Ransomware: Preparing for the Inevitable
The Ransomware Story
In recent years, ransomware has developed enormously. Between 2014 and 2016, CryptoWall ransomware came onto the scene, spreading via emails with ZIP attachments carrying malicious PDF files. The same year also saw the arrival of the Petya ransomware. Petya was used to conduct ransomware-as-a-service campaigns. The WannaCry ransomware made its debut in 2017, infecting about 300,000 businesses in 150 countries within just a few days. In 2018, SamSam took its toll. The trend has continued into 2019 as the ransomware Anatova was released on the 1st of January 2019.
The persistence of ransomware infection is clearly noteworthy. As ransomware develops, so too do the skill and creativity of the attackers. In this post, we’ll briefly look at some ways we can prevent ransomware incidence and recover from ransomware compromise.
Preventing Ransomware Incidence
- A Defense-in-depth Approach
A typical organization’s enterprise network consists of multiple layers, such as external-facing infrastructure, perimeter firewall devices, internal networks and servers, hosts, applications and data.
A defense-in-depth approach will make any potential attack very difficult. By securing each of these layers, we can dissuade potential threat actors from attempting to compromise networks and systems. As the goal of ransomware is to get unrestricted access to data, securing these layers separately would strongly discourage would-be attackers.
- End-user Security Awareness Training
An organization can be well secured with secure firewalls, servers and encrypted tunnels, but if a single user clicks on a dangerous link or downloads a malicious file, it may bypass many of the defenses. For an organization, there is little more dangerous than a “trusted” user accidentally executing a malicious program from within the enterprise network. One way that attackers accomplish this is via social engineering. By fooling end-users into trusting malicious files, programs and links, the attacker can ensure an easy route through an organization’s security.
A proper end-user security awareness training program will go a long way to educate and enrich end-users with the right information and mindset to defend themselves and their organizations against social engineering attacks and phishing campaigns.
- Simulated Attacks
A simulated attack is done to emulate adversarial techniques and follow the same processes malicious persons use to social-engineer end-users. Simulated attacks or penetration tests can be performed to verify the exploitability of identified weaknesses and make recommendations on how to close or patch the vulnerabilities. Simulated attacks can be carried out periodically to verify that the security awareness training is effective. In fact, combining simulated attacks with security awareness training can be highly effective in maintaining a constant state of vigilance.
- Software-based Protection
Antivirus programs are good examples of software-based protection that blocks known malicious programs from running. An even more effective solution can be endpoint security software, which can block both known and unknown programs from running. Endpoint security software can also help in preventing zero-day attacks by not just looking at known malware signatures but by monitoring the behavior of unknown programs and making decisions based on that behavior. Endpoint security solutions are known to combine machine learning algorithms with artificial intelligence, and this makes them superior to traditional antiviruses.
- Vulnerability Assessments
One of the ways hackers gain unauthorized access into systems is by exploiting unpatched vulnerabilities in software. It will be worthwhile to conduct periodic vulnerability assessments to know which weaknesses exist within an organization.
According to Radware’s 2017-2018 global application and network security report, loss of data is the most pressing issue when an organization is hit with ransomware. Regular backup can reduce the impact felt when affected by ransomware. When it comes to the issue of paying a ransom, an organization will probably have more confidence in resisting the urge to pay if it has strong backup systems in place holding recent data.
- Disconnect and isolate the infected computer from the network as soon as possible.
- Determine if there are any other assets (computers, drives, storage devices, cloud data) that are affected and isolate them.
- If possible, determine the ransomware family. There might be information available on the public Internet on how to mitigate that ransomware variant.
- Decrypt files using third-party software (if available).
- Restore computers from backup.
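To make the scoping and family-identification steps above concrete, here is an added example (not from the original post) of a read-only triage pass over a file share: it flags files whose contents look encrypted, lists ransom-note candidates, and reports the most common extension among flagged files, which is a useful search term when looking up the family. The thresholds, keyword list, the ".locked" extension and the sample tree are all assumptions constructed for illustration.

```python
import math, os, tempfile
from collections import Counter

# Assumed values for illustration; tune them for your environment.
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 65536      # read only the head of each file
MIN_BYTES = 1024          # tiny files give unreliable entropy estimates
COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".docx", ".xlsx"}
NOTE_WORDS = ("decrypt", "recover", "restore", "ransom")

def entropy(data: bytes) -> float:  # Shannon entropy in bits per byte
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(root: str) -> dict:
    """Read-only scan: likely-encrypted files, ransom-note candidates, top extension."""
    suspects, notes, exts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in (".txt", ".html", ".hta") and any(w in name.lower() for w in NOTE_WORDS):
                notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if ext not in COMPRESSED and len(head) >= MIN_BYTES and entropy(head) >= ENTROPY_THRESHOLD:
                suspects.append(path)
                exts[ext] += 1
    top = max(exts, key=exts.get, default=None)  # most common extension among suspects
    return {"suspects": sorted(suspects), "notes": sorted(notes), "top_extension": top}

def build_sample_tree() -> str:  # constructed sample data, not real evidence
    root = tempfile.mkdtemp(prefix="triage_demo_")
    samples = {
        "budget.xlsx.locked": bytes(range(256)) * 64,    # uniform bytes stand in for ciphertext
        "photo.jpg": bytes(range(256)) * 64,             # high entropy, but expected for JPEG
        "minutes.txt": b"weekly meeting notes\n" * 200,  # ordinary plaintext
        "HOW_TO_DECRYPT.txt": b"constructed ransom note placeholder\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Treat the output as first-pass scoping only: ransomware that encrypts just part of each file, or that leaves already-compressed formats under their original extension, will not stand out by entropy alone.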
To Pay or Not to Pay?
This is usually a tough question to answer. Naturally, paying hackers any form of compensation is always discouraged. Paying encourages them and confirms that they’re making progress with their campaigns. It also gives them the financial ability to continue in the ransomware business. It is much better to invest in backups and recovery strategies early on, to avoid the question altogether.