Modern ransomware is among the most dangerous malware ever created. Countering it requires organisations to deploy defence in depth.
Our Group IT Director, Mark Nutburn, explores the methods you can implement to address these risks and prevent your organisation from becoming a victim.
Of all the malware that threatens computers today, none strikes as much fear into IT staff as ransomware. In 2013, ransomware was largely a problem for consumers, encrypting files and demanding what now seems like a laughably modest ransom of around $100 to supply a decryption key. How things have changed.
These days, even the biggest and best-defended companies are being caught out on a regular basis, and ransoms have reportedly risen into the millions. Now, entire networks are under threat, not just from encryption but from the threat of public data release.
For organisations large and small, this has become a serious existential threat, with the potential to take a company offline for weeks or even months; some predict organisations could even be pushed out of business at a time when the global pandemic has already stretched them. What, then, can organisations do to defend themselves against ransomware?
The good news is that there is quite a lot that organisations can do, but doing so requires a closer understanding of the enemy than might have been the case with established threats such as botnets, worms, keyloggers, adware, or cryptocurrency miners, all of which continue to present their own threats.
Steps You Can Take To Prevent Ransomware
It’s helpful to think of ransomware attacks as having three phases:
- The pre-infection phase involving social engineering and technical manipulation.
- The infection event itself where the malware jumps to a computer or server.
- Network traffic generated by its subsequent attempted spread to other computers or from its command & control (C2) communication and data theft.
In the old anti-virus world, the second of those – the bit where the malware tries to copy itself into memory or on to the hard drive – was the one everyone focused on, hence the huge anti-malware industry we have today. These days, if that second layer fails – which the number of successful attacks suggests it does reasonably often – this argues that defenders should formulate better defences at stages one and three as well.
Phase One: Pre-infection defence
Email is a front door through which many ransomware attacks arrive, usually as a link or attachment. Email filtering should stop these but sometimes doesn’t because addresses are spoofed, or anti-spoofing technologies aren’t being used at network level (standards such as SPF, DKIM, DMARC), or the communication comes from a legitimate but compromised contact or email domain. Nevertheless, many recipients are wary of opening attachments, which is why ransomware employs other techniques to improve its chances. These include:
- Hiding malicious attachments inside compressed archives such as Zip files, often hidden behind icons and filenames that make them look like legitimate PDFs.
- Because Windows restricts the privileges of standard user accounts (and elevated privileges are needed for some actions), malware constantly probes for ways to elevate them without the user realising. This can involve either tricking the user into elevating privileges manually or exploiting a software vulnerability to achieve the same result.
- Phishing for account credentials, especially ones that allow wider access such as admin accounts.
- Persuading users to click on links that appear to lead to legitimate accounts and contacts, for example on popular cloud hosting services. Increasingly, these are tailored to look convincing to employees of the target organisation.
- At least two types of ransomware, Spora and Try2Cry, infect media such as USB sticks, creating a backdoor into organisations.
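The first two bullets above describe attachments whose filename and icon say "document" while the content is an executable. The following added example (written for this article, not the author's or any vendor's code) shows how an attachment gate can inspect a ZIP before it reaches a mailbox: it flags executable extensions, document-style double extensions, macro-enabled Office files and nested archives by name, and, independently of the name, any member whose first bytes are the `MZ` signature of a Windows executable. The ZIP it scans is constructed inline from harmless placeholder bytes and the filenames are invented.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute directly when a user double-clicks them
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".jar", ".msi"}
# Document and image types that attackers imitate with icons and double extensions
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member should be blocked ([] if it looks clean)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    reasons: list[str] = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    # e.g. Invoice.pdf.exe: a document extension immediately before an executable one
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("document-style double extension")
    if last in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if last in ARCHIVE_EXTS:
        reasons.append("nested archive")
    # Content check: a Windows PE file begins with b"MZ" whatever the filename claims
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        reasons.append("PE header under non-executable name")
    return reasons


def inspect_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each flagged member name to its reasons; clean members are omitted."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for the PE check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample ZIP imitating a phishing attachment (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 harmless placeholder")
        zf.writestr("Invoice_2021.pdf.exe", b"MZ" + b"\x00" * 16)  # fake PE stub, double extension
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 16)             # PE content under an image name
        zf.writestr("notes.docm", b"PK placeholder")
        zf.writestr("more.zip", b"PK placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_archive(build_sample_archive()).items():
        print(f"BLOCK {member}: {', '.join(why)}")
```

The content check is the part worth keeping even if the extension lists are tuned: renaming `payload.exe` to `photo.jpg` defeats a name-only filter but not a check on the first two bytes.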
How to avoid initial ransomware infection:
- If using hosted email such as Outlook, check what email filtering protections come with that service level and ensure you take advantage of what’s available.
- Lock down attachments, blocking all unusual types in the email client.
- Turn on email server protections such as DMARC, which reduces the possibility of spoofing.
- Remember that in-house email servers such as Exchange have vulnerabilities which can be targeted directly by ransomware and other cyberattacks.
- Consider using services such as the National Cyber Security Centre’s (NCSC) Protective Domain Name service (PDNS), which filters the domains employees visit for malicious domains.
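Turning on SPF and DMARC is only half the job; a record that exists but is set to `~all` or `p=none` still lets spoofed mail through. This added example (not the article's own code) assesses a domain's SPF and DMARC TXT records and lists the settings that leave spoofing possible, with a weak configuration beside a hardened one. The records are constructed for a hypothetical domain; in practice you would fetch them with a DNS lookup (for example `dig TXT _dmarc.yourdomain` for DMARC), which is omitted so the example runs offline.

```python
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tag=value pairs."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str | None) -> list[str]:
    """Report SPF weaknesses: the terminal 'all' mechanism decides what happens to forgeries."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    final = record.split()[-1].lower()
    if final in ("+all", "all"):
        return ["SPF ends in '+all': any host may send as this domain"]
    if final == "~all":
        return ["SPF ends in '~all' (softfail): forgeries are only marked, not rejected"]
    if final == "?all":
        return ["SPF ends in '?all' (neutral): forgeries are neither marked nor rejected"]
    if final != "-all":
        return ["SPF has no terminal 'all' mechanism, which behaves like neutral"]
    return []


def assess_dmarc(record: str | None) -> list[str]:
    """Report DMARC weaknesses: policy, enforcement percentage and reporting address."""
    if not record:
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record (missing v=DMARC1)"]
    issues: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        issues.append("DMARC p=quarantine: spoofed mail lands in junk rather than being rejected")
    elif policy != "reject":
        issues.append("DMARC policy missing or invalid")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        issues.append(f"DMARC pct={pct}: policy applies to only {pct}% of mail")
    if "rua" not in tags:
        issues.append("no rua= address: you will not receive aggregate reports")
    return issues


def assess_domain(spf: str | None, dmarc: str | None) -> list[str]:
    """Combined list of weaknesses; an empty list means nothing to fix here."""
    return assess_spf(spf) + assess_dmarc(dmarc)


# Constructed records for a hypothetical domain; the include: host is a placeholder
WEAK = {
    "spf": "v=spf1 include:_spf.example.com ~all",
    "dmarc": "v=DMARC1; p=none; pct=100",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_domain(recs["spf"], recs["dmarc"]) or "no issues")
```

Moving from `p=none` straight to `p=reject` can bounce legitimate mail from a forgotten sending service, which is why the `rua=` check matters: the aggregate reports tell you which sources are failing before you enforce.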
Phase Two: Infection defence = isolation
Once malware has beaten endpoint security, it will spread so rapidly that it is futile to try and stop it by interacting with the compromised device. At this point it is a race against time to stop it spreading. If you suspect a device might have been compromised, it should be isolated immediately by unplugging it from the network.
Phase Three: Network defence
If ransomware has spread to other parts of the network, detecting that becomes a forensic job best left to a specialist company. These days, ransomware doesn’t simply encrypt data but attempts to steal as much of it as it can lay its hands on. This is later held hostage to force victims to pay even higher ransoms on pain of that data being released publicly. This theft is usually conducted in a compressed format using protocols such as FTP, sent to private servers or to cloud storage platforms such as OneDrive, Amazon S3 or Google Drive. At the same time, attackers often hunt for backups, deleting any they find.
How to reduce the impact of ransomware infection:
- Monitor outbound traffic: Unified Threat Management (UTM) firewalls have the ability not simply to block application ports and protocols but monitor and correlate traffic for unusual traffic patterns, especially outbound. If something unusual is happening, outbound traffic and encrypted TLS connections, used to hide communication, are where that will show itself.
- Watch your servers: all computers, including non-Windows PCs, are targets, but servers are always the biggest prize because they have more storage and CPU, more privileges, and might not be closely monitored. Servers must be watched with alerts should they experience an unusual number of login attempts (a sign of a brute-force password attack).
- Lock down RDP: the popularity of Remote Desktop Protocol (RDP), used for remote IT support, has turned it into the back door all ransomware attackers look for. The problem is RDP can go wrong in so many ways, including weak credentials and unrestricted port access. If an attacker hijacks RDP, not only will they have the power to target network computers at will but it’s unlikely to be noticed. This can be defended using firewall rules, strict password management and authentication.
- Expand backup routines: backup is long established as an effective anti-ransomware tool but managing what this means in practice isn’t always straightforward. The first challenge is that ransomware attackers have grown wise to backup and now target it, including some more casual cloud systems often used by SMEs such as Dropbox and Google Drive. Overcoming this requires either mandating regular offline backups or upgrading to systems such as Microsoft Azure Backup which come with access control.
- Make multi-factor authentication default: the single biggest protection, applicable to all the above layers, is better authentication. This usually means stronger passwords backed by some form of multi-factor authentication. The challenge, of course, is which to choose. FIDO U2F tokens such as the YubiKey are good for admins because they offer a high level of security. Mass-market solutions such as SMS authentication are arguably no longer secure enough, while dedicated OTP apps are better but don’t scale well. That leaves either single sign-on (SSO) services or Microsoft-specific biometric solutions such as Windows Hello for Windows 10, both of which add cost. The important thing is that SMEs use something.
- Remember patching blind spots: competent IT teams know to patch early and often, keeping applications such as browsers and Microsoft Office up to date. But it’s easy to miss less obvious software such as graphics drivers and network card interfaces, both of which now report a steady stream of security flaws which could aid dangerous remote code execution (RCE) exploits. Another concern is low-level firmware such as UEFI (which at least one ransomware campaign has developed an interest in) and vulnerabilities in Intel’s complex Management Engine. Some of the updating interfaces for these layers have also suffered flaws. Low-level vulnerabilities are not as easy to target, but they’re also much harder to patch, and defenders might not even know they exist until researchers uncover them.
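The "monitor outbound traffic" and "watch your servers" points above both come down to the same detection pattern: count events per source inside a sliding time window and alert when the count or volume crosses a threshold. This added example (written for this article, not code from the author or any product) implements both rules over constructed log lines: a burst of failed logins against a server from one address, and an internal host pushing far more data outbound over TLS than its peers in a ten-minute window. The log format, hostnames and addresses are invented; a real deployment would feed the same functions from the UTM firewall's flow export and the servers' login audit.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). Auth lines are a server's
# login audit; flow lines summarise outbound connections seen by the firewall.
AUTH_LOG = """\
2021-03-01T09:00:00 auth srv-files event=login_failed user=admin src=203.0.113.5
2021-03-01T09:00:03 auth srv-files event=login_failed user=admin src=203.0.113.5
2021-03-01T09:00:05 auth srv-files event=login_failed user=administrator src=203.0.113.5
2021-03-01T09:00:09 auth srv-files event=login_failed user=backup src=203.0.113.5
2021-03-01T09:00:12 auth srv-files event=login_failed user=admin src=203.0.113.5
2021-03-01T09:00:15 auth srv-files event=login_failed user=admin src=203.0.113.5
2021-03-01T09:05:00 auth srv-files event=login_failed user=jane src=10.0.0.23
2021-03-01T09:05:20 auth srv-files event=login_ok user=jane src=10.0.0.23
"""

FLOW_LOG = """\
2021-03-01T09:20:00 flow fw1 src=10.0.0.23 dst=198.51.100.7:443 proto=tls bytes_out=52000
2021-03-01T09:21:00 flow fw1 src=10.0.0.41 dst=198.51.100.9:443 proto=tls bytes_out=310000000
2021-03-01T09:24:00 flow fw1 src=10.0.0.41 dst=198.51.100.9:443 proto=tls bytes_out=280000000
2021-03-01T09:27:00 flow fw1 src=10.0.0.41 dst=198.51.100.9:443 proto=tls bytes_out=140000000
2021-03-01T09:40:00 flow fw1 src=10.0.0.23 dst=198.51.100.7:443 proto=tls bytes_out=61000
"""


def parse(line: str) -> dict[str, str]:
    """'<ts> <kind> <host> key=val ...' -> dict with ts, kind, host and each key."""
    ts, kind, host, *fields = line.split()
    rec = {"ts": ts, "kind": kind, "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_brute_force(log: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> dict[str, int]:
    """Sources with >= threshold failed logins inside any sliding window -> peak count."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    peaks: dict[str, int] = {}
    for line in log.splitlines():
        rec = parse(line)
        if rec["kind"] != "auth" or rec.get("event") != "login_failed":
            continue
        t = datetime.fromisoformat(rec["ts"])
        q = recent[rec["src"]]
        q.append(t)
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["src"]] = max(peaks.get(rec["src"], 0), len(q))
    return peaks


def detect_exfil(log: str, limit_bytes: int = 500_000_000,
                 window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Internal hosts whose outbound bytes inside the window exceed limit_bytes -> peak total."""
    recent: dict[str, deque[tuple[datetime, int]]] = defaultdict(deque)
    flagged: dict[str, int] = {}
    for line in log.splitlines():
        rec = parse(line)
        if rec["kind"] != "flow":
            continue
        t = datetime.fromisoformat(rec["ts"])
        q = recent[rec["src"]]
        q.append((t, int(rec["bytes_out"])))
        while q and t - q[0][0] > window:
            q.popleft()
        total = sum(nbytes for _, nbytes in q)
        if total > limit_bytes:
            flagged[rec["src"]] = max(flagged.get(rec["src"], 0), total)
    return flagged


if __name__ == "__main__":
    print("brute force:", detect_brute_force(AUTH_LOG))
    print("outbound volume:", detect_exfil(FLOW_LOG))
```

The volume rule deliberately ignores the destination: because theft typically goes over TLS to ordinary cloud storage, the reliable signal is "this host never sends hundreds of megabytes out in ten minutes", not the address it sends them to. Thresholds should be set from each host's own baseline rather than the fixed defaults used here.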
Hackers Are Not Your Greatest Threat
As one of the UK’s leading providers of ISO 27001 certification, we know plenty about the risks organisations face as well as the methods you can use to protect yourself against a security incident. Our white paper is a deep dive into the cybersecurity risks facing your organisation today. We’ve worked hard to put together a powerful resource that reveals:
- The surprising financial impacts of a breach
- How and why breaches occur
- The true cybersecurity risks facing your organisation
- What you can do to protect yourself