Unlocking the secrets to ransomware attacks

A layered approach to security is the best defense

Cryptolocker, Cryptowall, Locky, Samas, WannaCry. Chances are, you have heard of one or several of these, but what are they? 

Each one is a different ransomware variant. Ransomware is a type of malware that infects your computer systems, and limits access to the infected devices. The previously mentioned ransomware strains are all crypto-ransomware. Crypto-ransomware variants will encrypt the files on your system, rendering them unreadable unless they can be decrypted. When an infection occurs, the files are encrypted and users are presented with an alert on their machines letting them know the only way they can get their files back is to pay a ransom. The payment is typically required to be paid through the digital currency Bitcoin, and the ransom demanded can be range from few hundred dollars to thousands of dollars.

As Sun Tzu mentioned in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles”. The most important part of fighting the battle against ransomware is knowing how you can become infected. There are the two most common ways in which you, your company and employees can all be infected.

The most common method for infection is by email. A user will receive an email that is made to look like it is coming from a place they just did online shopping (i.e. Amazon) or a coworker’s account. The email will tell the user to open an attachment or click on a link, both of which are infected. The newest ransomware will not only encrypt and lock you out of your files on your machine, but it will also scan the network for another PC or server you have access to and infect those files as well.

Another route of infection is by visiting a malicious website. These websites are often legitimate websites that have been compromised by cyber criminals leaving behind a hacking tool called an “exploit kit”. Upon visiting the infected website, the exploit kit attacks known vulnerabilities of your system and installs ransomware silently. Now, what you thought was a clean website that you have been using for a long time is now the most dangerous minefield on the web!

To defend against ransomware, there is no silver bullet or foolproof method to block these attacks. Therefore, the best method is to implement a layered approach to security.

  1. Perimeter Protection: Most organizations have some type of firewall device in place.  Some just rely on the all-in-one device provided by their internet provider.  With today’s advanced threats, it is recommended to implement a firewall that can detect and block intrusion attempts, as well as viruses and malware before they enter your network.
  2. Antivirus and Antimalware: These solutions have been used for decades, but not all are created equal. It is important that your antivirus and antimalware tools are kept up to date with the latest definitions, and can provide real-time alerts when an infection occurs. This will provide insight into the infection, and help with any additional remediation efforts. Some antivirus solutions have created specific features to combat ransomware, by detecting the unauthorized encryption of files and stopping the process in its tracks, bolstering your anti-ransomware defense.
  3. Email SPAM and Virus Filtering: As a best practice, it is recommended to route your email through an anti-spam service, which will filter out SPAM emails, as well as emails infected with viruses. Most of these anti-spam services not only provide anti-spam and virus filtering, but also allow you to encrypt outgoing email to protect emails with sensitive data from prying eyes.
  4. Patching and Updates: The most recent and highly publicized attack was the WannaCry ransomware. This attack was unique in that systems did not get infected via email as is typical. They were infected using a known vulnerability in Windows. Microsoft released updates to patch this vulnerability 3 months prior to the WannaCry ransomware outbreak, but those who did not proactively patch their systems were infected, which totaled over 300,000 systems. Windows updates and patches need to be installed on a regular, automated basis to fix known vulnerabilities.
  5. Backups: If your computer or server is infected with ransomware, you have a few options. You can pay the ransom, which is never recommended, or you can remove the malware and restore from backup.  It is important to make sure you have an offsite copy of your backups for safe keeping. It is also paramount that you frequently test restoring from backup. You do not want to find out after the fact that the backups you have been running have issues when trying to restore.
  6. Education: Finally, education of the employees is of paramount importance. As ransomware is most commonly spread through infected emails, training a user to spot these infected emails is key to preventing attacks. If a user receives an email with an attachment, they should first look to authenticate the sender as well as the content being transcribed in the email. As a company, you should look to bring in experts from the field to provide security awareness training. This type of training will answer employees’ questions such as, “I got an email attachment. Should I open it?” Or, “If someone calls claiming to be from IT and is requesting my password, should I give it?” An educated user will learn how to spot fake and infected emails, and will know the correct course of action to take.

For the most comprehensive analysis and protection, it is recommended that you bring in a professional IT consultant or IT provider to review your security tools and practices and provide recommendations on how to keep your company and its data safe.

Jeff Kuhn is a senior solutions architect at New England IT Partners. New England IT Partners now has offices in Bedford, New Hampshire, and Burlington, Massachusetts. Jeff can be reached at 603-546-2978 or at www.newitpartners.com/free-security-assessment

Categories: Tech Advice