How to protect your business from Ransomware
In this blog post, I will share some tips on how to protect your business from ransomware. Ransomware is malicious software that cybercriminals use to hold your computer or your files for ransom, demanding payment from you to get them back.
Here are a few tips that will help you keep ransomware from damaging your data:
- Back up your data
The single biggest thing that will defeat ransomware is having a regularly updated backup. If you are attacked with ransomware you may lose that document you started earlier this morning, but if you can restore your system to an earlier snapshot or clean up your machine and restore your other lost documents from backup, you can rest easy.
- Show hidden file-extensions
One way that Cryptolocker frequently arrives is in a file named with a double extension such as “.PDF.EXE”, counting on Windows’ default behavior of hiding known file extensions so that the victim sees only “.PDF”. If you re-enable the ability to see the full file extension, it becomes easier to spot suspicious files.
- Filter EXEs in email
If your gateway mail scanner has the ability to filter files by extension, you may wish to deny mails sent with “.EXE” files, or to deny mails sent with files that have two file extensions, the last one being executable (“*.*.EXE” files, in filter-speak). If you do legitimately need to exchange executable files within your environment and are denying emails with “.EXE” files, you can do so with ZIP files (password-protected, of course) or via cloud services.
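As an added example (not code from the original post), the following gateway-style check flags the two patterns described above: an attachment whose final extension is executable, and the “*.*.EXE” double extension that relies on hidden file extensions. The function name, the extension list and the sample names are assumptions.

```powershell
# Added example, not from the original post. Extensions Windows will run directly
# (assumed starting list; extend it to match your gateway's policy).
$ExecutableExtensions = @('exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs', 'hta')

function Test-SuspiciousAttachmentName {
    param([Parameter(Mandatory)][string]$FileName)

    # Split on dots: "Invoice.PDF.EXE" -> "Invoice", "PDF", "EXE".
    $parts = $FileName.Split('.')
    if ($parts.Count -lt 2) { return $null }            # no extension at all

    # Compare case-insensitively: ".EXE" and ".exe" are the same to Windows.
    $last = $parts[-1].ToLowerInvariant()
    if ($ExecutableExtensions -notcontains $last) { return $null }

    # "*.*.EXE" in filter-speak: more than one extension and the last one executes.
    if ($parts.Count -ge 3) {
        return "double extension (.$($parts[-2]).$last) - likely a disguised executable"
    }
    return "executable attachment (.$last)"
}

# Constructed sample attachment names, as a mail gateway might see them.
$Samples = @('Invoice-2023.PDF.EXE', 'report.pdf', 'setup.exe',
             'photo.jpg.scr', 'archive.zip', 'README')

foreach ($name in $Samples) {
    $verdict = Test-SuspiciousAttachmentName -FileName $name
    if ($verdict) { "DENY  $name : $verdict" } else { "ALLOW $name" }
}
```

Archives pass this check by design, matching the post's ZIP carve-out, so a gateway that allows ZIP should still inspect the names inside the archive once it is opened.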
- Disable files running from AppData/LocalAppData folders
You can create rules within Windows or with intrusion prevention software to disallow a particular, notable behavior used by Cryptolocker, which is to run its executable from the AppData or Local AppData folders. If (for some reason) you have legitimate software that you know runs not from the usual Program Files area but from the AppData area, you will need to exclude it from this rule.
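One way to implement this rule on Windows, as an added example that is not the post's own code, is an AppLocker path rule: everything under AppData is denied for Everyone (SID S-1-1-0), with an exception for an assumed legitimate per-user application. AppLocker is only available on Enterprise and Server editions; the rule GUIDs and the exception path are placeholders.

```powershell
# Added example, not from the original post. AppLocker policy that denies
# running executables from AppData, with an exception for an assumed app.
$Policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Deny EXE from AppData"
                  Description="Cryptolocker runs its executable from AppData"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleVendor\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# The two Allow rules mirror AppLocker's defaults; without them an "Enabled" Exe
# collection blocks everything that is not explicitly allowed, not just AppData.
$PolicyPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'
Set-Content -Path $PolicyPath -Value $Policy -Encoding UTF8

# AppLocker only enforces while the Application Identity service runs; set it to
# start automatically as well (sc.exe config appidsvc start= auto).
Start-Service -Name AppIDSvc

# Stay in AuditOnly first: event ID 8003 under Applications and Services Logs >
# Microsoft > Windows > AppLocker > EXE and DLL lists what would have been blocked.
# Change EnforcementMode to "Enabled" only after reviewing those events.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Run this from an elevated prompt; it replaces any existing local AppLocker policy (add -Merge to Set-AppLockerPolicy to combine with one that is already in place), and in a domain the same XML can be imported into a Group Policy Object instead.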
- Disable RDP
The Cryptolocker/Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your machine from Filecoder and other RDP exploits.
- Patch or Update your software
These next two tips are more general malware-related advice, which applies equally to Cryptolocker and to any other malware threat. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. You can significantly decrease the potential for ransomware pain if you make a practice of updating your software often. Some vendors release security updates on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but there are often “out-of-band” or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor’s website, as malware authors like to disguise their creations as software update notifications too.
- Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently send out new variants to try to avoid detection, which is why it is important to have both layers of protection. At this point, most malware relies on remote instructions to carry out its misdeeds. If you run across a ransomware variant that is so new that it gets past anti-malware software, it may still be caught by a firewall when it attempts to connect to its Command and Control (C&C) server to receive instructions for encrypting your files.
If you find yourself in a position where you have already run a ransomware file without having performed any of the previous precautions, your options are quite a bit more limited. But all may not be lost. There are a few things you can do that might help mitigate the damage, particularly if the ransomware in question is Cryptolocker:
- Disconnect from WiFi or unplug from the network immediately
- Use System Restore to get back to a known-clean state
If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. But, again, you have to outsmart the malware. Newer versions of Cryptolocker can delete the “Shadow” files (Volume Shadow Copies) that System Restore depends on, which means those files will not be there when you try to replace your malware-damaged versions. Cryptolocker will start the deletion process whenever an executable file is run, so you will need to move very quickly, as executables may be started as part of an automated process. That is to say, executable files may be run without you knowing, as a normal part of your Windows system’s operation.
Challenges: There are 2 significant factors that are making ransomware much tougher to stop today:
- Aggressive use of social engineering. The attackers are conducting more and more research into their targets, and they are specifically targeting enterprise customers, not just random consumers or end-users. The phishing emails with ransomware in attached documents that we are seeing today are incredibly sophisticated. They are spoofed to appear to come from a legitimate service provider or supplier to the target company, they reference recent activity the company has likely had with that third party, and the attachment appears to be quite relevant. These are a far cry from the poorly written blanket spam of past years’ campaigns.
- Leveraging exploit kits and other tools to avoid detection. The recent Verizon Data Breach Investigations Report found that most malware was only seen once, and the life span of 99% of malware was only 58 seconds, and then it was never seen again. This means that the majority of attacks will not match signatures used by simple anti-virus solutions.
To fight these unknown variants of ransomware, organizations need to block malware the first time it is seen. One of the most powerful prevention techniques is sandboxing, but it must be deployed in full blocking mode. Sandboxing opens files (email attachments, or web downloads that were linked in the email or hosted on a watering hole site) and then runs them in a virtual environment watching for malicious behavior. If the file is deemed safe it can then be released to the user.
The challenge for organizations with this technology is that it can take several minutes to get a verdict on a file from sandboxing, so how do you allow users to work without introducing a delay? One solution for this is threat extraction technology that can create clean, reconstructed versions of documents that remove macros and scripts, allowing the user to immediately view the document, and then get access to the original once it has been fully evaluated.