When it comes to ransomware protection we can think of two main focuses: prevention and mitigation.
Under prevention, we're trying to get everything right so we can lessen the possibility of a ransomware attack in the first place.
Under mitigation we are doing significant advance preparation so that we are resilient when an attack does occur (when, not if) and are able to bounce back.
To prevent a ransomware attack from occurring, you want to be following all cybersecurity best practices - and this especially includes each and every one of your employees and integrated business partners who have any connection to your data and networks.
In this article we begin with the basics that every employee and the company overall should be adhering to, then work our way up through backups and the intermediate and advanced steps geared towards building further resilience.
You are logged in to your computer as you are every day; however, you see only a lock screen and a device that cannot be booted. A message asking you to pay in Bitcoin or money appears on the screen. You have just been attacked by ransomware, the biggest problem for all devices.
Ransomware is a form of malicious software, or virus, which locks all the functionality of your computer or encrypts all the data on it until you pay a ransom for unlocking or decrypting it.
An example of ransomware is "Ded Cryptor", which locks all files on your device until a ransom is paid. WannaCry is another of the most widespread ransomware families; it encrypts all your files, making them inaccessible, and demands payment of some bitcoins to decrypt them.
This form of cyber attack is one of the biggest threats in the cyber world today. The number of ransomware victims is increasing rapidly.
The most common forms of ransomware are locker and crypto.
LOCKER ransomware locks all the functionality of your computer and forces you to pay a ransom to regain control.
CRYPTO ransomware, on the other hand, encrypts all your most important data and threatens that the files and folders will be destroyed unless you pay the ransom the attacker is asking for.
The most common way hackers try to infect your computer with ransomware is by sending fake emails (spear phishing) or leading you to a fake site where you download the malicious software yourself.
Another common way ransomware spreads is through people who want to get software for free: popular cracks install the ransomware in the background, and the users thus deceive themselves.
Some of the most popular ransomware are: Locky, WannaCry, Bad Rabbit, Shade/Troldesh, Jigsaw, CryptoLocker, Petya, GoldenEye, GandCrab, B0r0nt0k, Dharma Brr, Fair, MADO, etc.
For all of these ransomware families decryptors have been made, but new ransomware appears every day!
YOU ARE NOT HELPLESS AGAINST IT!
Although it seems daunting, there are measures you can take to prevent these types of attacks.
The most important thing is to educate yourself and your employees to create awareness of this threat and the possible consequences for the business.
Keep the IT security department in your company regularly informed about the latest emerging threats. The vast majority of threats can be prevented if they find out about them in time and apply the patch that the vendor makes available.
Some of the sites where you can find out about the latest threats are:
Phishing is the most common way of delivering ransomware, so it is important to educate your employees about the possible consequences.
Sending simulated phishing emails to employees on a regular basis has proven to be a best practice. In this way you can see which employees need additional training.
To simulate these attacks, you can use, for example, the free Unsecured service or hire a company to conduct the testing and training.
Educate employees on how to choose secure passwords, and explain to them why they should not use personal names, surnames, or number sequences such as "123" in their passwords.
In addition, you can make the use of a password manager regular practice, to store important passwords and generate new ones. Some of the best-known password manager software is KeePass and Teampass, and one of our top choices is Bitwarden.
If you are not sure what you need to educate your employees about, it is best to hire a cybersecurity company that deals with awareness training to do it for you.
One of the most important items in preventing ransomware attacks is to back up your data regularly. That way, even if your data is encrypted, you will have it in reserve.
What should you back up?
Things that are hard to replicate and should be backed up are:
When you have determined what you need to back up, you need to determine what type of backups you are going to do:
Now we come to the part where we talk about where and when to back up.
There are three locations where backups can be done:
From the security standpoint, the best practice is to have a server only for backups, so that if your production server is compromised you still have a safe backup on a separate server.
Rsync is used for file-system backup. It is very efficient because it backs up only changed files, which speeds up the process a lot. The location you want to back up to is easily set up, and both manual and automatic backups are possible.
Manual Rsync backup:
Automatic Rsync backup:
Now this backup command will trigger every time you set it to run and automatically back up all the data you wanted.
To restore a backup you just need to copy the files from the backup server to the production one.
FULL documentation for Rsync can be found on https://linux.die.net/man/1/rsync
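The following is an added example, not the article's own commands: run on the dedicated backup server described above, it pulls production data into dated rsync snapshots, so that an encrypted production tree lands only in the newest snapshot and the older, still clean copies survive. It assumes rsync is installed and that SRC is either a local path or a hypothetical SSH source such as "backup@prod-host:/var/www".

```bash
# Added example (not from the article): dated rsync snapshots with --link-dest.
# Unchanged files are hard-linked to the previous snapshot, so each snapshot
# is a complete tree at the cost of only the changed files. A continuously
# mirrored backup would faithfully copy ransomware-encrypted files over the
# only copy; dated snapshots plus retention avoid that.
set -eu

# snapshot SRC BACKUP_ROOT [STAMP]: create a new snapshot and print its path.
snapshot() {
    local src="$1" root="$2" stamp="${3:-$(date +%Y-%m-%dT%H%M%S)}" link_opt=""
    mkdir -p "$root"
    root="$(cd "$root" && pwd)"             # --link-dest needs an absolute path
    if [ -d "$root/latest" ]; then
        link_opt="--link-dest=$root/latest" # hard-link files unchanged since then
    fi
    mkdir -p "$root/$stamp"
    rsync -a --delete ${link_opt:+"$link_opt"} "$src/" "$root/$stamp/"
    ln -sfn "$stamp" "$root/latest"         # 'latest' always names the newest
    echo "$root/$stamp"
}

# prune BACKUP_ROOT KEEP: delete all but the KEEP newest snapshots, so clean
# copies survive for as long as an infection might go unnoticed.
prune() {
    local root="$1" keep="$2"
    find "$root" -mindepth 1 -maxdepth 1 -type d -name '[0-9]*' \
        | sort -r | tail -n "+$((keep + 1))" | xargs -r rm -rf --
}

# restore SNAPSHOT TARGET: copy a known-clean snapshot back over production
# (the article's restore step, with --delete to drop files the attacker added).
restore() {
    rsync -a --delete "$1/" "$2/"
}

# Typical cron job on the backup server (daily at 02:00, keep 30 snapshots):
#   0 2 * * * snapshot backup@prod-host:/var/www /srv/backups/www && prune /srv/backups/www 30
```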
For Windows, you can also use free software from EaseUS that is very good for small companies.
Update your antivirus regularly and use it to scan your workstation for problems that need to be corrected.
If you do not use a premium or paid antivirus such as Sophos, you can use one of the free solutions from popular vendors.
Before you click on any link from an email or access an unknown site, THINK TWICE. This way you prevent yourself from falling for hacker scams.
Install an ad-blocking add-on in your browser. Pop-ups are one of the most common ways to accidentally install unwanted software.
In the browser you use, go to the add-on store, find Adblock Plus (ABP) and install it. This add-on will block all spam pop-ups.
Always use strong passwords; this will prevent the hacker from breaking your password with a brute-force attack and gaining access to your account.
To ensure that each password is safe and different, without having to write them down on paper, the best solution is to use a password manager. With one you can also generate new passwords when you need them and be sure that they will not be broken by a brute-force attack.
Here are a couple of free password managers:
Always download the software you want to use only from official or verified sites, not from third parties, whose copies are often infected with malicious files.
If you receive a suspicious message, email or call, do not reply or share personal information. To carry out an attack as successfully as possible, hackers first collect as much information about you as they can, in order to deceive you more convincingly later.
In addition to regular education, regular testing of employees is also very important. In this way, you can check the awareness of each employee as well as determine who needs additional training.
Regular testing is difficult for companies, and setting up the system is not easy for everyone, so there are some providers that offer to send phishing email campaigns to your employees for free.
You can use, for example, https://www.knowbe4.com/phishing to test your employees, or hire an external company to do that for you, with the email design or login pages tailored to your wishes.
Neither you nor your employees should use an account with administrator rights for regular computer use, as this limits the damage that can occur to you.
To restrict administrative rights in Windows you simply need to remove end-user accounts from the Admin group:
These settings will remove all users from the Administrators group and add only the ones you specify.
For Linux users, you just need to create an "admin" group and give sudo rights only to the users in that group:
Now only users in the admin group can run the su command.
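As an added example for the "admin group" step (not the article's own commands), the shell functions below write the sudoers drop-in that grants sudo only to %admin, list who currently holds membership in groups that convey administrative rights, and fail if anyone not on your allow-list does. File paths default to the live system files but accept test copies; the drop-in name 10-admin-group is a hypothetical choice.

```bash
# Added example (not from the article): least-privilege admin group for sudo.
set -eu

# write_admin_sudoers [FILE]: only members of group "admin" may use sudo.
write_admin_sudoers() {
    local file="${1:-/etc/sudoers.d/10-admin-group}"   # hypothetical name
    printf '%s\n' '%admin ALL=(ALL:ALL) ALL' > "$file"
    chmod 0440 "$file"                      # the mode sudo expects for sudoers files
}

# privileged_members [GROUP_FILE]: print "group:user" for every member of a
# group that conveys admin rights, read from an /etc/group-format file.
privileged_members() {
    local group_file="${1:-/etc/group}"
    awk -F: '$1 == "sudo" || $1 == "wheel" || $1 == "admin" || $1 == "root" {
        n = split($4, users, ",")
        for (i = 1; i <= n; i++) if (users[i] != "") print $1 ":" users[i]
    }' "$group_file"
}

# check_admins GROUP_FILE ALLOWED...: return 0 only if every privileged member
# is on the allow-list; run it after removing end-user accounts from the groups.
check_admins() {
    local group_file="$1" line user a ok bad=0
    shift
    for line in $(privileged_members "$group_file"); do
        user="${line#*:}"; ok=0
        for a in "$@"; do [ "$a" = "$user" ] && ok=1; done
        if [ "$ok" -ne 1 ]; then echo "unexpected admin: $line" >&2; bad=1; fi
    done
    return "$bad"
}

# On a real host (as root), the article's step becomes:
#   groupadd admin && usermod -aG admin alice && write_admin_sudoers
#   visudo -cf /etc/sudoers.d/10-admin-group   # syntax check before relying on it
#   gpasswd -d bob sudo                        # drop end users from the old group
#   check_admins /etc/group alice
```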
Create your own filters for incoming email to successfully avoid spam, phishing and other malicious emails. If you have the opportunity, use the filters on the mail gateway your company uses.
Depending on which vendor's email gateway you use, you have different options for filtering incoming email. Each vendor has detailed instructions on setting up the filters and a description of how each of them improves security.
Here is some documentation for the most used email gateways:
If you use Google Gmail here are tips to create filters:
1. In the upper right corner, click on the gear icon and then on "See all settings".
2. Then select "Filters and Blocked Addresses"
3. You will see "Create a new filter". Click on it and a new window will appear.
4. Now you can, for example, set "From" to "*@microsoftRS.co.me" or in "Has the words" type 'Important'. This will filter all messages coming from the domain "microsoftRS.co.me" or any message that has "Important" in it.
5. After you set the parameters you want, click "Create filter" and select an action to take. For example, you can send it to some folder, or delete it immediately.
Regularly installing system and software patches reduces the vulnerability of your system to known attacks.
Patching the system is very complicated and there are a few steps that need to be performed before you start patching:
When you complete the list above you can start patching the system. NEVER forget to make a backup before patching and to check that everything is OK after patching.
Here is an example of how to automatically update the Ubuntu server.
1. Install "unattended-upgrades" on the server
# sudo apt install unattended-upgrades
2. After installing, you need to enable and start the service.
# sudo systemctl enable unattended-upgrades
# sudo systemctl start unattended-upgrades
3. Now, to define what you want to update, you need to edit the config file
# nano /etc/apt/apt.conf.d/50unattended-upgrades
Example of the configuration file:
4. To enable automatic upgrades you need to create a new auto-upgrade file.
# touch /etc/apt/apt.conf.d/20auto-upgrades
5. Edit the automatic upgrade file with a text editor
# nano /etc/apt/apt.conf.d/20auto-upgrades
Example of the automatic upgrade file:
For "Update-Package-Lists" and "Unattended-Upgrade", the value 1 enables the automatic update and 0 disables it.
AutocleanInterval automatically cleans up downloaded packages every "X" days.
6. To test the configuration simply run
# sudo unattended-upgrades --dry-run --debug
FULL documentation can be found here: https://wiki.debian.org/UnattendedUpgrades
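As an added example (not the article's own files), the functions below write the two apt configuration files that steps 3 to 5 edit, restricted to the security pocket with no unattended reboots, and then verify the settings before you rely on them. DIR defaults to /etc/apt/apt.conf.d; pass a test directory to try it without root.

```bash
# Added example (not from the article): unattended-upgrades config + check.
set -eu

# write_unattended_config [DIR]: security-only origins, no automatic reboot,
# daily list refresh and upgrade, autoclean every 7 days.
write_unattended_config() {
    local dir="${1:-/etc/apt/apt.conf.d}"
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
    # 1 enables, 0 disables; AutocleanInterval is in days (article, steps 4-5)
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# apt_periodic_value DIR KEY: print the numeric value of one APT::Periodic key.
apt_periodic_value() {
    local dir="$1" key="$2"
    sed -n "s/^APT::Periodic::$key \"\([0-9]*\)\";.*/\1/p" "$dir/20auto-upgrades"
}

# check_unattended_config [DIR]: return 0 only when list refresh and
# unattended upgrades are both enabled and a security origin is allowed.
check_unattended_config() {
    local dir="${1:-/etc/apt/apt.conf.d}" bad=0
    [ "$(apt_periodic_value "$dir" Update-Package-Lists)" = "1" ] \
        || { echo "package list refresh disabled" >&2; bad=1; }
    [ "$(apt_periodic_value "$dir" Unattended-Upgrade)" = "1" ] \
        || { echo "unattended upgrades disabled" >&2; bad=1; }
    grep -q -- '-security";' "$dir/50unattended-upgrades" \
        || { echo "no security origin allowed" >&2; bad=1; }
    return "$bad"
}
```

After writing to the live directory, run the dry-run command from step 6 to see which packages would actually be installed.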
You can also use some patch management systems from trusted vendors like:
Set up your computer to show file extensions to make sure the file you open is the one you wanted. It is not uncommon for hackers to make a virus look like a regular PDF file when in fact it is an executable.
In Windows it is simple to make extensions visible: in File Explorer click on "View" and then check "File name extensions".
Turn off the AutoPlay Windows component, which is used to automatically start CDs, USB drives, etc.
In Windows, press the Windows key or click the Windows icon in the taskbar. In search, type "AutoPlay Settings" and open the app shown. There you can turn AutoPlay off or set the proper action for every type of device.
Network segmentation is the idea of creating subnets within a corporate network. Network segmentation allows you to curb malicious viruses and threats as well as further increase network performance.
Important resources and data need to be identified to properly segment the network.
The best example is to put servers in a dedicated VLAN separate from users, and DR (Disaster Recovery) separate from everything, so that it is always safe and protected from all threats. Separately, create a DMZ (Demilitarized Zone) for the services that need to be accessed from the Internet, and especially a zone for databases.
Segmentation can be further enhanced by setting up an internal firewall that controls, for example, what may access the database and on which ports. In this way we prevent the attacker from compromising our important data if he compromises a user's computer.
Network segmentation can be a complicated process, especially if the firm is only now moving to it. It is best to hire network experts to do the segmentation if you do not have the experience and staff to do so.
Application whitelisting is one of the most effective ways to protect the corporate network from various viruses and even ransomware. It is a security approach that, when well implemented, determines which applications, software and scripts can be run and executed on the user's computer or the server itself.
Many vendors have integrated this feature into their antivirus solutions, such as Sophos' antivirus agent, giving system administrators complete control over which programs the average user can use and run. For example, employees in the sales department do not need to run any Python scripts, and blocking them drastically reduces the chance of being hit by a malicious program written in Python.
For successful implementation, it is necessary to analyze in detail the jobs of all employees and then determine which departments need which programs, software, etc.
Disaster recovery is a plan that contains policies, procedures, and tools that the company will implement in the event of an incident, which allows the company to return to productive mode as soon as possible.
As even the slightest unavailability of a website or a system can cost a company tens of thousands of dollars in just one hour, it is necessary to have backup systems that will enable basic functioning until the problem is solved.
Therefore, it is best to have copies of production systems that can replace the entire system or at least the most important part of the business. Disaster Recovery Sites are practically complete or partial backups of the company's most critical systems.
- HOT Site:
Hot sites are identical copies of production systems. The biggest advantage of the hot site is that it is synchronized with production and works in parallel with it. If production is under attack and cannot function, the hot site can replace it within a few minutes. In this way, downtime to business operations is reduced to a minimum. However, the price is not small, and such a system is used only for the most important systems.
- WARM Site:
The warm site is something between cold and hot sites. The main difference is that a hot site is an identical copy of the production system while a warm site contains only servers with the necessary packages installed WITHOUT a database. To bring the system up from the warm site, additional settings and connections must be made and the database restored. Warm sites are used for systems that are not critical to operations; it takes much more time to make them productive, and the cost of maintaining them is therefore much lower.
- COLD Site:
The cold site is roughly just a cooling system, power supply and additional memory that can be used to help in case the system is overloaded or has certain problems. It takes a lot of time and effort to bring such a site up, but its price is the lowest.
Zero Trust is a security concept based on the idea that the organization does not automatically trust anything inside or outside its perimeter; instead, everyone must be verified before gaining any access. In traditional IT infrastructure it is difficult for anyone outside to get access, but everyone already inside is trusted by default, while under Zero Trust no one is trusted and everyone has to be verified.
This model is considered the best when it comes to IT security; however, it is very difficult to implement in any organization. We will talk more about this topic in a future article.
As soon as you identify any infected devices, immediately unplug them from the network cable, disable the Wi-Fi adapter, and turn them off.
Ransomware spreads through the network, and that is why it is very important that infected devices are isolated from the rest of the infrastructure as soon as they are found. Temporarily turn off all your shared folders until you determine whether they are infected or not.
After successfully isolating all infected devices, you need to determine the source from which the ransomware originated. Start by checking all devices that do not have the latest OS version or that have vulnerable applications. Talk to employees to find out whether someone received a suspicious email or accidentally clicked a malicious link, and who had the first signs of ransomware.
Notify all employees of the threat. Send email notifications asking them to pay attention to any strange behaviour. Also, if you are able, visit each employee and personally acquaint them with the existing threat.
Once you have successfully contained the damage and notified all employees, the best way to recover all data in a short period and avoid paying the ransom is to restore all data and the system from your backup.
If you have a regular backup, it will not be difficult to return the system to the state it was in before the attack. You never know whether, after you pay the ransom and unlock the data, the attacker will re-encrypt your data to make you pay again; if you restore the system to the state before the attack, you make sure that you are completely free of the virus.
Although it sounds like the easiest solution, don't pay the ransom, because no one can guarantee that the attacker will unlock your data. According to research conducted, only 20% of paid ransoms result in the data being unlocked. Also, you can never be sure that the virus is no longer in your system and that the attacker will not restart it at some point to ask for more money.
As an alternative, if you have an antivirus program, you can also use some of the well-known free tools to remove ransomware viruses.
We hope you are successful in your prevention and preparations to fight ransomware. If you need assistance, you can contact SEIRIM for our ransomware prevention and protection services to help keep you secure.
A thorough cybersecurity defense mindset and preparation are required to mitigate the threat.
Unfortunately, when all an attacker has to do is find one mistake, one gap in your defenses, cybersecurity takes getting everything right.
"An ounce of prevention is worth a pound of cure." - Especially in cybersecurity.