With its strong cryptography and clever ways to beat both detection and human distrust, ransomware is malware's killer app - but it's still largely avoidable, and recovering from an infection without paying a ransom is possible. It comes down to the old adage - an ounce of prevention is worth a pound of cure.
At its core, ransomware is still a virus – and as a virus, it only works if there’s a host that is friendly to infection. Here are the four best ways to protect yourself from ransomware and to help recover faster if you get infected.
1. Keep Ransomware from Getting in.
Ensuring that ransomware never arrives on your computer in the first place is the only way to truly prevent infection and avoid an attack. While this is often easier said than done, a defense-in-depth approach to this information security problem is the best way to protect yourself:
- Email Security – Email filtering with cloud intelligence (features like real-time updates and sandboxing) goes a long way. By performing bulk analysis of inbound email, these services can identify and prevent emerging threats more effectively than any standalone solution.
- Web Filtering – Some web filters may be able to block access to ransomware command-and-control servers (the systems some forms of ransomware use to report back to their operators that they have found a viable target).
2. Prevent the Spread of Infection.
If the ransomware is run, whether from a link in an email or by visiting an infected site, the last line of defense before it begins working is endpoint security, such as antivirus or application whitelisting.
- User Education – Users are an often overlooked but critical component in an organization’s defenses. A user can decide to click a link and allow malware to run, or they can decide to notify their IT team and delete the email. An effective security awareness program trains users to detect and respond appropriately to common security issues – an invaluable resource in an ever-evolving threat landscape.
- Patch Management – Drive-by downloads infect a computer by exploiting unpatched vulnerabilities in a computer’s software. By ensuring that only necessary and regularly updated software is installed on your systems, you protect against easy exploits.
- Endpoint Protection – While their efficacy against a targeted attack using custom malware is limited, consumer-grade ransomware is exactly the kind of problem that endpoint security products such as antivirus were designed to solve. Many modern anti-malware solutions include specific safeguards against ransomware.
- System Hardening – By preventing the execution of software from commonly used malware folders (%TEMP%, Desktop, Home Directories) and changing file handlers for common scripts (vbs, js, etc.) from execute to edit, the initial launch of the ransomware can be disrupted.
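The file-handler change described above, as an added example that is not part of the original article: a PowerShell script that makes "Edit" the default verb for common script types so a double-clicked .vbs or .js opens in Notepad instead of running. It assumes the default Windows ProgIDs (VBSFile, JSFile, and so on) and an elevated shell, since HKEY_CLASSES_ROOT is machine-wide. Blocking execution from %TEMP%, Desktop and home directories is a separate AppLocker or Software Restriction Policy task and is not covered here.

```powershell
# Added example (not from the original article). Switches the double-click
# action for common script types from "run with the script host" to "edit",
# so an attachment that is double-clicked opens in Notepad instead of running.
# Assumes the default Windows ProgIDs (VBSFile, JSFile, ...) and an elevated
# shell, because HKEY_CLASSES_ROOT is machine-wide.
$scriptExtensions = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh')

function Get-ScriptHandler {
    param([string]$Extension)
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" `
        -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $shellKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
    # The shell key's default value names the verb run on double-click;
    # an empty value means "open", which for script types is WScript.exe.
    $verb = (Get-ItemProperty -Path $shellKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $verb) { $verb = 'open' }
    $command = (Get-ItemProperty -Path "$shellKey\$verb\command" `
        -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Verb = $verb; Command = $command }
}

function Set-ScriptHandlerToEdit {
    param([string]$Extension)
    $handler = Get-ScriptHandler -Extension $Extension
    if (-not $handler) { Write-Warning "$Extension has no ProgID, skipping"; return }
    $shellKey = "Registry::HKEY_CLASSES_ROOT\$($handler.ProgId)\shell"
    if (-not (Test-Path "$shellKey\Edit\command")) {
        # This type has no Edit verb yet: create one that opens Notepad.
        New-Item -Path "$shellKey\Edit\command" -Force | Out-Null
        Set-ItemProperty -Path "$shellKey\Edit\command" -Name '(default)' -Value 'notepad.exe "%1"'
    }
    # Make Edit the default verb. "Open" stays in the right-click menu, so
    # scripts that really must run can still be launched deliberately.
    Set-ItemProperty -Path $shellKey -Name '(default)' -Value 'Edit'
}

# Show the handlers before, apply the change, then show them after.
$scriptExtensions | ForEach-Object { Get-ScriptHandler -Extension $_ } | Format-Table -AutoSize
$scriptExtensions | ForEach-Object { Set-ScriptHandlerToEdit -Extension $_ }
$scriptExtensions | ForEach-Object { Get-ScriptHandler -Extension $_ } | Format-Table -AutoSize
```

This only changes what a double-click (ShellExecute) does; a script started explicitly through wscript.exe or cscript.exe still runs, which is why the folder execution restrictions belong alongside it. A per-user association under HKCU\Software\Classes overrides HKCR, so check both when verifying the result.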
3. Limit the Spread.
If previous protections against ransomware have failed, or weren’t present, there are still ways to limit the damage of an infection, the core of which is limiting its spread:
- Administrator rights for Administrators only - Viruses run in the context of the currently logged-on user. If the user is an administrator, there is very little a virus can’t do to a machine. When it comes to ransomware, this means encrypting other users’ files (on a shared server, for example), rather than just those of the currently logged-on user. Keeping user and administrator accounts separate helps limit the potential damage of an infection.
- Limit access to network shares - Limit the impact of a ransomware infection by restricting write access to shared drives unless absolutely required for the user. If a user can’t modify the file, neither can the ransomware.
- Be the CDC and develop an infection protocol – Just like a fire drill, prepare for ransomware on your network ahead of time by developing an infection protocol to follow when a detection occurs – and make sure every user knows what to do. Good first steps are to notify IT, disconnect the infected computer from the network, and ensure you have all necessary technical resources available to help with the recovery.
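One way to check the network-share point above, as an added example that is not part of the original article: a PowerShell audit that lists shares on a file server where a broad group (Everyone, Authenticated Users, Users, Domain Users) has Change or Full access, which is the write access ransomware running as any one user needs to encrypt everyone's files. It assumes the SmbShare module (Windows Server 2012 or later) and a session that can read share permissions; the list of "broad" principals is my own choice.

```powershell
# Added example (not from the original article). Lists SMB shares on this
# file server where a broad group has write (Change or Full) access, which is
# exactly the access ransomware running as any one user needs to encrypt
# everyone's files. Assumes the SmbShare module (Windows Server 2012 or later)
# and a session with rights to read share permissions.
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

function Test-BroadPrincipal {
    param([string]$AccountName)
    # Share ACEs show accounts as "DOMAIN\name" or "NT AUTHORITY\name";
    # match on the trailing name so any prefix is covered.
    foreach ($p in $broadPrincipals) {
        if ($AccountName -eq $p -or $AccountName -like "*\$p") { return $true }
    }
    return $false
}

function Get-BroadWriteShareAccess {
    $findings = @()
    # Skip the administrative shares (C$, ADMIN$, IPC$); users do not work there.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -in @('Change', 'Full') -and
                (Test-BroadPrincipal -AccountName $ace.AccountName)) {
                $findings += [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $ace.AccountName
                    Right   = $ace.AccessRight
                }
            }
        }
    }
    return $findings
}

$findings = Get-BroadWriteShareAccess
$findings | Format-Table -AutoSize

# Remediation for a share that only needs to be read by everyone: drop the
# broad write grant and re-add it as Read. Uncomment per share after review.
# foreach ($f in $findings) {
#     Revoke-SmbShareAccess -Name $f.Share -AccountName $f.Account -Force
#     Grant-SmbShareAccess  -Name $f.Share -AccountName $f.Account -AccessRight Read -Force
# }
```

Share permissions are only one layer: the effective access is the more restrictive of the share ACL and the NTFS ACL on the folder (Get-Acl), so a share that passes this audit can still be writable through NTFS, and the reverse.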
4. Recover Like a Champ.
Finally, when all else has failed, there is always the option to recover from backup.
You have current backups, right? When was the last time you tested them to ensure they are valid?
- Back it all up - Storing all work files on a network share that is backed up regularly gives you the best chance at recovery. Files on a local workstation without backups are almost always lost forever.
- Test your backups - For backups to be of any value, they must be complete, current, and tested regularly. The ability to recover from a hardware failure, accidental file deletion, or any other event that threatens your organization’s data is critical to any business. Ransomware, while scary, is just another threat to your organization’s data, and a complete and valid backup is what many organizations rely on to recover from a ransomware infection.
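A restore test that checks the three properties named above (complete, current, tested), as an added example that is not part of the original article. After your backup tool has restored the latest backup of a share into a scratch folder, the script compares every file in the live share against the restored copy and sorts the differences into missing, stale (changed since the backup ran) and corrupt (same timestamp, different content). The $Source and $Restored paths are placeholders you supply; nothing is written to either location.

```powershell
# Added example (not from the original article). A restore test: after the
# backup tool has restored the latest backup of a share into a scratch folder,
# compare every file in the live share against the restored copy and sort the
# differences into "missing", "stale" (changed since the backup ran) and
# "corrupt" (same timestamp, different content). Assumes $Source and
# $Restored are directory paths you supply; nothing is written to either.
function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Restored
    )
    $missing = @(); $stale = @(); $corrupt = @()
    $sourceRoot = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
    $files = Get-ChildItem -LiteralPath $sourceRoot -Recurse -File
    foreach ($f in $files) {
        $rel  = $f.FullName.Substring($sourceRoot.Length + 1)
        $copy = Join-Path $Restored $rel
        if (-not (Test-Path -LiteralPath $copy)) { $missing += $rel; continue }
        $liveHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $copyHash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($liveHash -eq $copyHash) { continue }
        $copyTime = (Get-Item -LiteralPath $copy).LastWriteTimeUtc
        if ($f.LastWriteTimeUtc -gt $copyTime) { $stale += $rel } else { $corrupt += $rel }
    }
    # A stale file is a currency problem (how much work would be lost);
    # a corrupt file is an integrity problem and the backup cannot be trusted.
    [pscustomobject]@{
        Checked  = $files.Count
        Missing  = $missing
        Stale    = $stale
        Corrupt  = $corrupt
        Complete = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)
        Current  = ($stale.Count -eq 0)
    }
}

# Example run (paths are placeholders for your share and scratch restore folder).
$result = Test-RestoredBackup -Source '\\fileserver\Shared' -Restored 'D:\RestoreTest\Shared'
$result | Format-List
if (-not ($result.Complete -and $result.Current)) {
    Write-Warning 'Restore test failed: fix the backup job before you need it.'
}
```

Run it from a machine and account that has only read access to the live share, so the test itself cannot become a vector for the damage it is rehearsing.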