5 Things You Can Do to Avoid Ransomware

By ERMProtect Staff

Ransomware is a type of malware that encrypts your files and demands payment to get them back. It essentially takes the files hostage, demanding a ransom in exchange for the decryption key needed to restore them. It is a criminal money-making scheme, usually set in motion by tricking users into clicking deceptive links or opening malicious attachments, or by exploiting unpatched or internet-exposed systems.

Most victims are small and mid-sized businesses with weak security postures, but on several occasions ransomware attacks have shut down large sectors of the American economy, with attackers taking advantage of lax security measures for an easy payday.

Here are five things you can do now to build defense in depth and avoid ransomware.

1. Educate your employees continuously using a comprehensive security awareness training program.

Provide your employees with ransomware security awareness training to protect your organization against an attack. Employees must understand how to recognize and avoid the common attack vectors. Teach them to report and delete suspicious emails rather than clicking the links they contain, to leave unexpected attachments unopened, and to stay away from untrusted websites.

Remember: Taking the time to prevent ransomware attacks is much easier than reacting to them. By educating your employees on ransomware prevention, you can save time, resources, and potential downtime needed to respond to an attack.

ERM Protect can help. Our cybersecurity training for employees is personalized to individual needs, efficient for end users to complete, and - above all - effective at changing behaviors to reduce risk at all levels of your organization.

2. Ensure you are regularly backing up the organization’s important data and applications, with periodic copies offsite.

The best defense against ransomware is being able to restore data from clean, uninfected backups. Even when an organization pays a ransom, there is no guarantee that the attackers will hand over the decryption key, or that their decryptor will work. Restoring from backups is more reliable, cheaper, and avoids handing money over to criminals.

Organizations should back up their data regularly. Keeping separate backups for critical business systems, including system images and application configuration rather than data alone, also makes recovery easier.

Best practice for backup remains the 3-2-1 rule: make three copies of the data, store them on two different forms of media, and keep one copy off-site. To protect against ransomware, the off-site copy should be offline or otherwise unreachable with the credentials used on the business network: ransomware operators routinely locate and encrypt or delete any backups they can reach before they trigger encryption. Remember: All backup and recovery plans need to be tested. This is critical to calculate recovery times – and to establish whether data can be recovered at all.
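As an added example, not code from the original article or from ERMProtect, the following Python script shows what a restore test can check automatically. It records a SHA-256 manifest at backup time, verifies a restored tree against that manifest, and compares two backup generations so that a run which silently captured ransomware output (files vanishing and reappearing under one new extension, or most of the tree changing at once) is caught before the last clean copy is rotated out. The directory layout, file names and the 50 percent churn threshold are constructed for the demonstration.

```python
"""Restore-test helper: does the backup restore byte-for-byte, and did the
latest backup run capture ransomware output instead of clean data?

Added example; paths, file names and thresholds are constructed here.
"""
import hashlib
import os
import shutil
import tempfile
from collections import Counter


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root. Store it with the
    backup copy; a restore test needs something to compare against."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Check a restored tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def backup_drift(prev_manifest, new_manifest):
    """Compare two backup generations. Ransomware leaves a signature here:
    files vanish and reappear under an extension never seen before, or most
    of the tree changes in a single run."""
    prev, new = set(prev_manifest), set(new_manifest)
    appeared = sorted(new - prev)
    prev_exts = {os.path.splitext(p)[1].lower() for p in prev}
    new_exts = Counter(os.path.splitext(p)[1].lower() for p in appeared)
    return {
        "changed": sorted(p for p in prev & new if prev_manifest[p] != new_manifest[p]),
        "vanished": sorted(prev - new),
        "appeared": appeared,
        "unseen_extensions": sorted(e for e in new_exts if e not in prev_exts),
        "unseen_count": sum(c for e, c in new_exts.items() if e not in prev_exts),
    }


def drift_is_suspicious(drift, prev_count, max_fraction=0.5, min_unseen=3):
    """True when more than max_fraction of the previous generation changed or
    vanished, or when several new files carry an extension the previous
    generation never had. Either should stop the oldest clean copy from
    being overwritten until a human has looked."""
    if prev_count == 0:
        return False
    churn = (len(drift["changed"]) + len(drift["vanished"])) / prev_count
    return churn > max_fraction or drift["unseen_count"] >= min_unseen


def demo():
    """Constructed scenario: a source tree, a restore with one damaged file,
    and a following backup run in which an encryptor had renamed most files."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "src")
    os.makedirs(src)
    names = ["ledger.csv", "memo.txt", "plan.docx", "q1.xlsx"]
    for n in names:
        with open(os.path.join(src, n), "w") as f:
            f.write(f"contents of {n}\n" * 10)
    manifest = build_manifest(src)

    restored = os.path.join(base, "restored")
    shutil.copytree(src, restored)
    with open(os.path.join(restored, "memo.txt"), "ab") as f:
        f.write(b"\x00")                      # one file damaged on restore
    restore_report = verify_restore(manifest, restored)

    nxt = os.path.join(base, "next")          # the next backup run
    shutil.copytree(src, nxt)
    for n in names[:3]:                       # encryptor reached 3 of 4 files
        os.rename(os.path.join(nxt, n), os.path.join(nxt, n + ".locked"))
    drift = backup_drift(manifest, build_manifest(nxt))
    suspicious = drift_is_suspicious(drift, len(manifest))
    shutil.rmtree(base)
    return restore_report, drift, suspicious
```

A real restore test would run the same verify_restore against files pulled back from the off-site copy, not a local directory, and the drift check belongs in the job that decides whether an older generation may be expired.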

3. Implement, continuously monitor, and adjust firewall technologies.

Firewalls can keep attacks from getting into the network in the first place, and if an attack does get through, they can also keep ransomware from spreading to other systems. A key step is to review all port-forwarding rules and eliminate any non-essential open ports. Where possible, give outside users access to internal resources over a VPN rather than by port-forwarding.

When it comes to networks, every opening to the outside world is a potential vulnerability waiting to be exploited. Remote Desktop Protocol (RDP), which ships with Windows, presents a significant concern. This Microsoft protocol provides a graphical remote session to a Windows system and listens on TCP port 3389 and UDP port 3389. Attackers continuously scan the internet for exposed RDP and brute-force or password-spray the accounts behind it; RDP reachable from the internet is one of the most common initial access routes for ransomware. Ensure port 3389 is not forwarded from the internet. If RDP must remain exposed for a time, moving it from 3389 to a port above 10,000 cuts down noise from opportunistic scanners, but it does not hide the service: internet-wide scanners fingerprint RDP on any port, so treat the port change as a stopgap rather than a control. The stronger approach is to require all users to connect to a VPN (with multi-factor authentication) before they can reach RDP, to restrict VPN access to known IP addresses, and to keep Network Level Authentication and account lockout enabled on the RDP hosts.

Another best practice is to segment the LAN into smaller subnets using zones or VLANs and then connect these through the firewall so that anti-malware and IPS protection can be applied to traffic between segments. This can identify and block threats attempting to move laterally across the network. Whether you use zones or VLANs depends on your network segmentation strategy and scope, but both offer similar security capabilities by letting you apply suitable controls to traffic moving between segments.
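Added example, not the article's or any firewall vendor's code: a small Python audit of port-forwarding rules in the spirit of the review described above. The Rule layout, the sample rule table and the two policy sets are assumptions constructed for the demonstration. The point it adds to the text is that the audit keys on the internal destination port, so an RDP forward that has been moved to an unusual external port is still reported as RDP exposure.

```python
"""Audit port-forwarding rules for non-essential and never-expose services.

Added example; the Rule layout, sample rules and policy sets are
constructed for this demonstration and are not any firewall's syntax.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str       # "tcp" or "udp"
    ext_port: int    # port opened on the firewall's internet-facing side
    dst_host: str    # internal host the traffic is forwarded to
    dst_port: int    # port on the internal host (identifies the real service)
    src: str         # permitted source CIDR; "0.0.0.0/0" means anyone


# Services that should only ever be reached over the VPN (assumed policy).
# Keyed on the internal port: moving the external port does not change
# what is actually exposed, and scanners fingerprint RDP on any port.
NEVER_EXPOSE = {3389: "RDP", 445: "SMB", 23: "Telnet"}

# Services the business has decided may face the internet (assumed policy).
ESSENTIAL = {("tcp", 443), ("udp", 1194)}   # HTTPS, OpenVPN


def is_public(cidr):
    """True when the rule admits any source address (IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules, essential=ESSENTIAL, never_expose=NEVER_EXPOSE):
    """Return (rule name, severity, message) for every rule that violates
    the policy. A non-essential service limited to a specific source range
    is left to the reviewer and produces no finding."""
    findings = []
    for r in rules:
        public = is_public(r.src)
        svc = never_expose.get(r.dst_port)
        if svc and public:
            findings.append((r.name, "high",
                f"{svc} on {r.dst_host}:{r.dst_port} reachable from any "
                f"address via WAN {r.proto}/{r.ext_port}; remove the forward "
                f"and require VPN"))
        elif svc:
            findings.append((r.name, "medium",
                f"{svc} on {r.dst_host} exposed to {r.src}; move behind VPN"))
        elif public and (r.proto, r.ext_port) not in essential:
            findings.append((r.name, "medium",
                f"non-essential {r.proto}/{r.ext_port} -> {r.dst_host}:"
                f"{r.dst_port} open to any address; justify or remove"))
    return findings


def by_severity(findings):
    counts = {"high": 0, "medium": 0}
    for _, sev, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample rule table (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = [
    Rule("web", "tcp", 443, "10.0.0.10", 443, "0.0.0.0/0"),
    Rule("vpn", "udp", 1194, "10.0.0.2", 1194, "0.0.0.0/0"),
    Rule("rdp-legacy", "tcp", 3389, "10.0.0.20", 3389, "0.0.0.0/0"),
    Rule("rdp-moved", "tcp", 13389, "10.0.0.21", 3389, "0.0.0.0/0"),
    Rule("rdp-partner", "tcp", 3389, "10.0.0.22", 3389, "203.0.113.0/24"),
    Rule("ftp", "tcp", 21, "10.0.0.30", 21, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, sev, msg in audit(SAMPLE_RULES):
        print(f"[{sev.upper():6}] {name}: {msg}")
```

In practice the rule list would be exported from the firewall and parsed into Rule objects; the value of the exercise is in the two policy sets, which force the business to write down which services are allowed to face the internet at all.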

4. Take advantage of today’s advanced endpoint protection technologies to protect your organization from malicious email and attachments.

Endpoint security solutions provide one of the most important ways to stop ransomware. These solutions can prevent malware from infecting your systems. They also give administrators the ability to see when devices have been compromised and to confirm that security updates have been installed.

Since ransomware is commonly delivered through email, email security is crucial to stopping it. Secure email gateway technologies filter email with URL defenses and attachment sandboxing to identify and block threats before they reach users.

These solutions can help protect against malicious downloads and can alert users when they are visiting risky websites. But they are not guaranteed to be 100% effective since cybercriminals are always trying to create new pieces of malware to defeat security tools. Still, endpoint security is a crucial step in protecting against malware.

5. Use technologies that will proactively detect ransomware and other forms of advanced security threats, based on behavior or heuristics analysis.

Heuristic analysis is a way of spotting malware the scanner has no signature for: instead of matching a known file, it applies rules and educated guesses about what malicious code looks like and does. Static heuristics look for commands or instructions that a legitimate application of that kind would not normally contain. Behavioral analysis goes further: the antivirus runs the suspected program in a controlled environment before allowing it to run on the user's system, and if the program performs functions associated with malware, the antivirus stops it and notifies the user.

Some antivirus programs implement behavioral analysis by executing the commands of a questionable file inside a specialized virtual machine, allowing the anti-virus program to simulate internally what would happen if the suspicious file were executed while keeping the suspicious code isolated from the real machine. It then analyzes the commands as they are performed, monitoring for common malicious activities such as replication, mass file overwrites, and attempts to hide the existence of the suspicious file. If one or more such actions are detected, the file is flagged as potential malware and the user alerted. One caveat: evasive malware checks whether it is running in a sandbox and stays dormant there, so behavioral analysis should also run on the live endpoint, not only in a pre-execution sandbox.

Another common method is static: the anti-virus program disassembles or decompiles the suspicious program and analyzes the recovered code. Decompilation yields an approximation of the original source, not the source itself, but that is enough to compare the recovered code and its constructs against code from known malware families. If a sufficient proportion matches known malicious code or code patterns, the file is flagged and the user alerted.
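Added example illustrating the behavioral monitoring described above, written for this page rather than taken from any antivirus product. It replays a constructed stream of file-system events from three processes (a word processor saving documents, an archiver writing compressed files, and an encryptor working through a Documents folder) and flags a process only when, within a short window, it writes high-entropy content over many distinct files or renames many files to a new extension; a ransom-note-like file halves the bar. The window length, thresholds, event format and process IDs are assumptions. The archiver is included deliberately: compressed output is as high-entropy as ciphertext, which is why the rule counts distinct files per window rather than reacting to a single write.

```python
"""Behavioral ransomware detector over a stream of file-system events.

Added example; the event format, thresholds and sample processes are
constructed for this demonstration.
"""
import math
import os
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # look-back per process (assumed)
MIN_FILES = 20           # distinct files before a process is flagged (assumed)
HIGH_ENTROPY = 7.2       # bits/byte; documents and source code sit far lower
NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0. Ciphertext and compressed data are near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(ev):
    """Map one raw event to the behavior the detector cares about."""
    name = os.path.basename(ev["path"]).lower()
    if ev["op"] == "write":
        return "enc_write" if shannon_entropy(ev["data"]) >= HIGH_ENTROPY else "plain_write"
    if ev["op"] == "rename":
        old_ext = os.path.splitext(ev["path"])[1].lower()
        new_ext = os.path.splitext(ev["new_path"])[1].lower()
        return "ext_rename" if old_ext != new_ext else "rename"
    if ev["op"] == "create" and any(h in name for h in NOTE_HINTS):
        return "note"
    return "other"


def detect(events):
    """Return {pid: reason} for processes whose recent activity looks like
    encryption in progress. Events must be ordered by time."""
    windows = defaultdict(deque)      # pid -> deque of (t, kind, path)
    alerts = {}
    for ev in events:
        pid = ev["pid"]
        if pid in alerts:
            continue                  # first alert is the one that matters
        w = windows[pid]
        w.append((ev["t"], classify(ev), ev["path"]))
        while ev["t"] - w[0][0] > WINDOW_SECONDS:
            w.popleft()
        enc_files = {p for _, k, p in w if k == "enc_write"}
        ext_renames = sum(1 for _, k, _ in w if k == "ext_rename")
        note = any(k == "note" for _, k, _ in w)
        limit = MIN_FILES // 2 if note else MIN_FILES
        if len(enc_files) >= limit or ext_renames >= limit:
            alerts[pid] = (f"{len(enc_files)} high-entropy overwrites, "
                           f"{ext_renames} extension changes in {WINDOW_SECONDS}s"
                           + (", ransom note dropped" if note else ""))
    return alerts


def constructed_events():
    """Three processes: a word processor (benign), an archiver (high-entropy
    but few files) and an encryptor working through a Documents folder."""
    rnd = random.Random(7)
    def noise(n):                     # deterministic stand-in for ciphertext
        return bytes(rnd.getrandbits(8) for _ in range(n))
    text = b"Quarterly planning notes: revenue, hiring, and roadmap.\n" * 8
    events = []
    for i in range(10):               # pid 1200 re-saves the same 5 documents
        events.append({"t": 0.5 * i, "pid": 1200, "op": "write",
                       "path": f"C:/Users/ann/Documents/notes{i % 5}.txt", "data": text})
    for i in range(3):                # pid 1300 writes three archives
        events.append({"t": 1.0 + i, "pid": 1300, "op": "write",
                       "path": f"C:/Backups/archive{i}.zip", "data": noise(1024)})
    for i in range(25):               # pid 4242 overwrites, then renames, each file
        p = f"C:/Users/ann/Documents/report_{i}.docx"
        events.append({"t": 0.1 * i, "pid": 4242, "op": "write", "path": p, "data": noise(1024)})
        events.append({"t": 0.1 * i + 0.05, "pid": 4242, "op": "rename",
                       "path": p, "new_path": p + ".locked"})
    events.append({"t": 3.0, "pid": 4242, "op": "create",
                   "path": "C:/Users/ann/Documents/HOW_TO_RESTORE_FILES.txt"})
    return sorted(events, key=lambda e: e["t"])


if __name__ == "__main__":
    for pid, reason in detect(constructed_events()).items():
        print(f"pid {pid}: {reason}")
```

On a real endpoint the events would come from a file-system minifilter or an EDR sensor rather than a list, and the response to an alert would be to suspend the process and isolate the host, since by the time twenty files have been overwritten the remaining ones are seconds away.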

While ransomware is the big news today, it is not the only security threat your business should be concerned about. The challenge is developing a path forward that allows you to avoid ransomware now, but also allows you to efficiently integrate additional security technology solutions in the future.

ERM Protect can help.


Attachment sandboxing: Opens and inspects every attachment bound for a recipient in an isolated environment and blocks any it deems malicious. Mostly used in email systems.

Backups: A copy of some data. Mostly used as a restore point in case the original data is corrupted, lost, or destroyed.

Brute-force attack: An attempt to guess a password by trying every possible combination.

Decompile: Turning a compiled binary back into an approximation of human-readable source code; the original source is not recovered exactly.

Endpoint: A single device connected to the network, such as a laptop, desktop, server, or smartphone.

Heuristic analysis: Method for detecting unknown malicious programs, based on patterns or other conditions.

IP address: A unique numeric identifier assigned to each device on an Internet Protocol (IP) network so that traffic can be routed to it.

IPS: (Intrusion Prevention System) Network protection technology that monitors network traffic and blocks traffic matching known attack signatures or anomalous behavior.

LAN: Local Area Network. A restricted computer network connecting all devices within one area.

Port: A numbered endpoint for a transport-layer (TCP or UDP) connection on a host, identifying the service that handles the traffic. Ports can be opened or closed on a firewall.

Port 3389: Default port for RDP.

Remote Desktop Protocol (RDP): Protocol developed by Microsoft that allows remote control of another system/desktop through a graphical interface.

Security awareness training: Education aimed at teaching employees about the cybersecurity risks they face and how to respond to them.

URL defense: Scans every URL bound for a recipient and blocks any it deems malicious. Mostly used in email systems.

VLAN: Virtual LAN. Isolating the LAN into smaller sectors so that not all devices see each other.

VPN: Virtual Private Network. A secure, encrypted connection between two endpoints, both of which see each other as if on the same LAN, regardless of their actual physical locations.

