Harnessing the latest social engineering techniques and strong cryptography algorithms, ransomware can encrypt user files on a local system or shared network to effectively hold data hostage.
Although ransomware is sophisticated and constantly evolving, there are some basic steps companies can take to reduce their risk of falling victim to a ransomware attack.
Although not all crypto-ransomware behaves the same way, attacks do share certain common characteristics. Knowing the enemy is the first step to stop the encryption process at its early stages to minimise the damage.
To trigger a ransomware attack, a user simply has to open or access unintentionally a malicious .exe file via a compromised website, infected email attachment or other malware source. This releases the ransomware client.
Unlike most malware, crypto-ransomware can work independently of normal network defences and automatically encrypt the data.
Once activated and stored in the victim's registry, the ransomware client initiates an SSL connection with the attacker’s server and generates a public-private key to encrypt the victim’s files.
The ransomware then scans all physical, cloud-based and backup drives for files with certain extensions (typically .doc, .xlsx, .ppt, .pdf and so on). It copies and encrypts them and then deletes the original files.
However, a ransomware client cannot encrypt the entire volume at once – rather, encryption speed is estimated at around 1000 files per minute.
When a user tries to open an encrypted file, a window pops up with instructions to pay a ransom to unlock it. A deadline is also given, threatening to delete the data if the ransom is not paid.
One of the latest crypto-ransomware variants is Petya, discovered in March 2016. Instead of encrypting files one by one, Petya requests administrative privileges and then overwrites the affected system’s master boot record (MBR), thereby blocking Windows from loading and denying access to the system.
If Petya can’t get admin privileges, it will install Mischa, standard ransomware that is able to work without admin level access.
Multi-level protection strategy
Even as concern over ransomware continues to sweep the IT community, there are at least six key actions organisations can take in pursuit of an effective prevention strategy against ransomware intrusion.
1. Block ransomware at the perimeter
Use spam filtering solutions and ad-block services to keep ransomware out of your IT infrastructure. Also be sure to set your computers to show hidden file extensions so executables are visible.
2. Install up-to-date anti-malware solutions
Traditional antivirus products may fail to detect ransomware. To improve your defense, choose anti-virus and anti-malware solutions that use heuristics and user behavior analysis, rather than signature-based applications.
3. Limit data access
Since ransomware can reach all files and folders that the infected user account has access to, limit the attack surface by rigorously controlling effective permissions and detecting and removing excessive access rights.
4. Gain insight into user activity
To quickly detect ransomware and start taking measures against it, deploy a user behavior analytics solution that can detect unusual spikes in user activity.
Make sure you get visibility into all file access attempts, both failed and successful, and any critical modifications to your files, folders, file servers and shares.
5. Be prepared to restore from backup
Use backup software that enables minimal or even zero recovery point/time objectives. Additionally, backup all important files and store offline.
6. Educate your personnel
Make sure staff understand safe computing practices to minimize the risk of crypto-ransomware infection.
Building an effective defense against ransomware is challenging. A key element for success is having compete visibility of everything that is happening in the IT environment.
As ransomware continues to evolve it will be vital to have the ability to enforce rigorous control over activity right across on premises and cloud IT environments.
Knowing in fine detail about everything that is happening ensures better data management decisions and enable threat patterns to be identified before they become incidents.
Sourced from Alex Vovk, CEO and co-founder, Netwrix Corporation