How to Prevent Ransomware: 15 Ways to Prevent the Next Attack

What Is Ransomware?

Ransomware is a type of malware that stops users from accessing their personal files or system, and demands ransom payment to regain access. The earliest types of ransomware were created in the late 1980s, when payments were made through snail mail.

Currently, ransomware developers demand that payment be made via credit card or cryptocurrency, and attackers target all types of organizations, businesses, and individuals. Certain ransomware creators sell their services to other attackers, an operating model known as Ransomware-as-a-Service (RaaS).

This is part of our series of articles about malware protection.

How Ransomware Works

Most types of ransomware perform three main steps – infection, encryption, and the ransom demand.

Step 1: Infection

There is a wide range of ways in which ransomware can gain access to systems, devices, or networks. The majority of ransomware variants have multiple infection vectors. Here are several commonly preferred methods:

  • Phishing emails – a form of social engineering attack that involves sending malicious emails that trick recipients into downloading an attachment containing a built-in downloader functionality or clicking on a link to a site hosting malicious downloads. If the recipient is successfully tricked, the ransomware is downloaded and executed on the computer.
  • Remote desktop protocol (RDP) attacks – once threat actors steal or correctly guess the login credentials of authorized users, they can use the information to authenticate and gain remote access to a computer within an enterprise network. The actors exploit this access to directly download ransomware and execute it on the machine.
  • Direct system infection – for example, the WannaCry ransomware exploited the EternalBlue vulnerability in order to directly infect systems.

Step 2: Encryption

After gaining access to a system, the ransomware starts encrypting files. This typically involves accessing files, using an attacker-controlled key to encrypt files, and then replacing the original files with encrypted versions.

To ensure system stability, the majority of ransomware variants carefully select files for encryption. Additionally, some variants delete backup copies as well as shadow copies of files, to ensure that recovery attempts without a decryption key are more difficult.

Step 3: Ransom demand

After the chosen files are encrypted, the ransomware makes a ransom demand. Each ransomware variant may implement this step in various ways. Many variants display a background modified into a ransom note or place text files containing a ransom note in each encrypted directory.

Ransom notes usually demand a certain amount of cryptocurrency in exchange for access to the files. Once the ransom is paid, the ransomware operator either provides a copy of the private key (which is used to protect a symmetric encryption key) or a copy of the symmetric encryption key, as well as a decryptor. Victims can then enter the information into the decryptor program, which reverses the encryption and restores access to the files.

15 Ways to Prevent a Ransomware Infection

Here are several key methods that can help you prevent ransomware infection.

1. Develop Ransomware Plans and Policies

An incident response (IR) plan can help guide your IT and security teams during a ransomware event. Your IR plan should include roles and communications that should be shared during an event, as well as a list of contacts (like partners or vendors) that must be notified.

You can also include a “suspicious email” company-wide policy, which lets employees know what to do when they receive a suspicious email. You can define specific technical steps or simply let employees know that they must forward these emails to the IT or security team.

2. Use a Firewall

The main role of a firewall is to monitor incoming and outgoing network traffic. Using pre-defined rules and threat information, the firewall looks for signs of known malicious payloads and then blocks potential risks. It is considered the first software-based line of defense against various threats, including ransomware.

3. Maintain Backups

According to an advisory from the Center for Internet Security (MS-ISAC), data backup is the most effective method of recovery from a ransomware attack. However, backup processes should be thoughtfully planned. All backup files must be appropriately protected.

Additionally, you should store backup copies offline or out-of-band, to ensure these copies cannot be targeted by threat actors. You can also use cloud services when mitigating a ransomware infection, because they often retain previous versions of files. This enables you to roll back to certain unencrypted versions of your data. To ensure your process works properly, you should routinely test backups.

4. Harden Endpoints

You should factor in security considerations when configuring your systems. By properly configuring systems, you can help reduce the threat surface as well as close security gaps left by default configurations. You can use the CIS Benchmarks, which offer industry-leading configuration standards. Another option is to implement endpoint security solutions, such as zero trust solutions, some of which may be built into your operating system, or offered by third-party providers.

5. Segment Your Network

Once ransomware breaches the system, it may need to move laterally through the network before it can reach the targeted data. Network segmentation can help prevent intruders from moving unhindered between systems and devices.

When segmenting your network, you need to make sure each subsystem has its own individual security controls, a separate firewall and gateway, and strict and unique access policies. This ensures that if attackers compromise a segment, the threat is isolated and the rest of the network remains secure.

6. Cultivate Staff Awareness

A security awareness training can help stop ransomware in its tracks. Once employees are capable of spotting and avoiding malicious emails, the entire workforce takes part in protecting the organization. A security awareness program can help employees learn what they should look for in an email before they actually download an attachment or click on a link.

7. Run Security Tests Regularly

Security tests can help organizations regularly validate the health of their systems and networks. A vulnerability assessment, for example, can help find weaknesses that may lead to breaches.

Security tests can identify a range of issues, including system misconfigurations, flaws in account privileges, weak passwords and problems in authentication mechanisms. It is also important to run penetration tests that perform ransomware simulations to see how systems and teams respond to the threat.

8. Frequently Update Systems

All applications, operating systems, and software must be regularly updated. By applying the newest updates, you can help close security gaps that threat actors are constantly looking to exploit. Whenever possible, you should turn on auto-updates, which ensures you can automatically update the most recent security patches.

The latest versions of Windows have built-in ransomware protection – read our guide to Windows 10 ransomware protection (coming soon).

9. Whitelist Applications

Whitelisting and blacklisting are methods that help control which activities and behaviors are allowed or denied. A whitelist allows activities and a blacklist denies them. This method can be useful in preventing employees from installing certain software on company machines, restricting installation to known software only. This can prevent the installation of ransomware.

10. Set Up a Sandbox

A sandbox is an isolated environment that can execute files and run programs without affecting the network or host device. Sandboxes are often used in testing scenarios, but can also be useful in containing and testing potentially malicious software. By using sandboxes for malware detection, you add another layer of protection against various threats, including ransomware.

11. Implement Password Security

Threat actors look for weak passwords or default passwords to exploit when targeting systems and devices. When organizations use weak or default passwords, they leave their digital assets open to brute force attacks. To prevent this, organizations should use strong passwords and implement multi-factor authentication.

12. Use Ad Blockers or Browser Isolation Solutions

Malicious advertising (malvertising) is often used to trick users into downloading and installing ransomware. You can avoid this threat by installing ad blockers on all employee devices and browsers. You can use extensions and plug-ins that automatically block pop-up ads, or browser isolation solutions to limit exposure to malicious websites. This can significantly limit the attack surface.

13. Disable Script Execution

A common tactic ransomware hackers use is to send .zip files with malicious JavaScript code. Another popular strategy is to pack a .vbs (VBScript) file into a .zip archive.

Prevent this attack vector by disabling Windows Script Host and removing the devices’ ability to execute such scripts.

14. Show File Extensions

Malicious payloads can be disguised with file names like “Paychecks.xlsx”. Their goal is to trick users into clicking on the attachment. You can prevent this by displaying file extensions, which help users see the real name of the file—Paychecks.xlsx.exe. This can prevent an accidental installation of ransomware.
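The check below is an added example (not Hysolate's code or part of the original article) that applies the ideas behind #13 and #14 at a mail gateway: it flags attachment names whose real extension is an executable or a script type run by Windows Script Host, including document-looking names such as Paychecks.xlsx.exe and scripts packed inside a .zip archive. The extension lists and the sample archive are constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

# Extensions Windows executes directly: PE binaries plus the script types
# that Windows Script Host runs (JavaScript and VBScript, as in the article).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "js", "jse", "vbs", "vbe", "wsf", "hta"}

# Document-style extensions that attackers borrow to make a payload look harmless.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "jpg", "png"}


def classify_name(filename: str) -> Optional[str]:
    """Return a reason if the file name looks deceptive, otherwise None."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    # strip() removes padding such as "Paychecks.xlsx      .exe" that tries
    # to push the real extension out of view in a file dialog
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    # Paychecks.xlsx.exe: a document extension placed just before the real one
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension .{parts[-2]}.{ext}"
    return f"executable attachment .{ext}"


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Check an attachment's own name and, for .zip archives, each member name."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append(f"{filename}: {reason}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    member_reason = classify_name(member)
                    if member_reason:
                        findings.append(f"{filename}!{member}: {member_reason}")
        except zipfile.BadZipFile:
            # A corrupt archive is itself worth flagging rather than passing through
            findings.append(f"{filename}: not a valid zip archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one script-looking name, one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.js", "// constructed placeholder, not real code\n")
        archive.writestr("readme.txt", "harmless text\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_name("Paychecks.xlsx.exe"))
    for finding in inspect_attachment("docs.zip", build_sample_zip()):
        print(finding)
```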

15. Deploy a CASB

A cloud access security broker (CASB) can help protect against ransomware. You can deploy CASB solutions on-premises or in the cloud. Once deployed, the CASB acts as an intermediary between cloud data and users. It can help secure data flows between clouds and on-prem data centers, monitor cloud activity, ensure compliance and enforce security policies.

Ransomware Prevention with Hysolate

Hysolate creates an isolated workspace on user endpoints, to contain ransomware and other threats, and to ensure secure enterprise access. Hysolate sits on user endpoints, but is managed via the cloud, with granular policies to control transfer into and out of the Workspace. The Hysolate Workspace isolates threats including malware and ransomware, adding an extra layer of security to the endpoint, without hindering user productivity.

Untrusted links, applications and even documents can be transferred into Hysolate, reducing risk, and users are able to access all websites and applications as needed. Rather than just isolating browser based malware risks, Hysolate provides full OS isolation against all ransomware and other endpoint threats.


Ransomware Protection: Removal, User Education, and Prevention

What Is Ransomware?

Ransomware is a type of malicious software (malware) that uses cryptography to hold information for ransom. Ransomware prevents legitimate users from accessing and using their information. Access is granted only if the organization or individual pays the ransom.

Ransomware attacks employ asymmetric encryption. It is a form of cryptography that uses two keys—a public key to encrypt files and a private key to decrypt them. Threat actors generate each pair of keys especially for the victim.

The private key can decrypt the files held captive by the threat actor. It is offered to victims only after they pay the ransom. In some cases, however, the attacker might take the ransom without providing the decrypting key as agreed. Unfortunately, it is almost impossible to decrypt ransomed files without the private key.

Once ransomware successfully infects a system, it executes a malicious binary. The executed binary then starts searching and encrypting valuable files, such as images, documents, and databases. It can also attempt to exploit vulnerabilities and spread into other computer systems over private or public networks.

Ransomware Removal—What to Do When You Get Infected

Once ransomware successfully encrypts files, it displays a message asking for ransom. When this happens, stakeholders in the organization need to decide whether to pay the ransom or not.

In most cases, it is not possible to recover the encrypted files. However, there are some actions you can take immediately. Here is what you can do when ransomware infects your systems:

  • Quarantine the machine—there are certain ransomware variants that try to spread to other machines and connected drives. You can remove access to other targets to limit the spread of ransomware.
  • Leave the computer on—file encryption processes can affect the stability of the computer. If you try to power off the computer, you might experience loss of volatile memory. To increase the possibility of recovery, keep the affected computer on.
  • Create a backup—in some cases, you might be able to decrypt files without having to pay the ransom. You can achieve this by making a copy of these files and storing this backup on removable media. This way, if a decryption effort fails and damages the files, you still have a copy to recover.
  • Check for decryptors—the No More Ransom Project offers free decryptors. You can check this project for a decryptor that matches the ransomware. You should first run the decryptor on a copy of encrypted information to test if it can truly help restore your files.
  • Ask for help—computers often store backups of files. Digital forensics experts can try to recover these backup copies—but can only succeed if the copies were not entirely deleted by the ransomware.
  • Wipe and restore—you can restore the machine from an operating system installation or a clean backup. This can help you ensure that all malware components are entirely removed from the device.

Related content: read our guide to Windows 10 Ransomware Protection (coming soon)

User Education: How Users Can Prevent Ransomware Infection

User education is essential for preventing ransomware infection. Training sessions should be conducted periodically to ensure users are aware of important security measures, including:

  • Avoid clicking on links from unknown or untrusted sources—including websites and emails.
  • Avoid revealing sensitive information—including personal and credential data that an attacker could use to launch a ransomware attack. Even if the message appears legitimate, it is better to be cautious.
  • Avoid opening suspicious email attachments—including attachments that prompt you to run a macro, as this can be an entry point for malware.
  • Avoid using unknown flash drives—including storage media such as USB sticks whose origin you don’t know.
  • Ensure your operating system and programs are regularly updated—this allows you to benefit from the latest patches and prevents attackers from exploiting the newest discovered vulnerabilities.
  • Avoid downloads from unknown sources—only download files from trusted sites, which can be verified by their trust indicators (e.g. HTTPS, lock or shield symbols).
  • Use a secure VPN service for public Wi-Fi—using public Wi-Fi networks can expose your device to attacks, so it is best to avoid carrying out sensitive transactions over a public Wi-Fi connection, or to use a VPN.

Protecting against Ransomware: Building an Anti-Ransomware Program

An anti-ransomware program can help protect organizations against ransomware attacks. Here are the five main elements of an effective anti-ransomware program:

Protect

Backup can help protect the organization against ransomware. It is an integral component of an anti-malware program. When creating backups, organizations should follow the 3-2-1-1 rule. It means you need to keep three copies of data on two different media types, and store one version off-site in addition to one immutable copy.

Immutable media, such as tape or disk, can be rotated: you disconnect it from the network and then take it off-site to a secured secondary location. There is also a wide range of vendors that offer cloud-based immutable storage. In addition to protecting against ransomware, secure off-site copies make recovery easier.

When choosing an off-site option, note that recovery times are often longer from offline backups. Additionally, offline backups can prove difficult to test. You can achieve faster recovery times by replicating to a hot target, like a cloud service or a secondary appliance—which keeps backups in a state readily available for recovery.

Secure

Ransomware usually targets Windows operating systems. According to recent findings, over 83% of malware was designed to breach Windows systems. Backup systems usually require many role-based instances for data movement, centralized management, reporting, and search and analytics. It can be quite complex to secure all those machines.

To secure Windows operating systems, consider locking down these components so that they can only perform the actions required and not more. Alternatively, you can employ a solution based on integrated backup appliances. This kind of solution can remove this complexity and also comes hardened by default.

Test

There are many factors that can impede a successful recovery, for example trying to restore from backup copies of machines that were already infected. This is why you should regularly test the viability of any strategy you create for backup and disaster recovery purposes. You can leverage automated recovery testing, which can help complement your data management and protection efforts.

Detect

You should strive to detect ransomware as early as possible, because early detection can help facilitate faster recovery. The majority of backup vendors offer predictive analytics assisted by machine learning (ML), which can help detect possible attacks. Predictive processes can find abnormal data fluctuations and then alert administrators.
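The "abnormal data fluctuations" a detection layer looks for can be made concrete. The following added example (not a vendor's product logic or part of the original article) runs three rules over constructed file-activity telemetry: a burst of files rewritten with an unfamiliar extension, the same note file created in many folders, and shadow copy deletion, all behaviours the article describes. The log format, host and process names, baseline extensions and thresholds are assumptions made for the demonstration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

WINDOW = timedelta(seconds=60)   # burst window for the mass-modification rule
MASS_THRESHOLD = 5               # distinct files with an unfamiliar extension per window
NOTE_DIRS_THRESHOLD = 3          # same file name created in this many folders
# Extensions normally written on the monitored workstations (assumed baseline)
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".ost", ".tmp"}

# Constructed file-activity telemetry, not real data. One event per line:
# timestamp host process action path   (path after the action; "-" if none)
SAMPLE_EVENTS = """
2024-05-01T09:00:00 ws-17 winword.exe write C:\\Users\\ann\\Documents\\q2-plan.docx
2024-05-01T09:00:03 ws-17 outlook.exe write C:\\Users\\ann\\AppData\\Local\\mail.ost
2024-05-01T09:00:20 ws-17 winword.exe write C:\\Users\\ann\\Documents\\~tmp1.tmp
2024-05-01T09:01:10 ws-17 upd.exe delete_shadow_copy -
2024-05-01T09:01:11 ws-17 upd.exe rename C:\\Users\\ann\\Documents\\q2-plan.docx.locked
2024-05-01T09:01:12 ws-17 upd.exe rename C:\\Users\\ann\\Documents\\budget.xlsx.locked
2024-05-01T09:01:12 ws-17 upd.exe create C:\\Users\\ann\\Documents\\README_DECRYPT.txt
2024-05-01T09:01:13 ws-17 upd.exe rename C:\\Users\\ann\\Pictures\\cat.jpg.locked
2024-05-01T09:01:13 ws-17 upd.exe create C:\\Users\\ann\\Pictures\\README_DECRYPT.txt
2024-05-01T09:01:14 ws-17 upd.exe rename C:\\Users\\ann\\Desktop\\notes.txt.locked
2024-05-01T09:01:14 ws-17 upd.exe create C:\\Users\\ann\\Desktop\\README_DECRYPT.txt
2024-05-01T09:01:15 ws-17 upd.exe rename C:\\Users\\ann\\Desktop\\slides.pptx.locked
2024-05-01T09:05:00 ws-22 excel.exe write C:\\Users\\bob\\Documents\\sales.xlsx
"""

Event = Tuple[datetime, str, str, str, str]


def parse_event(line: str) -> Event:
    ts, host, proc, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, proc, action, path


def max_distinct_in_window(items: List[Tuple[datetime, str]]) -> int:
    """Largest number of distinct paths touched within any WINDOW-long span.
    items must be sorted by timestamp."""
    best = 0
    for i, (start, _) in enumerate(items):
        seen = {path for ts, path in items[i:] if ts - start <= WINDOW}
        best = max(best, len(seen))
    return best


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (rule, host, process) alerts for the telemetry given."""
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    alerts: Set[Tuple[str, str, str]] = set()
    odd_writes: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    note_dirs: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for ts, host, proc, action, path in events:
        if action == "delete_shadow_copy":
            # Removing shadow copies before encryption is a precursor the article describes
            alerts.add(("shadow_copy_deletion", host, proc))
            continue
        if action not in ("write", "rename", "create") or path == "-":
            continue
        ext = ntpath.splitext(path)[1].lower()
        if ext and ext not in KNOWN_EXTS:
            odd_writes[(host, proc)].append((ts, path))
        if action == "create":
            # Ransom notes are typically the same file name dropped in every folder
            name = ntpath.basename(path).lower()
            note_dirs[(host, proc, name)].add(ntpath.dirname(path).lower())
    for (host, proc), items in odd_writes.items():
        if max_distinct_in_window(items) >= MASS_THRESHOLD:
            alerts.add(("mass_file_modification", host, proc))
    for (host, proc, _name), dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIRS_THRESHOLD:
            alerts.add(("ransom_note_drop", host, proc))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, host, proc in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: host={host} process={proc}")
```

Normal editing by winword.exe and excel.exe produces no alert, while the constructed upd.exe activity trips all three rules within a few seconds, which is the kind of early signal an administrator would want before the encryption run completes.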

Instant Recovery

If data is effectively backed up and tested for its recoverability, the organization should be ready to roll the network back to a safe restore point. Once this is achieved, the organization can avoid data failure, downtime, and the consequential revenue loss.

Ransomware Protection with Hysolate

Hysolate creates an isolated workspace on user endpoints, to contain ransomware and other malicious threats, and ensure secure enterprise access. Hysolate sits on user endpoints, but is managed via the cloud, with granular policies to control transfer into and out of the Workspace.

The Hysolate Workspace isolates threats including malware and ransomware, adding an extra layer of security to the endpoint, without hindering user productivity.

Risky links, applications and even documents can be transferred into Hysolate, reducing risk, and users are able to access all websites and applications as needed. Rather than just isolating browser based malware risks, Hysolate provides full OS isolation against all threats.


Malware Protection: Types, Tools and Best Practices

What Is Malware Protection?

Malicious software (malware) is a program designed to perform malicious activities. For example, malware can be programmed to spy on browser activity, steal financial information, or irreversibly encrypt data and demand a ransom.

There are many types of malware—the most common are viruses, worms, trojans, ransomware, spyware and adware. We discuss each of these types in more detail below.

The majority of malware attacks are delivered through links to malicious websites or malicious email attachments. Once a user clicks on the link or opens the file, the malware is activated and starts performing the malicious action it was designed for.

Malware protection technology can protect against malware attacks using a variety of techniques, including signature-based malware detection, behavior-based malware detection and sandboxing.

Common Types of Malware

Here are some of the most common types of malware:

  • Ransomware—malware which is designed to infiltrate computers and encrypt key files. After these files have been encrypted, the individual behind the ransomware demands payment for access to the secret key required to decrypt the encrypted files. Learn more in our guide: how to prevent ransomware (coming soon)
  • Viruses—malware that functions by infecting different computer programs. For instance, a virus could overwrite the code of an affected program with its own code or make the program import and use malicious code.
  • Worms—malware that is created to spread to additional systems. This could include malware that spreads by sending phishing emails or that scans for other vulnerable computers.
  • Rootkits—malware that is created to be stealthy and to watch a computer user. Once it has been installed, the rootkit attempts to hide itself so as to avoid detection by antivirus and other security programs, while collecting and exfiltrating data for the operator.
  • Cryptomining malware—cryptocurrency mining programs earn rewards by solving Proof of Work computational puzzles. Cryptomining malware makes use of the CPU resources of an infected computer to find solutions to these puzzles. This enables criminals to collect the rewards.
  • Botnet—a network of infected computers. Cybercriminals use and control botnets in order to carry out large-scale, automated attacks, such as Distributed Denial of Service (DDoS) and credential stuffing. Botnet malware is intended to infect computers and put in place a command-and-control structure that lets attackers send commands to the malware so that it carries out the attacker’s intention.
  • Trojans—malware created to impersonate something legitimate. Trojans try to steal the credentials of online accounts that may offer access to various sources of money, like online bank accounts.
  • Fileless—a form of malware that avoids detection by traditional antivirus applications, which scan a computer’s files for indications of malware. This is achieved by avoiding custom malicious code on disk and instead using functionality built into the system being targeted. This makes fileless malware difficult to detect, because there is no file that matches the signatures retained by antivirus applications.
  • Adware—malware that is created to serve malicious ads to computer users. Malware developers gain revenue from the advertisers whose ads the malware serves.

How to Prevent Malware Infections in Your Organization

You can prevent malware with a variety of techniques:

  • Install anti-malware software on your devices
  • Ensure safe user behavior on devices (e.g. avoiding opening attachments from untrusted sources)
  • Keep your anti-malware software updated, so you can benefit from the latest patches
  • Implement a dual approval process for transactions between different organizations
  • Implement second-channel verification processes for transactions with customers
  • Apply threat detection and response procedures to identify malware and prevent it from spreading
  • Implement robust security policies such as whitelists or allowlists
  • Implement security at the web browser level

How Does Antimalware Software Work?

Antimalware software is a core component of a malware protection strategy. There is a wide range of antimalware solutions and vendors. The majority use the following security strategies.

Signature-Based Malware Detection

This type of detection looks for known software components, identifying them using digital signatures. These signatures are used to flag newly detected software as malware. The signature-based malware approach can help defend against many common malware types, like adware, keyloggers, and some types of ransomware.

It can be useful as a first line of defense against malware, but cannot safeguard a system if threats are new and unknown, or use advanced evasion strategies.

Behavior-Based Malware Detection

This type of detection can support the efforts of security experts, helping them quickly identify, block, and eradicate malware. Behavior-based malware detection processes employ active malware analysis, which examines how the malware component behaves, to identify suspicious processes running on a machine. Behavior-based malware detection is often powered by machine learning (ML) algorithms.

Sandboxing

Sandboxing can isolate potentially malicious components, separating threats from the rest of the system or network. Sandboxes are often used to filter potentially malicious files, ensuring these files are removed before they can damage the system.

For example, when a user opens an email attachment from an unknown source, a sandbox can be used to run the file in a virtual environment. The file is not allowed to access the real operating system or other programs running on the machine—it can only operate within a safe, isolated environment. If the file behaves suspiciously, it is quarantined for further analysis, and the user is not allowed to open it outside the sandbox.

9 Malware Protection Best Practices

Here are several best practices to consider when implementing malware protection:

  1. Strong passwords and software updates—ensure all users create strong, unique passwords, and regularly change passwords. Use a password manager to make it easier for users to use and remember secure passwords. Update your systems as quickly as possible once security flaws become known and patches are released.
  2. Back up your data and test your restore procedures—backup is a critical practice that can help protect against data loss. It can help ensure that normal operations can be maintained even if the organization is attacked by network-based ransomware worms or other destructive cyber attacks.
  3. Protect against malware—you should employ a layered approach that employs a combination of endpoint protection tools. For example, you can combine endpoint protection with next-generation firewalls (NGFW), and also implement an intrusion prevention system (IPS). This combination can help you ensure security is covered from endpoints to emails to the DNS layer.
  4. Educate users on malware threats—train your users on techniques that can help them avoid social engineering schemes, such as phishing attacks, and report suspicious communication or system behavior to the security team.
  5. Partition your network—you should use network segmentation to isolate important parts of your network from each other. This can significantly reduce the “blast radius” of successful attacks, because attackers will be limited to a specific network segment, and cannot move laterally to other parts of the network.
  6. Leverage email security—the majority of ransomware infections are spread via malicious downloads or email attachments. You should implement a layered security approach, including a secure email solution, a company-sanctioned file-sharing solution, and endpoint protection on user devices.
  7. Use security analytics—continuously monitor network traffic, and use real-time threat intelligence feeds to add context to security alerts. This can help you gain extended visibility into threats affecting your network, understand their severity and how to respond effectively.
  8. Create instructions for your IT staff—develop an incident response plan, which tells security staff and other stakeholders what they should do to detect, contain, and eradicate a cyber attack.
  9. Deploy a zero-trust security framework—in this security approach, all access requests, whether coming from outside or inside the network, must be verified for trustworthiness before they can gain access to a system. The goal is to secure access by end-user devices, users, APIs, microservices, IoT, and containers, all of which may be compromised by attackers.

Malware Protection with Hysolate

Hysolate creates an isolated workspace on user endpoints, to contain threats and ensure secure enterprise access. Hysolate sits on user endpoints, but is managed via the cloud, with granular policies to control transfer into and out of the Workspace. The Hysolate Workspace isolates threats including malware and ransomware, adding an extra layer of security to the endpoint, without hindering user productivity.

Risky links, applications and even documents can be transferred into Hysolate, reducing risk, and users are able to access all websites and applications as needed. Rather than just isolating browser based malware risks, Hysolate provides full OS isolation against all threats.
