WatchPoint Security Blog

Best Ransomware Protection

Written by Chris Hartwig | September 19, 2016
Tips to Improve Network Security

Loss of productivity due to ransomware attacks is on the rise and cybercriminals are cashing in, making millions of dollars with minimal investment and effort. Between the end of 2015 and the first half of 2016, ransomware saw an 800% increase in ransoms paid to cyber criminals. With 2016 on track to net $1 billion in ransom payments, it’s time you take a closer look at your network to see what can be done to boost your defenses. There are a few steps you can take today to protect your network from ransomware attacks. For more advanced steps, check out our ransomware prevention checklist.

It All Starts With Employees

Employees are the weakest link in any organization when it comes to ransomware. It is your employees that will unwittingly initiate the ransomware attack on your network by visiting a compromised website or opening unsafe email attachments. Since employees are in the direct line of fire in a ransomware attack, it’s best to start with your employees first, with education and training.

Security Awareness Training: It is important that your employees understand the warning signs to look for in every email they receive, so they can identify, and avoid opening, emails that carry malware. An organization should host quarterly training that includes examples of real phishing emails and a demonstration of a ransomware attack.

Simulated Attacks: Once your employees are educated on what phishing attacks are and how to identify phishing emails, you need to test them with simulated phishing campaigns. These campaigns will help you improve your employee training and will keep your employees up-to-date and alert to the latest attack vectors.

Open JavaScript (.js) Files in Notepad: Opening a .js file in Notepad shows its contents as text instead of executing the script, so you can inspect the file for malicious content without running it.

Do Not Open Unsolicited Attachments: Never open an email attachment if you don’t know who the sender is, or if you were not expecting to receive it. Verify the authenticity by contacting the sender if you are unsure if it’s safe.

What IT Should Be Doing

Because you only need to visit a website to be infected with ransomware, it’s important that your IT staff is up to the task of protecting your network infrastructure and ready to react in the event of a ransomware attack. Here are steps IT can take to harden your network from ransomware attacks.

Hosts: Hosts should include antivirus and a software-based firewall, installed and kept current with virus definitions. You might also consider a host-based intrusion detection system and advanced endpoint protection like Carbon Black.

Patching: It’s very important that your host operating systems and applications are kept current with security patches, so that known vulnerabilities cannot be exploited in an attack.

Antivirus: Although we know that AV is less than 50% effective and relies on signatures, it is still a viable solution when it’s part of a layered network defense.

Backups: As you have probably learned by now, data backups are critical! Data needs to be backed up at frequent intervals, and those backups should be tested regularly. There are a number of backup options available, but whatever option is chosen, you should include both onsite and offsite backups. Offsite backups are very important in resuming business operations in the event of a disaster at your current business location. Onsite backups on physical hard drives are typically the fastest method to restore your data, as opposed to using a cloud-based service where data must be downloaded over your internet connection. You should also be backing up your website databases to protect them from ransomware that targets Linux web servers.

Volume Shadow Copies: Many ransomware variants delete the shadow copies, but if a variant doesn’t, you can use volume shadow copies to restore your server after an attack.

Email Gateway: Install a mail gateway appliance that uses anti-spam and antivirus scans to block email-borne threats.

Firewall: Threats originating from the internet can be stopped by your firewall and web gateway. Use URL filtering to block websites that host ransomware and their command and control servers. Make sure you lock down all ports in your firewall other than those you are currently using. You might go so far as to geo-block IP addresses from at least Russia and China.

Whitelisting: Whitelisting allows you to specify what applications are authorized to run and identify what they can change and update. When an application tries to execute, it is automatically checked against the list and, if found, allowed to run.

Use GPOs and SRPs: CryptVault uses the free GnuPG tool (gpg.exe) to encrypt files. You can use a Group Policy Object (GPO) or Software Restriction Policies (SRPs) to block the GnuPG .exe files from running.

Disable Files Running From AppData/LocalAppData Folders: It is common for some ransomware strains to run from the AppData or LocalAppData folders. You can use Windows itself or intrusion prevention software to create a rule that blocks execution of software from these directories. Be careful though, as you may find some legitimate software running from these directories that will need to be excluded from the rule.
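The three items above (whitelisting, blocking GnuPG with SRPs, and blocking execution from AppData/LocalAppData) can all be expressed as Software Restriction Policy path rules. The script below is an added example, not code from the original post or from WatchPoint: it writes local SRP path rules directly to the registry layout Microsoft documents for SRP (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers). It assumes that layout, that a file-name-only rule such as "gpg.exe" matches the binary wherever it is stored, and a hypothetical vendor updater path for the exception rule. In a domain you would set the same rules through a GPO; test this on a non-production host first and run it as Administrator.

```powershell
# Added example (not from the original post): local SRP path rules that block
# executables under AppData/LocalAppData and the GnuPG binary abused by CryptVault.
# Assumes the documented SRP registry layout; run elevated on a test host first.

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted" (262144)

function Initialize-SrpPolicy {
    # Enable SRP with a default of "run everything". Setting DefaultLevel to
    # $Disallowed instead turns this into an application whitelist (only paths or
    # hashes placed in the Unrestricted level may run), as in the Whitelisting item.
    if (-not (Test-Path $srp)) { New-Item -Path $srp -Force | Out-Null }
    Set-ItemProperty -Path $srp -Name DefaultLevel         -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $srp -Name TransparentEnabled   -Value 1 -Type DWord   # enforce for all software files except DLLs
    Set-ItemProperty -Path $srp -Name PolicyScope          -Value 0 -Type DWord   # apply to all users, administrators included
    Set-ItemProperty -Path $srp -Name AuthenticodeEnabled  -Value 0 -Type DWord
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,   # may contain environment variables, e.g. %AppData%\*.exe
        [Parameter(Mandatory)][int]$Level,     # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each rule lives in <level>\Paths\{GUID} with the path in ItemData.
    $ruleKey = Join-Path $srp ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $ruleKey
}

Initialize-SrpPolicy

# Block executables launched from the roaming and local AppData trees, including
# one level of subfolder, which is where droppers commonly stage their payload.
foreach ($p in '%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe') {
    Add-SrpPathRule -Path $p -Level $Disallowed -Description 'Block executables running from user profile AppData'
}

# Block the GnuPG binaries named in the post (file-name-only rules: assumed to match anywhere).
foreach ($p in 'gpg.exe', 'gpg2.exe') {
    Add-SrpPathRule -Path $p -Level $Disallowed -Description 'Block GnuPG executable (abused by CryptVault)'
}

# Exception for a legitimate updater that lives under LocalAppData (hypothetical path).
# A more specific path rule takes precedence over the broader Disallowed rules above.
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\Updater\updater.exe' -Level $Unrestricted `
    -Description 'Allow vendor updater (adjust to your environment)'

# Review what is now in place; rules take effect after a policy refresh or reboot.
Get-ChildItem "$srp\$Disallowed\Paths", "$srp\$Unrestricted\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object Description, ItemData }
```

When you first roll this out, check the Application event log for SRP block events before widening the rules; every legitimate program that runs from a user profile (some chat clients and updaters do) shows up there and needs its own Unrestricted exception.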

Enable File Extensions: Windows hides file extensions by default. It is a good idea to show the file extensions so users can spot suspicious ones like .js (JavaScript). Without file extensions visible, a user can only rely on the file icon to identify a file.

Disable Macros: Ransomware is often spread through Microsoft Word or Excel documents using macros. Windows disabled macros by default many years ago, and you should be very careful with any document that asks you to turn macros on.

Install Microsoft Office Viewers: Microsoft Office viewers allow you to view, print and copy documents even if you don’t have Microsoft Office installed. Viewers will not run macros.

Be Careful with the Admin Accounts: Do not use administrator accounts unless it’s absolutely necessary and avoid browsing the web or opening documents while you have administrative rights.

Lock Down Your Shares: Only give write permissions on shares to the users and groups that need them.

Disable RDP: Remote Desktop is a handy tool that lets you remotely control other machines. Most organizations will not be able to disable RDP entirely, but be aware that Cryptolocker/Filecoder malware can reach machines through RDP, so if you don’t use it, shut it down.
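Several of the host settings above (shadow copies, visible file extensions, macro settings, share permissions and RDP) can be checked in one pass. The script below is an added example, not from the original post; it reads the standard registry locations for these settings and reports which ones are still in the weak state. It assumes Office 2016 (registry version 16.0) for the macro check and the SmbShare module for the share check, and it should be run as Administrator on the host being audited.

```powershell
# Added example (not from the original post): report which of the hardening
# items above are still in their weak state on this host. Assumes Office 2016
# (16.0) keys for the macro check; run elevated so the share query succeeds.

function Test-Setting {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'WEAK' }); Detail = $Detail }
}

function Get-RegValue {
    # Return a registry value or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RansomwareHardeningReport {
    $r = @()

    # "Enable File Extensions": HideFileExt=1 means Explorer hides extensions, so
    # invoice.pdf.js is shown as invoice.pdf with a script icon.
    $hide = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    $r += Test-Setting 'File extensions visible' ($hide -eq 0) "HideFileExt=$hide"

    # "Disable Macros": VBAWarnings 4 = all macros disabled without notification,
    # 3 = only digitally signed macros run, 2 = disabled with a bar the user can click.
    # The Policies key wins when set by GPO; fall back to the user preference.
    $vba = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' 'VBAWarnings'
    if ($null -eq $vba) { $vba = Get-RegValue 'HKCU:\Software\Microsoft\Office\16.0\Word\Security' 'VBAWarnings' }
    $r += Test-Setting 'Word macros blocked' ($vba -in 3, 4) "VBAWarnings=$vba"

    # "Disable RDP": fDenyTSConnections=1 means Remote Desktop is turned off.
    $rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $r += Test-Setting 'Remote Desktop disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"

    # "Volume Shadow Copies": with none present there is nothing to restore from, and
    # a count that drops to zero during an incident is itself a sign of ransomware.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $r += Test-Setting 'Shadow copies present' ($shadows.Count -gt 0) "$($shadows.Count) shadow copies"

    # "Lock Down Your Shares": Change or Full for Everyone / Authenticated Users lets
    # any single infected workstation encrypt the whole share.
    $broad = @(Get-SmbShare -Special $false -ErrorAction SilentlyContinue |
        Get-SmbShareAccess -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -in 'Change', 'Full' -and
                       $_.AccountName -match 'Everyone|Authenticated Users' })
    $detail = ($broad | ForEach-Object { "$($_.Name): $($_.AccountName)=$($_.AccessRight)" }) -join '; '
    $r += Test-Setting 'No shares writable by everyone' ($broad.Count -eq 0) $detail

    return $r
}

Get-RansomwareHardeningReport | Format-Table -AutoSize
```

Any line marked WEAK maps back to the item above with the same name; the Detail column shows the raw value so you can confirm the fix after applying it through Group Policy.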

Cyber Liability Policy: Proprietary data and Personally Identifiable Information (PII) are key components of your business that must be kept safe from cybercriminals. Your business is liable for breaches of PII. A cyber liability policy should be considered to protect yourself in the event of a breach, but failure to adequately secure your network can result in a refusal by your insurance company to pay the cyber liability claim.

CryptoStopper: CryptoStopper was developed to identify ransomware by watching the data on your network. By monitoring watcher files for read/write operations, CryptoStopper can detect the presence of ransomware the moment it happens. CryptoStopper provides information about the infection such as the infected user account, the infected computer account, and most importantly, it disconnects the infected workstation from the rest of the network. CryptoStopper is a true ransomware killer. There are no whitelists or signatures which need to be updated, and constant false positives are a thing of the past. When ransomware attacks, CryptoStopper recognizes the behavior and stops it in seconds, immediately sending out alert messages and saving the day from the ransomware attack. 
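The watcher-file idea described above (decoy files that no legitimate user touches, so any write to them is treated as ransomware activity) can be demonstrated with built-in Windows tooling. The script below is an added example and is not CryptoStopper's code: it plants decoy files inside a directory exposed by a file share, watches them with a FileSystemWatcher and, when one is modified, renamed or deleted, looks up which SMB client has a decoy open, logs the user and computer, closes that client's SMB session and adds a firewall rule blocking its address. The decoy directory, decoy file names and event source name are constructed for the example; it assumes a Windows Server with the SmbShare and NetSecurity modules and must run as Administrator on the file server.

```powershell
# Added example (not CryptoStopper's code): decoy-file monitoring on a file server.
# Assumes $decoyDir sits inside a real SMB share; names below are constructed.

$decoyDir   = 'D:\Shares\Finance\~archive'                               # assumed location
$decoyNames = '!00_budget.xlsx', 'aaa_contracts.docx', 'zzz_template.pdf'  # sort first and last in a listing

function New-DecoyFiles {
    # Create the decoys once, filled with random bytes so they look like real content.
    New-Item -ItemType Directory -Path $decoyDir -Force | Out-Null
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($n in $decoyNames) {
        $f = Join-Path $decoyDir $n
        if (-not (Test-Path $f)) {
            $bytes = New-Object byte[] 4096
            $rng.GetBytes($bytes)
            [System.IO.File]::WriteAllBytes($f, $bytes)
        }
    }
}

function Get-DecoyOffender {
    # Any SMB session holding a decoy open identifies the client doing the writing.
    Get-SmbOpenFile -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like "$decoyDir\*" } |
        Select-Object -Unique ClientComputerName, ClientUserName, SessionId
}

function Block-ClientAddress {
    # ClientComputerName is usually an IP address; resolve it if it is a host name.
    param([string]$Client)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Client, [ref]$ip)) {
        try { $ip = [System.Net.Dns]::GetHostAddresses($Client) | Select-Object -First 1 } catch { return }
    }
    New-NetFirewallRule -DisplayName "DecoyWatch block $ip" -Direction Inbound `
        -RemoteAddress $ip.ToString() -Action Block -Profile Any | Out-Null
}

function Invoke-DecoyResponse {
    param([string]$Path, $Offender)
    $msg = "Decoy $Path modified by $($Offender.ClientUserName) from $($Offender.ClientComputerName) (SMB session $($Offender.SessionId))"
    Write-EventLog -LogName Application -Source 'DecoyWatch' -EntryType Error -EventId 9001 -Message $msg -ErrorAction SilentlyContinue
    Write-Warning $msg
    # Cut the session first to stop the writes now, then block the address so the
    # client cannot simply reconnect and carry on encrypting.
    Close-SmbSession -SessionId $Offender.SessionId -Force -Confirm:$false -ErrorAction SilentlyContinue
    Block-ClientAddress -Client $Offender.ClientComputerName
}

function Start-DecoyWatch {
    New-DecoyFiles
    New-EventLog -LogName Application -Source 'DecoyWatch' -ErrorAction SilentlyContinue  # one-time source registration
    $w = New-Object System.IO.FileSystemWatcher $decoyDir
    $w.NotifyFilter = [System.IO.NotifyFilters]'LastWrite, FileName, Size'
    # Changed covers in-place encryption, Renamed covers variants that append an
    # extension, Deleted covers variants that write a new file and remove the original.
    foreach ($evt in 'Changed', 'Renamed', 'Deleted') {
        Register-ObjectEvent -InputObject $w -EventName $evt -SourceIdentifier "Decoy$evt" | Out-Null
    }
    $w.EnableRaisingEvents = $true
    Write-Host "Watching $decoyDir (Ctrl+C to stop)"
    while ($true) {
        $e = Wait-Event
        $path = $e.SourceEventArgs.FullPath
        Remove-Event -EventIdentifier $e.EventIdentifier
        $offenders = @(Get-DecoyOffender)
        if ($offenders.Count -eq 0) {
            Write-Warning "Decoy $path changed but no SMB client holds a decoy open (local process or already closed)"
            continue
        }
        foreach ($o in $offenders) { Invoke-DecoyResponse -Path $path -Offender $o }
    }
}

Start-DecoyWatch
```

Before trusting it, exclude the decoy directory from backup jobs, indexing and antivirus scanning, since any of those touching the files looks exactly like an infected client; also test the response path with a throwaway workstation so you know the firewall rule and session close behave as expected in your environment.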


As you can see, there are a number of steps you should take to secure your network from malware and ransomware. Combining all of these suggestions will help you develop a multilayer defensive strategy that will be very effective at keeping cybercriminals away from your sensitive data.

Further Reading

Deception Technology in Action - CryptoStopper Bait Files Deceive Ransomware

Banks Saving Bitcoins for Ransomware Payments

CryptoStopper.io Demo – Isolate and Defeat TeslaCrypt Ransomware

Ransomware Variant Won’t Decrypt Files After Ransom Paid

What is Deception Technology?