Ransomware Best Practices For Prevention And Response

In less than a day, nearly 25 million computers were infected by WannaCry ransomware. WannaCry is just one of many ransomware attacks that, rather than stealing data from computers, hold them hostage and demand ransom payments. WannaCry was the most extensive ransomware attack to date, taking over computers around the world, including those of FedEx in the United States, the systems that power the British healthcare system, and systems across Asia.
Data Encryption: A Key Component of Ransomware
Ransomware is a simple form of malware: it captures and encrypts data, which is then held hostage until payment is made. Email and websites are the most popular delivery methods.
Although ransomware has been around in some form or another for decades (the first known attack is believed to have occurred in 1989), it has more recently become the modus operandi of cybercriminals across the globe. Advances in cryptography are part of the reason ransomware has evolved over the past decade: the ready availability of strong encryption algorithms such as RSA and AES has made ransomware much harder to defeat without the attacker's key. Although estimates are not exact, ransomware attacks continue to increase. The Verizon 2017 Data Breach Investigations Report estimates that (pre-WannaCry) ransomware attacks around the world grew by 50 percent in the last year. Symantec, in a separate report, estimated that the average amount paid by victims had risen to $1,077.
Ransomware attacks have seen a recent increase in popularity due to a variety of factors:
  • Bitcoin has been a significant factor in the rise of ransomware attacks. It is a perfect currency for ransom demands because it lacks oversight from any governing body and offers anonymity.
  • The evolution of ransomware-as-a-service (RaaS) has also played a significant role in the proliferation of attacks. RaaS has moved the execution of a ransomware attack from “professional” to “script-kiddie.”
  • Operating systems do not stop ransomware in its early stages, i.e. before the actual encryption starts.
  • Even though email is still the most popular delivery method, ransomware remains a problem because users are not properly trained and made aware of the dangers of opening malicious email attachments. This is a sign that organizations need to improve web and email security as well as user security awareness. Separately, but related, attackers are becoming more skilled at social engineering. Many of the old markers that were used to help identify malicious emails (e.g. misspellings, incorrect punctuation, improper capitalization, unknown “from” addresses) are no longer applicable. Online spell-checkers and translators have made it easier to create convincing phishing stories, and it is becoming increasingly difficult for users to identify spoofed addresses.
An Ounce Of Backup
Regular backups, verified by actually restoring from them, are the best way to blunt ransomware. More recent ransomware attacks have encrypted not only data files but also Windows system restore points and shadow copies, which could otherwise be used to partially restore data after an attack. To ensure that the system can be restored effectively after an attack, backups should be kept on a separate computer that is not reachable over the network.
These are some other effective mitigation strategies:
  • Inform employees. Ransomware, like other malware, can infect a system via email attachments, downloads, and internet browsing. Regular training should be provided to employees to help them avoid common malware pitfalls.
  • Conduct regular data backups. This is worth repeating: back up your systems regularly. Store backups offline, preferably offsite, so they are not accessible through your network; offsite storage also protects against other disruptive events. Check the backup process regularly to ensure that backups capture all data and that your restore process works in your environment. At a personal or home level, back up important files as soon as they are modified, and make sure backup media (thumb drives and external hard drives) are not left connected to networked devices. Check periodically that files can be read from the backup device; the time to discover that a backup device is damaged is not when you need to recover data. Do not overlook the possibility that online backup services could be compromised by ransomware: good backups may be overwritten by ransomware-encrypted versions.
  • Limit code execution. Ransomware often runs from temporary and data folders; access controls that deny execution in those locations can stop it before it is able to encrypt data.
  • Limit administrative and system access. Certain ransomware strains require a system administrator account to carry out their operations. Reducing the number of user accounts and disabling default system administrator accounts creates additional obstacles for this ransomware.
  • Keep your software up-to-date. This is an important rule for protecting against ransomware and/or ensuring early detection.
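The backup advice above comes down to two checks that are easy to automate: does every file in the backup still match what was backed up, and has anything in the backup been replaced by an encrypted copy? The script below is an added example, not code from the original article. It records a manifest of SHA-256 hashes when the backup is taken, then restore-tests the backup against that manifest; a changed file whose content is near-random (Shannon entropy above an assumed 7.5 bits per byte) is reported as a probable ransomware overwrite. The file names, contents and threshold are constructed for illustration.

```python
"""Restore-test an offline backup against a manifest and flag ransomware-style overwrites.

Constructed example, not part of the original article.  It builds a tiny source
tree and its backup copy in a temporary directory, records a manifest of SHA-256
hashes at backup time, then simulates three things that can go wrong before a
restore is needed (a drifted copy, a deletion, and an overwrite with encrypted
bytes) and shows that the check reports each of them.
"""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Bits per byte above which a file is treated as encrypted/compressed; plain
# documents and text typically score well below this (assumed threshold).
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root, recorded at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Check every manifest entry exists in the backup, hash-matches, and does not look encrypted."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["modified"].append(rel)
            # A changed file whose content is near-random is the signature of
            # a backup that was overwritten by a ransomware-encrypted version.
            if shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
            continue
        report["ok"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Build constructed source/backup trees, damage the backup, and verify it."""
    files = {  # constructed sample documents (low-entropy text)
        "readme.txt": b"Read me first.\n" * 20,
        "notes.txt": b"Meeting notes, week 12.\n" * 30,
        "report.docx": b"Quarterly report: revenue up.\n" * 100,
        "budget.xlsx": b"cell,value\nA1,42\n" * 50,
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "source", Path(tmp) / "backup"
        for rel, data in files.items():
            for root in (src, bak):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        manifest = build_manifest(src)  # taken when the backup was made
        # Simulated problems that would otherwise surface only at restore time:
        (bak / "notes.txt").write_bytes(files["notes.txt"] + b"extra line\n")  # drifted copy
        (bak / "budget.xlsx").unlink()  # deleted from the backup set
        rng = random.Random(7)  # seeded so the "encrypted" bytes are reproducible
        (bak / "report.docx").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        return verify_backup(bak, manifest)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:10s} {names}")
```

Running the script lists `budget.xlsx` as missing, `notes.txt` and `report.docx` as modified, and only `report.docx` as suspicious; a legitimately edited file changes its hash but keeps the low entropy of ordinary text, which is what separates drift from an encrypted overwrite. On a real backup set the manifest would be written to the offline media alongside the data, and the verification run from a clean machine.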
System-Level Protection
Ransomware can be blocked at its two most common points of entry, email and websites. At the system level it is possible to reduce, but not eliminate, ransomware attacks. Anti-malware products should be able to detect and block ransomware at both the file and process levels before any data can be compromised, and a well-designed anti-malware product should be able to scan email attachments and detect malicious content. These statements emphasize should because ransomware is constantly evolving, and even an up-to-date anti-malware product cannot be guaranteed to detect it.
For email, consider the following guidelines:
  • Robust filtering is one of the most crucial steps an organization can take. If spam and other potentially malicious emails never reach employees, the chances of an attack succeeding are lower.
  • Blocking attachments can be an important step in reducing the attack surface. Ransomware can be delivered in executable attachments (.exe, .js, or any other file type that can be executed), Microsoft Office files containing macros, and .zip files that either contain executable files or are themselves executables (named .zip but actually .exe). Establish a policy that prohibits sending these file types by email and have the email security device delete such attachments.
  • Review permission-related practices. This is important because many of these practices can help mitigate the effects of ransomware attacks.
    • Removing local administrative rights can stop ransomware from running on local systems and prevent it from spreading, because it cripples the key components of any ransomware attack: the ability to modify system files and directories, the system registry, and storage. Removing local administrative rights also blocks access to critical system resources and files.
    • Other permission-related actions include limiting user write capabilities, preventing execution in user directories, whitelisting applications, and restricting access to network storage and shares. Ransomware may require write access to certain file paths to be installed or executed; if write access is restricted to a limited number of directories (e.g. User/Documents or User/Downloads), many ransomware variants will be unable to carry out their actions. Ransomware executables may also be blocked by removing execution permission from these directories. Many companies use only a small number of applications to do business; by maintaining a whitelist-only policy, applications that are not whitelisted can be stopped from executing.

      One last permissions rule that could reduce ransomware’s impact and stop it from spreading is to require login at access points such as local and mapped drives.
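The attachment-blocking guideline above is only as good as the check behind it: a policy that looks at the file name alone is defeated by an executable renamed to .zip, an executable inside an archive, or a macro hidden in an Office document. The following script is an added example, not code from the original article, showing how an email security device might classify attachments by content. It recognises a Windows PE binary by its MZ header regardless of extension, opens .zip archives (to a fixed nesting depth) to classify what they contain, and treats Office documents, which are zip containers, as macro-enabled when they carry a vbaProject.bin part. The extension list beyond .exe and .js, the verdict strings and the sample attachments are assumptions constructed for illustration.

```python
"""Classify email attachments against an attachment-blocking policy.

Constructed example, not part of the original article; the extension lists,
verdict strings and sample attachments are assumptions made for illustration.
The check looks beyond the file name: it recognises a Windows PE binary by its
'MZ' header whatever the extension, opens .zip archives (with a nesting limit)
to see what they really contain, and treats Office documents, which are zip
containers, as macro-enabled when they carry a vbaProject.bin part.
"""
import io
import zipfile

# Extensions the policy refuses outright (.exe and .js from the article; the
# rest are assumed additions an organisation would tune to its own needs).
EXECUTABLE_EXTS = {".exe", ".js", ".scr", ".bat", ".cmd", ".vbs"}
MAX_DEPTH = 2  # how many archive layers to open before refusing outright


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_attachment(filename: str, data: bytes, depth: int = 0) -> str:
    """Return 'allow' or 'block:<reason>' for one attachment."""
    if _ext(filename) in EXECUTABLE_EXTS:
        return "block:executable-extension"
    if data[:2] == b"MZ":  # PE header: "named .zip but actually .exe"
        return "block:pe-content"
    if data[:2] == b"PK":  # zip container: archive or Office OOXML document
        if depth >= MAX_DEPTH:
            return "block:nested-archive-too-deep"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [i for i in zf.infolist() if not i.is_dir()]
                if any(i.filename.lower().endswith("vbaproject.bin") for i in members):
                    return "block:office-macro"
                for info in members:  # classify each member with the same rules
                    inner = classify_attachment(info.filename, zf.read(info), depth + 1)
                    if inner != "allow":
                        return f"block:archive-member({info.filename}):{inner[len('block:'):]}"
        except zipfile.BadZipFile:
            return "block:malformed-archive"
    return "allow"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_verdicts() -> dict:
    """Constructed attachments exercising each policy branch."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # leading bytes of a PE file (constructed stub)
    plain_docx = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    macro_docm = make_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
    samples = {
        "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
        "payroll.exe": pe_stub,
        "photos.zip": pe_stub,  # executable renamed to look like an archive
        "contract.docx": plain_docx,
        "contract.docm": macro_docm,
        "tools.zip": make_zip({"readme.txt": b"hi", "setup.bin": pe_stub}),
        "archive.zip": make_zip({"inner.zip": make_zip({"run.js": b"// sample"})}),
        "deep.zip": make_zip({"l1.zip": make_zip({"l2.zip": make_zip({"x.txt": b"x"})})}),
        "broken.zip": b"PK\x03\x04" + b"\x00" * 8,  # zip header with no directory
    }
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:16s} {verdict}")
```

Two design points are worth noting. Archives are classified by recursing on each member with the same rules, so the verdict names the offending member (`block:archive-member(setup.bin):pe-content`), which gives the helpdesk something concrete to tell the sender. Nesting is capped rather than followed indefinitely, and an unreadable archive is blocked rather than allowed, on the principle that a gateway which cannot inspect an attachment should not pass it.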

At The Network Level
Stopping ransomware from spreading at the network level has proven more difficult. Firewalls with robust blacklisting and whitelisting can be used to deter malware from being downloaded via the internet.
Firewalls should limit or completely block remote desktop protocol (RDP) and other remote management services. Spam-detection methods, such as deploying spam lists, can prevent users from receiving compromised emails. Limiting the file extensions that can be sent via email is another strategy.
It can be difficult to stop ransomware from spreading from an infected host to other computers on the network. It is best to immediately disconnect the infected host from all connections (wired, Wi-Fi and Bluetooth) to prevent it from spreading. It is also important to disable automated backups to local or external storage so that encrypted files do not overwrite good copies.
In the Event of a Ransomware Attack
These practices are effective but cannot fully protect your company from ransomware. The following steps will help if you suspect that you are the victim of a ransomware attack.
  • Take a snapshot of your system. If possible, capture the system’s memory before you shut down the computer. This can help you locate the ransomware’s attack vector and any cryptographic material that could be used to decrypt data.
  • Turn off your computer. This will prevent further spread of the ransomware and further data damage.
  • Identify the attack vector. Remove all emails that may have been used to spread the ransomware.
  • Block network access to any identified command and control servers used by the ransomware. Ransomware often cannot complete data encryption without access to these servers.
  • Notify authorities. Inform law enforcement so that they can assist with the investigation. Be aware, however, that involving law enforcement can increase the possibility that data will never be recovered: ransom demands typically grow the longer payment is delayed, so if the organization decides to pay, involving law enforcement can delay the payment and increase its cost.
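The response steps above (isolate the host, identify the vector, block the command and control servers) all start from spotting the attack in progress. As an added example, not code from the original article, the script below runs simple detection logic over file-activity and connection logs: a host is flagged when it renames many files to one new extension inside a short window or drops the same file name (a ransom note) into several directories, and the outbound destinations that host contacted are listed as candidates for the firewall block described above. The log format, host names, paths, thresholds and addresses (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges) are all constructed for illustration.

```python
"""Flag mass-encryption behaviour in file-activity logs and build a containment list.

Constructed example, not part of the original article.  The log format, host
names, paths and addresses are made up for illustration, and the thresholds are
assumptions to tune per environment.  A host is flagged when it renames many
files to one new extension inside a short window, or creates the same file name
(a ransom note) in several directories; the outbound destinations it contacted
are listed as candidates for the command-and-control block.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

RENAME_THRESHOLD = 10           # renames to one new extension ...
WINDOW = timedelta(seconds=60)  # ... within this span
NOTE_DIR_THRESHOLD = 3          # same file name created in this many directories

# Constructed sample log: one host encrypting a share, one host working normally.
SAMPLE_EVENTS = (
    [f"2024-03-01T09:00:{i:02d} host=WS-114 op=rename "
     f"src=/share/finance/doc{i}.xlsx dst=/share/finance/doc{i}.xlsx.locked"
     for i in range(1, 13)]
    + [
        "2024-03-01T09:00:15 host=WS-114 op=create path=/share/finance/README_DECRYPT.txt",
        "2024-03-01T09:00:16 host=WS-114 op=create path=/share/hr/README_DECRYPT.txt",
        "2024-03-01T09:00:17 host=WS-114 op=create path=/share/legal/README_DECRYPT.txt",
        "2024-03-01T09:00:02 host=WS-114 op=connect dst=203.0.113.45:443",
        "2024-03-01T09:00:20 host=WS-114 op=connect dst=203.0.113.45:443",
        "2024-03-01T09:00:05 host=WS-220 op=rename src=/share/hr/report.docx dst=/share/hr/report_v2.docx",
        "2024-03-01T09:00:06 host=WS-220 op=connect dst=198.51.100.10:443",
        "this line is not in the expected format",
    ]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    ev = {"ts": ts, "host": m["host"], "op": m["op"]}
    ev.update(dict(KV_RE.findall(m["rest"])))
    return ev


def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    stamps = sorted(stamps)
    best = start = 0
    for i, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


def analyse(lines):
    """Return hosts to isolate, the evidence per host, and candidate C2 destinations."""
    renames = defaultdict(list)  # (host, new extension) -> timestamps
    notes = defaultdict(set)     # (host, file name) -> directories it was created in
    connects = defaultdict(set)  # host -> outbound destinations
    for ev in filter(None, map(parse_line, lines)):
        if ev["op"] == "rename" and "src" in ev and "dst" in ev:
            old_ext = PurePosixPath(ev["src"]).suffix.lower()
            new_ext = PurePosixPath(ev["dst"]).suffix.lower()
            if new_ext and new_ext != old_ext:  # extension changed, e.g. .xlsx -> .locked
                renames[(ev["host"], new_ext)].append(ev["ts"])
        elif ev["op"] == "create" and "path" in ev:
            p = PurePosixPath(ev["path"])
            notes[(ev["host"], p.name.lower())].add(str(p.parent))
        elif ev["op"] == "connect" and "dst" in ev:
            connects[ev["host"]].add(ev["dst"])

    reasons = defaultdict(list)
    for (host, ext), stamps in renames.items():
        n = max_in_window(stamps, WINDOW)
        if n >= RENAME_THRESHOLD:
            reasons[host].append(f"{n} files renamed to {ext} within {int(WINDOW.total_seconds())}s")
    for (host, name), dirs in notes.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            reasons[host].append(f"{name} created in {len(dirs)} directories")
    return {
        "isolate_hosts": sorted(reasons),
        "reasons": dict(reasons),
        "candidate_c2": sorted({d for h in reasons for d in connects[h]}),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for host in result["isolate_hosts"]:
        print(host, "->", "; ".join(result["reasons"][host]))
    print("block at firewall:", result["candidate_c2"])
```

On the constructed log this flags WS-114 for twelve renames to `.locked` inside a minute and a note dropped in three directories, names 203.0.113.45:443 as the destination to block, and leaves WS-220 alone because a single rename that keeps the document extension is ordinary user activity. The candidate list is evidence for an analyst, not an automatic block: the same host may also have contacted legitimate services during the window.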
Looking ahead and wrapping up
Ransomware attacks are on the rise because the tools are easier to obtain and the financial payouts are higher. Criminals will target larger organizations, government, education and healthcare. Ransomware technology will continue to improve, driven by a business model that guarantees anonymity, and ransomware encryption is rapidly approaching the strength of commercial security products.
Law enforcement agencies and government entities are still working to address this problem; in the meantime, the best practices above can help organizations prevent and mitigate ransomware attacks.