Ransomware Prevention Guide: What You Need to Know
Ransomware Prevention: Definition, Forms, Management and More. Learn How You Can Prevent Ransomware and Keep Your Company Safe!
Every week, the cybersecurity news sites are full of ransomware stories: companies large and small fall victim to criminals after easy money, while the victims lose data, money and time. And that is not all. If the target is a hospital or another medical facility, it is only a matter of time before a ransomware attack costs a life. For this reason, today's topic is ransomware prevention. Let's find out how you can stay safe and out of trouble!
Ransomware Prevention Guide: Definitions
As per our Cybersecurity Glossary, ransomware can be defined as follows:
Ransomware is a type of malware (malicious software) that encrypts the data on a PC, server or mobile device, blocking the data owner's access to it. After the infection, the victim receives a message stating that a certain amount of money must be paid (usually in a cryptocurrency such as Bitcoin) in order to get the decryption key. Usually there is also a time limit for paying the ransom. There is no guarantee that a victim who pays will receive a working decryption key.
Ransomware prevention refers to the combination of practices, products and services used to avoid ransomware attacks.
Ransomware Prevention Guide: How Ransomware Works
In general, a ransomware infection has multiple stages:
- Infection – during this stage, the malware payload is delivered to the target. Very often this is a phishing email with a malicious attachment or link, but exposed remote-access services such as RDP and unpatched, internet-facing vulnerabilities are also common entry points. Once running, the ransomware acts locally or tries to spread to other computers on the network.
- Key generation or exchange – after the initial phase, the malware obtains the cryptographic keys it needs to encrypt the victim's data. Some families contact the attackers' command-and-control server for this; many simply generate keys locally and protect them with a public key embedded in the malware, so that only the attackers' private key can unlock them. That is why blocking the malware's network traffic does not, by itself, stop the encryption.
- Encryption – in this phase, the victim's files are encrypted, typically the local disks first and then mapped network shares and any other storage the compromised account can reach.
- Extortion – in this stage, the victim receives the ransom note. Increasingly, the note also threatens to publish stolen data, because many ransomware operations exfiltrate the data before encrypting it (so-called double extortion).
- Unlocking or recovery – in this final stage, the victim either removes the malware and restores the encrypted data by other means (backups, where they survived), or pays the ransom. It should not come as a surprise that the criminals are not always honourable: not everyone gets their files back after paying.
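The encryption stage above leaves a fingerprint a defender can look for without any signature: files whose contents are suddenly close to random, and many of them acquiring the same new extension. The following is an added example, not code from the original article or from Heimdal, that computes both signals over a directory tree. The entropy threshold, the burst threshold, the list of formats that are high-entropy by design and the sample tree it scans are all assumptions constructed for the demo.

```python
"""Added example, not code from the original article or from Heimdal: a
signature-free check for files that look bulk-encrypted. It combines two
signals a defender can compute from the file system alone: near-maximal
Shannon entropy of file contents and a burst of files sharing a new extension.
Thresholds and the sample tree are assumptions constructed for the demo."""
import math
import os
import random
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5   # bits per byte; encrypted or random data sits close to 8.0
BURST_THRESHOLD = 5  # this many high-entropy files with one extension is a burst
# Formats that are compressed by design and therefore high-entropy when benign.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """True when the file's leading bytes are close to 8 bits/byte.
    Plain documents, source code and most office files sit far lower."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    # Short files give unreliable estimates, so they are never flagged.
    return len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY


def scan_directory(root: str) -> dict:
    """Walk `root`; return the high-entropy files and any extension burst
    among them, ignoring formats that are high-entropy by design."""
    high_entropy = []
    ext_counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not looks_encrypted(path):
                continue
            high_entropy.append(os.path.relpath(path, root))
            ext = os.path.splitext(name)[1].lower()
            if ext not in COMPRESSED_EXTS:
                ext_counts[ext] += 1
    burst = {ext: n for ext, n in ext_counts.items() if n >= BURST_THRESHOLD}
    return {"high_entropy": sorted(high_entropy), "burst_extensions": burst}


def build_sample_tree() -> str:
    """Constructed demo data: 3 plain documents, 1 benign archive and 6 files
    that a ransomware would have rewritten with random bytes and renamed."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    rng = random.Random(2020)  # deterministic stand-in for ciphertext

    def random_bytes(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    for i in range(3):
        with open(os.path.join(root, f"report{i}.txt"), "wb") as fh:
            fh.write(b"Quarterly figures, all amounts in EUR.\n" * 100)
    with open(os.path.join(root, "photos.zip"), "wb") as fh:
        fh.write(random_bytes(4096))
    for i in range(6):
        with open(os.path.join(root, f"contract{i}.docx.locked"), "wb") as fh:
            fh.write(random_bytes(4096))
    return root


def run_demo() -> dict:
    return scan_directory(build_sample_tree())


if __name__ == "__main__":
    print(run_demo())
```

On the constructed tree the scan reports seven high-entropy files (the six `.locked` files and the archive) and a single burst, `.locked` with six files; the archive is excluded from the burst count because compressed formats are legitimately high-entropy. In production the same two signals are worth more as a rate than as a snapshot: a few hundred writes per minute that all produce high-entropy files with one new extension is the moment to isolate the host.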
Ransomware Prevention Guide: Forms of Ransomware
When it comes to forms of ransomware, there are countless examples. Let's have a look at a few:
As my colleague, Bianca, wrote, “Back in 2017, the WannaCry ransomware became one of the most devastating cyber-attacks ever seen. It swept the entire world, locking up critical systems all over the globe and infecting over 230,000 computers in more than 150 countries in just one day.”
It is “a crypto-ransomware type”, encrypting “the data on a machine, making it impossible for the affected user to access it.”
How does WannaCry ransomware work?
WannaCry behaved like a worm, self-propagating between Windows machines without any user action. The worm behaviour itself was not the most significant thing about it; what mattered was how it spread: it leveraged critical bugs in Windows' SMBv1 file-sharing service that Microsoft had already patched (MS17-010) two months before the outbreak. WannaCry used the "EternalBlue" exploit for that vulnerability, which let it execute code on any unpatched, reachable system with SMB exposed, with no user interaction at all. The lesson is the one this guide keeps coming back to: apply security updates promptly, and do not expose SMB to untrusted networks.
The Epiq Global incident (often referred to as the Epiq ransomware attack) shows a combination of attacks rather than a single piece of malware. It started with a TrickBot infection; then, as BleepingComputer writes,
Once TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised computer and will then try to spread laterally throughout a network to gather more data. When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators. The Ryuk Actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network’s devices using PowerShell Empire or PSExec. In Epiq Global’s case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the ransomware began encrypting files on infected computers.
You can find more details about Epiq Ransomware and Ryuk Ransomware in some of our previous articles, Epiq Ransomware – A Team Effort and Ryuk Ransomware – Untangling a Convoluted Malware Narrative.
Egregor ransomware is related to the now-retired Maze ransomware and to the Sekhmet ransomware family. Maze was particularly dangerous because it did not only encrypt data like any other ransomware: its operators first stole the data and then threatened to publish it if the ransom was not paid, which turned the attack into a data breach as well.
Recently, the Maze affiliates moved to Egregor ransomware.
How does Egregor Ransomware work?
The infection happens via a loader. The operators then enable the Remote Desktop Protocol (RDP) through the victim's firewall, move freely inside the network, and identify and disable any antivirus software they find. The next step is the encryption of the data and the dropping of a ransom note named "RECOVER-FILES.txt" in every affected folder. The victims are then told to download a dark web (Tor) browser to communicate with the cybercriminals through a dedicated landing page.
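Both the Ryuk deployment quoted above (PsExec after harvesting admin credentials) and Egregor's hands-on stage (enabling RDP, disabling antivirus) generate ordinary Windows events that an admin also produces; what sets an intrusion apart is several of them on one host within minutes. The following is an added example, not code from the original article or from Heimdal, that correlates such events. The event IDs are real Windows ones (Security 4946/4947 for firewall rules added or modified, Sysmon 13 for a registry value set, Microsoft Defender Operational 5001 for real-time protection disabled, System 7045 for a service installed); the 30-minute window and the sample records are constructed assumptions.

```python
"""Added example, not code from the original article or from Heimdal: a small
correlation rule over Windows event records for the hands-on stage described
above, where operators enable RDP, kill antivirus and push the payload with
PsExec. One such event is routine admin work; several different kinds on one
host inside a short window are not. The window and sample events are
constructed assumptions for the demo."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# (category, channel, event ids, pattern the message must match)
RULES = [
    ("rdp_enabled", "Security", {4946, 4947},
     re.compile(r"3389|Remote Desktop", re.I)),
    ("rdp_enabled", "Sysmon", {13},
     re.compile(r"fDenyTSConnections.*DWORD \(0x00000000\)", re.I)),
    ("av_disabled", "Microsoft-Windows-Windows Defender/Operational", {5001},
     re.compile(r"Real-time Protection is disabled", re.I)),
    ("remote_exec_service", "System", {7045},
     re.compile(r"Service Name:\s*(PSEXESVC|PAExec)", re.I)),
]

# Constructed sample records: (timestamp, host, channel, event_id, message)
SAMPLE_EVENTS = [
    ("2020-11-03T09:00:12", "WS-017", "Security", 4946,
     "A change has been made to Windows Firewall exception list. A rule was added. Rule Name: Allow RDP 3389"),
    ("2020-11-03T09:01:40", "WS-017", "Sysmon", 13,
     r"Registry value set. TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details: DWORD (0x00000000)"),
    ("2020-11-03T09:10:05", "WS-017", "Microsoft-Windows-Windows Defender/Operational", 5001,
     "Microsoft Defender Antivirus Real-time Protection is disabled."),
    ("2020-11-03T09:12:30", "WS-017", "System", 7045,
     "A service was installed in the system. Service Name: PSEXESVC"),
    # A lone PsExec service on another host: plausible admin activity, no alert.
    ("2020-11-03T14:00:00", "WS-042", "System", 7045,
     "A service was installed in the system. Service Name: PSEXESVC"),
    # Two categories on one host but three hours apart: outside the window.
    ("2020-11-03T08:00:00", "WS-099", "Microsoft-Windows-Windows Defender/Operational", 5001,
     "Microsoft Defender Antivirus Real-time Protection is disabled."),
    ("2020-11-03T11:00:00", "WS-099", "Security", 4946,
     "A change has been made to Windows Firewall exception list. A rule was added. Rule Name: Allow RDP 3389"),
    # Unrelated noise that matches no rule.
    ("2020-11-03T09:05:00", "WS-017", "Security", 4624,
     "An account was successfully logged on."),
]


def classify(event) -> list:
    """Return the categories an event record falls into (usually zero or one)."""
    _ts, _host, channel, event_id, message = event
    return [cat for cat, chan, ids, pattern in RULES
            if channel == chan and event_id in ids and pattern.search(message)]


def correlate(events, window=WINDOW) -> list:
    """Alert once per host when two or more distinct categories occur within
    `window` of each other. Returns alerts sorted by host name."""
    by_host = {}
    for ev in events:
        for cat in classify(ev):
            by_host.setdefault(ev[1], []).append((datetime.fromisoformat(ev[0]), cat))
    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort()
        for i, (t0, _cat) in enumerate(hits):
            in_window = [(t, c) for t, c in hits[i:] if t - t0 <= window]
            cats = sorted({c for _, c in in_window})
            if len(cats) >= 2:
                alerts.append({"host": host, "first": t0.isoformat(),
                               "last": in_window[-1][0].isoformat(),
                               "categories": cats})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample records only WS-017 produces an alert: RDP enabled, Defender's real-time protection disabled and a PsExec service installed within twelve minutes. The lone PsExec service on WS-042 and the two widely separated events on WS-099 stay quiet, which is the point of correlating rather than alerting on each event alone. Feed it from your SIEM or from Sysmon and Defender logs forwarded centrally; the rules are deliberately narrow so that they can be extended with the registry keys and services your own environment cares about.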
You can find more details about Egregor Ransomware in one of my previous articles, Egregor Ransomware: Origins, Operating Mode, Recent Incidents.
Ransomware Prevention Guide: Prevention Strategies
To prevent ransomware effectively, you need to approach the task from several angles:
a. Security Training
Minimizing human error may be the most productive form of ransomware prevention. Tell all your employees how a ransomware infection can start, train them to treat unexpected attachments, links and password prompts in email with suspicion, and make it easy for them to report a suspected phishing email.
b. Software Solutions – Antivirus, Anti-ransomware, Email Security
Good Antivirus, Anti-ransomware and Email Security solutions are also essential – and we can help you with this part.
Our Endpoint Detection and Response Software combines EPP with EDR to offer stellar endpoint protection, monitoring and response to mitigate cyber threats. With this solution, you can benefit from DNS traffic filtering, smart threat hunting powered by machine learning behavioural detection, automated software patching, vulnerability management, and software inventory, next-gen antivirus with a market-leading detection rate and our access management module for increased endpoint security and admin rights management.
Our Ransomware Encryption Protection solution is compatible with any Antivirus and can detect any encryption attempts without signatures or behavioural patterns. From its dashboard you will be able to view the full details of any malicious encryption incident; this includes time states, tree diagrams with process callbacks, PowerShell scripts, computed MD5 hash, enumeration of read/write operations performed during encryption attempts, command-line arguments, the signature of the malicious process, owner, and many more.
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
Heimdal™ Email Security is a spam filter and malware protection system which packs more email security vectors than any other platform. It can secure your business email agents against all types of spam emails, malicious attachments, email delivered malware and ransomware, phishing emails, malicious URLs, botnet attacks and email exploits.
c. Update, Patching, Backups
It is of paramount importance to keep your software and systems updated. As my colleague Ioana mentioned in one of her articles, “Two of the most devastating and serious cyber attacks examples we can think of were only possible because security updates weren’t installed in time. The Equifax data breach was caused by a security hole in the Apache Struts web application framework, which wasn’t updated. The WannaCry ransomware attack of “unprecedented level” also did a lot of damage, but mainly affected those computers that were unpatched and unprotected.”
We can help you with updates and patches too, since our Heimdal™ Patch & Asset Management solution will automatically install updates based on your configured policies, without the need for manual input. As soon as 3rd party vendors release new patches, our technology silently deploys them to your endpoints, without the need for reboots or user interruption.
When it comes to backups, the principle is simple. Since ransomware encrypts its victims' data, and will also encrypt any backup it can reach over the network, keep copies in several locations, at least one of them offline or otherwise unreachable from the production network, and test restores regularly. A backup you have never restored from is a hope, not a plan.
d. Privileged Account Management
Ransomware encrypts the files that are accessible to the user account it runs under, unless it includes code that elevates that account's privileges (you can find examples of privileged accounts in one of my previous articles, Privileged Account Management 101: How Can Privileged Accounts Compromise Your Security). Limiting who holds administrator rights, and for how long, therefore limits how far an infection can reach.
Our Heimdal™ Privileged Access Management tool removes the hassle of granting admin rights for a limited time to every user who needs them, and automatically revokes those rights when a threat is detected. A privileged access management tool is not only about managing user rights but also about a fast flow of software installs, about logs and audit trails, and about achieving data protection compliance.
e. Asset Inventory
An IT asset “is any data, device, or another component of the environment that supports information-related activities. Assets generally include hardware (e.g. servers and switches), software (e.g. mission-critical applications and support systems) and confidential information”.
By making an inventory of your IT assets, you can identify the most valuable ones, work out how an attacker could reach them from a single compromised workstation, and decide where to tighten your prevention measures first. The same inventory tells you which systems are unpatched or out of support, which is exactly what worm-type ransomware such as WannaCry looks for.
Ransomware Prevention Guide: How to Manage a Ransomware Attack
In case you do get hit by a ransomware attack, there are certain steps that you must take. The U.S. Government's interagency technical guidance on ransomware explains:
Isolate the infected computer immediately. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking the network or shared drives.
Isolate or power-off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.
Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.
Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.
If available, collect and secure partial portions of the ransomed data that might exist.
If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.
Delete Registry values and files to stop the program from loading.
When it comes to whether you should pay the ransom or not, they add:
There are serious risks to consider before paying the ransom. USG does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:
Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
Some victims who paid the demand were targeted again by cyber actors.
After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
Paying could inadvertently encourage this criminal business model.
Ransomware Prevention Guide: Wrapping Up
Ransomware is one of the most common and most dangerous cyber threats of today, with possibly lethal consequences. Learning how to prevent it should be a top priority for any company interested in keeping its employees, clients, partners, assets, money and business operations safe.
However you choose to proceed, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions regarding the topic of ransomware prevention – we are all ears and can’t wait to hear your opinion!