Ransomware Controls

Ransomware: Facts, Threats and Countermeasures


Ransomware is a form of malware that has been a major threat to U.S. companies and individuals over the past two decades. Most ransomware encrypts files on infected systems and networks (crypto-ransomware), but some variants erase files or block access by other means (locker ransomware). Once access is blocked, the ransomware demands a ransom to unlock the files, typically $200-$3,000 in bitcoin, although other currencies and gift vouchers are sometimes reported. Ransomware variants are almost always designed to attack victims opportunistically and to infect a variety of devices, from smartphones to computers.

Infection Vectors

Ransomware is spread mainly through user-initiated actions, such as clicking on malicious links in spam e-mails or visiting compromised websites. Malvertising and drive-by downloads are also used to spread it; these methods do not require any action by the user.

Ransomware infections are almost always opportunistic and spread through indiscriminate vectors like the ones discussed above. However, in very rare cases cyber threat actors target specific victims, either through a deliberate infection or after discovering that an opportunistic infection has landed on a sensitive entity. The Federal Bureau of Investigation (FBI) often refers to these cases as extortion rather than ransomware, because the ransom demanded is almost always higher and corresponds with the strategic targeting. In spring 2016, several hospitals were infected by strategically targeted ransomware.

Additional Capabilities

Over the last year, ransomware variants’ features have expanded to include data exfiltration, participation in distributed denial-of-service (DDoS) attacks, and anti-detection. One variant erases files regardless of whether payment was made. Another can lock cloud-based backups while continuous real-time backups are running (that is, during persistent synchronization). Other variants target smartphones and Internet of Things (IoT) devices.

Some variants claim to be from a law enforcement agency and state that the user owes a “fee” or “fine” for illegal activities such as viewing pornography. These variants may use techniques to determine the victim’s approximate geographic location so that they can name a specific agency. The U.S. government will never remotely lock or disable a computer and then demand a penalty to unlock it.

How to Reduce the Risk of Ransomware Infections

The following are some of the best practices; they do not cover every aspect of defending against ransomware.

Network and System Security

  • Plan for an emergency response; this includes how to handle ransomware events.
  • Backups are essential. Make sure your backup system keeps multiple backup generations, so that an encrypted or infected file does not overwrite the only good copy. Routinely test backups to verify data integrity and ensure that they are operational.
  • Anti-spam and antivirus software are recommended. Use antivirus software that automatically updates its signatures and enable regular network and system scans. Implement an anti-spam solution to prevent phishing emails from reaching your network. Add a warning banner to all emails from external sources to remind users about the dangers of opening attachments and clicking on links.
  • Disable macro scripts. Instead of the full office suite, Office Viewer software can be used to view Microsoft Office files sent via e-mail.
  • Keep all systems up to date: all hardware, operating systems, and software, including cloud locations, content management systems (CMS), and all applications, must be kept current. Use a central patch management system if possible. Implement application whitelisting or software restriction policies (SRP) to prevent programs from being executed from locations ransomware commonly uses, such as temporary folders.
  • Restrict Internet access. Consider ad-blocking software and a proxy server for Internet access. Restrict access to ransomware entry points such as personal email accounts and social networking sites.
  • Apply the principle of least privilege and network segmentation. Separate data according to its organizational value. Wherever possible, create virtual environments that allow physical and logical separation between data and networks.
  • Monitor and vet third parties’ remote access to the organization’s network and/or connections to third parties to ensure that they adhere to cybersecurity best practices.
  • Participate in cybersecurity information sharing programs and organizations such as MS-ISAC and InfraGard.
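As an added example (not part of the original guidance or of any Microsoft tooling), the following Python script models how SRP path rules are evaluated: a default level of Disallowed gives true whitelisting, and the most specific matching rule wins, so an explicit Disallowed rule on a temp folder overrides a broader Unrestricted rule on its parent. The rule set and the execution paths are constructed assumptions for checking a policy before it is deployed.

```python
import fnmatch
import ntpath

# Constructed rule set (not from the page) modelling Windows Software Restriction
# Policy path rules: the default level is Disallowed (true whitelisting) and the
# most specific matching path rule wins, so a Disallowed rule on a temp folder
# overrides a broader Unrestricted rule on its parent directory.
RULES = [
    (r"C:\Program Files\*", "Unrestricted"),
    (r"C:\Program Files (x86)\*", "Unrestricted"),
    (r"C:\Windows\*", "Unrestricted"),
    (r"C:\Windows\Temp\*", "Disallowed"),                # common dropper location
    (r"C:\Users\*\AppData\Local\Temp\*", "Disallowed"),  # %TEMP% for every user
    (r"C:\Users\*\AppData\Roaming\*", "Disallowed"),
    (r"C:\Users\*\Downloads\*", "Disallowed"),
]
DEFAULT_LEVEL = "Disallowed"

def _norm(path):
    # Case-insensitive, backslash-separated form so that C:/Windows/x.exe and
    # c:\windows\x.exe compare equal, as they do on Windows.
    return ntpath.normcase(ntpath.normpath(path))

def specificity(pattern):
    # SRP prefers the path rule with the longest literal prefix before a wildcard.
    return len(pattern.split("*", 1)[0])

def evaluate(path, rules=RULES, default=DEFAULT_LEVEL):
    """Return (level, matching_rule) for an attempt to execute `path`."""
    target = _norm(path)
    best = None
    for pattern, level in rules:
        if fnmatch.fnmatchcase(target, _norm(pattern)):
            if best is None or specificity(pattern) > specificity(best[0]):
                best = (pattern, level)
    return (default, None) if best is None else (best[1], best[0])

def audit(paths, rules=RULES):
    """Map each candidate path to the level the policy would apply to it."""
    return {p: evaluate(p, rules)[0] for p in paths}

if __name__ == "__main__":
    # Constructed execution attempts a reviewer might check before deploying the policy.
    for p, lvl in audit([r"C:\Program Files\Vendor\app.exe",
                         r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
                         r"C:\Windows\Temp\update.exe",
                         r"D:\tools\x.exe"]).items():
        print(f"{lvl:12} {p}")
```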

Secure the End-User

  • Train employees to recognize phishing and social engineering. They should not open suspicious email attachments or click on links in suspicious emails, and should be careful before visiting unknown websites.
  • Remind users to close their browsers when not in use.
  • A reporting plan is essential; it ensures that staff know where and how to report suspicious activity.

Response to a Compromise/Attack

  • To prevent the infection from spreading, immediately disconnect infected systems from the network.
  • Identify the data affected; some sensitive data, such as electronic protected health information (ePHI), may require additional reporting or mitigation.
  • Find out whether a decryptor is available. Online resources such as the No More Ransom! project can help.
  • Restore files from regularly maintained backups.
  • Report the infection. SLTT government agencies are strongly encouraged to report ransomware incidents to MS-ISAC. Home users and other sectors may also report infections to their local Federal Bureau of Investigation field office or to the Internet Crime Complaint Center (IC3).
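As an added example (not part of the original guidance), the following Python script supports the "identify the data affected" step: it walks a directory tree and flags files that carry a ransom-style extension or whose content has the near-8-bits-per-byte entropy of ciphertext, while skipping formats that are dense by design. The extension list, entropy threshold and sample files are constructed assumptions, not indicators from the page.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed indicators for this example (not from the page and not a real IoC
# list): extensions in the style that ransomware families append to encrypted files.
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")
# Formats that are compressed or encrypted by design and so are always high-entropy.
ALREADY_DENSE = (".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".docx", ".xlsx")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted or random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_file(path, threshold=7.5):
    """Return the reasons a file looks affected by ransomware, or an empty list."""
    name = os.path.basename(path).lower()
    reasons = []
    if name.endswith(RANSOM_SUFFIXES):
        reasons.append("ransom-style extension")
    if not name.endswith(ALREADY_DENSE):
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)  # the first 64 KiB is enough to judge entropy
        if shannon_entropy(head) >= threshold:
            reasons.append("high entropy (content may be encrypted)")
    return reasons

def triage_tree(root):
    # Walk a share or volume and map suspicious relative paths to their reasons.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = triage_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    """Build a constructed sample tree: one intact document and one 'encrypted' copy."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.docx.locked"), "wb") as fh:
        fh.write(os.urandom(8192))  # stands in for ciphertext; the name is constructed
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly figures\n" * 200)
    return triage_tree(root)
```

The entropy check alone is a triage heuristic, not proof: compressed or media files are excluded by extension here, but any other legitimately dense file will still need a manual look.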