How to Protect Against Ransomware Attacks

Posted by Geraldine Hunt on Wed, Jun 15th, 2016

Ransomware attacks are striking with increased regularity but you can protect against ransomware attacks. This is a modern problem in malware, combining sophisticated and basic tactics. Extortionists typically do not ask for exorbitant amounts; the average ransom ranges between $300 to $1,000. But consider that Hollywood Presbyterian Medical Center paid $17,000 for access to its own data. On top of that, there is the issue of lost revenue, and tarnished reputation, while a business recovers.

There is no single package or set of practices that will immunize a network against a ransomware attack. Additionally, malware authors are continually modifying their “product”. For example, an infection usually starts with phishing emails. A user clicks on a JavaScript link in the email or downloads an attached document containing macros that launch the ransomware. Originally, ransomware exclusively used Microsoft Office documents with malicious VBA scripts. Now any app or document that runs  JavaScript code can launch the attack. However, there are many steps an organization can take to mitigate these expenses and even prevent a ransomware attack in the first place.

General Security Measures

Smaller organizations may be able to use whitelisting to restrict access to a limited number of websites and applications. This is ideal, but impractical for most larger businesses.

Restricting Privileges

An often-overlooked measure is to restrict user privileges. This should be done on a regular basis in any case, ransomware threat or not. The frequency required depends on the amount of turnover and transfer in the organization. Runaway user privileges can cause any malware to spread like wildfire throughout the network, making it difficult to eliminate. Granted, a complete audit of user privileges is a daunting task. A good place to start is user privileges for administrative tasks such as backup, servers, and network support. To minimize the use of administrative accounts, do not permit such accounts to receive email, and assign staff with administrative roles their own normal restricted accounts for everyday use.

Firewall Configuration

A modern firewall is critical in defense of the network. Since threats continually evolve, use an update service that automatically blocks the latest known threats. Many uncategorized websites are used in targeted phishing campaigns to distribute malware. Configure your firewall/proxy to require user interaction, such as a “continue” button, for end users communicating with uncategorized websites.

How to protect against ransomware attack:

• Keep software up-to-date. This will not preclude zero-day exploits, but it will patch the more recently known software vulnerabilities.
• Deploy an endpoint product that stops access to the network from devices with malware and missing software and up-to-date patches.
• Disable macro scripts from Microsoft Office files. In a Microsoft Server environment, this involves modifying Active Directory Group Policy. Before implementing this policy, verify that no department would be adversely affected. Some offices use templates and VBA as a substitute for accounting and sales software packages.
• IT services should block TOR since TOR network and proxy servers are routinely used by a majority of ransomware.
• For Dropbox, Google, OneDrive, and iCloud drives, each user should pause synching whenever possible. Many users do not know how to do this. Send a memo or email or add the steps to your login banner to train users.
• Implement multiple antimalware products to increase your chances of nipping an infection in the bud. No single antimalware product detects all possible infections. Using a combination of reputable products greatly buttresses your defense. Make sure to implement packages that are compatible with each other; not all are.
• Install advanced email spam filtering. Ransomware attacks start with phishing, so spam filtering is your first line of defense.

Designing a backup strategy to minimize the impact of ransomware

If the organization has a good set of backups, it will have the choice of paying the ransom or not. Otherwise, there is no choice but to pay. And the only way to know that you have a good set of backups is to test them by performing a restore. During a monthly maintenance window, test the restore of a different backup.  It is not uncommon for backups to be configured improperly or to be incomplete due to an unexpected increase in media size required. Check user privileges for backup at the same time.

On the Spiceworks community, IT professionals discussed how the threat of ransomware has changed their backup strategy. Most participants have instituted more backup procedures, more often, to more places than before. Fortunately, there are more backup options than ever. Deduplication is critical for organizations with considerable amounts of data. Snapshot technology (with adequate backups) can bring your organization up to date in, well, a snap. Here are some tips:

Backup data often.

• Minimally follow the 3-2-1 rule, maintaining at least three copies in two different formats with one copy stored off-site. Better still consider 4 copies of data, 3 different media, and 2 offsite.
• Some ransomware infects only local and mapped network drives. (Remember that mapped network drives could include Dropbox, Google Drive, etc.) Use cloud backup such as AWS as insurance.
• User PCs should be an afterthought in the case of a massive malware attack. IT resources are needed for mission-critical data restore. If such data is on a single PC, take this opportunity to move it to a network drive.

User training is an important step

If only Sally had not clicked on that link in her email, there would be no ransomware to deal with. That is right. Most ransomware is delivered by email. Typical themes include invoice and shipping notice scams. It makes sense that the best way to protect an organization is to educate end users about phishing.

Say NO to ransomware. Prevent email ransomware threats from reaching your users with SpamTitan.