Seven steps to preventing ransomware infection

Ransomware attacks continue to rise in number and to evolve, with hacking groups increasingly preferring to target organizations rather than individual users.

Recap: Ransomware is a type of malicious software (malware) which attempts to extort money from victims, typically by displaying an alert stating that the computer has been locked or that all files have been encrypted. 

A ransom is demanded to restore access to these encrypted files, hence the moniker ‘ransomware’.

There are two primary methods of infection:

  1. Compromised or malicious websites, typically exploiting the browser or an unpatched plugin (drive-by download)
  2. Malicious email attachments and links

There is no one-stop shop for ransomware defence. An effective strategy is layered: it considers every avenue into the organization's network rather than relying on any single control.

Below we have compiled seven actions IT security teams should be implementing to build that layered defence.

Seven steps to preventing ransomware

1. Update anti-virus configuration 

Keeping your anti-virus configuration up to date (signatures, engine and policy) is a simple first step every IT department should take. Your anti-virus vendor will know which settings in its product are most effective against ransomware, so don't be afraid to ask.

Rule-based access protection, where the product offers it, can be an effective way of stopping ransomware from executing on the client machine, for example by blocking process creation from user-writable folders.

2. Block malicious and unknown sites

It is imperative that organizations review and implement a web proxy solution that blocks all potentially malicious categories of website for all users. In particular, check that uncategorized websites are not accessible to staff.

This is an important safeguard because websites frequently host malware for only a short period and change regularly; blocking uncategorized sites protects against these short-lived distribution points.

Cloud-based proxies such as Zscaler can be more effective than traditional on-premises solutions: whenever a new threat is discovered for any of the service's users worldwide, the cloud platform immediately protects every other customer from it, so no user is exposed to a known threat for longer than necessary. This greatly reduces the chances of web-based infection.

3. Update email attachment scanning configuration

A simple defensive measure is to ensure that all attachments are scanned for malware and that blocks or filters are in place for file types that commonly carry infections, such as:

  • EXE
  • DOCM
  • XLSM
  • VBS
  • JS, etc. 

It is also imperative to block password-protected or encrypted ZIPs and executables at the perimeter: a gateway scanner cannot inspect encrypted content, and attackers use exactly that to smuggle malware past it.
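As an added example, not code from the original post or from any mail-security product, the following Python screens attachments along the lines described above. It blocks the listed extensions (plus a few assumed additions of the same kind), judges by the final extension so that "invoice.pdf.exe" is caught, looks for the MZ header of a Windows executable whatever the file is called, refuses password-protected ZIP entries by their header flag rather than trying to open them, and recurses into archives with a depth and size cap. The sample attachments, the size cap and the helper names are all constructed for the example.

```python
"""Attachment screening: extension blocklist plus content checks.

Added example for this post, not a vendor product's configuration. The
blocklist extends the post's list with assumed additions (marked), the sample
attachments are constructed here, and the limits are arbitrary choices.
"""
import io
import zipfile
from dataclasses import dataclass

BLOCKED_EXTENSIONS = {
    "exe", "docm", "xlsm", "vbs", "js",                        # from the post
    "scr", "pif", "com", "bat", "cmd", "hta", "wsf", "jse",    # assumed additions
    "vbe", "ps1", "pptm", "dotm", "xlam",
}
MAX_DEPTH = 3                          # archives-inside-archives to unpack
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate anything larger (zip-bomb guard)


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _basename(name: str) -> str:
    return name.rsplit("/", 1)[-1]


def _last_extension(name: str) -> str:
    """'invoice.pdf.exe' -> 'exe': Windows picks the handler from the last one."""
    base = _basename(name).lower()
    return base.rsplit(".", 1)[-1] if "." in base else ""


def _looks_like_pe(data: bytes) -> bool:
    """Windows executables start with 'MZ' regardless of file name."""
    return data[:2] == b"MZ"


def _looks_like_zip(name: str, data: bytes) -> bool:
    # Office OOXML documents (.docx/.docm/...) are zip packages too.
    return _last_extension(name) == "zip" or data[:4] == b"PK\x03\x04"


def screen_attachment(name: str, data: bytes, depth: int = 0) -> Verdict:
    """Decide whether a single attachment may enter the mail flow."""
    ext = _last_extension(name)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension .{ext} ({name})")
    if _looks_like_pe(data):
        return Verdict(False, f"executable content (MZ header) disguised as {name}")
    if _looks_like_zip(name, data):
        return _screen_zip(name, data, depth)
    return Verdict(True, f"ok ({name})")


def _screen_zip(name: str, data: bytes, depth: int) -> Verdict:
    if depth >= MAX_DEPTH:
        return Verdict(False, f"archive nested deeper than {MAX_DEPTH} ({name})")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(False, f"corrupt or unreadable archive ({name})")
    with zf:
        for info in zf.infolist():
            # General-purpose flag bit 0 = encrypted entry: the scanner cannot
            # see inside, so block it instead of reading it.
            if info.flag_bits & 0x1:
                return Verdict(False, f"password-protected entry {info.filename} in {name}")
            if info.file_size > MAX_MEMBER_BYTES:
                return Verdict(False, f"entry {info.filename} in {name} too large to inspect")
            # Office macros live in vbaProject.bin inside the package; checking
            # for it here also catches a .docm renamed to .docx or .zip.
            if _basename(info.filename).lower() == "vbaproject.bin":
                return Verdict(False, f"Office macro container {info.filename} in {name}")
            verdict = screen_attachment(f"{name}/{info.filename}", zf.read(info.filename), depth + 1)
            if not verdict.allowed:
                return verdict
    return Verdict(True, f"ok ({name})")


def _make_zip(entries: dict) -> bytes:
    """Constructed fixture: an uncompressed zip holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set the 'encrypted' flag in every local (offset 6)
    and central-directory (offset 8) header. zipfile cannot write encrypted
    archives, so the bit is flipped by hand; the data stays in the clear."""
    b = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = b.find(sig)
        while pos != -1:
            b[pos + flag_offset] |= 0x01
            pos = b.find(sig, pos + 1)
    return bytes(b)


SAMPLE_ATTACHMENTS = {  # constructed, not real mail
    "quarterly-report.pdf": b"%PDF-1.4 constructed sample",
    "invoice.pdf.exe": b"MZ\x90\x00 constructed",           # double extension
    "notes.txt": b"MZ\x90\x00 renamed executable",          # misleading extension
    "macros.docm": b"PK\x03\x04 constructed",
    "orders.zip": _make_zip({"orders.csv": b"id,amount\n1,10\n"}),
    "update.zip": _make_zip({"update.js": b"var x = 1;"}),
    "nested.zip": _make_zip({"inner.zip": _make_zip({"setup.scr": b"MZ"})}),
    "proposal.docx": _make_zip({"word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": b"constructed macro blob"}),
    "protected.zip": _mark_encrypted(_make_zip({"payload.txt": b"hidden"})),
}


def screen_all(attachments=None) -> dict:
    attachments = SAMPLE_ATTACHMENTS if attachments is None else attachments
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for verdict in screen_all().values():
        print("ALLOW" if verdict.allowed else "BLOCK", verdict.reason)
```

Only the final extension is consulted deliberately: a blocklist that inspects every extension would also reject "report.exe.txt", which Windows treats as a text file. The MZ check and the archive recursion are what catch the cases an extension list misses.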

4. Update Plugins and Desktop Software

In our previous blog on Defending Against Cryptowall 4.0 we highlighted the vulnerabilities in unpatched Adobe Flash plugins.

An unpatched plugin offers attackers an easy route into your network: plugins are installed and reachable on target machines but are not always under the organization's control. Their vendors constantly patch newly discovered vulnerabilities to defend against these threats.

The issue for organizations lies in rolling out and installing those updates.

An out-of-date plugin or system is a vulnerable one!

Organizations need to be vigilant about updating:

  • All plugins, especially Adobe Flash, but also Silverlight, Java, Adobe Reader etc. Consider blocking plugins altogether where they are not needed, especially those with a poor security track record.
  • Windows updates: ensure they are installed
  • Browser updates: ensure they are installed

Regularly updating plugins should be high on any IT team’s agenda.

5. Security awareness training

An organization can have all the defences in the world, but staff who are unaware of the threats can undo that work and investment with a single click of the mouse.

Users should be trained about threats associated with web browsing, following web links in emails, successful identification of phishing attempts, etc. Staff should be made aware of the warning signs of ransomware or other malware and be aware of the procedure to follow if they suspect an infection.

In addition, IT Support staff should have a clear understanding and procedure for dealing with any outbreak. A strong, calculated Incident Response plan is vital. 

The strongest defence is constant and effective security awareness training. Staff who are trained and aware of how to spot the tell-tale signs of a phishing attack are much less likely to be victims and much less likely to inadvertently introduce malware into an organization. 

Creating a culture of security awareness in an organization takes time and investment but is often the most effective defensive tool.

6. Review backup policies and data storage permissions

Although not strictly a prevention method, this is a very important step in any defensive strategy. The ideal situation for an IT team is obviously to avoid infection; when a team does face one, however, the best possible resolution is simply to wipe and restore.

That approach cannot work if regular backups are not taken. Regular backups can greatly minimize the impact of any incident, provided restores are tested before they are needed.

It is imperative to ensure that all vital data is stored on network drives that are backed up regularly, that the backups themselves are kept somewhere the infected user cannot write to (ransomware encrypts every share it can reach with the user's permissions), and that network share permissions are reviewed regularly.

Ransomware executables are typically saved to locations the user has write permission to, often the Temp, AppData or My Documents folders. Tools such as Microsoft's AppLocker can be used to implement rules that block applications from running from these locations.

It is important to remove unneeded permissions regularly, and to run root-cause analysis after an incident to prevent reinfection (otherwise the restored image may simply get infected again).
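As an added example, not taken from the original post or from Microsoft's documentation, here is an AppLocker policy that implements the rule described above: executables and scripts are allowed from the places software is legitimately installed and explicitly denied from the user-writable profile folders ransomware drops into. The rule GUIDs are arbitrary placeholders, the Downloads folder is an assumed addition to the post's list, and the policy starts in audit mode.

```xml
<!-- Added example policy, not from the original post. Rule Ids are arbitrary
     GUIDs; generate fresh ones (for example with [guid]::NewGuid() in
     PowerShell) before importing. -->
<AppLockerPolicy Version="1">
  <!-- Exe collection. Deny rules win over allow rules, so the user-writable
       paths are blocked even though %OSDRIVE% is otherwise unrestricted for
       administrators. AuditOnly logs event 8003 ("would have been blocked")
       without stopping anything; switch to Enabled once the log is quiet. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c01" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c02" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <!-- Standard users can write to these two by default, so carve them out
           of the allow or they become a trivial bypass. -->
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c03" Name="Allow Administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- The post's drop locations: Temp lives under AppData\Local\Temp. -->
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c04" Name="Deny execution from AppData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c05" Name="Deny execution from Documents"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Documents\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c06" Name="Deny execution from Downloads (assumed addition)"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <!-- Script collection covers .js/.vbs/.ps1/.cmd/.bat droppers, which the
       Exe collection does not. -->
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c07" Name="Allow Program Files and Windows scripts"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c08" Name="Allow Administrators all scripts"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1d4c2f0-6b3e-4f1a-9c2d-0e5f7a8b9c09" Name="Deny scripts from AppData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
```

Import it on a test machine with Set-AppLockerPolicy -XmlPolicy .\ransomware-paths.xml -Merge (the Application Identity service, AppIDSvc, must be running for AppLocker to enforce anything), then check individual paths with Test-AppLockerPolicy -XmlPolicy .\ransomware-paths.xml -Path 'C:\Users\alice\AppData\Local\Temp\invoice.exe' -User Everyone. Expect the AppData deny to break software that installs per user (some browsers, chat and cloud-sync clients live under AppData\Local); add publisher-based allow rules for those specific products rather than loosening the path rule.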

7. Evaluate advanced technological solutions

As Ransomware evolves and develops, so too do the defensive technologies. 

- Consider isolation technology

Organizations that care about their data should consider isolation and sandboxing technologies such as Menlo Security. These provide an additional layer of protection against advanced or targeted threats by executing web content and files in a secure virtual runtime environment (the "sandbox") away from the endpoint, and analysing the resulting activity: exploits, browsing, subsequent downloads, botnet communications and other sophisticated behaviour.

Isolating browsing in this way makes the internet safer to use for all employees without interfering with the user experience.

- Consider application whitelisting

Consider the use of application whitelisting software, such as Microsoft's AppLocker mentioned in step 6, to protect computers and servers.

This technology maintains a list of known-good executable programs and only permits applications on that list to run on the protected machine. It is a very effective defence against unknown executables being downloaded and run from the internet or other sources of malware, including executables dropped by a zero-day exploit. Note that it does not stop exploit code that runs inside an already-permitted process such as the browser, which is why patching (step 4) still matters.