How to Prevent Ransomware: 15 Ways to Prevent the Next Attack
What Is Ransomware?
Ransomware is a type of malware that stops users from accessing their personal files or system, and demands ransom payment to regain access. The earliest types of ransomware were created in the late 1980s, when payments were made through snail mail.
Currently, ransomware developers demand that payment be made via credit card or cryptocurrency, and attackers target all types of organizations, businesses, and individuals. Certain ransomware creators sell their services to other attackers, an operating model known as Ransomware-as-as-Service (RaaS).
This is part of our series of articles about malware protection.
How Ransomware Works
Most types of ransomware perform three main steps – infection, encryption, and ransomware demands.
Step 1: Infection
There is a wide range in which ransomware can gain access to systems, devices, or networks. The majority of ransomware variants have multiple infection vectors. Here are several commonly preferred methods:
- Phishing emails – a form of social engineering attack that involves sending malicious emails that trick recipients into downloading an attachment containing a built-in downloader functionality or clicking on a link to a site hosting malicious downloads. If the recipient is successfully tricked, the ransomware is downloaded and executed on the computer.
- Remote desktop protocol (RDP) attacks – once threat actors steal or correctly guess the login credentials of authorized users, they can use the information to authenticate and gain remote access to a computer within an enterprise network. The actors exploit this access to directly download ransomware and execute it on the machine.
- Direct system infection – for example, the WannaCry ransomware exploited the EternalBlue vulnerability in order to directly infect systems.
Step 2: Encryption
After gaining access to a system, the ransomware starts encrypting files. This typically involves accessing files, using an attacker-controlled key to encrypt files, and then replacing the original files with encrypted versions.
To ensure system stability, the majority of ransomware variants carefully select files for encryption. Additionally, some variants delete backup copies as well as shadow copies of files, to ensure that recovery attempts without a decryption key are more difficult.
Step 3: Ransom demand
After the chosen files are encrypted, the ransomware makes a ransom demand. Each ransomware variant may implement this step in various ways. Many variants display a background modified into a ransom note or place text files containing a ransom note in each encrypted directory.
Ransom notes usually demand a certain amount of cryptocurrency in exchange for access to the files. Once the ransom is paid, the ransomware operator either provides a copy of the private key (which is used to protect a symmetric encryption key) or a copy of the symmetric encryption key, as well as a decryptor. Victims can then enter the information into the decryptor program, which reverses the encryption and restores access to the files.
15 Ways to Prevent a Ransomware Infection
Here are several key methods that can help you prevent ransomware infection.
1. Develop Ransomware Plans and Policies
An incident response (IR) plan can help guide your IT and security teams during a ransomware event. Your IR plan should include roles and communications that should be shared during an event, as well as a list of contacts (like partners or vendors) that must be notified.
You can also include a “suspicious email” company-wide policy, which lets employees know what to do when they receive a suspicious email. You can define specific technical steps or simply let employees know that they must forward these emails to the IT or security team.
2. Use a Firewall
The main role of a firewall is to monitor incoming and outgoing network traffic. Using pre-defined rules and threat information, the firewall looks for signs of known malicious payloads and then blocks potential risks. It is considered the first software-based line of defense against various threats, including ransomware.
3. Maintain Backups
According to an advisory from the Center for Internet Security (MS-ISAC), data backup is the most effective method of recovery from a ransomware attack. However, backup processes should be thoughtfully planned. All backup files must be appropriately protected.
Additionally, you should store backup copies offline or out-of-band, to ensure these copies cannot be targeted by threat actors. You can also use cloud services when mitigating a ransomware infection, because they often retain previous versions of files. This enables you to roll back to certain unencrypted versions of your data. To ensure your process works properly, you should routinely test backups.
4. Harden Endpoints
You should factor in security considerations when configuring your systems. By properly configuring systems, you can help reduce the threat surface as well as close security gaps left by default configurations. You can use the CIS Benchmarks, which offer industry-leading configuration standards. Another option is to implement endpoint security solutions, such as zero trust solutions, some of which may be built into your operating system, or offered by third-party providers.
5. Segment Your Network
Once ransomware breaches the system, it may need to move laterally through the network before it can reach the targeted data. Network segmentation can help prevent intruders from moving unhindered between systems and devices.
When segmenting your network, you need to make sure each subsystem has its own individual security controls, a separate firewall and gateway, and strict and unique access policies. This ensures that if attackers compromise a segment, the threat is isolated and the rest of the network remains secure.
6. Cultivate Staff Awareness
A security awareness training can help stop ransomware in its tracks. Once employees are capable of spotting and avoiding malicious emails, the entire workforce takes part in protecting the organization. A security awareness program can help employees learn what they should look for in an email before they actually download an attachment or click on a link.
7. Run Security Tests Regularly
Security tests can help organizations regularly validate the health of their systems and networks. A vulnerability assessment, for example, can help find weaknesses that may lead to breaches.
Security tests can identify a range of issues, including system misconfigurations, flaws in account privileges, weak passwords and problems in authentication mechanisms. It is also important to run penetration tests that perform ransomware simulations to see how systems and teams respond to the threat.
8. Frequently Update Systems
All applications, operating systems, and software must be regularly updated. By applying the newest updates, you can help close security gaps that threat actors are constantly looking to exploit. Whenever possible, you should turn on auto-updates, which ensures you can automatically update the most recent security patches.
Latest versions of Windows have built in ransomware protection – read our guide to Windows 10 ransomware protection (coming soon)
9. Whitelist Applications
Whitelisting and backlisting methods that help control what activity and behaviors are allowed or denied. A whitelist allows activities and a blacklist denies them. This method can be useful in preventing employees from installing certain software on company machines, restricting installation only to known software. This can prevent the installation of ransomware.
10. Set Up a Sandbox
A sandbox is an isolated environment that can execute files and run programs without affecting the network or host device. Sandboxes are often used in testing scenarios, but can also be useful in containing and testing potentially malicious software. By using sandboxes for malware detection, you add another layer of protection against various threats, including ransomware.
11. Implement Password Security
Threat actors look for weak passwords or default passwords to exploit when targeting systems and devices. When organizations use weak or default passwords, they leave their digital assets open to brute force attacks. To prevent this, organizations should use strong passwords and implement multi-factor authentication.
12. Use Ad Blockers or Browser Isolation Solutions
Malicious marketing is often used to trick users into downloading and installing ransomware. You can avoid this threat by installing ad blockers on all employee devices and browsers. You can use extensions and plug-ins that automatically block pop-up ads, or browser isolation solutions to limit malicious websites. This can significantly limit the attack surface.
13. Disable Script Execution
Prevent this vulnerability by disabling Windows Script Host and remove the devices’ ability to execute scripts.
14. Show File Extensions
Malicious payloads can be disguised with file names like “Paychecks.xlsx”. Their goal is to trick users into clicking on the attachment. You can prevent this by displaying file extensions, which help users see the real name of the file—Paychecks.xlsx.exe. This can prevent an accidental installation of ransomware.
15. Deploy a CASB
A cloud access security broker (CASB) can help protect against ransomware. You can deploy CASB solutions on-premises or in the cloud. Once deployed, the CASB acts as an intermediary between cloud data and users. It can help secure data flows between clouds and on-prem data centers, monitor cloud activity, ensure compliance and enforce security policies.
Ransomware Prevention with Hysolate
Hysolate creates an isolated workspace on user endpoints, to isolate ransomware and other endpoint threats, or to ensure secure enterprise access. Hysolate sits on user endpoints, but is managed via the cloud, with granular policies to control transfer into and out of the Workspace. The Hysolate Workspace isolates threats including malware and ransomware, adding an extra layer of security to the endpoint, without hindering user productivity.
Untrusted links, applications and even documents can be transferred into Hysolate, reducing risk, and users are able to access all websites and applications as needed. Rather than just isolating browser based malware risks, Hysolate provides full OS isolation against all ransomware and other endpoint threats.
Try Hysolate Free now.