In an attempt to educate our users about the dangers of ransomware we have come up with a Ransomware Prevention Best Practices guide. We have written about ransomware in the past, outlining how quickly it is spreading around the world (see Ransomware By Numbers). Without a good plan in place, handling the aftermath of a ransomware attack is costly and near impossible. The cryptography used by ransomware makes brute-forcing the decryption keys computationally infeasible, so prevention and damage mitigation are the only viable defences against such attacks. Sometimes even paying the ransom is not enough to get your valuable data back.
Widespread attacks from ransomware strains like CryptoLocker, CryptoWall, CTB Locker, Locky, Petya Trojan and more recently WannaCry share some features that allow us to formulate a tactical plan to help prevent infiltrations before they happen. Most ransomware is distributed through phishing attacks: sophisticated emails built on social engineering that try to get the user to open a document containing a macro or to click a link that installs the ransomware scripts.
It is therefore good practice to refrain from opening attachments received from unfamiliar senders, especially if those attachments are binary executables or Office documents that require macros to be enabled. Exercising caution with email attachments is an important tip, but there are a few more.
It is always good practice to have backup systems in place, especially now with widespread ransomware attacks. It is however not a good idea to have only one backup, and an even worse idea to keep that backup disk connected to your computers at all times.
A good disaster recovery plan should include:
- Backup disks that are rotated regularly
- An offsite backup
Keep Software Up To Date
WannaCry managed to spread through a vulnerability in the SMB protocol, which could have been prevented if people had had up-to-date security patches installed. Keeping your operating system and other applications up to date helps prevent attacks, as vulnerabilities are closed down by these patches. Keeping computers on unsupported operating systems like Windows XP is also no longer a good idea: Microsoft no longer releases security updates for these products, so if a vulnerability is discovered, as in the case of WannaCry, it will be exploited and your risk increases sharply.
Users should not be sending binary executables via email; in fact most modern email clients automatically block some binaries from being delivered. It is also a good idea to have your mail server filter out these attachments before they even reach your inbox. Most modern mail servers can actively scan emails at the transport level and can be fine-tuned to detect and block most malicious attachments.
Configure Windows To Display File Extensions
Most malicious attachments have double extensions, for example filename.jpg.exe. By default Windows hides the “.exe” extension, so users could assume that the attachment is a JPG image file and open it thinking it is harmless. By configuring Windows to display file extensions, users are able to spot a double-extension file and exercise caution with these attachments.
Treat Macros With Caution
Macros in documents should only be allowed to run if the document was obtained from a trusted source. While macros do make users’ lives easier in Office documents, they are also an effective way to spread malicious code within an Office document, as most of the time the macro will run without the user even knowing it.
Disable Process Launching from AppData and LocalAppData Folders
Most ransomware infections copy themselves to these folders, as they are easily accessed through environment variables, allowing the ransomware creator to deploy their code on different machines with no changes. With the help of group policies an administrator can prevent the execution of processes from these folders, rendering the attack unable to run.
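One way to apply this restriction on a single machine, as an added example that is not part of the original guide: local Software Restriction Policy path rules written to the Safer policy registry key, blocking executables in %AppData% and %LocalAppData% while exempting local administrators. It assumes an elevated PowerShell session on a Windows edition that supports Software Restriction Policies, and the allow-listed vendor path is a placeholder.

```powershell
# Added example: local Software Restriction Policy (SRP) path rules.
# Assumes an elevated PowerShell prompt; rules apply to newly started processes,
# run "gpupdate /force" or log off/on to be certain they are in effect.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Policy-wide settings: default level Unrestricted (0x40000), check all file
# types except DLLs (TransparentEnabled=1), and exempt local administrators
# (PolicyScope=1) so a mistaken rule does not lock admins out of their tools.
New-Item -Path $root -Force | Out-Null
Set-ItemProperty -Path $root -Name 'DefaultLevel'        -Value 262144 -Type DWord
Set-ItemProperty -Path $root -Name 'TransparentEnabled'  -Value 1      -Type DWord
Set-ItemProperty -Path $root -Name 'PolicyScope'         -Value 1      -Type DWord
Set-ItemProperty -Path $root -Name 'AuthenticodeEnabled' -Value 0      -Type DWord
# Designated file types that SRP treats as executable (PE images are always checked).
Set-ItemProperty -Path $root -Name 'ExecutableTypes' -Type MultiString `
    -Value @('BAT','CMD','COM','EXE','HTA','JS','LNK','MSI','PIF','SCR','VBS','WSF')

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,         # path pattern, env vars allowed
        [Parameter(Mandatory)][string]$Description,
        [ValidateSet('Disallowed','Unrestricted')][string]$Level = 'Disallowed'
    )
    # Rules live under <level>\Paths\{GUID}: level 0 = Disallowed, 262144 = Unrestricted.
    $levelKey = if ($Level -eq 'Disallowed') { '0' } else { '262144' }
    $ruleKey  = "$root\$levelKey\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Type QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc())
}

# Block executables dropped directly into the profile folders and one level
# below them (e.g. %LocalAppData%\Temp, where mail clients extract attachments).
foreach ($dir in '%AppData%', '%LocalAppData%') {
    Add-SaferPathRule -Path "$dir\*.exe"   -Description "Block EXE in $dir"
    Add-SaferPathRule -Path "$dir\*\*.exe" -Description "Block EXE one level below $dir"
}

# Legitimate software sometimes installs under the profile; allow it explicitly.
# Placeholder path: replace with the software actually used in your environment.
Add-SaferPathRule -Level Unrestricted -Description 'Allow ExampleApp (placeholder)' `
    -Path '%LocalAppData%\ExampleVendor\ExampleApp\*.exe'
```

Test on a pilot group first: inventory what already runs from these folders (browsers, chat and update agents commonly do) and add Unrestricted rules for them before rolling the block rules out domain-wide through Group Policy.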
Use Lowest Possible Privileges
Most ransomware requires administrative or power user rights to run. Lowering the privilege level for users should still allow them to do day-to-day tasks while keeping ransomware from running. Locking down any file shares that do not require write access will also prevent ransomware from being able to encrypt and then delete the files on them.
Disable Remote Desktop
Remote desktop allows users and administrators to easily connect to remote servers or workstations to do certain tasks; however, some ransomware variants are actually deployed through remote desktop sessions whose credentials have been brute-forced. It is much better to use a VPN to connect to these computers than to open the RDP ports on your firewall.
Enable Multi-Factor Authentication When Possible
With multi-factor authentication in place it is also much more difficult to breach weak links in the authentication processes required for remote management and execution.
At this point there is no fool-proof remedy against ransomware, but with a little savvy most cases can be prevented. With a good disaster recovery plan users can also ensure that, should the worst happen, the damage is limited. First and foremost, take your backup routines seriously and never click on links that you are not certain are safe.