
Ransomware Prevention 101

Nemanja Joksimovic // Last Updated: 13 July 2021

When it comes to ransomware protection, we can think of two main focuses: prevention and mitigation.

Under prevention, we try to get everything right so that we lessen the possibility of a ransomware attack in the first place.

Under mitigation, we conduct significant advance preparation so that we are resilient when an attack does occur (when, not if) and are able to bounce back.

To prevent a ransomware attack, you want to follow all cybersecurity best practices, and this especially includes each and every one of your employees and integrated business partners who have any connection to your data and networks.

In this article we begin with the basics to which every employee and the company overall should adhere, then work our way up through backups and the intermediate and advanced steps geared towards building further resilience.

Prevention Basics:

You are logged in to your computer as you are every day; however, you see only a lock screen on a device that cannot be booted. A message asking you to pay in Bitcoin or money appears on the screen. You have just been attacked by ransomware, one of the biggest problems for all devices.

What is Ransomware?

Ransomware is a form of malicious software that locks all the functionality of your computer or encrypts the data on it until you pay a ransom for unlocking or decrypting it.

An example of ransomware is Ded Cryptor, which locks all files on your device until a ransom is paid. WannaCry is another of the best-known ransomware families; it encrypts all your files, making them inaccessible, and demands payment in Bitcoin to decrypt them.

This form of cyber attack is one of the biggest threats in the cyber world today, and the number of ransomware victims is increasing rapidly.

 

 

The two most common forms of ransomware are locker and crypto.

LOCKER ransomware locks all the functionality of your computer and forces you to pay a ransom to regain control.

CRYPTO ransomware, on the other hand, encrypts your most important data and threatens that it will be destroyed unless you pay the ransom the attacker is asking for.

 

Ways ransomware can infect your system

The most common way attackers try to infect your computer with ransomware is by sending fake emails (phishing and spear phishing) or leading you to a fake site where you download the malicious software yourself.

Another common way ransomware spreads is through people who want to get software for free using popular cracks: the crack installs the ransomware in the background, so they infect themselves.

Some of the most popular ransomware families are: Locky, WannaCry, Bad Rabbit, Shade/Troldesh, Jigsaw, CryptoLocker, Petya, GoldenEye, GandCrab, B0r0nt0k, Dharma Brr, Fair, MADO, etc.

For all of these ransomware families, decryptors have been made, but new ransomware appears every day!

 

 

YOU ARE NOT HELPLESS AGAINST IT!

Although it seems daunting, there are measures you can take to prevent these types of attacks.

BASIC Level Preventions

1. Educate Yourself

The most important thing is to educate yourself and your employees to create awareness of this threat and the possible consequences for the business.

Have the IT security department in your company regularly informed about the latest emerging threats. The vast majority of threats can be prevented if they find out about them in time and apply the patch the vendor makes available.

Some of the sites where you can find out about the latest threats are:

Phishing is the most common way of delivering ransomware, so it is important to educate your employees about the possible consequences.

Sending simulated phishing emails to employees on a regular basis has proven to be a best practice. In this way, you can see which employees need additional training.

To simulate these attacks, you can use, for example, the free usecure service, or hire a company to conduct testing and training:
https://www.usecure.io/en/free-employee-phishing-test

Educate employees on how to choose secure passwords; explain to them why they should not use personal names, surnames and number sequences such as "123" in their passwords.
In addition, you can make the use of a password manager regular practice, to store important passwords and generate new ones. Some of the best-known password managers are KeePass and Teampass, and one of our top choices is Bitwarden.

If you are not sure what you need to educate your employees about, it is best to hire a cybersecurity company that deals with awareness training to do it for you.


2. Backup Data

One of the most important items in protecting against ransomware attacks is to back up your data regularly. That way, even if your data is encrypted, you still have a copy in reserve.

What should you back up?


Things that are hard to be replicated and should be backed up are: 

  • Websites (HTML, CMS)
  • Raw emails from an Email server
  • Media files (images, videos, audio)
  • Custom data (config files, back-end files, custom scripts...)

When you determine what you need to back up, you need to determine what type of backups you are going to do:

  • File-system backup: This type is good for backing up config files, emails, custom scripts, etc. It is also known as a snapshot backup, because it makes an identical copy of the system at that point in time.
  • Database dump: This type is best for backing up SQL databases, because it produces readable files that can later be imported into the SQL server.


Now we come to the part about where and when to back up.

When?

  • Things that are critical and change daily, such as mail servers or online store orders, should be backed up once a day.
  • Back-end servers or servers used for development should be backed up every time a deployment is run.
  • Everything else should be backed up at least once a month.

Where?
There are three locations where backups can be done:

  • On the same server where production is.
  • On different servers from production.
  • External locations, whether company-owned and/or third party.

From a security standpoint, best practice is to have a server used only for backups, so that if your production server is compromised you still have a safe backup on a separate server.

Rsync is used for file-system backups. It is very efficient because it transfers only changed files, which speeds up the process a lot. The backup location is easy to set up, and both manual and automatic backups are possible.

Manual Rsync backup:

  1. First install Rsync on the backup server:
    # sudo apt-get install rsync
  2. Run the command below to pull the files you want to back up. <user> is a user with rights to read the files being backed up, <server IP> is the IP of the server that is being backed up, </absolute path folder to backup/> is the path to the files to back up and </absolute path to local storage/> is the local folder where the backup is stored:
    # rsync -ahvz <user>@<server IP>:</absolute path folder to backup/> </absolute path to local storage/>
  3. Enter the password for the chosen user.

Automatic Rsync backup:

  1. First install Rsync on the backup server:
    # sudo apt-get install rsync
  2. Generate an SSH key on the backup server for password-less access to the production server:
    # ssh-keygen
  3. Copy the public key from the backup server to production with the following command. <user> is a user with rights to access and write on the production server, <server IP> is the production server IP:
    # scp ~/.ssh/id_rsa.pub <user>@<server IP>:~/.ssh/uploaded_key.pub
  4. Authorize the key for logging into the production server (same <user> and <server IP>):
    # ssh <user>@<server IP> 'cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys'
  5. Create the folder on the backup server where the files from the production server will be stored:
    # mkdir -p ~/backups/server_1
  6. Create the backup command (here is an example that you can modify; same <user> and <server IP>). --link-dest=~/backups/server_1 tells rsync to hard-link files that are unchanged compared with that directory instead of copying them again, so keep it pointing at your most recent snapshot:
    # rsync -ahvz --delete --link-dest=~/backups/server_1 <user>@<server IP>:~/public ~/backups/public_$(date -I)
  7. Now we just need to add this command to cron and schedule it for the time you want:
    # crontab -e
  8. Add this line to the crontab (here every day at 03:00). Note that there is no leading "#", which would turn the line into a comment, and $HOME is used instead of ~ because cron runs commands with /bin/sh, which does not expand ~ inside --link-dest=:
    0 3 * * * rsync -ahvz --delete --link-dest=$HOME/backups/server_1 <user>@<server IP>:~/public $HOME/backups/public_$(date -I)

Now this backup command will run at the time you scheduled and automatically back up all the data you wanted.

To restore a backup you just need to copy the files from the backup server back to the production server.

FULL documentation for Rsync can be found on https://linux.die.net/man/1/rsync
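As an added example (my own script, not from the article), here is the automatic backup above generalized into dated rsync snapshots: each run hard-links files unchanged since the previous snapshot with --link-dest, repoints a "latest" symlink and prunes old snapshots. SOURCE can be a local directory or user@host:/path/ as in the article; the function names and the "latest" symlink convention are my own.

```bash
#!/bin/sh
# Added example, not from the article: the article's rsync step generalized
# into dated snapshots. Each run writes <root>/public_<date>, hard-links files
# unchanged since the previous snapshot via --link-dest (so a snapshot costs
# only the changed bytes), repoints <root>/latest and can prune old ones.
# SOURCE is a local path or user@host:/path/ as in the article. Run it on the
# backup server (pull), so production holds no credentials for the backup store.
set -eu

# snapshot_backup SOURCE ROOT [DATE]: make one snapshot and print its path.
# DATE defaults to today (date -I); it is a parameter so runs can be replayed.
snapshot_backup() {
    src=$1
    root=$2
    day=${3:-$(date -I)}
    dest="$root/public_$day"
    mkdir -p "$root"
    if [ -d "$root/latest" ]; then
        # --link-dest wants an absolute path; resolve the "latest" symlink.
        prev=$(cd "$root/latest" && pwd -P)
        rsync -a --delete --link-dest="$prev" "$src" "$dest"
    else
        rsync -a --delete "$src" "$dest"   # first run: full copy
    fi
    # Repoint "latest" with a relative target so ROOT can be moved as a whole.
    ln -sfn "public_$day" "$root/latest"
    echo "$dest"
}

# count_links FILE: hard-link count; 2 means the file is shared with the
# previous snapshot (unchanged), 1 means it was re-copied (changed or new).
count_links() {
    stat -c %h "$1"
}

# prune_snapshots ROOT KEEP: delete all but the KEEP newest snapshots.
# Dated names sort chronologically, so the oldest come first.
prune_snapshots() {
    root=$1
    keep=$2
    total=$(ls -1d "$root"/public_* | wc -l)
    [ "$total" -gt "$keep" ] || return 0
    ls -1d "$root"/public_* | sort | head -n "$((total - keep))" | while read -r old; do
        rm -rf "$old"
    done
}

# Usage: snapshot.sh SOURCE ROOT [KEEP], e.g. from cron on the backup server:
#   0 3 * * * /usr/local/bin/snapshot.sh <user>@<server IP>:~/public/ $HOME/backups 30
if [ "$#" -ge 2 ]; then
    snapshot_backup "$1" "$2"
    prune_snapshots "$2" "${3:-30}"
fi
```

Because old snapshots are plain directories on the backup server, a ransomware infection on production that encrypts today's files cannot touch yesterday's copy.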

For Windows, you can also use free backup software from EaseUS that works well for small companies:
https://www.easeus.com/backup-software/tb-free.html?x-clickref=1101lh3Ycrd8

3. Use Anti-Virus

Update your antivirus regularly and use it to scan your workstation for problems that need to be corrected.

If you do not use a premium or paid anti-virus such as Sophos, you can use free solutions from popular vendors:

https://www.bitdefender.com/solutions/free.html

https://www.kaspersky.com/free-antivirus

4. Think Twice

Before you click on any link from an email or access an unknown site, THINK TWICE. This way you prevent yourself from falling for attackers' scams.

 

5. Use a Pop-up Blocking Add-on

Install a pop-up blocking add-on in your browser. Pop-ups are one of the most common ways to accidentally install unwanted software.

In the browser you use, go to the add-on store, find Adblock Plus (ABP) and install it. This add-on will block spam pop-ups.

 

6. Use Strong Passwords

Always use strong passwords; this prevents an attacker from breaking your password with a brute-force attack and gaining access to your account.

To ensure that each password is strong and different, without resorting to writing them on paper, the best solution is a password manager. With one you can also generate new passwords whenever you need them and be sure they will not be broken by a brute-force attack.

Here are a couple of free password managers:

7. Download from Trusted Sites

Always download the software you want to use only from official or verified sites, not from third parties, whose copies are often infected with malicious files.

 

8. DO NOT Disclose Personal Info

If you receive a suspicious message, email or call, do not reply or share personal information. To make an attack as successful as possible, attackers first collect as much information about you as they can, in order to deceive you more convincingly later.

 

9. Test Users

In addition to regular education, regular testing of employees is also very important. In this way, you can check the awareness of each employee and determine who needs additional training.

Regular testing is difficult for companies, and setting up the system is not easy for everyone, so there are providers that offer to send phishing email campaigns to your employees for free.

You can use, for example, https://www.knowbe4.com/phishing to test your employees, or hire an external company to do it for you with the email design or login pages you want.

 

#### Medium Level Ransomware Prevention ####

1. Restrict Administrative Rights

Neither you nor your employees should use an account with administrator rights for everyday computer use, as limiting these rights limits the damage that can occur.


To restrict administrative rights in Windows you simply need to remove end-user accounts from the Admin group:

  1. On Domain Controller you simply need to right-click on the group you want to restrict and then on "Create a GPO in this domain and Link it here..."
  2. Give a name for your new Group Policy
  3. Right-click on created Group Policy and then Edit
  4. Now you need to go and edit the setting under "Computer Configuration >> Preferences >> Control Panel Settings >> Local Users and Groups"
  5. When open right-click and select "New >> Local Group"
  6. Set the setting as follows:

These settings delete all users from the Administrators group and add only the ones you specify.

  • Now just need to update GPO and all changes will take effect. In CMD or PowerShell type:
    # gpupdate /force

For Linux, you just need to create an "admin" group, give sudo rights only to the users in that group and allow only them to use su:

  1. Create the admin group:
    # sudo groupadd admin
  2. Add the admin user to the group:
    # sudo usermod -a -G admin <admin user>
  3. Restrict su to the admin group (the override makes /bin/su owned by root:admin with mode 4750, so only group members can execute it):
    # sudo dpkg-statoverride --update --add root admin 4750 /bin/su

Now only users in the admin group can run the su command. Note that sudo rights come from /etc/sudoers: on Ubuntu the default file already grants them to the admin group (%admin ALL=(ALL) ALL) and to the sudo group, so make sure ordinary users are members of neither.

2. Email Filter

Create your own filters for incoming email to avoid spam, phishing and other malicious emails. If you have the opportunity, use the filters on the mail gateway your company uses.

Depending on which vendor's email gateway you use, you have different options for filtering incoming emails. Each vendor has detailed instructions on setting up the filters and a description of how each of them improves security.

Here is some documentation for the most used email gateways:

If you use Google Gmail, here are the steps to create filters:

1. In the upper right corner, click the gear (Settings) icon and then "See all settings".

2. Then select "Filters and Blocked Addresses".

3. You will see "Create a new filter". Click on it and a new window will appear.

4. Now you can, for example, put "*@microsoftRS.co.me" in "From" or type "Important" in "Has the words". This will filter all messages coming from the domain microsoftRS.co.me or any message that contains "Important".

5. After you set the parameters you want, click "Create filter" and select an action to take. For example, you can move the message to a folder or delete it immediately.


3. Regularly Patch Systems

Regularly installing system and software patches reduces the vulnerability of your systems to known attacks.

Patching a system can be complicated, and a few steps need to be performed before you start:

  1. Create a checklist of what you want to patch (OS, software...)
  2. Specify the time at which you will perform the update and patching (usually the best time is a weekend morning)
  3. Download the patches the day before the scheduled time

When you have completed the list above you can start patching the system. NEVER forget to make a backup before patching and to check that everything is OK afterwards.

Here is an example of how to automatically update an Ubuntu server.

1. Install the "unattended-upgrades" package on the server:
# sudo apt install unattended-upgrades

2. After installing, enable and start the service:
# sudo systemctl enable unattended-upgrades
# sudo systemctl start unattended-upgrades

3. Now, to define what you want to update, edit the configuration file:
# sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Example of the configuration file:

4. To enable automatic upgrades, create a new auto-upgrade file (if it does not already exist):
# sudo touch /etc/apt/apt.conf.d/20auto-upgrades

5. Edit the automatic upgrade file with a text editor:
# sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Example of the automatic upgrade file:

For "Update-Package-Lists" and "Unattended-Upgrade", the value 1 enables the automatic action and 0 disables it.
AutocleanInterval automatically cleans the package cache every "X" days.

6. To test the configuration, simply run:
# sudo unattended-upgrades --dry-run --debug

FULL documentation can be found here: https://wiki.debian.org/UnattendedUpgrades
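As an added example (my own, not the article's files or the unattended-upgrades project's defaults), this provisioning snippet writes the two files edited above under a configurable prefix so they can be reviewed before touching /etc/apt, and checks the two settings that matter most: the periodic run is enabled and only -security origins are allowed. The function names are assumptions; the keys are the standard unattended-upgrades and APT::Periodic ones.

```bash
#!/bin/sh
# Added example, not from the article or the unattended-upgrades project:
# writes 50unattended-upgrades and 20auto-upgrades below PREFIX/etc/apt/apt.conf.d
# (empty PREFIX = the real /etc) and checks the settings a defender cares about.
# Function names are my own; the keys are standard unattended-upgrades ones.
set -eu

# write_auto_upgrade_conf [PREFIX]: write both files and print their directory.
write_auto_upgrade_conf() {
    prefix=${1:-}
    dir="$prefix/etc/apt/apt.conf.d"
    mkdir -p "$dir"
    # Only the distribution's security pockets are allowed, so the unattended
    # run cannot pull in untested feature updates or third-party repositories.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
// Packages that must never be upgraded unattended (e.g. a database server).
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Kernel and libc updates need a reboot; keep it manual, in the patch window.
Unattended-Upgrade::Automatic-Reboot "false";
// Mail the report to root so a failed or held-back upgrade is noticed.
Unattended-Upgrade::Mail "root";
EOF
    # 20auto-upgrades: "1" enables, "0" disables; AutocleanInterval is in days.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
    echo "$dir"
}

# check_auto_upgrade_conf DIR: succeed only if the periodic run is enabled
# and every Allowed-Origins entry is a -security pocket.
check_auto_upgrade_conf() {
    dir=$1
    grep -q '^APT::Periodic::Update-Package-Lists "1";' "$dir/20auto-upgrades" || return 1
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$dir/20auto-upgrades" || return 1
    # Print the quoted entries inside the Allowed-Origins block; any entry
    # that does not end in -security is a finding, so the check fails.
    ! sed -n '/Allowed-Origins {/,/};/p' "$dir/50unattended-upgrades" \
        | grep '"' | grep -v -- '-security";' >/dev/null
}
```

Running write_auto_upgrade_conf with an empty prefix as root writes the real files; the article's `sudo unattended-upgrades --dry-run --debug` then shows which packages this policy would touch.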

You can also use some patch management systems from trusted vendors like:

 

4. Look for File Extensions

Set up your computer to show file extensions so you can make sure the file you open is the one you wanted. It is not uncommon for attackers to make malware look like a regular PDF file when it is in fact an executable.

In Windows, it is simple to set extensions to be shown. In File Explorer, click "View" and then check "File name extensions".

 

 

5. Disable AutoPlay

Turn off the AutoPlay Windows component used to automatically start CDs, USB drives, etc.

In Windows, press the Windows key or click the Windows icon in the taskbar. In the search box type "AutoPlay Settings" and open the app shown. There you can turn AutoPlay off or set the proper action for every device type you want.

 

#### ADVANCED ANTI-RANSOMWARE PROTECTION ####

1. Network Segmentation

Network segmentation is the practice of creating subnets within a corporate network. It allows you to contain malware and other threats, and can also improve network performance.

Important resources and data need to be identified to properly segment the network.

For example, servers should sit in a separate VLAN from users, and DR (Disaster Recovery) systems separate from everything else, so that they always stay safe and protected from all threats. Create a separate DMZ (Demilitarized Zone) for services that need to be accessed from the Internet, and a dedicated zone for databases.

Segmentation can be further enhanced with an internal firewall that controls, for example, who may access the database and on which ports. In this way we prevent an attacker who compromises a user's computer from reaching our important data.

Network segmentation can be a complicated process, especially if the firm is only now moving to it. It is best to hire network experts to do the segmentation if you do not have the experience and staff to do it yourself.

2. Application Whitelisting

Application whitelisting is one of the most effective ways to protect the corporate network from malware, including ransomware. It is a security approach that, when well implemented, determines which applications, software and scripts can be run on the user's computer or on the server itself.

Many vendors have integrated this feature into their antivirus solutions; Sophos' antivirus agent, for example, gives system administrators complete control over which programs the average user can run. For example, employees in sales do not need to run Python scripts, so blocking them drastically reduces the chance of being hit by malware written in Python.

For successful implementation, it is necessary to analyze the jobs of all employees in detail and then determine which departments need which programs, software, etc.

3. Create a Disaster Recovery (DR) Plan

Disaster recovery is a plan that contains the policies, procedures and tools the company will apply in the event of an incident, allowing it to return to productive mode as soon as possible.

As even the slightest unavailability of a website or a system can cost a company tens of thousands of dollars in just one hour, it is necessary to have backup systems that enable basic functioning until the problem is solved.

Therefore, it is best to have copies of production systems that can replace the entire system or at least the most important part of the business. Disaster Recovery Sites are practically complete or partial backups of the company's most critical systems.

There are three types of Disaster Recovery Sites:

- HOT Site:

Hot sites are identical copies of production systems. The biggest advantage of a hot site is that it is synchronized with production and works in parallel with it. If the production system is under attack and cannot function, the hot site can replace it within a few minutes, so downtime to business operations is minimal. However, the price is not small, and hot sites are used only for the most important systems.

- WARM Site:

A warm site is something between a cold and a hot site. The main difference is that a hot site is an identical copy of the production system, while a warm site contains only servers with the necessary packages installed, WITHOUT a database. To bring the system up from the warm site, additional settings and connections have to be made and the database restored. Warm sites are used for systems that are not critical to operation: it takes much more time to make them productive, but the cost of maintaining them is therefore much lower.

- COLD Site:

A cold site is roughly just cooling, power supply and spare hardware capacity that can be used to help if the system is overloaded or has certain problems. It takes a lot of time and effort to bring such a site up, but its price is the lowest.

 

4. Zero Trust Model

Zero Trust is a security concept built on the idea that the organization does not automatically trust anything inside or outside its perimeter; instead, everyone must be verified before gaining any access. In traditional IT infrastructure it is difficult for anyone outside to gain access, but everyone who is already inside the network is trusted by default, while under Zero Trust no one is trusted and everyone has to be verified.

This model is considered the best when it comes to IT security; however, it is very difficult to implement in any organization. We will cover this topic in more depth in the future.

 

What to do if you become a victim of ransomware?

1. Detect Infected Devices and Isolate Them

As soon as you identify any infected devices, immediately unplug them from the network cable, disable the Wi-Fi adapter and turn them off.

Ransomware spreads through the network, which is why it is very important that infected devices are isolated from the rest of the infrastructure as soon as they are found. Temporarily turn off all your shared folders until you determine whether they are infected or not.

2. Find the Source of Infection

After successfully isolating all infected devices, you need to determine the source from which the ransomware originated. Start by examining all devices that do not have the latest version of the OS or that have vulnerable applications. Talk to employees to find out whether someone received a suspicious email or accidentally clicked on a malicious link, and who saw the first signs of ransomware.

3. Alert All of Your Employees

Notify all employees of the threat. Send email notifications asking them to pay attention to any strange behaviour. Also, if you are able, visit each employee and personally brief them on the existing threat.

4. Restore from Backup

Once you have contained the damage and notified all employees, the best way to recover all data quickly and avoid paying the ransom is to restore all data and systems from your backup.

If you have regular backups, it will not be difficult to return the system to the state it was in before the attack. You never know whether, after you pay the ransom and unlock the data, the attacker will re-encrypt your data and demand payment again; if you restore the system to its pre-attack state, you make sure that you are completely free of the malware.

5. NEVER Pay the Ransom

Although it sounds like the easiest solution, do not pay the ransom, because no one can guarantee that the attacker will unlock your data. According to research, only 20% of those who paid got their data unlocked. Also, you can never be sure that the malware is no longer in your system and that the attacker will not restart it at some point to ask for more money.

You're lucky if this works:

In addition to your anti-virus program, you can also use some of the well-known free tools for removing ransomware and decrypting files:

 


Microsoft
https://www.microsoft.com/en-us/download/details.aspx?id=54264

Kaspersky
https://noransom.kaspersky.com/

AVG
https://www.avg.com/en-gb/ransomware-decryption-tools#apocalypse

TrendMicro
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx

Avast
https://www.avast.com/ransomware-decryption-tools

McAfee
https://www.mcafee.com/enterprise/en-us/downloads/free-tools/interceptor.html

Conclusion:

We hope you are successful in your preventions and preparations to fight ransomware. If you need assistance, you can contact SEIRIM for our ransomware prevention and protection services to help keep you secure.

ABOUT THE AUTHOR

Nemanja Joksimovic

Nemanja is a highly certified and experienced penetration tester and all-around cybersecurity analyst practitioner from Serbia. He applies very professional and thorough methods that help keep SEIRIM's clients safe. 
