6 steps to protect your company from crypto-ransomware attacks

Harnessing the latest social engineering techniques and strong cryptography algorithms, ransomware can encrypt user files on a local system or shared network to effectively hold data hostage.

Although ransomware is sophisticated and constantly evolving, there are some basic steps companies can take to reduce their risk of falling victim to a ransomware attack.

Although not all crypto-ransomware behaves the same way, attacks do share certain common characteristics. Knowing how an attack unfolds is the first step to stopping the encryption process early and minimising the damage.

To trigger a ransomware attack, a user simply has to unintentionally open or access a malicious .exe file delivered via a compromised website, an infected email attachment or another malware source. This releases the ransomware client.

Unlike most malware, crypto-ransomware can work independently of normal network defences and automatically encrypt the data.

Once activated and stored in the victim's registry, the ransomware client initiates an SSL connection with the attacker's server and generates a public-private key pair to encrypt the victim's files.

The ransomware then scans all physical, cloud-based and backup drives for files with certain extensions (typically .doc, .xlsx, .ppt, .pdf and so on). It copies and encrypts them and then deletes the original files.

However, a ransomware client cannot encrypt the entire volume at once – rather, encryption speed is estimated at around 1000 files per minute.

When a user tries to open an encrypted file, a window pops up with instructions to pay a ransom to unlock it. A deadline is also given, threatening to delete the data if the ransom is not paid.

One of the latest crypto-ransomware variants is Petya, discovered in March 2016. Instead of encrypting files one by one, Petya requests administrative privileges and then overwrites the affected system’s master boot record (MBR), thereby blocking Windows from loading and denying access to the system.

If Petya can’t get admin privileges, it will install Mischa, standard ransomware that is able to work without admin level access.

Multi-level protection strategy

Even as concern over ransomware continues to sweep the IT community, there are at least six key actions organisations can take in pursuit of an effective prevention strategy against ransomware intrusion.

1. Block ransomware at the perimeter

Use spam filtering solutions and ad-block services to keep ransomware out of your IT infrastructure. Also be sure to set your computers to show hidden file extensions so executables are visible.

2. Install up-to-date anti-malware solutions

Traditional antivirus products may fail to detect ransomware. To improve your defense, choose anti-virus and anti-malware solutions that use heuristics and user behavior analysis, rather than signature-based applications.

3. Limit data access

Since ransomware can reach all files and folders that the infected user account has access to, limit the attack surface by rigorously controlling effective permissions and detecting and removing excessive access rights.

4. Gain insight into user activity

To quickly detect ransomware and start taking measures against it, deploy a user behavior analytics solution that can detect unusual spikes in user activity.

Make sure you get visibility into all file access attempts, both failed and successful, and any critical modifications to your files, folders, file servers and shares.
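The spike detection described above, as an added example that is not code from the article or from Netwrix: it reads file-server audit events of the form `<timestamp> <user> <action> <path>` and flags any user whose write-plus-delete activity (the copy, encrypt, delete pattern) exceeds a threshold inside a sliding one-minute window. The log format, the 20-event threshold and the sample lines are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables (assumptions for this example; the article only gives the
# ~1000 files/minute encryption rate that motivates a per-minute window).
WINDOW = timedelta(seconds=60)
THRESHOLD = 20                      # write+delete events per user within WINDOW
SUSPECT_ACTIONS = {"write", "delete"}
SHARE = r"\\fs01\shared"            # constructed share path, not a real host

def parse_line(line):
    """Parse '<ISO-timestamp> <user> <action> <path>' into a tuple."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_spikes(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: timestamp of first alert} for users whose write/delete
    activity exceeds `threshold` events inside any sliding `window`."""
    recent = defaultdict(deque)     # per-user timestamps of suspect events
    alerts = {}
    for ts, user, action, _path in (parse_line(l) for l in lines):
        if action not in SUSPECT_ACTIONS:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > threshold and user not in alerts:
            alerts[user] = ts
    return alerts

def build_sample_log():
    """Constructed audit trail: alice works normally; bob's session shows the
    copy-encrypt-delete pattern (a .locked copy written, the original deleted)."""
    base = datetime(2016, 4, 1, 9, 0, 0)
    lines = [f"{base.isoformat()} alice read {SHARE}\\q1.xlsx",
             f"{(base + timedelta(seconds=30)).isoformat()} alice write {SHARE}\\q1.xlsx"]
    for i in range(15):
        t = (base + timedelta(seconds=i * 2)).isoformat()
        lines.append(f"{t} bob write {SHARE}\\doc{i}.docx.locked")
        lines.append(f"{t} bob delete {SHARE}\\doc{i}.docx")
    return sorted(lines)            # ISO timestamps sort chronologically

if __name__ == "__main__":
    print(detect_spikes(build_sample_log()))   # {'bob': 2016-04-01 09:00:20}
```

In a real deployment the threshold would be tuned against the baseline for each share, and an alert would trigger isolation of the account rather than just a printout.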

5. Be prepared to restore from backup

Use backup software that enables minimal or even zero recovery point/time objectives. Additionally, back up all important files and store the copies offline.

6. Educate your personnel

Make sure staff understand safe computing practices to minimize the risk of crypto-ransomware infection.

Building an effective defense against ransomware is challenging. A key element for success is having complete visibility of everything that is happening in the IT environment.

As ransomware continues to evolve, it will be vital to have the ability to enforce rigorous control over activity right across on-premises and cloud IT environments.

Knowing in fine detail everything that is happening ensures better data management decisions and enables threat patterns to be identified before they become incidents.


Sourced from Alex Vovk, CEO and co-founder, Netwrix Corporation

Ben Rossi