How to Prevent Ransomware: A Simple Guide for Protection
When considering how to prevent ransomware, focus on the essential asset in all organizations—content. Security must go beyond infrastructure protection. A form of malware, ransomware essentially takes files and systems hostage—locking up content.
Ransomware works by getting into a system, then spreading across organizations. Several common tactics used to gain access are:
- Drive-by-Downloads
Attackers embed malicious code on websites that automatically downloads the ransomware when the user visits the infected site.
- Exploit Kits
Code is developed that seeks out and takes advantage of known vulnerabilities.
- Malicious Advertising or Malvertising
Fake ads are presented to entice users to click, which then unknowingly launches ransomware.
- Phishing
Disguised as trusted communications such as e-mails, attackers send malicious attachments or links that contain ransomware.
- Social Engineering
Users are tricked into clicking a malicious link that launches ransomware.
Once ransomware has been activated, it usually encrypts infected systems and presents a ransom note. Depending on the type of ransomware, it can sometimes be decrypted. More virulent strains of ransomware cannot be decrypted without the attacker’s key.
Which Organizations Are Vulnerable to Ransomware?
Security gaps make organizations vulnerable to ransomware. Attackers are keenly aware of those vulnerabilities and have ransomware tuned to exploit them. Following are a few of the weak points that make organizations vulnerable to ransomware:
Legacy Systems
Outdated operating systems are often used as a point of entry for ransomware attacks. In many cases, the software is no longer supported, so there are no security patches available.
Quite often, organizations have an operating system (OS) that has not been upgraded for a variety of reasons. When it comes to security, this presents a significant risk since malware and ransomware commonly prey on the vulnerabilities in legacy operating systems.
Failure to Harden Systems
Many organizations are vulnerable to ransomware because of unused services, open ports, and overlooked operating system functions. When these are not locked down, they are used as a point of entry for ransomware and malware.
Over-Reliance on Perimeter Protection
Perimeter protection systems assume that what is internal is trusted and that threats come from the outside. This works for some scenarios, but ransomware attackers often enter systems using phishing emails or malicious links on websites. In those cases, the threat is brought in by a user, not by an attacker at the perimeter.
Flat Network Topologies
A flat network provides the ideal environment for ransomware and malware spread, jumping easily from system to system.
Online Backups
Because ransomware can attack almost any connected system, having backups exclusively online risks them being encrypted.
Lack of Security Awareness Training
Ransomware is known for taking advantage of human weaknesses to gain access to systems. Attackers are sly and adept at tricking people into falling for their schemes.
No Incident Response Plan and Team
When ransomware strikes, time is of the essence. The faster mitigation and recovery plans can be put in play, the less damage is done.
Which Organizations Are Targeted by Ransomware?
Any organization can be the victim of a ransomware attack. The following sectors have been targeted by ransomware because of the sensitivity of the data they require—the information that is at the heart of their work. When ransomware locks up the systems of these types of organizations, the consequences can be dire.
- Education
- Energy companies
- Farming and food production
- Government agencies—especially lower-level ones, such as those in smaller cities
- Healthcare
- Legal
- Manufacturing
- Small and medium-sized businesses
How to Prevent Ransomware: Protection Strategies
There is no guaranteed method for how to prevent ransomware, but there are several protection strategies organizations can enable. These strategies must protect content wherever it resides, including PCs, desktops, mobile devices, file storage, and cloud applications.
Like all effective security, ransomware prevention efforts must take a holistic approach and incorporate multiple tools and tactics to protect potential targets. Ransomware prevention strategies should include:
- Content protection
- Identity management policies
- Early threat detection
- Compute layer security
- Hierarchical network topologies
- Cybersecurity awareness and training
- Continuity planning
- Ransomware insurance
Data Protection
The most reliable form of data protection when it comes to ransomware is backups. Offline backups are the most reliable as they are insulated from ransomware attacks, unlike backups on the network or in a connected cloud environment. In addition, an isolated, highly protected backup environment will provide ready access to files in the event of a ransomware attack.
Staff Training
Taking time to train users to recognize ransomware tactics and avoid the traps is a very effective defense against ransomware attacks. In fact, well-trained users can be the first line of defense in a ransomware attack when they identify and immediately report signs of an attack.
For ransomware training to be effective, it needs to be empowering and engaging, but it also needs to be continuous.
Regular training helps keep security awareness at the top of mind amongst users and embeds it as part of the corporate culture.
Anti-Ransomware Solutions
- Ransomware behavior detection
- Anti-virus tools
- Ransomware removal systems
- Ransomware decryption tools
- Patch management systems
- Monitoring and security event management
- Backup systems
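The "ransomware behavior detection" and "monitoring and security event management" items above describe what a detection tool looks for without showing how. The following is an added example, not Egnyte's code or any product's logic: it runs two classic behavioural heuristics over a small set of constructed file-activity events (a burst of renames to one new extension on a single host, and a near-uniform byte distribution in written content). The event layout, hostnames, paths and thresholds are all assumptions made for the example.

```python
"""
Ransomware behaviour detection over file-activity events (added example).

Input: constructed event lines in the form
    <epoch_seconds>,<host>,<user>,<action>,<path>
where a RENAME event carries "<old_path>-><new_path>" in the path field.
The data and field layout are assumptions for this example, not a real
agent's format.
"""
import math
from collections import defaultdict

WINDOW_SECONDS = 60      # look for bursts inside this many seconds
MIN_FILES = 5            # renames to one new extension needed to raise an alert
ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted or compressed data sits near 8.0

# Constructed sample events: WS-17 renames five documents to ".locked" within
# seconds; WS-03 is ordinary user activity and must not be flagged.
EVENTS = [
    "1700000000,WS-17,alice,RENAME,C:/Users/alice/Documents/q3.xlsx->C:/Users/alice/Documents/q3.xlsx.locked",
    "1700000002,WS-17,alice,RENAME,C:/Users/alice/Documents/plan.docx->C:/Users/alice/Documents/plan.docx.locked",
    "1700000003,WS-17,alice,RENAME,C:/Users/alice/Pictures/1.jpg->C:/Users/alice/Pictures/1.jpg.locked",
    "1700000004,WS-17,alice,RENAME,C:/Users/alice/Pictures/2.jpg->C:/Users/alice/Pictures/2.jpg.locked",
    "1700000005,WS-17,alice,RENAME,C:/Users/alice/Desktop/notes.txt->C:/Users/alice/Desktop/notes.txt.locked",
    "1700000100,WS-03,bob,RENAME,C:/Users/bob/draft.docx->C:/Users/bob/final.docx",
    "1700000400,WS-03,bob,WRITE,C:/Users/bob/final.docx",
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when a written file body has the near-uniform byte distribution of ciphertext."""
    return shannon_entropy(data) >= threshold


def parse_event(line: str) -> dict:
    ts, host, user, action, path = line.strip().split(",", 4)
    return {"ts": int(ts), "host": host, "user": user, "action": action, "path": path}


def detect_mass_rename(lines, window: int = WINDOW_SECONDS, min_files: int = MIN_FILES) -> dict:
    """Return {host: new_extension} for hosts that rename at least `min_files`
    files to the same new extension inside any `window`-second span."""
    stamps = defaultdict(list)  # (host, new_ext) -> [timestamps]
    for line in lines:
        ev = parse_event(line)
        if ev["action"] != "RENAME" or "->" not in ev["path"]:
            continue
        new_path = ev["path"].split("->", 1)[1]
        new_ext = new_path.rsplit(".", 1)[-1].lower() if "." in new_path else ""
        stamps[(ev["host"], new_ext)].append(ev["ts"])

    flagged = {}
    for (host, ext), times in stamps.items():
        times.sort()
        left = 0
        for right in range(len(times)):          # sliding window over sorted times
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= min_files:
                flagged[host] = ext
                break
    return flagged


if __name__ == "__main__":
    for host, ext in detect_mass_rename(EVENTS).items():
        print(f"ALERT {host}: burst of renames to .{ext}")
    # A text file versus a uniform byte sample, as the entropy check would see them.
    print("text file encrypted?", looks_encrypted(b"quarterly numbers " * 32))
    print("uniform bytes encrypted?", looks_encrypted(bytes(range(256))))
```

In practice the two heuristics are combined: a rename burst alone also matches a user bulk-renaming photos, and high entropy alone matches a ZIP download, but a burst of renames whose new contents are all high-entropy is the signature a behaviour-based tool acts on, typically by isolating the host as described later in this article.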
How to Respond to a Ransomware Attack
The best and fastest way to respond to a ransomware attack is to have a plan. This means researching and documenting every step in the recovery process, including assigning roles and responsibilities. Rapid response to a ransomware attack goes a long way towards mitigating damage and expediting recovery.
First Responses to a Ransomware Attack
The first step after a ransomware threat has been detected is to determine the severity of the situation. Based on the level of the threat, the appropriate tactics should be deployed.
Three Ransomware Threat Levels
- 1. High threat level—Ransomware has been successfully deployed and poses a direct threat, or suspicious activity points to an immediate threat.
- 2. Medium threat level—Ransomware has been detected on an endpoint but does not pose an immediate threat, or suspicious activity has been flagged for review to determine if it is a threat.
- 3. Low threat level—Unwanted software, such as adware, has been detected. It can cause issues, including changing browser settings, redirecting search results, and displaying ads. The problem should be addressed, but it does not warrant an accelerated response.
For each threat category, engage an incident response team that will follow remediation guidelines based on the kind of ransomware attack and its severity.
First responses to a ransomware attack should include:
- Block all affected user accounts that contain ransomware before it spreads.
- Identify every encrypted file.
- Trace the ransomware infection back to its source.
- Analyze the extent of the damage.
- Consider remediation options.
Common Post-Attack Mistakes
Review these common mistakes in handling a ransomware incident to help avoid them.
- Restarting Infected Devices
A restart could result in retaliation. Often, ransomware detects attempts to reboot and penalizes victims. Those penalties include corrupting the device’s Microsoft Windows installation so that the system will never boot up again, and deleting encrypted files at random.
Also, rebooting clears the machine’s memory, eliminating information that could be useful for future investigation. It is best to put the system into hibernation, so that the contents of memory are preserved.
- Connecting to External Backup Systems and Storage Devices
This gives ransomware access to even more content. Only connect to backup systems and storage devices after neutralizing the ransomware.
- Communicating on a Network Impacted by Ransomware
Depending on the strain of ransomware, attackers could intercept communications sent or received on a compromised network. Until remediation is complete, use alternate networks or communication channels.
- Deleting Files During a Ransomware Attack
Some ransomware includes decryption keys in the infected files. If the file is deleted, the key is too, and the file cannot be decrypted. Also, files can contain information that is helpful for post-event attack analysis.
What to Do After Ransomware Detection
Isolate Systems Impacted by Ransomware
Prevent the ransomware from spreading by disconnecting all infected devices from each other, shared storage, and the network—both wired and WiFi. This disconnection must be automated. When an infection is identified, infected files should be automatically isolated and any suspicious executables removed.
Also, remember the ransomware may have entered through multiple systems, and some of the ransomware may remain dormant. When ransomware is detected, all connected and networked computers should be scanned.
Identify the Ransomware Strain
Generally, ransomware can be identified by the message that it presents. Understanding the type of ransomware that’s used in the attack reveals propagation methods and targeted files. Knowing the strain of ransomware can also help select the best options for remediation.
It is also essential to determine if the ransomware includes persistence mechanisms. If so, after the ransomware process is stopped, it will reactivate after a period of time or after a reboot. Knowing if the ransomware utilizes persistence mechanisms is critical. Without this knowledge, remediation is undermined.
Trace the Attack
Identifying the entry point of ransomware helps track its spread and potentially stop it. The attack can be traced from the last modified user account using information found in audit logs. Work backward, being sure to include remote users and partners, to find the point of origin.
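The "work backward through audit logs" step above, as an added example that is not part of the original article or any Egnyte product: it takes a handful of constructed audit records, finds the earliest encryption-like write on each host, walks from the most recently affected host back to the first one, and recovers the logon session (including a VPN session from a contractor account) that was active when encryption began there. The log layout, hostnames, account names and the ".locked" marker extension are assumptions for the example; a real investigation would substitute the extension or note name of the identified strain.

```python
"""
Tracing a ransomware infection to its entry point from audit logs (added example).

Constructed audit records, one per line, in an assumed key=value layout:
    <ISO-8601 UTC time> host=<name> user=<account> src=<lan|vpn> event=<LOGON|FILE_WRITE> [ext=<suffix>]
The marker extension ".locked" stands in for whatever the identified strain
appends; nothing here is taken from a real log format.
"""
from datetime import datetime

# Constructed records, deliberately out of order as collected logs often are.
AUDIT_LOG = [
    "2021-08-20T09:14:02Z host=FS-01 user=svc_backup src=lan event=FILE_WRITE ext=.locked",
    "2021-08-20T09:02:41Z host=WS-17 user=alice src=lan event=FILE_WRITE ext=.locked",
    "2021-08-20T08:55:13Z host=VPN-GW user=contractor7 src=vpn event=LOGON",
    "2021-08-20T08:56:10Z host=WS-42 user=contractor7 src=vpn event=LOGON",
    "2021-08-20T08:57:30Z host=WS-42 user=contractor7 src=vpn event=FILE_WRITE ext=.locked",
    "2021-08-20T09:01:05Z host=WS-17 user=alice src=lan event=LOGON",
    "2021-08-20T09:30:00Z host=WS-42 user=contractor7 src=vpn event=FILE_WRITE ext=.locked",
]


def parse_audit(line: str) -> dict:
    """Split one record into a dict; the leading timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def first_encryption_per_host(lines, marker_ext=".locked") -> dict:
    """host -> earliest record that wrote a file with the marker extension."""
    first = {}
    for line in lines:
        rec = parse_audit(line)
        if rec.get("event") != "FILE_WRITE" or rec.get("ext") != marker_ext:
            continue
        host = rec["host"]
        if host not in first or rec["ts"] < first[host]["ts"]:
            first[host] = rec
    return first


def entry_session(lines, host, before):
    """Most recent LOGON on `host` before `before`: the session that was active
    when encryption began there. VPN sessions are included on purpose, so
    remote users and partners are not overlooked. Returns None if no logon
    precedes `before`."""
    best = None
    for line in lines:
        rec = parse_audit(line)
        if rec["host"] == host and rec.get("event") == "LOGON" and rec["ts"] < before:
            if best is None or rec["ts"] > best["ts"]:
                best = rec
    return best


def trace_origin(lines, marker_ext=".locked") -> dict:
    """Work backward from the most recently affected host to the first one and
    return the origin host, the session that introduced it, and the spread order."""
    first = first_encryption_per_host(lines, marker_ext)
    newest_to_oldest = sorted(first.values(), key=lambda r: r["ts"], reverse=True)
    origin = newest_to_oldest[-1]            # last step of the backward walk
    session = entry_session(lines, origin["host"], origin["ts"])
    return {
        "origin_host": origin["host"],
        "first_seen": origin["ts"].isoformat(),
        "entry_user": session["user"] if session else None,
        "entry_src": session["src"] if session else None,
        "spread_order": [r["host"] for r in reversed(newest_to_oldest)],
    }


if __name__ == "__main__":
    for key, value in trace_origin(AUDIT_LOG).items():
        print(f"{key}: {value}")
```

The spread order it reports (the contractor's VPN-connected workstation first, then an internal workstation, then the file server) is exactly the sequence the isolation and scanning steps that follow need, and it shows why the audit trail must cover remote and partner sessions, not only on-premises logons.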
Report the Ransomware Attack to the Authorities
Many compliance regulations require disclosure in the event of a breach. A ransomware attack is considered a breach that must be reported to regulatory and law enforcement agencies.
The FBI’s Internet Crime Complaint Center should be alerted immediately, followed by local law enforcement. Disclosures to law enforcement help them track down the individual or group behind the ransomware attack and prevent future attacks.
Assess the Impact of the Ransomware Attack
Before launching into defensive and corrective action, stop to assess the damage and understand the situation in its entirety. Then, armed with information, make decisions about remediation.
Evaluate Ransomware Recovery Options
Ransomware recovery options come down to three choices:
- 1. Pay the ransom.
This is not recommended by security experts or law enforcement agencies. However, in some circumstances, it may be the best of several bad options.
- 2. Attempt to remove the ransomware.
Some ransomware can be neutralized with a decryptor that has been created using information from prior attacks. For newer ransomware, the likelihood that a decryptor is available diminishes. Even with a decryptor, security experts question whether it is possible to delete the ransomware.
- 3. Reinstall from the last clean point.
Starting from a clean point is generally accepted as the best solution to remedy a ransomware attack.
Notify Affected Customers
Regardless of how unpleasant it is, sometimes, legal and compliance regulations require that customers be notified about a ransomware attack. If notification is needed, promptly explain the situation and remediation plans. Expediency and transparency are always the best approaches and give customers confidence that the organization has the matter under control.
Plan to Prevent Recurrences
When the ransomware has been neutralized and business operations are restored to normal, the next round of work begins. A full assessment must be completed to understand how the ransomware entered and was activated and what damage it did. This will help to prevent future attacks.
Ransomware Attacks and Costs
Sophos “State of Ransomware 2021” found that:
- The cost of recovering from ransomware has doubled from $761,106 to $1.85 million in 2021.
- The average ransom paid is $179,404.
- Only 8% of organizations have their data returned after paying the ransom, with 29% having only half of their data returned.
According to Health Sector Cybersecurity Coordination Center (HC3), a division of the US Department of Health and Human Services:
- The United States had the most ransomware attacks in the HPH sector with 82 reported—59% of all reported around the world.
- The average ransom payment in the HPH sector was $131,000.
Three Biggest Ransomware Payouts
- CWT Global—$4.5 million ransom payment
- Ragnar Locker ransomware
- 30,000 computers compromised
- Two terabytes of data encrypted
- Colonial Pipeline—$4.4 million ransom payment
- DarkSide ransomware
- Targeted business network
- Shut down operational technology network, which controls the pipeline
- Brenntag—$4.4 million ransom payment
- DarkSide ransomware
- 150GB of data stolen
Four Strains of Highly-Effective Ransomware
- Ryuk
- Spread through phishing, malicious links, and infected attachments
- Responsible for at least $60 million in worldwide damage
- More than 100 successful attacks reported
- SamSam
- Exploits remote desktop protocol (RDP) and file transfer protocol (FTP) vulnerabilities
- Credited with more than $30 million in losses
- Hundreds of reported attacks
- WannaCry
- Spread via phishing
- More than $4 billion in losses attributed to it
- More than 200,000 people and companies affected
- Petya
- Propagated via emails with malicious attachments
- Caused more than $10 billion in financial losses
- Affected all types of organizations from banks and transportation, to energy and healthcare
Seek to Prevent Ransomware with the Five Ps
In addition to proactive prevention tactics, such as data protection, staff training, and ransomware solutions, remember the “five Ps”: Prior Planning Prevents Poor Performance. Have a plan in case a ransomware attack occurs.
With ransomware, prior planning and the plan’s efficacy can determine an attack’s impact. Expedite remediation and reduce the lifecycle of a ransomware attack with comprehensive planning efforts.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 26th August, 2021