Ransomware is a criminal activity that forces a company to pay a fee in return for having its data decrypted. Attackers use malware to encrypt a company's files. There are several alternatives to paying the ransom:
- Hiring security experts to restore your computer operation by figuring out the decryption key or by other technical means.
- Living with the consequences either by ceasing operations or by restoring the data yourself if proper steps were taken to separate your data from your operations.
- Taking protective measures to prevent ransomware from taking hold, or ensuring your company can keep operating if a malicious attack does occur.
Ransomware is usually delivered through an email attachment or by visiting a malicious website. Ransomware attacks are becoming more sophisticated as encryption algorithms advance. Criminal groups are even renting out their ransomware to other criminals for a fee (Ransomware-as-a-Service). In many cases, computer operating system software has not kept up with these new advances. The use of Bitcoin has helped criminals avoid detection because the payments can't be traced.
Some useful ransomware defenses
Some of the many steps you or your IT administrators should take are:
- Backing up your data on different systems or offline (offsite is even better) so that the data can be restored after an attack. Backups should be regular – daily or weekly. The backup process should be routinely tested to make sure it works if and when an attack occurs.
- Education. Employees should be trained to know when they can and cannot open attachments, download files, and browse the web.
- Restricting access. The more people who have access to a system, the more likely it is that one of them does something that introduces the ransomware. Key operations should only be executable by the system administrator. Some ransomware cannot function in system administrator mode.
- Anti-virus and anti-malware software should be installed and regularly updated. Good anti-malware software scans attachments and URLs and warns the user of the danger before an attachment or link is opened.
- The software chosen should come from a vendor that updates it to respond to new ransomware attacks.
- Policies should be in place that restrict which types of attachments can be sent and opened. EXE (executable) files are especially suspect.
- Local administrative rights should be removed.
- Permissions should be reset so that only IT administrators can manage dangerous files and only key personnel can write or update information.
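As an added illustration of the attachment policy described above (example code written for this article, not a product or vendor tool), the following check refuses an attachment on three grounds: a blocked final extension, a blocked extension hidden inside a double extension, and executable content (the MZ header of a Windows program) regardless of what the file is called. The blocked-extension list and the sample attachments are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict

# Extensions a restrictive attachment policy refuses outright (illustrative list).
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "ps1"}
# First bytes of a Windows PE executable ("MZ" header); present whatever the file is named.
PE_MAGIC = b"MZ"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_attachment(filename: str, content: bytes) -> Verdict:
    """Decide whether an attachment may be delivered to the user.

    Checks, in order: the final extension (what the OS would run on double-click),
    any blocked extension hiding behind a harmless-looking one ("invoice.exe.pdf"),
    and the real file header, because a renamed executable keeps its MZ bytes.
    """
    exts = filename.lower().split(".")[1:]
    if not exts:
        return Verdict(False, "no file extension")
    if exts[-1] in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension .{exts[-1]}")
    hidden = [e for e in exts[:-1] if e in BLOCKED_EXTENSIONS]
    if hidden:
        return Verdict(False, f"double extension hides .{hidden[0]}")
    if content.startswith(PE_MAGIC):
        return Verdict(False, f"executable content (MZ header) named .{exts[-1]}")
    return Verdict(True, "ok")


# Constructed sample attachments (names and contents invented for this example).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00",
    "quarterly_report.pdf": b"MZ\x90\x00\x03\x00",  # an executable renamed to look like a PDF
    "invoice.exe.pdf": b"%PDF-1.7\n",
    "notes.txt": b"meeting at 10\n",
}


def run_samples() -> Dict[str, Verdict]:
    """Apply the policy to every sample and return the verdicts by filename."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{'ALLOW' if verdict.allowed else 'BLOCK':5} {name}: {verdict.reason}")
```

A mail gateway would apply the same three checks to each part of an incoming message and quarantine anything that returns a blocked verdict.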
Firewalls should be able to limit or “block remote desktop protocol (RDP) and other remote management services.” Spam lists should be created and software should be used to detect spam. Deleting spam before it reaches the inbox keeps employees from ever seeing a malicious attachment. The firewall should also delete, or warn about, messages carrying certain file extensions. Additional firewall best practices include:
- Consider using a sandboxing solution and the right type of firewall engine. Sandboxing should be applied to attachments and web traffic so that attachments and websites are properly analyzed for malware before entering your network.
- Understand that every open port is a potential point of entry for ransomware. Non-essential open ports should be eliminated. Rather than using port-forwarding, use VPNs to access remote resources.
- The ports that do stay open should be properly secured.
- Segment Local Area Networks into smaller zones or Virtual LANs that are connected securely by the firewall.
- Apply proper IPS policies governing network traffic so that bots and worms can’t spread between Local Area Network segments.
- Isolate infected systems immediately.
What to do if a ransomware attack occurs
If an attack occurs:
- It can help to take a snapshot of your system memory (a memory dump), which can later assist with decryption.
- A strategy should be in place for disconnecting the system and disabling automated backup procedures, so that encrypted files do not overwrite clean backups.
- Access to the attacker's servers, especially “command-and-control servers”, should be blocked.
- Emails should be examined, if possible, to identify the attacker.
- Consider notifying law enforcement.
Plan to avoid ransomware attacks before they occur
The best way to avoid having to pay a ransom or hire security experts is to stop the ransomware attack before it happens. Proper firewall best practices can reduce the likelihood of an attack and improve how you restore your operations in the event of one. To prepare ahead of the attack, please contact us. Our experienced ransomware attack consultants are ready to help.