs to look out for that reveal a website to be suspicious.
Stand your guard and fight back
Ransomware is all about the money that can be extorted. More organisations are finding that it is crucial for them to maintain access to their systems and data, and the adversaries know this. With systems and data becoming more critical, the likelihood of an organisation paying the ransom increases, making this a lucrative business for the criminal. Make a backup and ensure you can restore your files, along with following the other recommendations in this article.
Ransomware is challenging to combat; adversaries will continue to look for vulnerabilities to exploit as well as victims and businesses to target. No-one is safe from this attack vector and everyone should ensure that they have done everything possible to thwart an attack, as the best defence is to block/stop, or if this fails, detect and contain the threat. Businesses must be proactive if they are to stand a chance against ransomware and the resulting impact.
2 thoughts on “Ransomware-let’s fight back!”
Regarding the backup, I must say that recently I heard about a ransomware that deletes all your backups if any are detected, so that’s not too reliable, just giving a heads up.
I’m backing up everything in external drives just to be sure that if I get infected my backups will not be deleted.
Hi Ricky. Thanks for the article! I have had a number of customers recently who have been the victims of ransomware attacks. One customer is an accountant and sadly, even though he handles international accounts, he did NOT have a backup. His entire server was totally infected. I ended up finding over 90% of his data files for clients infected and unrecoverable. Many of his customers didn’t have backups either. He made the false assumption that because his Quickbooks files were on a server with his webhost that he was safe. A very tough lesson indeed!
These are insidious and very dangerous file infectors and deserve due diligence when setting up security practices. Thanks again and have a great weekend!