Ransomware: Prevention and Response

by Joseph Blanda

The number of ransomware-related news headlines continues to spike, and for good reason.

Ransomware is globally pervasive, capable of quickly and efficiently infecting unsuspecting targets, has a relatively low cost of entry for criminals, and is often impossible to recover from. Victims generally have little choice other than to pay the ransom demand and hope for the best.

What is ransomware and how does it spread?

As with many other types of infection, an end user is lured into unintentionally installing malware onto their computer; in this case, the malware is a ransomware program. Malicious email content, such as infected attachments or clickable links to infected URLs, is one of the most common ways a ransomware installation is triggered.

Unintentionally browsing to a compromised website can also trigger a ransomware infection. Once the user triggers the ransomware download, the malware acts quickly, installing itself on the target computer and contacting a repository where the encryption keys reside. These keys are used to methodically encrypt (scramble into an unusable and unreadable format) valuable files on the compromised machine, essentially locking users out of those files.

The ransomware will also attempt to propagate itself across the network. If the infected machine is connected to any Enterprise network shares, there is a high probability the program will propagate across those shared directories as well, compounding the infection. The compromised user is helpless without the decryption key. To make matters worse, there’s usually a limited amount of time to pay the criminal before the encrypted files are systematically deleted.

After the encryption process completes, instructions to decrypt the files to their original usable state will be left behind. The instructions are often posted to each compromised directory as a plain text file or splashed across the computer screen in a popup window. Bitcoin is the preferred payment method.

A variety of different types of ransomware attacks have been reported over the past several years. One variant, addressed in this blog, is seen as a common “go to” method for digitally extorting money from compromised companies. It uses encryption to hold your valuable data files hostage.

A fundamental understanding of the composition of this type of ransomware attack helps to identify potential gaps or weaknesses in your security policy and procedures, which can aid in improving controls and reducing exposure.

Steps to take upon indication of ransomware:

  • Understand how the Bitcoin payment process works in the event you have no alternative but to pay the ransom
  • Immediately perform a complete production server file system scan to determine the extent of the ransomware's spread
  • Inspect all critical online and offline backup stores to confirm file integrity
  • Review all pertinent Enterprise logs to help further determine extent of damage (endpoints, servers, firewalls, intrusion detection systems, proxies, etc.)
  • Contact a trusted Security Consultant to help with remediation
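As an added example (not from the original post), the following Python script supports the file-system scan and backup-integrity checks listed above: it walks a directory tree such as a mounted share and flags directories that hold a ransom-note-like text file or data files whose first bytes have the near-8-bits-per-byte entropy of ciphertext. The marker words, the entropy threshold and the sample tree are constructed assumptions; real note names vary by family, and legitimate compressed or encrypted formats also score high, so treat hits as leads for triage rather than proof.

```python
import math, os, random, tempfile
from collections import Counter
from pathlib import Path

NOTE_MARKERS = ("readme", "decrypt", "recover", "how_to", "restore")  # constructed starting list

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(path: Path) -> bool:
    """Plain-text or HTML file whose name contains one of the marker words."""
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(m in path.name.lower() for m in NOTE_MARKERS)

def assess_tree(root, entropy_threshold=7.5, sample_bytes=4096):
    """Walk root (e.g. a mounted share); return directory -> findings for each directory
    holding a note-like file or data files whose first bytes look encrypted."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        notes, high_entropy, total = [], 0, 0
        for fn in filenames:
            p = Path(dirpath) / fn
            if looks_like_ransom_note(p):
                notes.append(fn)
                continue
            try:
                with open(p, "rb") as f:
                    head = f.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            total += 1
            if shannon_entropy(head) >= entropy_threshold:
                high_entropy += 1
        if notes or high_entropy:
            findings[dirpath] = {"notes": notes, "high_entropy": high_entropy, "files": total}
    return findings

def build_demo_tree() -> str:
    """Constructed sample data: one clean directory, one hit by a simulated infection."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    clean, hit = Path(root, "hr"), Path(root, "finance")
    clean.mkdir(); hit.mkdir()
    (clean / "policy.txt").write_bytes(b"Acceptable use policy, section 1.\n" * 40)
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    (hit / "ledger.xlsx").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (hit / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay in Bitcoin.\n")
    return root
```

Running `assess_tree` over a live share and again over its backup copy gives a direct way to compare which directories were reached and whether the backup store still holds readable files.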

Some best practices to help mitigate exposure to ransomware attacks:

  • Continuously review and assess your current security framework against emerging and existing attacks
  • Routinely scan your network for vulnerabilities
  • Institute rigorous highly secure data backup and recovery processes
  • See to it that all systems are patched to current recommended levels
  • Review all user access permissions and privilege levels to local and shared resources
  • Restrict use of administrator accounts on all PCs and servers
  • Run endpoint protection software that includes anti-virus, anti-malware, and intrusion detection
  • Roll out a continuous corporate cybersecurity awareness campaign to educate and test employees on safe practices
  • Consider partnering with a trusted Managed Security Services provider with extensive threat analytics expertise to augment your in-house support

These best practices are not foolproof against every variant of ransomware, and new and more effective strains are popping up daily. Keep well informed of the changing threat landscape to see to it that you employ the most current prevention methods.

One final thought – if you are fortunate enough to detect a ransomware attack in process, immediately disconnect your computer from the network in an attempt to prevent the key negotiating process from completing. You might just avoid a significant headache.