Ransomware Protection — LiveOnNetwork
While it is impossible to completely block ransomware at its two most common points of entry (email and websites), steps can be taken at the system level that reduce, but do not eliminate, successful attacks. First, current anti-malware products should detect and block ransomware at the file and process level before data is encrypted, and a well-designed product should also scan email attachments and downloads for malicious content. I emphasize should because ransomware evolves so rapidly that even fully up-to-date anti-malware is not guaranteed to detect the latest strains.
For email consider the following practices:
- Robust filtering is one of the most important steps an organization can take: the fewer spam or malicious emails that reach employees, the fewer chances an attack has to succeed.
- Blocking attachments is an important step in reducing the attack surface. Ransomware is often delivered as some form of executable attachment: direct executables (.exe, .js, .scr or anything else the operating system will run), Microsoft Office documents containing macros, and .zip files that either contain executables or are executables themselves (the name says .zip, but the bytes are a .exe). Policy should state that these cannot be sent by email, and the email security appliance should remove them, identifying files by their content rather than trusting the extension.
- Reviewing permission-related practices matters because several of them limit what a ransomware process can do once it is running on a host:
- Removing local administrative rights hinders ransomware on the local system and limits its spread by taking away what most strains rely on: the ability to change system files and directories, the registry and storage configuration (deleting volume shadow copies, for example, requires elevation). It does not, however, protect the user's own data: a process running as the user can still encrypt every file that user can write, so this control reduces impact rather than preventing encryption.
- Other permission-related practices include restricting where users can write, preventing execution from user-writable directories, whitelisting applications, and limiting access to network storage or shares. Some ransomware needs write access to specific paths to install or execute; confining user write permission to a small number of directories (for example the user's Documents and Downloads folders) stops those variants from staging themselves anywhere else.
Additionally, ransomware executables can be blocked by removing execute permission from those writable directories, so that a file a user can write is not a file the system will run. Many organizations use a limited set of applications to conduct business; a whitelist-only application policy blocks every non-whitelisted program, ransomware included, from executing.
- A final permissions practice that can blunt the impact of ransomware and limit its spread is to require a login at access points such as local and mapped drives rather than leaving shares persistently mapped, so that ransomware running in a user's session cannot silently write to every share that user can reach.
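The permission practices above (deny execution from user-writable directories, allow only whitelisted applications, default deny) expressed as an audit over process-start events. This is an added example, not LiveOnNetwork's code and not an AppLocker policy; the directory lists, the placeholder hash and the events are constructed assumptions, and enforcement would still be done by the operating system's application control.

```python
"""Audit process-start events against the execution rules above: deny
anything launched from a user-writable directory, allow by approved hash
or from admin-only install roots, deny everything else.
Added example; paths, hashes and events are constructed assumptions."""
import fnmatch
import ntpath

# Directories an ordinary user (or a process running as one) can write to.
# Assumed set; a real policy would be generated from the estate's ACLs.
USER_WRITABLE = [
    r"C:\Users\*\Downloads",
    r"C:\Users\*\Documents",
    r"C:\Users\*\Desktop",
    r"C:\Users\*\AppData\Local\Temp",
    r"C:\Users\*\AppData\Roaming",
    r"C:\Windows\Temp",   # user-writable even though it sits under C:\Windows
    r"C:\ProgramData",
]
# Install roots that only administrators can write to (path rules).
TRUSTED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
# Explicitly approved binaries by SHA-256 (placeholder hash, assumed).
APPROVED_HASH = "1" * 64
ALLOWED_SHA256 = {APPROVED_HASH: "7z.exe (IT-deployed per-user install)"}


def _norm(path: str) -> str:
    # Collapse "..", duplicate separators and case, so that
    # C:\Program Files\..\Users\alice\Desktop\x.exe is judged by where it
    # really points, not by the prefix the launcher chose to show.
    return ntpath.normpath(path).lower()


def _under(path: str, root: str) -> bool:
    # The trailing separator stops "C:\Program Files" from matching
    # "C:\Program Files (x86)\..." by accident.
    return path.startswith(_norm(root) + "\\")


def _user_writable_match(path: str) -> str:
    """Return the user-writable pattern the path falls under, or ""."""
    for pattern in USER_WRITABLE:
        if fnmatch.fnmatchcase(path, _norm(pattern) + "\\*"):
            return pattern
    return ""


def evaluate(event: dict) -> tuple:
    """Return (decision, reason) for one process-start event."""
    image = _norm(event["image"])
    # 1. Hash rules first: an IT-approved binary may legitimately live in
    #    a user profile.
    if event.get("sha256") in ALLOWED_SHA256:
        return ("allow", "hash allowlist: " + ALLOWED_SHA256[event["sha256"]])
    # 2. Deny user-writable locations before consulting path rules;
    #    otherwise C:\Windows\Temp would be allowed by the C:\Windows rule.
    hit = _user_writable_match(image)
    if hit:
        return ("deny", "execution from user-writable path " + hit)
    # 3. Path rules for admin-only install roots.
    for root in TRUSTED_ROOTS:
        if _under(image, root):
            return ("allow", "path rule " + root)
    # 4. Default deny: whitelist-only policy.
    return ("deny", "not on application whitelist")


# Constructed process-start events (Sysmon-style fields, not real telemetry).
EVENTS = [
    {"user": "alice", "image": r"C:\Users\alice\Downloads\invoice.pdf.exe", "sha256": "feed" * 16},
    {"user": "alice", "image": r"C:\Windows\System32\notepad.exe", "sha256": "beef" * 16},
    {"user": "alice", "image": r"C:\Windows\Temp\upd.exe", "sha256": "dead" * 16},
    {"user": "alice", "image": r"C:\Program Files (x86)\Vendor\tool.exe", "sha256": "cafe" * 16},
    {"user": "alice", "image": r"C:\Users\alice\AppData\Local\Temp\7z.exe", "sha256": APPROVED_HASH},
    {"user": "alice", "image": r"C:\Program Files\..\Users\alice\Desktop\x.exe", "sha256": "f00d" * 16},
    {"user": "alice", "image": r"D:\tools\foo.exe", "sha256": "c0de" * 16},
]


def audit(events=EVENTS) -> list:
    """Decision per event, in input order."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for e, (decision, reason) in zip(EVENTS, (evaluate(e) for e in EVENTS)):
        print(f"{decision:5} {e['image']}  ({reason})")
```

Two details carry the weight here: the user-writable check runs before the path rules, because `C:\Windows\Temp` would otherwise inherit trust from `C:\Windows`, and every path is normalized before comparison, so a launch path containing `..` is judged by where it actually resolves.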
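The attachment-blocking practice in the email list above says the appliance should strip executables, macro documents and archives that hide either, including a .exe renamed to .zip. Below is an added example of checking attachments by content rather than by name; it is not LiveOnNetwork's code, and the extension lists, the `MAX_NESTING` limit and the sample files are assumptions.

```python
"""Content-based attachment gate: executables (by extension or by PE
header), macro-enabled Office files, and archives containing either.
Added example; the lists and sample files are constructed assumptions."""
import io
import zipfile

# Extensions Windows will execute directly (assumed list; tune per estate).
EXECUTABLE_EXTS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "msi", "cpl", "lnk", "jar",
}
# Office formats that carry macros by definition.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
MAX_NESTING = 3  # stop unpacking zip-in-zip-in-zip chains here


def _ext(name: str) -> str:
    # Last extension only, so invoice.pdf.exe is judged as .exe
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _is_pe(data: bytes) -> bool:
    # Every Windows executable starts with the "MZ" DOS header, whatever
    # the file is called; this is what catches a .exe renamed to .zip.
    return data[:2] == b"MZ"


def _is_zip(data: bytes) -> bool:
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def inspect(name: str, data: bytes, depth: int = 0) -> list:
    """Return the policy violations for one attachment; [] means deliver."""
    ext = _ext(name)
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension .{ext}")
    if ext in MACRO_EXTS:
        findings.append(f"{name}: macro-enabled Office extension .{ext}")
    if _is_pe(data):
        findings.append(f"{name}: PE header (MZ) despite extension .{ext or '(none)'}")
    elif _is_zip(data):
        # Covers .zip and also OOXML (.docx/.xlsx/...), which is a zip too.
        findings.extend(_inspect_zip(name, data, depth))
    return findings


def _inspect_zip(name: str, data: bytes, depth: int) -> list:
    if depth >= MAX_NESTING:
        return [f"{name}: archive nested deeper than {MAX_NESTING}"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: corrupt or truncated archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            member = info.filename
            if info.flag_bits & 0x1:
                # Encrypted member cannot be inspected: fail closed.
                findings.append(f"{name}: encrypted member {member}")
                continue
            if member.lower().endswith("vbaproject.bin"):
                # A VBA project inside an OOXML container means macros,
                # even when the outer name is a harmless-looking .docx.
                findings.append(f"{name}: contains VBA project ({member})")
                continue
            if info.is_dir():
                continue
            findings.extend(inspect(f"{name}/{member}", zf.read(member), depth + 1))
    return findings


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()


# Constructed sample attachments (not real malware): a minimal MZ stub
# stands in for an executable.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%...",
    "invoice.zip": FAKE_PE,                                  # .exe renamed to .zip
    "invoice.pdf.exe": FAKE_PE,                              # double extension
    "scan.zip": _zip_bytes({"scan.js": b"WScript.Shell"}),   # script inside archive
    "memo.docx": _zip_bytes({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\xd0\xcf"}),
    "budget.zip": _zip_bytes({"q1.xlsx": _zip_bytes({"xl/workbook.xml": b"<x/>"})}),
}


def gate(samples=SAMPLES) -> dict:
    """Map attachment name to its findings ([] = deliver, anything else = strip)."""
    return {name: inspect(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in gate().items():
        print(f"{'STRIP  ' if findings else 'DELIVER'} {name} {findings}")
```

The appliance has to look at the bytes: the renamed executable carries a .zip name but an MZ header, and the .docx that contains `word/vbaProject.bin` is macro-enabled whatever its extension says. Encrypted archive members cannot be inspected and are therefore stripped rather than waved through. Legacy OLE formats (.doc, .xls) are not parsed here and should be handled by the appliance's own parser or blocked outright.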
At the network level consider the following practices:
At the network level it has proved harder to prevent ransomware and to stop its spread. Firewalls that enforce whitelisting or robust blacklisting of destinations lessen the likelihood of successful web-based malware downloads and may stop ransomware from reaching its command-and-control servers.
- Firewalls should limit or completely block remote desktop protocol (RDP) and other remote management services from the internet. Also deploy spam-detection techniques, such as spam lists, to keep malicious emails out of users' inboxes, and limit the types of file extensions that can be delivered via email.
- Once an internal host has been infected, preventing the ransomware from spreading to other computers on the network is harder. The single most effective method is to disconnect the infected host as soon as possible: wired connections, Wi-Fi and Bluetooth. Automated backups from that host to local or external storage should also be paused, so that encrypted files do not overwrite the good copies in the backup.
In the Event of a Ransomware Attack
While these practices are effective, no organization can be completely protected from ransomware. If you believe you have been the victim of a ransomware attack, consider the following steps:
- Take a snapshot of your system. Before shutting the system down, if at all possible, capture an image of system memory. It will help later in identifying the ransomware's attack vector, and it may contain cryptographic material (the encryption key while it is still in use) that helps with decrypting data. Do this after disconnecting the host from the network, not instead of it.
- Shut down your system. To stop the ransomware from encrypting more data and from spreading, shut down the system believed to be infected once memory has been captured.
- Identify the attack vector. Recall all emails suspected of carrying the ransomware from users' mailboxes to prevent further infections.
- Block network access to any identified command-and-control servers. Some ransomware families fetch their encryption key from these servers and stall without them; many others carry everything they need and encrypt offline, so treat this as containment rather than a guarantee.
- Notify authorities. Consider informing law enforcement so they can help with the investigation. Be aware that this takes time, and time matters: ransom demands tend to rise the longer payment is delayed, so involving law enforcement can delay a decision, add significant cost to the ransom if the organization ultimately decides to pay, and with that lengthen the period in which the data may be lost for good.
Originally published at https://www.liveonnetwork.info.