Top 10 guidelines for Ransomware protections
Malware is malicious software designed to disrupt, damage, or gain unauthorised access to a computer or larger system. Ransomware is revenue-generating malware developed specifically to deny access to a victim's files, using strong encryption, until a ransom is paid. Not all Ransomware programs are created equal.
There are close to 800 known variants, accommodating the various attack vectors that can be used to enter a system. Attackers typically demand payment in cryptocurrency (e.g. Bitcoin), which obscures, though does not fully anonymise, the source and destination of transactions.
Insurance companies are forecasting that Ransomware will soon account for the highest percentage of cyber insurance claims. Ransomware criminals demand on average €35,000 in Bitcoin to release their decryption keys, and those keys reportedly fail to work 17% of the time.
As Ransomware continues to spread, organisations are most likely to be attacked through two high-level areas:
- Unsecured internet facing services e.g. RDP.
- Employees targeted via phishing attacks.
The majority of Ransomware relies on vulnerabilities in unpatched systems or unsupported operating systems (e.g. Windows Server 2008 or Windows XP) for initial access and spread: these systems no longer receive security fixes, so they make lateral movement through the network frictionless.
To assist organisations to be better protected against the threat of Ransomware the following guidelines have been developed.
Perimeter security controls should be in place to ensure inbound ports to internet-facing services (RDP, email, web hosting, etc.) are protected. Controls include high-availability firewall protection, IPS controls, malware protection and web application protections. RDP in particular should not be exposed directly to the internet; place it behind a VPN or remote desktop gateway with multi-factor authentication, and verify this with an external port scan of your own address ranges.
It is also important to know your network and what normal network activity looks like, so that unauthorised or abnormal activity can be identified. Ongoing vulnerability assessments and penetration testing should be undertaken; best practice is that network security testing of critical internet-facing services is conducted periodically (at minimum annually) and after any significant configuration change.
All Windows endpoint devices (desktops, laptops and tablets) should have an approved antivirus/antimalware product installed, active and up to date. Many antivirus packages now offer Ransomware-specific features or add-ons that identify the behaviour common to all Ransomware: rapid, bulk modification and renaming of files as they are encrypted.
In addition, content scanning and email filtering can be used to prevent attack emails from reaching the inbox.
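The behavioural signal described above (one process renaming many files to a new extension in a short window) is simple enough to detect from file-activity logs. The following is an added example written for this page, not code from the original article or any product; it assumes a constructed log format, a constructed sample log, and a hypothetical "canary" decoy file on a share that no legitimate process should ever touch. It alerts once per host/process when a rename burst crosses the threshold, and separately when the canary is touched.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (constructed for this example, not any product's native output):
#   <ISO-8601 timestamp> <host> <user> <process> <op> <path>[ -> <new path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<proc>\S+) (?P<op>\w+) "
    r"(?P<path>.+?)(?: -> (?P<newpath>.+))?$"
)

BURST_THRESHOLD = 5   # this many renames to one new extension ...
WINDOW_SECONDS = 10   # ... within this many seconds, by one process on one host
# Assumed honeyfile: a decoy on the share that no legitimate process should touch.
CANARY_PATHS = {r"\\fs01\finance\~canary_do_not_open.xlsx".lower()}

# Constructed sample events: ordinary work, one manual rename, then a burst.
SAMPLE_LOG = r"""
2024-03-04T09:12:01Z ws-017 jdoe WINWORD.EXE write C:\Users\jdoe\Documents\report.docx
2024-03-04T09:12:40Z ws-017 jdoe explorer.exe rename C:\Users\jdoe\Documents\old.txt -> C:\Users\jdoe\Documents\old.bak
2024-03-04T09:14:03Z ws-017 jdoe svc_update.exe rename \\fs01\finance\q1.xlsx -> \\fs01\finance\q1.xlsx.locked
2024-03-04T09:14:04Z ws-017 jdoe svc_update.exe rename \\fs01\finance\q2.xlsx -> \\fs01\finance\q2.xlsx.locked
2024-03-04T09:14:04Z ws-017 jdoe svc_update.exe rename \\fs01\finance\budget.docx -> \\fs01\finance\budget.docx.locked
2024-03-04T09:14:05Z ws-017 jdoe svc_update.exe rename \\fs01\finance\payroll.csv -> \\fs01\finance\payroll.csv.locked
2024-03-04T09:14:06Z ws-017 jdoe svc_update.exe rename \\fs01\finance\invoices.pdf -> \\fs01\finance\invoices.pdf.locked
2024-03-04T09:14:07Z ws-017 jdoe svc_update.exe rename \\fs01\finance\forecast.xlsx -> \\fs01\finance\forecast.xlsx.locked
2024-03-04T09:14:09Z ws-017 jdoe svc_update.exe write \\fs01\finance\~canary_do_not_open.xlsx
2024-03-04T09:30:00Z ws-022 backup backup.exe rename \\fs01\finance\q1.xlsx.bak -> \\fs01\finance\q1.xlsx.bak.old
""".strip().splitlines()


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def extension(path):
    """Lower-cased final extension of a Windows or UNC path ('' if none)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return a list of alert dicts for rename bursts and canary-file access."""
    alerts, fired = [], set()
    windows = defaultdict(deque)   # (host, process, new_ext) -> recent rename timestamps
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        touched = {ev["path"].lower(), (ev["newpath"] or "").lower()}
        if touched & CANARY_PATHS and ("canary", ev["host"], ev["proc"]) not in fired:
            fired.add(("canary", ev["host"], ev["proc"]))
            alerts.append({"kind": "canary_touched", "host": ev["host"],
                           "process": ev["proc"], "user": ev["user"]})
        if ev["op"] != "rename" or not ev["newpath"]:
            continue
        old_ext, new_ext = extension(ev["path"]), extension(ev["newpath"])
        if not new_ext or new_ext == old_ext:
            continue                      # same extension: ordinary move/rename
        key = (ev["host"], ev["proc"], new_ext)
        q = windows[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                   # slide the window forward
        if len(q) >= BURST_THRESHOLD and ("burst",) + key not in fired:
            fired.add(("burst",) + key)   # alert once per host/process/extension
            alerts.append({"kind": "rename_burst", "host": ev["host"], "process": ev["proc"],
                           "user": ev["user"], "new_ext": new_ext, "count": len(q),
                           "first_seen": q[0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the constructed log the user's own rename in Explorer and the backup job's rename each produce a single event and stay below the threshold; the burst from svc_update.exe fires on its fifth rename, and the canary write fires a second, independent alert. Tune the threshold and window against your own baseline before alerting on it in production.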
When hardware and software are no longer supported by the vendor, organisations should upgrade, replace or air-gap them. This requires a complete inventory of all IT assets: if it cannot be seen, it cannot be protected.
Organisations should ensure all client and server operating system patches are up to date, especially security patches, and should test patches quickly and thoroughly before applying them.
Organisations should develop a reliable patching strategy that, in addition to patching Windows operating systems, prioritises the timely patching of Java and Adobe Reader, which are commonly exploited to deliver Ransomware. Adobe Flash has been end-of-life since the end of 2020 and should be removed rather than patched.
The message for organisations is to promote good password practices and the use of multi-factor authentication as standard across corporate and personal accounts.
Password strength, reuse and sharing: most platforms enforce a minimum strength, but passwords should be at least 10 characters long. Users should consider a passphrase to reach greater length comfortably; length does far more for security than complexity rules. Substituting letters with numbers or symbols (e.g. "a" to "@") adds little, because password-cracking tools apply exactly those substitutions automatically. Passwords should be changed whenever there is reason to believe they have been compromised, rather than on a fixed schedule.
It is equally important that password/passphrase reuse is avoided, including near-identical variants, between personal and business accounts. Password reuse is the most common way for attackers to escalate access during an attack. 92% of users reuse their passwords. The attacker will typically obtain a password from a breached third-party site or social media account and then gain access to corporate data because the employee reused it (credential stuffing).
Never share your passwords with others or write them down; use a password manager to generate and store unique passwords instead.
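A policy check that enforces the points above (minimum length, no common passwords even after letter substitutions, no near-identical reuse) looks like the following. This is an added example written for this page, not code from the original article; the deny-list is a constructed stand-in for a breached-password corpus, and the substitution table and similarity threshold are assumptions to tune.

```python
import difflib
import re

MIN_LENGTH = 10        # minimum from the guideline above
MIN_CORE_LETTERS = 6   # assumed: reject passwords that are little more than digits/symbols
SIMILARITY_LIMIT = 0.8 # assumed: difflib ratio above which two cores count as "similar"

# Constructed stand-in for a breached/common password corpus.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "changeme", "admin", "iloveyou"}

# Letter-for-symbol substitutions that cracking rulesets already try; undo them before checking.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password):
    """Reduce a password to its 'core': strip leading/trailing digits and symbols
    (Summer2024! -> Summer), lower-case it, and undo leet substitutions."""
    core = re.sub(r"[\d\W_]+$", "", password)
    core = re.sub(r"^[\d\W_]+", "", core)
    return core.lower().translate(LEET)


def check_password(candidate, previous=()):
    """Return a list of reasons the candidate is rejected; an empty list means it passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    core = normalise(candidate)
    if len(core) < MIN_CORE_LETTERS:
        reasons.append("too few letters once leading/trailing digits and symbols are removed")
    if core in COMMON_PASSWORDS:
        reasons.append(f"is a common password once substitutions are undone ({core!r})")
    for old in previous:
        old_core = normalise(old)
        if core == old_core or difflib.SequenceMatcher(None, core, old_core).ratio() >= SIMILARITY_LIMIT:
            reasons.append("too similar to a previous password")
            break
    return reasons


if __name__ == "__main__":
    for pw, old in [("P@ssw0rd123", []), ("Summer2024!", ["Summer2023!"]),
                    ("1234567890", []), ("correct horse battery staple", [])]:
        print(pw, "->", check_password(pw, old) or "ok")
```

"P@ssw0rd123" is 11 characters and satisfies a typical complexity rule, yet it normalises to "password" and is rejected; "Summer2024!" is rejected as a rotation of "Summer2023!"; a long passphrase with no previous near-match passes.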
Multi-factor authentication should be standard across corporate and personal accounts. Without it, an attacker can gain access to an account simply by guessing or reusing a password (brute force, password spraying or credential stuffing). This remains an extremely common tactic, and enabling multi-factor authentication is the single most important step that individuals and organisations can take to protect services, personal data and infrastructure. Prefer phishing-resistant methods (hardware security keys or platform authenticators) over SMS codes where possible, and check that no legacy authentication protocol allows the MFA prompt to be bypassed.
This is particularly important for privileged accounts (e.g. administrators) and senior management teams, as they will be the first targets of a targeted phishing campaign (spear phishing) that can lead to a Ransomware attack.
A key line of defence is an engaged, curious and well-trained workforce acting as a human firewall, spotting unusual activity before it becomes a breach, e.g. a spoofed email asking the user to click a link that leads to malware being downloaded.
Training can take the form of webinars, email communications and targeted videos, right through to simulated phishing tests sent to your users.
A good security awareness training program should start with email fundamentals and then expand on them to keep users engaged. Some of the basics of email etiquette that all staff should know are:
- Do not click on links or download attachments from parties that are not completely trusted.
- Look at the email headers; the "From" field is usually a giveaway. Does something about the domain seem off? Is it .net when it should be .com? Is it misspelled? Delete such emails without opening them, and report them to the IT or security team so that others can be warned.
If you suspect deceit, hit delete!
- Think twice before clicking hyperlinks in emails, even from trusted senders. Display names and domain names are easily spoofed, and the visible text of a link need not match its destination. Hover over links to see where they actually go before clicking.
- Manually type in URLs of sites you want to visit rather than clicking on links.
- Disconnect the device from the network (pull the cable or disable Wi-Fi) as soon as a suspicious process is detected. This limits spread to file shares and other hosts and interrupts any data exfiltration or key exchange with a command and control server. Note that many Ransomware families carry an embedded public key and can finish encrypting the local disk without ever contacting a server, so disconnection contains the incident rather than guaranteeing it stops.
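The two checks the list asks users to make by eye (does the display name match the real sender, and does a link's text match where it goes) can be automated at the mail gateway or in a triage script. The following is an added example written for this page, not the article's or any vendor's code; it assumes a constructed sample message, a constructed list of the organisation's own domains, and a deliberately simple "registrable domain" rule (a real tool would use the Public Suffix List and DNS).

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organisation's own domains; anything imitating these is suspicious.
TRUSTED_DOMAINS = {"example.com"}
LOOKALIKE_RATIO = 0.8   # assumed threshold on difflib similarity of the first label
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URLISH_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#].*)?$", re.I)

# Constructed sample message (not a real phish): the display name carries a
# trusted-looking address, and the link text shows a different site than its href.
SAMPLE_MESSAGE = """\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@examp1e.net>
To: staff@example.com
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://examp1e.net/reset">https://portal.example.com/reset</a>
before 5pm to keep your account.</p></body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def reg_domain(host):
    """Registrable domain, simplified to the last two labels (assumption; use the PSL in practice)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_of(text):
    """Hostname of a URL or bare domain string."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is ours or unrelated."""
    reg = reg_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:   # e.g. example.com.evil.net
            return trusted
        if difflib.SequenceMatcher(None, reg.split(".")[0], trusted.split(".")[0]).ratio() >= LOOKALIKE_RATIO:
            return trusted    # e.g. examp1e.net
    return None


def html_body(msg):
    for part in msg.walk():   # works for single-part and multipart messages
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse(raw_message):
    """Return a list of (code, detail) findings for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    m = ADDR_RE.search(display)
    if m and m.group(1).lower() != sender_domain:
        findings.append(("display_name_mismatch", f"display name shows {m.group(0)} but real sender is {address}"))
    if lookalike_of(sender_domain):
        findings.append(("lookalike_sender", f"{sender_domain} imitates {lookalike_of(sender_domain)}"))
    collector = AnchorCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        target = host_of(href)
        if URLISH_RE.match(text) and reg_domain(host_of(text)) != reg_domain(target):
            findings.append(("link_text_mismatch", f"text shows {host_of(text)} but link goes to {target}"))
        imitated = lookalike_of(target)
        if imitated:
            findings.append(("lookalike_link", f"{target} imitates {imitated}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_MESSAGE):
        print(f"{code}: {detail}")
```

On the constructed message this reports four findings: the display name embeds helpdesk@example.com while the real sender is at examp1e.net, that sender domain imitates example.com, the link text shows portal.example.com while the href goes to examp1e.net, and that link target is itself a lookalike. A link whose visible text is plain words ("click here") is not flagged for mismatch, only for a lookalike target.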
The advice is to ensure only approved devices meeting a minimum security standard are permitted to connect to your network and access company systems, applications and data.
Organisations want the peace of mind of knowing that every device connecting to their network has been approved to connect and is secure. Device types include removable media (e.g. USB drives, cameras), laptops, desktops and mobile phones.
The following minimum protections should be in place before a device connects to the organisation's network:
- Device enrolment, to ensure only approved devices are permitted to connect to the corporate network.
- Up-to-date endpoint protections installed and active on any device used for work. The standard level of protection applied before connecting to the network includes:
  - Operating system is patched.
  - Endpoint AV and malware protections.
  - Advanced Endpoint Detection and Response (EDR), including anti-Ransomware protections.
  - Local firewall is enabled.
  - Additional web filtering software installed, including application-level protections.
  - Disk encryption, PIN and auto-lock enforcement.
Organisations should enhance their current email protections as much as possible. Some suggestions, beyond the usual scanning for malicious content, are:
- Email filtering services to quarantine or reject emails from untrusted sources.
- Email filtering services that scan for and protect against malicious content or bad web links.
- Email threat detection services that highlight unusual activity, e.g. Advanced Threat Protection.
- An email banner advising when a message comes from an external source.
- Implement SPF, DKIM and DMARC. DMARC builds on SPF and DKIM to detect and block spoofing of your own domain; publish it first with p=none to collect reports, then move to quarantine and finally reject once all legitimate senders are aligned.
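The decision a receiving mail server makes under DMARC (does the SPF or DKIM result align with the visible From domain, and if not, what does the domain's policy say?) is worth seeing end to end, because a misunderstanding of alignment is the usual reason a domain gets stuck at p=none. The following is an added example written for this page, not the article's or any mail server's code. It assumes constructed DMARC records for example.com and example.net in place of real DNS lookups, and a simplified organisational-domain rule (last two labels) where a real receiver uses the Public Suffix List.

```python
# Constructed DMARC records keyed by the domain they are published for, i.e. what a
# TXT lookup of _dmarc.<domain> would return. These are not real published records.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, filling in the RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")       # policy for the domain itself
    tags.setdefault("sp", tags["p"])   # policy for subdomains defaults to p=
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption; use the PSL in practice)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def lookup(from_domain, records=DMARC_RECORDS):
    """Return (tags, applicable policy) or (None, None).
    Receivers query the exact From domain first, then its organisational domain."""
    from_domain = from_domain.lower()
    if from_domain in records:
        tags = parse_dmarc(records[from_domain])
        return tags, tags["p"]
    org = org_domain(from_domain)
    if org in records:
        tags = parse_dmarc(records[org])
        return tags, tags["sp"]   # message came from a subdomain: sp= governs
    return None, None


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, records=DMARC_RECORDS):
    """Return (dmarc_pass, disposition). disposition is 'none', 'quarantine' or 'reject';
    both values are None when the From domain publishes no DMARC record."""
    tags, policy = lookup(from_domain, records)
    if tags is None:
        return None, None
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok   # DMARC passes if either authenticated identifier aligns
    return passed, ("none" if passed else policy)


if __name__ == "__main__":
    cases = [
        ("example.com", "pass", "bounce.example.com", "fail", ""),        # relaxed SPF alignment: pass
        ("example.com", "pass", "attacker.test", "pass", "attacker.test"),  # authenticated, but not aligned
        ("example.com", "fail", "example.com", "pass", "mail.example.com"),  # strict DKIM rejects subdomain
        ("news.example.com", "fail", "x.test", "fail", "x.test"),          # subdomain: sp=quarantine
        ("example.net", "fail", "x.test", "fail", "x.test"),               # p=none: monitor only
    ]
    for case in cases:
        print(case[0], "->", evaluate(*case))
```

The second case is the classic spoof: SPF and DKIM both pass for the attacker's own domain, yet the message is rejected because neither identifier aligns with the visible From. The third case shows why adkim=s needs care: mail signed with d=mail.example.com fails strict alignment against From: example.com, which is exactly the kind of legitimate traffic the p=none monitoring phase exists to find before moving to reject.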
One of the best protections against a Ransomware attack is regular, viable backups. It is not possible to back up everything every second, but it is possible to identify the most critical data and schedule backups accordingly. Store at least one copy offline (or on immutable storage) so that an attacker who reaches the network cannot encrypt or delete it, and keep backup credentials separate from domain administrator accounts. Critical backups should be restored in a test periodically to validate recoverability; an untested backup is only a hope.
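"Validate recoverability" should mean more than confirming the backup job ran: restore the data somewhere and check that every file is present and byte-for-byte what was backed up. The following is an added example written for this page, not the article's or any backup product's code. It records a SHA-256 manifest at backup time and verifies a restored tree against it, reporting intact, missing, altered and unexpected files; the demo builds a constructed source tree and a deliberately damaged restore in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256.
    Store the manifest alongside the offline copy, not only on the live network."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "ok": sorted(k for k in manifest if restored.get(k) == manifest[k]),
        "missing": sorted(k for k in manifest if k not in restored),
        "altered": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed scenario: manifest a small tree, then verify a restore in which one
    file survived, one was overwritten with ciphertext, one was lost, and a ransom note appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        files = {
            "finance/q1.xlsx": b"quarterly figures (constructed sample content)",
            "docs/report.docx": b"annual report (constructed sample content)",
            "hr/list.csv": b"name,role\nexample,analyst\n",
        }
        for rel, data in files.items():
            _write(source / rel, data)
        manifest = build_manifest(source)   # taken at backup time

        _write(restored / "finance/q1.xlsx", files["finance/q1.xlsx"])        # intact
        _write(restored / "docs/report.docx", b"\x8f\x1a\x00\xe3 not the original")  # encrypted in place
        _write(restored / "docs/README_FOR_DECRYPT.txt", b"pay us")             # note dropped by the attacker
        # hr/list.csv is never written: the restore is incomplete
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10} {paths}")
```

A restore test that only checks "the job completed" would have called this restore a success; the manifest comparison shows one of three files is usable. Run the same verification against the offline copy on a schedule, because a backup that was silently overwritten with encrypted data is worthless on the day it is needed.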
One of the most common ways Ransomware gets in is through macros embedded in documents for trusted applications such as the Microsoft Office suite. Current versions of Office can be configured, through the Trust Center or group policy, to disable all macros except those that are digitally signed, and recent versions block macros in files downloaded from the internet by default. These settings should be enforced across the board, allowing only macros from trusted publishers, and the configuration should be checked rather than assumed, since a user can otherwise re-enable macros with one click.
What should an enterprise do if it is attacked? Recovering files encrypted by Ransomware is not a simple task and in many cases is impossible. A modern, rehearsed incident response plan (IRP) is therefore critical to limiting the damage of a Ransomware attack and responding to it effectively.
One component of a modern IRP is a cost-benefit analysis of the time, effort and cost involved in deciding whether to pay a ransom. Modern IRPs should consider the following:
- Data criticality: how important is the data in question, and is it worth recovering?
- Business impact: how long can the business operate without the data before revenue or reputation is negatively affected?
- Feasibility of recovery: are there viable backups of the data, and if so, are they also encrypted?
- Paying the attacker: can the ransom be negotiated down? Do you have cyber insurance, and if so, will the insurer pay part or all of the ransom? Is the attacker likely to provide a working decryption key on payment? Will the criminals launch future attacks against your organisation? Check the legal position first: law enforcement advises against paying, and a payment to a sanctioned group can itself be unlawful.
Incident response procedures should be tested periodically to identify areas that need improvement. This includes giving staff instructions on the immediate actions they should take in the event of an incident (or suspected incident), along with contact details for the IT support team.
Written By: Colm Lennon, Head of Security & Operations