Ransomware is one of the most prolific and dangerous types of cybercrime today. As a result of ransomware, millions of dollars and petabytes of data have been lost by organisations and individual users worldwide. No one is safe from a ransomware attack on their valuable data. However, it is possible to reduce the risks of data loss, minimise the negative impact of ransomware and be prepared for potential attacks. This article provides step-by-step recommendations on how to prevent ransomware attacks and what to do to enable recovery as quickly as possible, if you detect it.
The new ransomware
The increased rate of ransomware attacks in 2020 is the highest in history. New attacks are also becoming more sophisticated, with strikes on servers rising in popularity. By taking control of servers, attackers can infect more computers connected to an enterprise network and cause greater damage.
Ransomware of the late 2000s is a very different animal to ransomware today. When the COVID-19 epidemic hit in full force in 2020, a new wave of Netwalker attacks ensued. Attackers have been distributing Netwalker primarily via phishing links introduced as emails claiming important updates about the coronavirus in attachments. As most people are interested in finding out more about COVID-19, this increased the probability of users opening these malicious attachments. But data loss is a concern for companies and individual users alike. As, while ransomware news coverage indicates the current trend is that attacks mainly occur within large organisations, attacks on individual users also took place as companies shifted to remote work during the pandemic. This has drastically increased the vulnerability of corporate data.
It is vital that organisations be vigilant and move with the times, implementing security measures both within the organisation and at home to prevent being attacked by new ransomware.
How to protect data against new versions of ransomware
Online safety rules and company security policy should strictly be adhered to by enterprise users, even when working remotely. If users have received appropriate training and are made aware of the latest ransomware threats and infecting methods, they are less likely to be infected. Users should be educated about phishing, social engineering and other methods used to infect with ransomware.
Top 10 ransomware prevention tips:
1. Do not open suspicious email messages, attachments to these email messages and any other links. Distributing ransomware via email is one of the most common methods of infecting computers.
2. Configure filters on email servers to reject suspicious email messages that can turn out to be malicious. The best way to ensure that users won’t open malicious email messages is by rejecting these email messages on email
servers. Leading SaaS (software as a service) providers such as Google and Microsoft provide email filters for their email services to protect users.
3. Train users to detect suspicious messages and ensure they are familiar with social engineering methods. The more skilled users are, the less likely it is that their computers will be infected with ransomware.
4. Do not provide any personal information to unknown users even if they introduce themselves as partners, bank workers, social agencies, etc. via email, messengers, phone calls, social media or other communication tools.
5. Install antivirus/antimalware software on all computers. Antivirus must always be up to date. It is also vital to install all available updates and security patches on operating systems and other software installed on all computers.
6. Configure a router and firewall in your network properly. Close unused ports, allow access from trusted networks and IP addresses if possible. Change standard port numbers to custom port numbers for some protocols (SIP, RDP, SSH etc.). Often attackers scan standard ports to detect which of them are open. It is also worth considering configuring a firewall on user computers.
7. If you find a USB flash drive, flash card or other medium near your office or home, don’t rush to plug it into a computer. An attacker can drop an infected flash drive near your home or office to distribute ransomware. Notify users about this threat and tell them that they should report such cases to the system administrator. If the content needs to be checked on the found device, an isolated computer should be used, Linux should be booted and checked.
8. Configure an operating system on each computer to show hidden files, system files and extensions for all file types. Use strong and unique passwords for different accounts.
9. Choose a wired network over Wi-Fi. When using wired networks, physical access is required for connecting to a network. Attackers can crack the password to the wireless network. If a wireless network is in use, make sure to set a strong password. Keep in mind that attackers can steal a saved password from computers or mobile devices. If any user loses a computer or any other mobile device that was used for connecting to a Wi-Fi network, the user must notify the system administrator. It is highly recommended to change the Wi-Fi password in this case. When on a business trip, try not to connect to public and untrusted Wi-Fi networks. In addition, restricting permissions for users on their work computers is advisable if this is at all possible, as long as this doesn’t prevent users from doing their work.
10. Create regular backups of important data. Creating a backup is the most effective method of protection against ransomware attacks. According to Sophos white paper on the State of Ransomware 2020, more than 56% of victims (organisations) have restored their data from a backup. However, backing up files from internal disk drives to USB drives that are always plugged into the computer is not effective. If the computer is infected after a ransomware attack, ransomware encrypts files on all the attached disks, including USB drives. Burning backed up data to DVD discs, Blue-ray discs or tape drives is a reliable solution because ransomware cannot re-write data on these types of media. Follow the 3-2-1 backup rule and keep at least three copies of data, store copies on different media, and keep at least one copy offsite.
Ransomware detection and response
What should you do if you detect ransomware? Typically, ransomware will appear as a splash (lock) screen with a notification that files have been encrypted and will be irreversibly deleted, along with a countdown (designed to pressure the victim into making mistakes like paying the ransom).
Should you become compromised, it is recommended that you do not pay the ransom. There are ample cases where organisations never got their data back after paying the attackers. Psychological tricks are often used to inspire fear and panic. Paying the ransom would only reinforce this type of attack, encouraging cybercriminals to continue to stage more ransomware attacks in the future. In addition, even after paying the ransom, there is no guarantee that the files can be decrypted, or that the stolen data will not be sold to other criminals, or even competitors.
A ransomware attack can infect multiple computers in the network and irreversibly corrupt terabytes of files. Considering that cybercriminals are continuously coming up with new and more dangerous versions of ransomware, with attacks becoming increasingly sophisticated, it is vital that a set of protection measures be implemented for adequate ransomware protection. This should include proper configuration of firewall, installing security patches, educating users, using an up-to-date antivirus, and regular data backup. Regularly backing up data is one of the most effective methods to prevent data loss due to a ransomware attack. If organisations properly prepare themselves against any potential attackers in advance, they will be in a position to protect their valuable data, ensuring business continuity should the worst happen.
*Sophos white paper on the State of Ransomware 2020: https://secure2.sophos.com/en-us/content/state-of-ransomware.aspx
3-2-1 backup rule: https://www.nakivo.com/blog/3-2-1-backup-rule-efficient-data-protection-strategy/