The growth of ransomware over the past few years has attracted a lot of attention and driven the security industry to create myriads of tools applicable for blocking these types of threats from being executed on computers.
While media coverage of ransomware has decreased in recent months, the threats are still very real. A combined effort by security and anti-malware organizations spreading awareness and education has helped reduce the quantity of attacks year over year.
According to Kaspersky, ransomware infections have dropped 30% over the last 12 months.
Interestingly, the different families of ransomware has decreased 71%, but the variants have increased 46%.
As a last statistic, over 75% of businesses that were affected were running end-point protection. Clearly end-user education is very important.
Top 5 things to be aware of:
1) Beware of phishing type emails. Think before you open anything. They might indicate something you won, money sent, a bill or invoice and it might be from someone you know. They usually contain MACROs or scripts that ransomware launches from.
2) Disable your macros, especially in Microsoft Office. This can limit the type of attacks.
4) Keep your systems and workstations patched and maintained at all times.
5) Constant security awareness, end-user education and good firewalls/rules.
Here are some additional measures that users should employ to ensure a higher level of defense against ransomware threats.
1. First and foremost, be sure to back up your most important files on a regular basis.
Ideally, backup activity should be diversified, so that the failure of any single point won’t lead to the irreversible loss of data. Store one copy in the cloud, and the other on offline physical media, such as a portable HDD. NetAccess deploys Unitrends with a cloud archive. This puts your data in 2 places.
An efficient tactic is to toggle data access privileges and set read/write permissions, so that the files cannot be modified or erased. An additional tip is to check the integrity of your backup copies once in a while.
2. Personalize your anti-spam settings the right way.
Most ransomware variants are known to be spreading via eye-catching emails that contain contagious attachments. It’s a great idea to configure your webmail server to block dubious attachments with extensions like .exe, .vbs, or .scr.
NetAccess spam protection quarantines .xlsm, .vba and .vbs attachments and blocks .docm and .xlsb.
3. Refrain from opening attachments that look suspicious.
Not only does this apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a banking institution, or named members within your organization. Be very careful of invoices and PDF linked attachments.
4. Think twice before clicking.
Dangerous hyperlinks can be received via social networks or instant messengers, and the senders are likely to be people you trust, including your friends or colleagues. For this attack to be deployed, cybercriminals compromise their accounts and submit bad links to as many people as possible.
It is also important to ensure that you are on the right website. A technique to spoof a website is to make an exact copy at a different address. http://twiiter instead of http://twitter for example
5. The Show File Extensions feature can thwart ransomware plagues, as well.
This is a native Windows functionality that allows you to easily tell what types of files are being opened, so that you can keep clar of potentially harmful files. The fraudsters may also utilize a confusing technique where one file can be assigned a couple of extensions.
For instance, an executable may look like an image file and have a .gif extension. Files can also look like they have two extensions – e.g., cute-dog.avi.exe or table.xlsx.scr – so be sure to pay attention to tricks of this sort. A standalone known attack vector is through malicious macros enabled in Microsoft Word documents
6. Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date. This habit can prevent compromises via exploit kits.
NetAccess highly recommends maintaining a regular patch and maintenance schedule for all critical business systems and workstations. Often we find that workstations are ignored, these are equally as important and ransomware often affects a workstation and then encrypts file shares from that workstation.
7. In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
This is particularly efficient on an early stage of the attack because the ransomware won’t get the chance to establish a connection with its Command and Control server and thus cannot complete the encryption routine.
Although this requires a very aware end-user, it can help.
8. Think of disabling vssa.exe.
This functionality built into Windows to administer Volume Shadow Copy Service is normally a handy tool that can be used for restoring previous versions of arbitrary files. In the framework of rapidly evolving file-encrypting malware, though, vssadmin.exe has turned into a problem rather than a favorable service.
If it is disabled on a computer at the time of a compromise, ransomware will fail to use it for obliterating the shadow volume snapshots. This means you can use VSS to restore the blatantly encrypted files afterwards.
9. Keep the Windows Firewall turned on and properly configured at all times. Do not let lazy administrators turn off local firewalls.
10. Enhance your protection more by setting up additional Firewall protection.
There are security suites out there that accommodate several Firewalls in their feature set, which can become a great addition to the stock defense against a trespass.
NetAccess deploys a security suite of tools, AV Defender, included with all our managed customer workstations.
11. Adjust your security software to scan compressed or archived files, if this feature is available.
12. Disabling Windows Script Host could be an efficient preventive measure, as well.
13. Consider disabling Windows PowerShell, which is a task automation framework.
Keep it enabled only if absolutely necessary.
14. Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).
In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC.
15. Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
16. Use strong passwords that cannot be brute-force discovered by remote criminals.
Set unique passwords for different accounts to reduce the potential risk.
NetAccess recommends changing password policies at regular intervals. Do not use the password10, password11 method each time the password changes. Use long sentences such as “My dog’s name is Warren and he loves treats!”
17. Deactivate AutoPlay.
This way, harmful processes won’t be automatically launched from external media, such as USB memory sticks or other drives.
18. Make sure you disable file sharing.
This way, if you happen to get hit, the ransomware infection will stay isolated to your machine only.
NetAccess deploys Unitrends as its backup device as it uses its own proprietary way for storing data and is not susceptible to file sharing encryption. The last thing you need is your backups being encrypted.
19. Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system.
The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp and Windows\SysWow.
20. Block known-malicious TOR IP addresses.
TOR (The Onion Router) gateways are the primary means for ransomware threats to communicate with their C&C (Command and Control) servers. Therefore, blocking those may impede the critical malicious processes from getting through.
NetAccess does recommend implementing outbound firewall rules. Even through it is difficult and requires more maintenance and upkeep, business downtime can be extremely costly or business ending.
In summary, since ransomware is definitely today’s number one cyber peril due to the damage it causes and the prevalence factor, the countermeasures above are a must. Otherwise, your most important files could be completely lost.
The key recommendation, though, is the one about backups – offline or in the cloud. In this scenario, the recovery consists of removing the ransom Trojan and transferring data from the backup storage.
Currently, dealing with the consequences of ransomware isn’t very promising from the file decryption perspective. That is why thwarting the virus attack can save you a pretty penny and guarantee peace of mind.