How To Prevent Ransomware: The Basics
According to the 2019 Verizon Data Breach Report, ransomware is the second most frequent type of malware attack, behind only command and control (C2) attacks. Ransomware is still delivered mainly by email, which remains the primary transmission method for all malware. How can we convince users to stop clicking on phishing links?
Pro tip: You can’t. Humans can do human things. We must approach ransomware differently. In this post, we will address the basics of ransomware, and explain how an automated detection and prevention system like Varonis is the way to go to prevent ransomware attacks from taking down the network.
What is Ransomware?
Ransomware is malware that encrypts a victim’s files. The attacker then tries to convince the victim to pay a ransom to unlock their files.
Ransomware was first distributed in 1989 on floppy disks and demanded a ransom of $189.
Baltimore was hit by a ransomware attack in 2019, which resulted in $18 million of recovery costs.
How does ransomware actually work?
Ransomware: How it Works
Ransomware is a multi-stage attack that attackers have assembled in many different ways, but the basic principles are almost always the same: infiltrate the target’s network, encrypt as much data as possible, and extort a ransom.
First, the attackers must deliver the malware payload directly to the target. This is usually a simple phishing attack that includes malware in file attachments. The ransomware can either work locally or replicate to other computers in the network.
Next, the malware contacts the attackers to inform them that they have infected a victim.
The ransomware encrypts the victim’s files. It may start on the local disk, then probe the network looking for open or mapped shares to attack. The CryptoWall ransomware deleted Volume Shadow Copy files to make restoring from backup harder and looked for Bitcoin wallets to steal. WannaCry used the EternalBlue vulnerability to spread to other computers and then perform the encryption.
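The two behaviours described above, shadow copy deletion and rapid rewriting of files with ciphertext, are exactly what a defender can look for in endpoint telemetry. The following detector is an added example, not code from the original post or from Varonis; the event format, the command-line patterns and the sample events are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Command lines used to remove Volume Shadow Copies before encryption, as CryptoWall did.
# Pattern list is an assumption for this example, not an exhaustive signature.
SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits well below 7, encrypted output approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events, window=10.0, min_files=5, min_entropy=7.0):
    """Return (pid, reason) alerts for shadow-copy deletion or mass high-entropy writes."""
    alerts = []
    writes = defaultdict(list)  # pid -> [(ts, path)] of recent high-entropy writes
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "proc" and SHADOW_DELETE.search(ev["cmd"]):
            alerts.append((ev["pid"], "shadow-copy deletion: " + ev["cmd"]))
        elif ev["type"] == "write" and shannon_entropy(ev["data"]) >= min_entropy:
            recent = [(t, p) for t, p in writes[ev["pid"]] if ev["ts"] - t <= window]
            recent.append((ev["ts"], ev["path"]))
            writes[ev["pid"]] = recent
            # Alert once, when the process crosses the threshold of distinct files rewritten.
            if len({p for _, p in recent}) == min_files:
                alerts.append((ev["pid"], f"{min_files} high-entropy rewrites in {window}s"))
    return alerts

# Constructed sample telemetry (not real logs): pid 4242 behaves like ransomware,
# first wiping shadow copies and then rewriting files on a share; pid 1000 saves plain text.
CIPHERTEXT = bytes(range(256))              # uniformly distributed bytes, entropy 8.0
PLAINTEXT = b"quarterly report draft\n" * 12
SAMPLE_EVENTS = [
    {"ts": 0.0, "pid": 4242, "type": "proc",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": 5.0, "pid": 1000, "type": "write", "path": r"C:\docs\notes.txt", "data": PLAINTEXT},
] + [
    {"ts": 1.0 + i, "pid": 4242, "type": "write",
     "path": rf"\\fileserver\share\doc{i}.docx.locked", "data": CIPHERTEXT}
    for i in range(6)
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

Running it prints two alerts for pid 4242 and none for the editor process. In a real deployment the entropy and rate thresholds need tuning against normal activity such as compression or backup jobs, which also write high-entropy data.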
The attacker sends the ransom notice after the victim has been completely pwned. Usually, the ransom note includes a dollar amount and a Bitcoin link, along with a threatening message such as “pay us or your data gets it.”
It is worth noting that ransomware has become a very lucrative profession thanks to cryptocurrency. Although it is difficult to quantify the financial value of a criminal activity, the number of attacks shows that criminals see the benefits of using these techniques.
Recent attacks have made data exposure part of the extortion plan: the ransomware encrypts the data and also exfiltrates it back to the attackers, who then threaten, “pay us or we will release your data.”
Finally, is the victim willing to pay the ransom in the hope that the criminal will honor his promise and send the decryption keys? Or, does the victim try to manually recover encrypted data after removing the malware infection?
Attackers rarely deliver the keys even after they take the money. It’s shocking, I know. This is why the ransomware attack on Baltimore City was so costly and took so much time to recover from. Baltimore refused to pay, so IT staff had the task of restoring data and rebuilding what they couldn’t restore.
A recovery plan must also consider the possibility of data leakage. How can you stop an attacker from releasing your data? You can’t. This makes ransomware prevention more important than data backups.
Learn more about how ransomware works in the video below — it comes from our free 8-part introduction to ransomware course led by Troy Hunt.
Basic Tips to Protect Against Ransomware
Ransomware attacks target two kinds of victims: enterprises and individuals.
Do not click the link!
You’ve heard it before, I know. It is worth repeating. In 2019, phishing emails were responsible for a significant share of malware infections. The link isn’t going away, and humans won’t stop clicking it. I know this because I clicked the link. As fallible, mortal human beings, we can at least be a bit more skeptical about emails. Maybe that little bit more skepticism can reduce the number of malware infections at companies. Check out our blog “The Anatomy of a Phishing Email,” blow up the infographic, and post it around your office.
Create Email Protections and Endpoint Security
As an enterprise, we know humans will click on the link, so:
- Check all emails for malware and ensure that firewalls and endpoint protections are up-to-date with the latest malware signatures.
- Warn users when an email originates from outside the network
- Provide VPNs for users connecting from outside the network
Keep current backups of all your data, both for personal and business protection. A quick re-image of your disk is the best and most efficient way to stop ransomware. Then, you can restore data from the last good backup, unless the attackers also exfiltrate the data.
Protect your personal information
Humans are genetically predisposed towards trusting other people. This is one of the evolutionary reasons why our species has grown so rapidly. This trust is what mentalists use to convince us that we made a choice, and it is how attackers trick us into divulging our passwords and mother’s maiden names.
Be skeptical, and be respectful when asked about sensitive information. Although it’s the same problem as the links, this could be a real-life interaction. This advice goes double for users in the C-suite, who are the targets of whale phishing campaigns.