In our ever-evolving cyber world, ransomware attacks continue to rise by the day. Companies have been forced to pay millions of dollars just to recover from these attacks. In 2017 alone, ransomware attacks resulted in a total of 5 billion dollars in losses. In the past, SCS has shared different security practices, such as layering, proper backups, disaster recovery, and the importance of an antivirus solution, which all come together to stop ransomware before it even gets the chance to be deployed.
What is Ransomware?
Ransomware is a type of malware specifically designed to look for files and encrypt them. This renders any file encrypted by the malware unusable unless the decryption key is available, which only the bad actor who deployed the ransomware has. The bad actor then demands payment in order for the encrypted files to be decrypted for the victim. This payment is usually demanded in the popular cryptocurrency Bitcoin. Sadly, payment does not guarantee receipt of the decryption key or that all files are recovered.
How does a Ransomware attack work?
A typical ransomware attack starts with entry. This is usually achieved through a spam or phishing email with a malicious attachment, a web download or document containing exploits, or remote file sharing. Once the malware is introduced into a system, the attacker attempts to escalate privileges until they hold administrator rights. This privilege escalation is achieved by exploiting vulnerabilities on the system in order to bypass security software. Once elevated privileges are gained, the attacker attempts to disable the security software on every device in the environment and delete any backups in use. They then look for critical systems in the environment to infect and branch out to other systems. With the security software defenses and backups gone, the attacker spreads the ransomware to all systems, encrypting everything. At this point the attacker leaves a ransom note demanding payment for the files to be decrypted and waits for the victim to contact them.
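The sequence above (security software disabled, backups deleted, then mass encryption) is also what a defender can correlate on. The following is an added example, not code from the SCS write-up; it assumes a constructed, hypothetical log line format ('<ISO time> <host> <event> <detail>') with illustrative event names, and flags a host only when the disable-and-delete stages precede a burst of file renames within a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line: '<ISO time> <host> <event> <detail>'."""
    ts, host, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, detail


def correlate(lines, window=timedelta(hours=1), rename_threshold=20):
    """Map host -> stage timestamps for hosts showing the full sequence.

    A host is flagged only when security software was disabled AND backups were
    deleted BEFORE a burst of file renames, all inside `window`. A rename burst
    on its own (a legitimate bulk rename, for example) does not alert.
    """
    events = defaultdict(list)
    for line in lines:
        ts, host, event, detail = parse_line(line)
        events[host].append((ts, event, detail))
    alerts = {}
    for host, evs in events.items():
        evs.sort()  # chronological order per host
        av = [t for t, e, _ in evs if e == "security_software_disabled"]
        bk = [t for t, e, _ in evs if e == "backup_deleted"]
        ren = [t for t, e, _ in evs if e == "file_renamed_extension"]
        if not (av and bk and len(ren) >= rename_threshold):
            continue
        burst = ren[rename_threshold - 1]  # moment the rename burst hit the threshold
        if av[0] < burst and bk[0] < burst and burst - min(av[0], bk[0]) <= window:
            alerts[host] = {"av_disabled": av[0], "backups_deleted": bk[0], "burst": burst}
    return alerts


def sample_logs():
    """Constructed sample lines in the hypothetical format above; not real telemetry."""
    base = datetime(2024, 1, 15, 2, 0, 0)
    lines = [
        f"{base.isoformat()} fs01 security_software_disabled service=av-agent",
        f"{(base + timedelta(minutes=5)).isoformat()} fs01 backup_deleted target=nightly-set",
    ]
    for i in range(25):
        t = (base + timedelta(minutes=10, seconds=i)).isoformat()
        lines.append(f"{t} fs01 file_renamed_extension path=/share/doc{i}.docx.locked")
        # ws07 renames files too but never disabled anything: benign, must not alert
        lines.append(f"{t} ws07 file_renamed_extension path=/tmp/photo{i}.jpg.bak")
    return lines


if __name__ == "__main__":
    for host, stages in correlate(sample_logs()).items():
        print(host, stages)
```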
How to prevent Ransomware
There are numerous ways to prevent ransomware from infecting your environment. Each of these methods refers back to security through layers, a topic SCS has covered in previous write-ups.
- A robust and centralized antivirus endpoint solution for all devices in the network
- Principle of least privilege, preventing users from obtaining a higher level of access than they need
- Keeping all devices up to date
- Tested and current Incident Response, Business Continuity, and Disaster Recovery plans
- Consistent employee awareness training
- Network segmentation
A robust and centralized antivirus endpoint solution is a key component in the prevention of ransomware. If a malicious file does find its way onto a device, the antivirus will not let the file run and will immediately remove it from the device. Centralizing the antivirus increases overall visibility across devices, which allows security professionals to maintain a strong security posture for the network.
The principle of least privilege ensures that users who do not need elevated access do not receive it. This way, if an account is compromised, the bad actor does not have the ability to perform high-level tasks that could be leveraged to compromise the environment. It also removes the ability for a program run by that user to execute with elevated access.
Keeping all devices up to date ensures there are as few ways as possible for a bad actor to break in. Regular updates reduce the number of exploitable vulnerabilities in an environment, which in turn reduces the overall risk. Without a way in or a way to gain a higher level of privilege, ransomware is nearly impossible to deploy.
While business continuity plans and disaster recovery for file backups do not directly stop ransomware, they are crucial components that mitigate ransomware attacks. Without proper backups you will not be able to recover any encrypted files without paying a hefty ransom if ransomware is successfully deployed in the environment. Regular file backups with a recovery plan allow a compromised environment to be rolled back to a point before the initial infection, thus mitigating the ransomware. These two go hand in hand: without a plan, backups cannot be utilized efficiently, and without backups, a plan cannot be executed successfully.
Employee awareness training is a key factor in the prevention of ransomware. With proper user awareness training, the risk of an end user clicking a malicious link, or downloading a malicious file from an email, is greatly reduced. Your environment is only as strong as your weakest end user, so it is very important to hold periodic end user awareness training.
Last but not least, network segmentation minimizes access. Segmenting, or breaking, the LAN into smaller subnets minimizes the area an attacker can infect. This reduces the opportunity for an infected device to pivot easily to another critical device such as a domain controller. Segmentation forces all traffic between different zones to pass through the firewall instead of devices being able to talk to one another directly.
How can Secure Compliance Solutions help you? Free External IP Vulnerability Scans for up to 5 IPs!
Contact us for more information about the services we offer and how we at SCS can keep your environment secure. To demonstrate our services, we would like to offer a free vulnerability scan for up to 5 external IP addresses!