Dealing with the aftermath of a ransomware attack is like playing Russian roulette. Paying the ransom might seem like the sole option for recovering locked data, but paying doesn’t mean that your organization will get its affected data back.
Let’s not forget that ransomware also continues to evolve as a threat category. Beginning in late November 2019, crypto-malware gangs like Maze and DoppelPaymer began stealing the data of non-compliant victims prior to activating their encryption routines and subsequently publishing this information on dedicated data leak sites. These malicious actors resorted to this technique as a way to bypass data backups and to compel organizations to pay—sometimes twice—so that they’d avoid the costs associated with suffering a data breach.
This is precisely why detecting a ransomware attack that’s in progress is not enough. You need to focus on preventing a ransomware infection in the first place. You can do so by following the security measures listed below.
- Inventory your assets.
In order to protect yourself against a ransomware infection, you first need to know what hardware and software assets are connected to the network. Active discovery can help, but it will not uncover assets deployed by personnel from other departments. Acknowledging this shortcoming, you should embrace passive discovery as a means of building a comprehensive asset inventory as well as keeping that list of connected hardware and software up to date.
- Personalize your anti-spam settings the right way.
Most ransomware variants are known to spread via eye-catching emails that contain malicious attachments. Some of these attachments might be Word documents or other file formats that are commonly used in your organization. But some might arrive in a format that’s rarely if ever used. Consequently, you can configure your mail server to block those attachments. (File extensions like .EXE, .VBS or .SCR are some common examples.)
- Refrain from opening attachments that look suspicious.
This doesn’t just apply to messages sent by unfamiliar people. It also pertains to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency or a banking institution.
- Avoid giving out personal information.
Malicious actors need to get your information from somewhere if they hope to send you a phishing email that secretly harbors ransomware as its payload. Sure, they might get that information from a data breach that’s been published on the dark web. But they could just get it using OSINT techniques by rifling through your social media posts or public profiles for key pieces of information. With that said, it’s important to not overshare online and to generally avoid giving out identifying pieces of personal information unless it’s absolutely necessary.
- Think twice before clicking.
It’s possible to receive dangerous hyperlinks via social networks or instant messengers. More often than not, digital criminals compromise someone’s account and then send out bad links to their entire contact list. That explains why the sender of a bad link could be someone you trust such as a friend, colleague or family member. Don’t click on a suspicious link regardless of who it comes from. If you’re unsure whether the contact intended to send you the link, use an alternate means of communication to reach out to them and verify.
- Educate your users.
The best practices discussed above highlight the need to educate your users about some of the most common types of phishing attacks that are in circulation. To do this, you should invest in cultivating your security culture via ongoing security awareness training of your entire workforce. This program should use phishing simulations to specifically test employees’ familiarity with phishing tactics.
- Use the Show File Extensions feature.
Show File Extensions is a native Windows functionality that allows you to easily tell what types of files are being opened so that you can keep clear of potentially harmful files. This is useful when fraudsters attempt a confusing technique where one file looks like it has two or more extensions, e.g., cute-dog.avi.exe or table.xlsx.scr. Pay attention to tricks of this sort.
- Patch and keep your software up to date.
In the absence of a patch, malicious actors can exploit a vulnerability in your operating system, browser, antivirus tool or other software program with the help of an exploit kit. These threats contain exploit code for known vulnerabilities that enable them to drop ransomware and other malicious payloads. As such, you need to make sure that your vulnerability management covers all of your connected software assets so that your security professionals can prioritize their remediation and mitigation efforts accordingly.
- Instantly disable the web if you spot a suspicious process on your computer.
This technique is particularly effective in the early stage of an attack. Most ransomware samples need to establish a connection with their command and control (C&C) servers in order to complete their encryption routine. Without access to the Internet, the ransomware will sit idle on an infected device. Such a scenario gives you the ability to remove the malicious program from an infected computer without needing to decrypt any data.
- Only download from sites you trust.
Trust plays an important role in preventing a ransomware infection. Just as you should try to stop any untrusted processes from running on your computer, you should also only authorize downloads from locations you trust. Those include websites that use “HTTPS” in the address bar as well as official app marketplaces for your mobile device(s).
- Add applications to Allowed Lists.
Speaking of trust, it’s important to not install applications that could introduce risk into your environment. You should add applications to an allowed list as a means of approving which programs your systems can execute, as per your organization’s security policies.
- Keep the Windows Firewall turned on and properly configured at all times.
The Windows Firewall can help protect your PCs against instances of unauthorized access such as a ransomware actor attempting to infect your machines. You can learn more about the Windows Firewall on Microsoft’s website.
- Use the principle of least privilege.
Firewalls help to review your North-South traffic in an effort to prevent malicious actors from infiltrating the network. These solutions are less effective at scanning East-West traffic for signs of lateral movement, however. As such, you should consider implementing the principle of least privilege by reviewing the levels of control and the instances of write access that you’re doling out. This will deter ransomware actors from using a compromised account to move through your network.
- Adjust your security software to scan compressed or archived files.
Many ransomware actors think they can get by your email filters by hiding their payloads within attachments containing compressed or archived files. You therefore need tools that are capable of scanning those types of files for malware.
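The three attachment rules above (block extensions your organization never exchanges, distrust a risky extension hidden behind a familiar one such as cute-dog.avi.exe, and look inside archives rather than trusting the outer .zip name) can be exercised locally with the following PowerShell triage helper. This is an added example, not code from the original article; the extension lists are assumptions for a hypothetical organization, and the sample archive is constructed on the fly in the temp directory.

```powershell
# Added example (not from the original article): applies the attachment rules
# above to a file on disk. Extension lists are assumptions for a hypothetical org.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Formats never legitimately sent to this organization by email (assumption).
$BlockedExtensions = @('.exe', '.vbs', '.scr', '.js', '.jse', '.wsf', '.hta', '.bat', '.cmd', '.ps1')
# Formats the organization does use; a blocked extension hidden behind one of these is a decoy.
$DecoyExtensions   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.avi', '.txt')

function Get-ExtensionChain {
    # 'cute-dog.avi.exe' -> @('.avi', '.exe'), lower-cased; 'README' -> @()
    param([string]$Name)
    $parts = $Name -split '\.'
    if ($parts.Count -lt 2) { return @() }
    return @($parts[1..($parts.Count - 1)] | ForEach-Object { '.' + $_.ToLowerInvariant() })
}

function Test-AttachmentName {
    # Verdict for one file name; Container names the archive it came from, if any.
    param([string]$Name, [string]$Container = '')
    $chain   = @(Get-ExtensionChain $Name)
    $reasons = @()
    if ($chain.Count -ge 1 -and $BlockedExtensions -contains $chain[-1]) {
        $reasons += "extension $($chain[-1]) is blocked"
    }
    if ($chain.Count -ge 2 -and $DecoyExtensions -contains $chain[-2] -and $BlockedExtensions -contains $chain[-1]) {
        $reasons += "double extension $($chain[-2])$($chain[-1]) disguises an executable"
    }
    [pscustomobject]@{
        Name      = $Name
        Container = $Container
        Block     = ($reasons.Count -gt 0)
        Reasons   = ($reasons -join '; ')
    }
}

function Test-Attachment {
    # Verdicts for a file on disk; a .zip is opened and every entry is judged on its own name.
    param([string]$Path)
    $name     = [System.IO.Path]::GetFileName($Path)
    $verdicts = @(Test-AttachmentName -Name $name)
    if ($name.ToLowerInvariant().EndsWith('.zip')) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                if ($entry.Name) {   # directory entries have an empty Name
                    $verdicts += Test-AttachmentName -Name $entry.Name -Container $name
                }
            }
        } finally { $zip.Dispose() }
    }
    return $verdicts
}

# Constructed sample: a throwaway archive that hides a screensaver executable
# behind a PDF-looking name, next to a genuinely harmless-looking entry.
$sampleZip = Join-Path ([System.IO.Path]::GetTempPath()) 'invoice-sample.zip'
if (Test-Path $sampleZip) { Remove-Item $sampleZip }
$archive = [System.IO.Compression.ZipFile]::Open($sampleZip, 'Create')
try {
    foreach ($entryName in @('invoice.pdf', 'invoice.pdf.scr')) {
        $stream = $archive.CreateEntry($entryName).Open()
        $stream.Write([byte[]](0x4D, 0x5A), 0, 2)   # placeholder bytes, not a real binary
        $stream.Dispose()
    }
} finally { $archive.Dispose() }

Test-Attachment -Path $sampleZip | Format-Table -AutoSize
Remove-Item $sampleZip
```

The archive itself passes (its own extension is .zip), the `invoice.pdf` entry passes, and the `invoice.pdf.scr` entry is blocked for both a blocked extension and a decoy double extension. The same policy belongs on the mail gateway as well: Exchange Online transport rules created with `New-TransportRule` can match on attachment extension (`-AttachmentExtensionMatchesWords`) and on executable content regardless of name (`-AttachmentHasExecutableContent`), so the local helper is a way to reason about and test the list, not a replacement for filtering before delivery.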
- Use strong spam filters and authenticate users.
Aside from having the ability to scan compressed or archived files, you need strong spam filters that are capable of preventing phishing emails from reaching users in general. You should also use technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to prevent malicious actors from using email spoofing techniques.
- Disable Windows Script Host.
Some malicious actors use .VBS files (VBScript) to run ransomware on an infected computer. You should disable Windows Script Host to block malware from using this file type.
- Disable Windows PowerShell.
PowerShell is a task automation framework that’s native to Windows computers. It consists of a command-line shell and a scripting language. Nefarious individuals commonly use PowerShell to execute ransomware from memory, helping to evade detection by traditional anti-virus solutions. You should therefore consider disabling PowerShell on workstations if you have no legitimate use for the framework.
- Enhance the security of your Microsoft Office apps.
Nefarious individuals have a penchant for using weaponized Microsoft Office files to distribute their malicious payloads. These files commonly use macros and ActiveX in particular. Acknowledging this fact, you should disable macros and ActiveX to keep malicious code from being executed on your Windows PCs.
- Install a browser add-on to block pop-ups.
Pop-ups serve as a common entry point for malicious actors to launch ransomware attacks. You should therefore look into installing browser add-ons to stop pop-ups in their tracks.
- Use strong passwords.
In the presence of a weak password, malicious actors could brute force their way into a system or account. They could then leverage that access to conduct secondary attacks or move laterally throughout the network for the purpose of deploying ransomware. That’s why you should use and enforce strong, unique passwords for all accounts.
- Deactivate AutoPlay.
AutoPlay is a Windows feature that allows users to instantly run digital media like USB drives, memory sticks and CDs. Malicious actors could use these types of devices to sneak ransomware onto your computer. In response, you should disable this feature on all workstations.
- Don’t use unfamiliar media.
It’s one thing for malicious actors to compromise an organization’s supply chain and send out trojanized media devices. It’s another thing to willingly plug an unfamiliar device into your computer. You never know what could be hiding on a USB drive or CD that’s not yours. You should therefore avoid using these types of media unless you’ve purchased them from a reputable provider.
- Make sure you disable file sharing.
You don’t want to give attackers any way to infect multiple machines in your environment. That’s why you should disable file sharing. In the event of a ransomware attack, the crypto-malware will stay isolated on your machine and won’t spread to other assets.
- Disable remote services.
The Remote Desktop Protocol can be leveraged by black hat hackers to expand the attack surface and gain a foothold into your network. To curb this threat, you should disable remote services. Doing so will help to close one vector for remote attacks.
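Several of the workstation settings recommended above (Show File Extensions, the Windows Firewall, Windows Script Host, the PowerShell 2.0 engine, Office macros and ActiveX, AutoPlay, file sharing and Remote Desktop) are single registry values or firewall toggles, so they are best kept honest with an audit that reports drift before anything is changed. The script below is an added example, not code from the original article: it checks each setting against a baseline and, via `Set-RansomwareHardening`, applies it. The registry paths are the documented ones for these features; the Office version (16.0), the English firewall group names and the chosen baseline values are assumptions.

```powershell
# Added example (not from the original article): audit-and-apply baseline for
# the workstation settings recommended above. Office 16.0 and the English
# firewall display-group names are assumptions.
#Requires -RunAsAdministrator

$RegistrySettings = @(
    @{ Check = 'Explorer shows file extensions';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';        Value = 0 },
    @{ Check = 'Windows Script Host disabled';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings';            Name = 'Enabled';            Value = 0 },
    @{ Check = 'AutoPlay off for all drive types';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 255 },
    @{ Check = 'Remote Desktop connections denied'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';           Name = 'fDenyTSConnections'; Value = 1 },
    @{ Check = 'Office ActiveX controls disabled';  Path = 'HKCU:\Software\Microsoft\Office\Common\Security';                  Name = 'DisableAllActiveX';  Value = 1 }
)
# VBAWarnings = 4 means "disable all macros without notification" (assumes Office 16.0).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $RegistrySettings += @{ Check = "$app macros disabled"; Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"; Name = 'VBAWarnings'; Value = 4 }
}

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    return (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
}

function Test-RansomwareHardening {
    # Returns one object per check; Compliant = $false marks drift from the baseline.
    $results = @(foreach ($s in $RegistrySettings) {
        $actual = Get-RegistryValue -Path $s.Path -Name $s.Name
        [pscustomobject]@{ Check = $s.Check; Expected = $s.Value; Actual = $actual; Compliant = ($actual -eq $s.Value) }
    })
    $off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
    $results += [pscustomobject]@{ Check = 'Firewall enabled on every profile'; Expected = 0; Actual = $off.Count; Compliant = ($off.Count -eq 0) }
    foreach ($group in 'File and Printer Sharing', 'Remote Desktop') {
        $enabled = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue | Where-Object { "$($_.Enabled)" -eq 'True' })
        $results += [pscustomobject]@{ Check = "No '$group' rules enabled"; Expected = 0; Actual = $enabled.Count; Compliant = ($enabled.Count -eq 0) }
    }
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $results += [pscustomobject]@{ Check = 'PowerShell 2.0 engine removed'; Expected = 'Disabled'; Actual = "$($v2.State)"; Compliant = ("$($v2.State)" -eq 'Disabled') }
    return $results
}

function Set-RansomwareHardening {
    # Applies the baseline. Run Test-RansomwareHardening first and review the drift.
    foreach ($s in $RegistrySettings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False -ErrorAction SilentlyContinue
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False -ErrorAction SilentlyContinue
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

Test-RansomwareHardening | Format-Table -AutoSize
```

The HKCU entries only affect the user running the script, so for fleet-wide enforcement deliver the same values through Group Policy and keep the audit function as the drift check. Disabling the File and Printer Sharing and Remote Desktop rule groups is the firewall-side half of the two tips above; file servers and jump hosts that legitimately need SMB or RDP should be excluded from the baseline rather than having the rules re-enabled by hand.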
- Switch off unused wireless connections, such as Bluetooth or infrared ports.
There are cases when malicious actors exploit Bluetooth in order to compromise a machine. You should address this threat vector by turning off Bluetooth, infrared ports and other wireless connections that might not be used in the organization.
- Use Software Restriction Policies.
Per Microsoft’s documentation, Software Restriction Policies are trust policies that enable organizations to manage the process of running applications on their computers. For instance, they allow you to designate where apps are and aren’t allowed to execute. This helps prevent a ransomware infection, as attackers commonly use ProgramData, AppData, Temp and Windows\SysWow to host their malicious processes.
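The following script writes local Software Restriction Policy path rules that disallow executables launching from the user-writable directories named above while leaving the default security level unrestricted, and lists the resulting rules for review. It is an added example, not code from the original article or from Microsoft; the registry layout it writes is the one the Local Security Policy snap-in uses for SRP (an assumption you should confirm by opening secpol.msc afterwards), and the deny list and log path are assumptions for a hypothetical organization.

```powershell
# Added example (not from the original article): local SRP path rules that
# disallow execution from user-writable staging directories. Registry layout
# mirrors what the Local Security Policy snap-in writes (assumption).
#Requires -RunAsAdministrator

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted"
$LogFile      = 'C:\ProgramData\SRP\srp-decisions.log'   # assumption; review decisions here before widening the rules

# Locations to deny (assumption). Windows\SysWOW64 is deliberately left out: 32-bit
# system binaries live there, so a blanket deny rule would break them.
$DenyPaths = @(
    '%USERPROFILE%\AppData\Local\Temp\*',
    '%APPDATA%\*',
    '%LOCALAPPDATA%\*',
    '%ProgramData%\*'
)

function Set-SrpPathRule {
    # One path rule = one GUID-named subkey under CodeIdentifiers\<level>\Paths.
    param([string]$ItemPath, [int]$Level, [string]$Description)
    $key = Join-Path $SaferRoot "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $ItemPath    -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $key
}

function Initialize-SrpPolicy {
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name 'DefaultLevel'       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name 'TransparentEnabled' -Value 1 -Type DWord   # all software except libraries (DLLs)
    Set-ItemProperty -Path $SaferRoot -Name 'PolicyScope'        -Value 0 -Type DWord   # all users, administrators included
    New-Item -Path (Split-Path $LogFile) -ItemType Directory -Force | Out-Null
    Set-ItemProperty -Path $SaferRoot -Name 'LogFileName'        -Value $LogFile -Type String
}

function Get-SrpPathRule {
    # Lists the current path rules so the result can be reviewed before logging off.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = $(if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' })
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

Initialize-SrpPolicy
foreach ($deny in $DenyPaths) {
    Set-SrpPathRule -ItemPath $deny -Level $Disallowed -Description 'Ransomware staging directory (added rule)' | Out-Null
}
Get-SrpPathRule | Format-Table -AutoSize
```

New rules apply to processes started after the next logoff. Expect legitimate per-user installers and updaters that live under AppData to trip the deny rules; add an Unrestricted rule for each with `Set-SrpPathRule -Level $Unrestricted` rather than loosening the deny list, and read the decision log named by `LogFileName` on a pilot group before rolling the policy out through Group Policy.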
- Block known malicious Tor IP addresses.
Tor (The Onion Router) gateways are one of the primary means for ransomware threats to communicate with their C&C servers. You can therefore block known malicious Tor IP addresses, which may stop the malware’s critical processes from completing.
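One way to keep such a block in place on Windows hosts is a single outbound firewall rule whose remote-address list is replaced wholesale from your threat-intelligence feed, so stale addresses age out with each refresh. The script below is an added example, not code from the original article: the feed format (one IP or CIDR per line, `#` comments), the rule name and the addresses are assumptions, and the sample feed is constructed from documentation ranges.

```powershell
# Added example (not from the original article): maintains one outbound
# Windows Firewall rule from a feed of known malicious Tor addresses.
# Feed format, rule name and sample addresses are assumptions.
#Requires -RunAsAdministrator

$RuleName = 'Block known malicious Tor nodes (added example)'

# Constructed sample feed using documentation ranges; a real feed comes from your intel provider.
$SampleFeed = @(
    '# malicious Tor gateways, refreshed daily',
    '192.0.2.0/24',
    '198.51.100.17',
    '203.0.113.5      # exit node seen in C&C traffic',
    '2001:db8::/32',
    '198.51.100.17',   # duplicate, should collapse
    'not-an-address'   # junk, should be dropped
)

function Import-BlockList {
    # Parses a feed into validated addresses or prefixes; comments, blanks, junk and duplicates are dropped.
    param([string[]]$Lines)
    $valid = foreach ($raw in $Lines) {
        $line = ($raw -split '#')[0].Trim()
        if (-not $line) { continue }
        $parts = $line -split '/'
        $ip = $null
        if ($parts.Count -gt 2 -or -not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) {
            Write-Warning "skipping '$line'"; continue
        }
        if ($parts.Count -eq 2) {
            $maxBits = if ($ip.AddressFamily -eq 'InterNetwork') { 32 } else { 128 }
            if ($parts[1] -notmatch '^\d+$' -or [int]$parts[1] -gt $maxBits) { Write-Warning "skipping '$line'"; continue }
        }
        $line
    }
    return @($valid | Sort-Object -Unique)
}

function Set-TorBlockRule {
    # Creates the rule on first run; afterwards replaces its address list in place.
    param([string[]]$Addresses)
    if ($Addresses.Count -eq 0) { throw 'Refusing to apply an empty block list' }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block -Profile Any -RemoteAddress $Addresses | Out-Null
    } else {
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Addresses
    }
    # Read back what the firewall actually holds, so the caller can log it.
    return (Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter).RemoteAddress
}

$blockList = Import-BlockList -Lines $SampleFeed
Set-TorBlockRule -Addresses $blockList
```

The empty-list guard matters: a feed download that fails and returns nothing must not silently clear the block. For hosts you cannot manage (IoT, industrial equipment, unmanaged guests) the same list belongs on the egress firewall, where it also yields the connection-attempt logs that reveal an infection trying to reach its C&C server.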
- Make use of threat intelligence.
Ransomware actors continue to innovate new techniques, launch new attacks and create new strains of crypto-malware. In light of this reality, you need to have some way to keep pace with what’s going on in the threat landscape and what risks could be affecting other organizations in the same region or industry. You can do this by making sure you have access to reputable threat intelligence feeds.
- Segment the network.
Attackers can use a flat, unsegmented network to spread throughout your entire infrastructure. You can prevent this by segmenting your network. In particular, you might want to consider placing your industrial assets and IoT devices on their own segments.
- Monitor the network for suspicious activity.
In whatever way you decide to organize your network, you need to keep an eye out for threat behavior that could be indicative of a ransomware attack or security incident. That’s why you need to use tools to monitor the network for suspicious activity.
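One concrete thing to watch for on the network is a single host that suddenly opens connections to many internal peers on the file-sharing (445) and Remote Desktop (3389) ports within a short window, the pattern crypto-malware produces while spreading across a flat network and exactly what segmentation and disabled file sharing are meant to stop. The detector below is an added example, not code from the original article; the firewall log format, the thresholds and the log lines are all constructed.

```powershell
# Added example (not from the original article): sweeps a flow/firewall log
# for burst connections from one host to many internal peers on SMB or RDP.
# Log format, thresholds and sample lines are constructed.

$SampleLog = @'
2024-03-01T09:00:01Z src=10.1.4.21 dst=10.1.7.10 dport=445 action=allow
2024-03-01T09:00:02Z src=10.1.4.21 dst=10.1.7.11 dport=445 action=allow
2024-03-01T09:00:02Z src=10.1.4.30 dst=10.1.7.10 dport=445 action=allow
2024-03-01T09:00:03Z src=10.1.4.21 dst=10.1.7.12 dport=445 action=allow
2024-03-01T09:00:04Z src=10.1.4.21 dst=10.1.7.13 dport=3389 action=allow
2024-03-01T09:00:05Z src=10.1.4.30 dst=203.0.113.9 dport=443 action=allow
2024-03-01T09:00:06Z src=10.1.4.21 dst=10.1.7.14 dport=445 action=deny
2024-03-01T09:00:07Z src=10.1.4.21 dst=10.1.7.15 dport=445 action=allow
2024-03-01T09:05:00Z src=10.1.4.30 dst=10.1.7.11 dport=445 action=allow
'@ -split "`r?`n"

function ConvertFrom-FlowLine {
    # Parses one constructed log line into a typed object; returns $null for lines it cannot read.
    param([string]$Line)
    if ($Line -match '^(?<ts>\S+)\s+src=(?<src>\S+)\s+dst=(?<dst>\S+)\s+dport=(?<dport>\d+)') {
        return [pscustomobject]@{
            Time = [DateTime]::ParseExact($Matches.ts, "yyyy-MM-dd'T'HH:mm:ss'Z'", [System.Globalization.CultureInfo]::InvariantCulture)
            Src  = $Matches.src
            Dst  = $Matches.dst
            Port = [int]$Matches.dport
        }
    }
    return $null
}

function Find-LateralSpread {
    # Flags a source that reaches at least MinPeers distinct destinations on the watched
    # ports within WindowSeconds. Denied attempts count too: a scan is suspicious whether it succeeds or not.
    param([string[]]$Lines, [int[]]$Ports = @(445, 3389), [int]$WindowSeconds = 60, [int]$MinPeers = 5)
    $events = @($Lines | ForEach-Object { ConvertFrom-FlowLine $_ } | Where-Object { $_ -and $Ports -contains $_.Port })
    $alerts = foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Slide a window starting at each event and count the distinct peers inside it.
            $end   = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end } | Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $MinPeers) {
                [pscustomobject]@{ Source = $group.Name; FirstSeen = $sorted[$i].Time; PeerCount = $peers.Count; Peers = ($peers -join ', ') }
                break   # one alert per host is enough
            }
        }
    }
    return @($alerts)
}

Find-LateralSpread -Lines $SampleLog | Format-List
```

On the constructed sample the detector is meant to raise one alert for 10.1.4.21, which touches six peers in six seconds, and none for 10.1.4.30, whose two SMB connections are five minutes apart. Tune `MinPeers` and `WindowSeconds` against your own baseline (backup servers and vulnerability scanners legitimately fan out this way and need an allow list), and feed the same logic from your firewall or flow exporter rather than a text file in production.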
Have another ransomware prevention tip? If so, let us know on Twitter.