Ransomware is a hot topic right now. An increasing number of US hospitals have been in the press recently for falling victim to ransomware attacks that rendered their data unusable and seriously impacted day-to-day operations. In one case, the CEO of the Hollywood Presbyterian Medical Center said, “the quickest and most efficient way to restore our systems was to pay the ransom” (to the tune of $17,000 in bitcoins).

Ransomware, commonly spread through e-mail or web sites, is a piece of malicious code that encrypts as much data as it can using a very strong encryption key (e.g. 2048-bit RSA). It then asks for a ransom to be paid to decrypt the data.

In this post we look at 10 different techniques (in no particular order) that help protect your organization against a ransomware attack.

1. Backup your data regularly

Regular backups of your data will allow you to regain access to encrypted files in the quickest possible time. To avoid the backups being infected too, the backup sets should be kept in a secure offline location (or cloud-based solution) and set to read-only. Periodic integrity checks on the backed up data should be carried out to make sure your backups are intact.

Note: It should go without saying, but a backup plan without a tried and tested restore process means nothing. What good is a backup set if it cannot be restored?
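The integrity check described above, as an added example that is not part of the original post: one function writes a SHA-256 manifest of a backup set, the other re-hashes the set against that manifest and reports files that are missing, modified, or newly appeared (a backup that has itself been encrypted shows up as a wall of MODIFIED and UNEXPECTED entries). The paths in the usage comment are assumptions; keep the manifest outside the backup folder it describes.

```powershell
# Added example, not code from the original post.
# Build and verify a SHA-256 manifest for a backup set.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).ProviderPath.TrimEnd('\')
    # Record the relative path, size and SHA-256 of every file in the set.
    $entries = @(Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length + 1)
            Length = $_.Length
            Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    })
    $entries | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    return $entries.Count
}

function Test-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $BackupRoot).ProviderPath.TrimEnd('\')
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $problems = @()

    foreach ($entry in $expected) {
        $full = Join-Path $root $entry.Path
        if (-not (Test-Path -LiteralPath $full)) {
            $problems += "MISSING    $($entry.Path)"
            continue
        }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {
            $problems += "MODIFIED   $($entry.Path)"
        }
    }

    # Files that were not in the manifest are also suspicious: ransom notes
    # and encrypted copies with a new extension appear as new files.
    $known = @($expected | ForEach-Object { $_.Path })
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        $relative = $_.FullName.Substring($root.Length + 1)
        if ($known -notcontains $relative) {
            $problems += "UNEXPECTED $relative"
        }
    }
    return $problems    # empty array means the backup set is intact
}

# Usage (assumed paths):
# New-BackupManifest  -BackupRoot 'E:\Backups\2016-03' -ManifestPath 'E:\Manifests\2016-03.csv'
# Test-BackupManifest -BackupRoot 'E:\Backups\2016-03' -ManifestPath 'E:\Manifests\2016-03.csv'
```

Run the verification from a machine that mounts the backup location read-only, and schedule it, so a quietly corrupted or encrypted backup is noticed before the day you need to restore from it.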

2. Scan and block e-mail attachments using an e-mail security solution

Using an e-mail security solution which scans e-mail attachments or blocks certain e-mail attachment file types before they hit the user’s mailbox is a great way to safeguard users from falling victim to ransomware.

To add to this, an antivirus with features like ‘real-time protection’ or ‘on-access scanning’ will monitor for suspicious activity in the background and take action immediately if a user clicks on a malicious file.

3. Block executables from launching from certain user profile folders

Using Windows Software Restriction Policies or intrusion prevention software on the endpoint, do not allow executable files to run from the following locations. These folders, and their sub-folders, are known to be used by ransomware to host malicious processes.

  • %userprofile%\AppData
  • %appdata%
  • %localappdata%
  • %ProgramData%
  • %Temp%

The rules should be configured to “block all, allow some” so that the default behaviour is to block all executables unless you whitelist certain applications.

Tip: The Ransomware Prevention Kit by ThirdTier contains a bunch of group policies, information and other resources you can use to help mitigate the risk of ransomware and implement the above rules.
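Before switching Software Restriction Policies to “block all, allow some”, it helps to know what already runs from those folders on your estate. The script below is an added example, not part of the original post or of the ThirdTier kit: it lists every running process whose image lives under the five locations above, which doubles as a quick detection check on a machine you suspect and as a source for the whitelist (per-user installs such as OneDrive or Chrome commonly live under %localappdata%).

```powershell
# Added example, not code from the original post.
# List running processes whose executable sits under the user-writable
# folders that the Software Restriction Policy rules are meant to cover.

function Get-ProcessFromUserWritablePath {
    # Resolve the same environment variables the policy rules refer to.
    $watched = @(
        (Join-Path $env:USERPROFILE 'AppData'),   # %userprofile%\AppData
        $env:APPDATA,                              # %appdata%
        $env:LOCALAPPDATA,                         # %localappdata%
        $env:ProgramData,                          # %ProgramData%
        $env:TEMP                                  # %Temp%
    ) | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
        Select-Object -Unique

    # Path is empty for protected system processes; skip those.
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        $image = $_.Path.ToLowerInvariant()
        $hit   = $watched | Where-Object { $image.StartsWith($_ + '\') } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Id        = $_.Id
                Name      = $_.ProcessName
                Path      = $_.Path
                MatchedOn = $hit
            }
        }
    }
}

Get-ProcessFromUserWritablePath | Format-Table -AutoSize
```

Run it under the user's own session (the environment variables are per-user) on a sample of workstations; anything that appears legitimately becomes an explicit allow rule, and anything unexplained is a lead for the incident response team.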

4. Patch regularly and consistently

One of the most common infection vectors that malware exploits is a software vulnerability. By keeping your operating systems, browsers, productivity suites (e.g. Microsoft Office), firewalls, network devices, etc. patched, you are helping to reduce the risk of being caught out.

5. Monitor and block suspicious outbound traffic

An Intrusion Detection and Prevention System (IDPS) can monitor for suspicious outbound traffic and alert you or take action (e.g. kill the connection or reconfigure the firewall). Use this information, together with that from threat intelligence sharing groups, to fine-tune your security infrastructure and make it harder for ransomware to communicate into or out of your network (i.e. stop it from reaching its command and control (C&C) centre).

6. Adopt the concept of least privilege

If a piece of ransomware was to execute under an admin security context, this could allow it to cause more damage and spread further afield (e.g. give it the capacity to encrypt data on network drives, shares and removable media).

By adopting the concept of least privilege, whereby users log in with only the minimum privileges necessary to do their job, you are limiting the potential impact and reducing the risk of the malware spreading. Some malware does try to escalate its privilege level, but in most cases it relies on the security context it was executed under.

With least privilege, the idea is that if a user wants to execute a command or install/uninstall an application under an admin context, they explicitly need to enter a set of credentials that elevates them to that higher level of privilege only for the time needed to carry out the operation.

7. Disable “Hide extensions for known file types”

One of the ways ransomware tries to hide its true identity is by masquerading as an innocent file format. For example, a file pretending to be a PDF document might be called “Invoice.pdf.exe”. If the “Hide extensions for known file types” option is enabled, the file will appear as “Invoice.pdf”. By disabling this option, you are making it easier to spot suspicious files on disk.
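As an added example (not from the original post), the script below does two things for the current user: it sets the Explorer value behind “Hide extensions for known file types” so extensions are always shown, and it hunts a folder for double-extension files such as “Invoice.pdf.exe”, which is the pattern the setting is meant to expose. The registry key is the well-known per-user Explorer setting; the folder to scan and the lists of decoy and executable extensions are assumptions to adapt to your environment.

```powershell
# Added example, not code from the original post.

function Disable-HideFileExt {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # HideFileExt = 1 hides extensions (the Windows default); 0 shows them.
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value at start-up, so the user needs to sign out
    # (or Explorer must be restarted) before the change is visible.
    return (Get-ItemProperty -Path $key -Name HideFileExt).HideFileExt
}

function Find-DoubleExtensionFile {
    param([Parameter(Mandatory)] [string] $Path)
    # Outer extensions that Windows will actually execute (assumed list).
    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd',
                    '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta')
    # Inner, document-looking extensions used as the decoy (assumed list).
    $decoy = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt',
               '.jpg', '.png', '.zip')

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $outer = $_.Extension.ToLowerInvariant()
            # BaseName of "Invoice.pdf.exe" is "Invoice.pdf", so its
            # extension is the decoy part.
            $inner = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
            ($executable -contains $outer) -and ($decoy -contains $inner)
        } |
        Select-Object FullName, Length, LastWriteTime
}

Disable-HideFileExt
# Assumed scan location: the user's Downloads folder, where e-mail and
# browser saves usually land.
Find-DoubleExtensionFile -Path "$env:USERPROFILE\Downloads"
```

For a whole domain, push the same HideFileExt value through Group Policy Preferences instead of setting it per machine; the file hunt is cheap enough to schedule against user profile folders and feed the hits to the help desk.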

8. Enhance Microsoft Office applications security settings

A recent ransomware variant called ‘Locky’ uses a malicious macro to download and initiate its payload. Limit the chance of this happening by using group policy to force the disabling of macros or setting the “Disable all macros except digitally signed macros” option. Similarly, set ActiveX and External Content settings to “Prompt” or “Disabled” (depending on the business requirements of your organization).
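The macro setting above maps to a per-user policy value that the Office group policy templates write. The script below is an added example, not part of the original post: it enforces “Disable all macros except digitally signed macros” for Word, Excel and PowerPoint and reports the resulting state. The Office version number (16.0 = Office 2016) and the choice of applications are assumptions; the `blockcontentexecutionfrominternet` value only exists from Office 2016 and is harmless on older versions. In production, deploy the same values via GPO rather than per machine.

```powershell
# Added example, not code from the original post.
# Enforce and report the Office VBA macro policy for the current user.

function Set-OfficeMacroPolicy {
    param(
        [string]   $OfficeVersion = '16.0',                        # assumed: Office 2016
        [string[]] $Applications  = @('Word', 'Excel', 'PowerPoint') # assumed set
    )
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $desired = 3
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $desired -Type DWord
        # Office 2016+: additionally block macros in files carrying the
        # Mark-of-the-Web (downloaded from the Internet or saved from e-mail).
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    param(
        [string]   $OfficeVersion = '16.0',
        [string[]] $Applications  = @('Word', 'Excel', 'PowerPoint')
    )
    $meaning = @{
        1 = 'Enable all macros (unsafe)'
        2 = 'Disable all macros with notification'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all macros without notification'
    }
    foreach ($app in $Applications) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $value
            Meaning     = if ($value) { $meaning[[int]$value] } else { 'Not set (user choice applies)' }
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because the value sits under the Policies hive, users cannot undo it from the Trust Center, which is the point: a “disable with notification” prompt is exactly what Locky-style documents talk the user into clicking through.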

9. Educate your users

Users are your last line of defence in the battle against ransomware. Ransomware wouldn’t be successful if it were not for unsuspecting users downloading and executing a piece of malware (e.g. opening an e-mail attachment, clicking on a malicious link, etc.).

Educating users on what is good practice and how to spot threats will reduce the chance of them falling victim to a social engineering attack. Some things to emphasise would be:

  • Do not open e-mail attachments from senders you do not know
  • Do not click on links in e-mails from senders you do not know
  • Check for misspelled domains in e-mails (e.g. rnicrosoft.com instead of microsoft.com)
  • Check for bad spelling and incorrect formatting in the e-mail subject and/or body
  • Report any suspicious files or e-mails to the IT Help Desk or Information Security team

10. Scan all Internet downloads

Use a Web Monitoring and Scanning solution to scan all Internet downloads. This will prevent users from accessing known malicious sites and allow you to scan or block certain file types. With such a solution in place, even if a phishing e-mail gets through and a user clicks on a malicious link, a web monitoring and scanning solution like GFI WebMonitor can block access to that malicious site or file download.

TL;DR?

It sounds like a bit of a cliché but a multi-layered approach to ransomware prevention is going to give you the best chance of avoiding infection. If we had to break it down and provide a brief summary of a prevention methodology to get you started, the recommendation would be:

  1. Begin by ensuring you have a solid backup and recovery plan in place. This will ensure that even if you do get infected, you have a recent copy of the non-encrypted data to fall back on.
  2. Limit your exposure to ransomware by reinforcing the two most common attack vectors – e-mail and Internet downloads (a solution like GFI MailEssentials and GFI WebMonitor can help you achieve this).
  3. Implement settings and policies across the board that will increase visibility into ransomware within your network, allowing you to detect suspicious files or activity and decrease the chances of a piece of malware successfully executing on one of your machines.
  4. Finally, and arguably the most important, educate your users on how to spot anything suspicious and what steps to take if they do.