Ransomware: Best Practices for Prevention and Response
- Bitcoin has been a significant factor in the rise of ransomware attacks. It is a convenient currency for ransom demands because no governing body oversees it and because it gives the attacker a degree of anonymity (payments are pseudonymous rather than tied to a verified identity).
- The evolution of ransomware-as-a-service (RaaS) has also played a significant role in the proliferation of attacks. RaaS has moved the execution of a ransomware attack from the “professional” to the “script-kiddie” level: the operator writes and maintains the malware, and the affiliate only has to deliver it.
- Operating systems do not stop ransomware on their own in its early stages, that is, in the window before the actual encryption starts. That window is where detection and response have to happen.
- Email is still the most popular delivery method, yet ransomware remains a problem because users are not properly trained to recognize the dangers of opening malicious attachments. This is a sign that organizations need to improve web and email security as well as user security awareness. Separately, but related, attackers are becoming more skilled at social engineering. Many of the old markers that helped identify malicious emails (misspellings, incorrect punctuation, improper capitalization, unknown “from” addresses) no longer apply: online spell-checkers and translators make it easy to write a convincing phishing story, and it is becoming increasingly difficult for users to spot spoofed sender addresses.
- Inform employees. Ransomware, like other malware, can infect a system through email attachments, downloads, and web browsing. Provide regular training so employees can recognize and avoid the common malware pitfalls.
- Conduct regular data backups. This is worth repeating: back up your systems regularly. Store backups offline, preferably offsite, so they are not reachable through your network; offsite storage also covers other loss events. Check the backup process regularly to confirm that backups capture all data and that your restore procedure actually works in your environment. At a personal or home level, back up important files as soon as they are modified, and keep backup media (thumb drives and external hard drives) disconnected from any networked device when not in use. Periodically verify that files on the backup media can still be read; the worst time to discover a damaged backup device is when you need to recover data. Do not overlook the possibility that online backup and file-sync services are themselves affected by ransomware: if the service mirrors whatever is on disk, the backups may be overwritten by ransomware-encrypted versions, so retain enough version history (or use immutable snapshots) to roll back to a copy from before the infection.
- Limit code execution. Ransomware commonly runs from temporary and user data folders (for example %TEMP% and %APPDATA%) because those are the locations a standard user can write to. Using access controls to deny execution from those locations stops many strains before they ever reach the encryption stage.
- Limit administrative and system access. Some ransomware strains need an administrator account to carry out parts of their operation (deleting volume shadow copies, for example). Reducing the number of privileged user accounts and removing or disabling the default system administrator accounts takes away what these strains depend on.
- Keep your software up-to-date. Patching promptly closes the known vulnerabilities that ransomware and its delivery mechanisms exploit, and keeping security tooling current also improves the odds of early detection.
- Robust filtering is one of the most crucial steps an organization can take. If spam and other potentially malicious email never reaches employees, the chance of an attack succeeding is lower.
- Blocking attachments is an important step to reduce the attack surface. Ransomware can be delivered as executable attachments (.exe, .js, or any other file type the system will execute), as Microsoft Office files containing macros, and as .zip files that either contain executables or are executables themselves (a file named .zip that is actually an .exe). Establish a policy that prohibits sending these file types by email, and configure the email security gateway to strip such attachments. Because the file name can lie, the filter has to check the file's actual type and the contents of archives, not just the extension.
- Review permission-related practices. This is important, because many of these practices help mitigate the effects of a ransomware attack.
- Removing local administrative rights denies ransomware the ability to modify system files and directories, the registry, and system storage, and blocks its access to critical system resources. That cripples key components of most attacks and limits spread, but a process running as a standard user can still encrypt every file that user is allowed to write, so this control works alongside the write and execution restrictions below rather than replacing them.
- Other permission-related actions include limiting users' write capabilities, preventing execution in user directories, application whitelisting, and restricting access to network storage and shares. Ransomware needs write access to some file path in order to be installed or executed. If write access is restricted to a small number of directories (for example User/Documents or User/Downloads), and execution permission is removed from those same directories, a ransomware executable can neither be dropped elsewhere nor run from where it was dropped. Many companies use only a small number of applications to do business; with a whitelist-only policy, anything not on the list is blocked from executing.
One last permissions rule that can reduce ransomware's impact and stop it from spreading is to require authentication at access points such as local and mapped drives, so that a process running as the compromised user does not automatically gain write access to every share that user has mapped.
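The attachment policy described above (block executables, macro-enabled Office files, and archives that carry or disguise executables) has to look past the file name. The following Python script is an added example and not code from the original page: it scans a message for attachments, checks the real file type by magic bytes, opens ZIP containers (which is also what modern Office files are) to look for executable members or a vbaProject.bin macro stream, and reports the reason each offending attachment should be stripped. The message it scans is constructed inline, and the BLOCKED_EXTENSIONS set extends the page's .exe/.js examples with a few other directly executable Windows types, which is my assumption about a sensible policy rather than something the page specifies.

```python
# Added example: attachment policy scanner, not code from the original page.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# File types that should never arrive by email. The page names .exe and .js;
# the rest are my assumption about what a sensible policy adds.
BLOCKED_EXTENSIONS = {".exe", ".js", ".scr", ".bat", ".cmd", ".com", ".pif",
                      ".vbs", ".ps1", ".hta", ".jar", ".msi"}


def _ext(name: str) -> str:
    """Lower-case final extension, '' if there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_attachment(filename: str, data: bytes) -> Optional[str]:
    """Return why an attachment violates the policy, or None if it is allowed."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    # Real type beats claimed type: a PE image renamed to .zip still starts with MZ.
    if data[:2] == b"MZ":
        return f"PE executable disguised as {ext or 'no extension'}"
    # Anything that is really a ZIP container: plain archives and OOXML Office files alike.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "malformed archive"          # cannot be scanned, so block it
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "Office document contains VBA macros"
        bad = [n for n in names if _ext(n) in BLOCKED_EXTENSIONS]
        if bad:
            return "archive contains executable: " + ", ".join(bad)
    return None


def scan_message(raw: bytes) -> list:
    """Scan an RFC 5322 message; return [(filename, reason)] for attachments to strip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, data)
        if reason:
            findings.append((name, reason))
    return findings


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed test message (not a real capture) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("quarterly notes", filename="notes.txt")                 # benign
    msg.add_attachment(_zip_bytes({"invoice.pdf.exe": b"MZ\x90\x00"}),          # exe inside zip
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ\x90\x00" + bytes(32),                               # exe renamed to .zip
                       maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": b"<Types/>",        # macro-enabled Word file
                                   "word/document.xml": b"<w:document/>",
                                   "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="agenda.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"strip {name}: {reason}")
```

A gateway deployment would quarantine or strip whenever scan_message returns anything. Two limits to keep in mind: password-protected archives still list their member names, so the extension check works on them, but nested archives are not recursed into here, and legacy binary .doc/.xls files would need an OLE parser to detect macros.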
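The backup bullet above recommends checking regularly that backups capture all data, that restores work, and that backup copies have not themselves been overwritten by ransomware-encrypted versions. The following Python script is an added example of that check, not code from the original page: it records a SHA-256 manifest of the source tree at backup time and later compares a restored tree against it, reporting files that are missing, files that changed, and changed files whose content has the near-random byte distribution typical of ransomware-encrypted output. The directory tree, the "backup", and the simulated overwrite in demo() are all constructed in a temporary directory, and the 7.5 bits/byte entropy threshold is my choice, not a value from the page.

```python
# Added example: backup manifest and restore verification, not code from the original page.
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption, random data sits near 8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256.
    Keep a copy of this manifest somewhere the backup job cannot write."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text is ~4-5, compressed or encrypted data ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    A changed file that also looks random is flagged as likely encrypted."""
    report = {"ok": [], "missing": [], "modified": [], "likely_encrypted": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()[:65536]) > ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up a small tree, then 'restore' a copy in which
    one file is gone and one was overwritten by a simulated encrypted version."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("Q3 plan: ship, then patch.\n" * 50)
        (src / "docs" / "budget.csv").write_text("item,cost\nlaptops,4200\n" * 20)
        (src / "readme.md").write_text("# Files\n")
        manifest = build_manifest(src)            # taken at backup time

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)            # the restore under test
        (restored / "readme.md").unlink()         # backup missed a file
        (restored / "docs" / "budget.csv").write_bytes(os.urandom(4096))  # overwritten by encrypted copy
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:17s} {files}")
```

The manifest must live somewhere the backup job (and the user whose machine gets infected) cannot write, because a manifest stored next to the backup is exactly as exposed as the backup. The entropy heuristic is a hint rather than proof: already-compressed formats such as .zip, .jpg or .docx legitimately sit near 8 bits/byte, so a change in such a file shows up as both modified and likely_encrypted and has to be confirmed from the hash mismatch and the file's version history.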
- Take a snapshot of your system. If possible, capture the system's memory before you shut the computer down. The memory image can reveal the ransomware's attack vector and may contain cryptographic material (keys still held in RAM) that can be used to decrypt data; powering off first destroys it.
- Turn off your computer. Disconnect it from the network and power it off to prevent the ransomware from spreading further and causing more data damage.
- Identify the attack vector. Remove from all mailboxes any emails that may have been used to deliver the ransomware, so that no one else opens them.
- Block network access to any command-and-control servers identified as used by the ransomware. Some ransomware cannot begin encrypting data without contacting these servers (for example to obtain its encryption key), so blocking them early can stop the encryption stage. Do not rely on this alone: many strains carry an embedded public key and encrypt without any network access.
- Notify authorities. Inform law enforcement so they can assist with the investigation. Be aware that involving them can also affect the odds of recovering data: ransom demands typically increase once a deadline passes, so if the organization ultimately decides to pay, the delay caused by the investigation may raise the cost.