10 Tips To Mitigate Ransomware

By: Ernst Pelser

In 2018, the number of global ransomware attacks reached around two hundred and four million.  It is also considered to be one of the most pressing cybersecurity issues worldwide right now.

Ransomware is a type of malware that encrypts your systems and eventually renders your system unusable.  Once the system has been encrypted, the threat actor will contact the victim to pay a ransom for the release of the files or to give you the key to unencrypt the data.    So, if you think about what would the cost be to a business?  Well, there is obviously the reputational cost and the cost of trying to recover from the situation: staff's time, your business’s time, third parties’ cost, and the cost of downtime.  And the most important cost to consider is the cost to your customers.  

How does a ransomware attack happen?  There are various mechanisms, but some of the common ones are through email campaigns.  A malicious email is sent through to a user, the user follows a link through to a browser that downloads the malicious payload, and that payload will eventually start encrypting your files or attacking some software on your system.  A lot of the systems type of ransomware also run long enough in your system that your backups will keep on backing up encrypted files until you start rotating your tapes.  Now, obviously, when you are trying to recover, you basically just recover encrypted files. The final step in the process is where the victim is notified that the files are encrypted. This normally happens through some alert that pops up on your screen saying that your files have all been encrypted and you must pay a ransom, normally through some electronic form, to a bitcoin to decrypt your files or and recover your files.  The best approach is to take preventative actions. Security protection should always be viewed through multiple lenses. People, process, and technology. A layered approach is always recommended.

Tip #1: First and foremost, it is critical that you do use security awareness training.  Educate your users about the risks of malware, about the risks of ransomware, how it gets delivered, how to spot it through emails, and to be cautious about clicking on certain links.

Tip #2: Ensure staff are comfortable with the security or IT team. Staff are sometimes hesitant to reach out to the security team if they have security concerns about an email or a link they‘ve received. This is where you need an IT and a security team that is known to be collaborative with staff so that people feel free that they can have a conversation.

Things like spam filters stop spam early in the system before they even reach the users.  You are not going to have a hundred percent hit rate, but you can seriously reduce the amount of spam that people receive.  

Tip #3, #4, #5: Employ good security measures on your email system.  Things like SPF, DMARC, and DKIM.  SPF is Sender Policy Framework, DMARC is Domain Message Authentication Reporting and Confirmation, and DKIM is Domain Key Identification to prevent email spoofing.  

Tip #6: Blocking access to malicious websites. This is where a good firewall with IPS Intrusion Prevention Systems comes into play.  A lot of them, most of the advanced ones, have a website filtering system that will dynamically block malicious websites.  There is no way that you can manually configure a firewall to block all malicious websites because these websites can be spun up and spun down within hours, so you need a global system that actually tracks these malicious sites and automatically updates the firewall.  They are not as cost-prohibitive as people tend to think, so it is well worth investing in a decent firewall and IPS solution.

Tip #7: Patch operating systems. Any type of malware normally attacks vulnerable software and patch operating systems is the absolute key.  Set malware and virus applications to scan systems regularly especially for critical systems like your main servers and endpoints as well.  

Tip #8: Follow lease privilege practices especially privileged accounts.  What this means is basically, only give a person access to what they need to do their job.  A lot of smaller organisations allow administrators to use the administrator account for daily non-admin tasks. Admins should use non-admin accounts for normal operations and only use admin accounts when it's absolutely required.  

Tip #9
: Enable application whitelisting.  Application whitelisting is effectively where your systems are configured that you can only install a whitelist certain application.  Things like Word and Excel. There are different ways to attack this but effectively, it limits the type of applications that can be installed.  Even if a user wants to install something which is not necessarily in the best interest of the business, they get blocked.  But it also means that if there is a process trying to install an application, then that gets blocked as well.  

Tip #10: Back up systems regularly, and test backups on a regular basis.  We've really touched on why this is critical but the testing part is where a lot of organizations fall short.

So, what should you do if you get hit by ransomware?  These tips actually come as recommendations from the FBI:  

  • Isolate the system from the rest of the network.  This is a key step because you basically do not want the malware or the encryption to start moving laterally through the organization.  So, immediately disconnect your wireless connection.  
  • If you want to be dead certain, disconnect the power. Shut the system down.  The downside of that is that you could actually be destroying evidence if you are going to go down that path.  
  • Collect your latest backups, test that they are good, test that they do not contain the malware, and then try and restore the system, or at least get the critical part of the business back up and running as soon as possible.  
  • Contact your law enforcement, they will be able to suggest your next best steps especially specific to your region.  
  • Start to change critical passwords like admin and domain passwords.

If you have any questions or need any assistance with any of this, please feel free to reach out to us either via our website or just call Proxima Information Technology Solutions at +61 4062 7176.