Ransomware prevention 101 Expert tips
Date published: 30 May 2016
How to cover your Ransomware Risk
Whether you manage your own systems and devices, or rely on third-party hosted systems (i.e. ‘in the cloud’), your Ransomware risk is real, constant and growing…
Below are some key actions, that you can put in place now, to significantly reduce your Ransomware and Cyber Crime risk – they cover prevention, instant response during an attack and recovery.
1) What to do FIRST
- Set up regular data backup procedures – then ensure they happen Backups are ESSENTIAL in protecting data. If you are successfully attacked with Ransomware your backup is the best, possibly only, option for saving your data and ability to do business. Backups also help you recover from many other forms of damaging malware attacks and even hardware failures.
- Some Ransomware variants, such as Cryptolocker, will also encrypt files on drives that are mapped. This includes connected cloud file stores, attached network drives and USB thumb drives.
- Action: Backup often, to an external drive or backup service (one that is not assigned a drive letter) & physically disconnect it from the computer between backups. Make sure the Backups are tested and are usable!
2) Set up Your Defenses
Cyber Essentials Controls
CESG spent many years determining which security best practices would remove the most risk. (a Cyber Essentials version of the 80/20 rule!) Following Cyber Essentials guidance can reduce your risk by 80%. In addition to being a great security guide, some Cyber Essentials checks can help to prevent Ransomware. The following is a list of those checks:
- Installing the latest software patches and updates can help against known security issues being leveraged by malicious software.
- Installing and keeping up to date the latest anti-malware/virus software can ensure that known bad executables, and potentially software behaviours, are stopped.
- Disabling auto-run can prevent malicious software being transferred between systems using storage technology such as USB pens.
- Do not use Administration-level accounts for day-to-day tasks. As well as being good security practice, this will help restrict the impact of any malware infection.
- Access privileges should be used to limit access to resources and systems. As above, this should also help to restrict the impact of any malware infection.
- Firewalls should limit network traffic to only approved source / destinations and service types. Malware protection, possibly in the form of APT / IPS, can prevent potentially malicious software from calling home or propagating on your systems.
Automate Defence (when possible)
Patch or Update your software
Keeping your software up to date is a security essential, it significantly reduces your risk. Ransomware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. If you make a practice of updating your software often it can block their access. (As a triple bonus it also helps defend against other Malware and makes it harder to hack into your systems!).
Action: Enable automatic updates, especially on major vendors such as Windows and Adobe. If you can’t auto-update go directly to the software vendor’s website (good practice as Ransomware / Malware creators can disguise Phishing attacks as software update notifications).
In email If your gateway mail scanner can filter files by extension, you may reduce risk by denying mails sent with “.EXE” files, and “*.*.EXE” files. Users who then legitimately need to send or receive executable files could use password-protected ZIP files or via secure cloud services. Naturally this is not fool proof and you may want to consider other options (a 7-Zip vulnerability was recently discovered and patched).
Re-enable showing full file-extensions
Window’s default behaviour hides known file-extensions. Re-enabling showing full file-extensions will help your team spot & avoid clicking on suspicious files – e.g. those with unexpected “.EXE” (executable) extensions often used by Ransomware.
Use a reputable security suite and keep it updated
Ensure you include anti-malware software and a software firewall, they will both help identify threats or suspicious behaviour. Ransomware developers frequently send out new variants, (to try to avoid detection) multiple layers of protection, will reduce their chances of success.
If you run across a Ransomware variant so new that it gets past anti-malware software, it may still be prevented from executing, or be blocked from connecting with its Command and Control server (to receive its encryption instructions) by Software Restriction Policies (SRP) or your firewall…
Firewalls/Proxies and APT/IPS
Once something malicious is running inside your network, you do not want it to communicate with the outside. Firewalls should be configured to restrict network traffic going in both directions, not just inbound traffic. Web browsing should also be limited to prevent access to known malicious websites. Internet proxies can be used to help prevent access to malicious content, or user access to websites by content type.
Advanced Threat Protection (APT) / Intrusion Prevention Systems (IPS) can also detect and prevent software from accessing or performing potentially malicious activity.
Windows Policy Updates
There are a number of Windows group policies that can be deployed to help prevent running malicious code. e.g. The user application data folder is often used by Malware developers, as a location to launch malicious software. Software Restriction Policies (SRP) can be used to prevent the execution of software from that folder.
3) Train your People
Train your people to detect what “suspicious” looks like and what to do in the event of an attack. Help them by giving sensible policies, “attack reaction” training and showing hidden file-extensions.
Email Attachments: Before opening email attachments, you should first check the emails validity. Potential malicious software is often attached to emails in the hope that someone will open it. The malicious emails can range from very simple and obvious through to sophisticated and less obvious. These are fairly obvious…
With emails that have “Invoice Attached” or something similar may be harder for someone in an accounts team to ignore. However, there are simple checks that you can perform to confirm details about the email. If you are unable to confirm any of the details, then try getting in touch with the sender to confirm its validity (do not use any of the contact details supplied in the email – they could be fake).
Also check the attachment type, would you normally have an invoice attached as a ZIP or Executable file? It is important that everyone is trained on what to look out for in emails. And remember, banks do not send emails asking you to login to your account using a link contained in an email (or they should not).
Also, Inland Revenue send information in the post, not via email. Be aware of what you are opening, clicking on and viewing.
What if the worst happens?
You’re in the middle of an attack or your files are being encrypted – what can you do? Disconnect from WiFi or unplug from the network immediately This technique may not always help, but training your people to “immediately disconnect the system and notify IT” if they think they’ve clicked on a malicious attachment, can (if done quickly enough) limit your risk, damage and costs.
Depending on the breed of Ransomware this action may cut off communication with the attackers’ server and localize the data encryption to just one machine (which may be far easier to recover from). It normally takes some time to encrypt all your files, so even if you’re not quick enough to outpace the malware spread, disconnecting from the network and notifying IT – will give your team valuable response time. It may help to isolate an infection.
Restore or Recover
If you have System Restore enabled Windows, you might be able to defeat a Ransomware or Malware attacker. However, some versions of Ransomware (e.g. Cryptolocker) may delete the System Restore files, before you can return the system to a known clean state. If that is the case, then your best option would probably be a full restore from a clean back up. (You’ve got a clean backup and tested the procedure already…right?)
Pay or Don’t Pay?
If you have any other option open to you, my advice would be don’t pay for two main reasons: i) You have no guarantee you will get your data back. In many cases the decryption key is never received, it fails to work or only partly decrypts the data. ii) You’re then a proven “paying customer” which increases your likelihood of future retargeting!
One Final Suggestion…
For the policies and practices you put in place to remain effective in protecting you and your business they must be enforceable, measurable and consistent. User training on cyber / information security procedures can be made part of your HR on-boarding process and refreshed regularly.
For System Settings, firewall rules and policy enforcement, I would recommend using detailed system / configuration auditing tools such as the award winning Nipper Studio and Paws Studio.