As ransomware attacks rise in popularity, companies (and individuals) need to rethink their defenses and do whatever they can to minimize the risk of these malicious files encrypting their data and holding it ransom for a couple of bitcoins.
In Q2 of 2015, McAfee Labs saw over 4 million samples of ransomware, 1.2 million of which were new, and with time we only expect this sample size to grow. This has become such an epidemic that a new term has been coined for the threat actors offering it as a service: ‘RaaS’, ransomware-as-a-service.
Prevent to Protect
But how do ransomware incidents find their way to us?
They’re not short of options: websites, social media, browser plug-ins, online ads, and so on.
One of the newer vehicles cyber criminals use to deliver ransomware to the masses is hacking into popular, very active Twitter accounts, like Katy Perry's, and posting a viral tweet that links to a pre-prepared website, which automatically prompts a malware installation on the visitor’s computer.
In case you haven’t seen it before, this is what the typical ransomware incident looks like:
[Image: anatomy of a typical ransomware incident (source: Microsoft Cyber Trust Blog)]
These 12 steps are not foolproof, but they kickstart your initiative to bolster cyber resilience. In practice, the most effective approach is to work on your cyber awareness; the rest is easy.
12 Steps to a Minimized Ransomware Risk
1. Updated Anti-Virus
All anti-virus software must be up to date and fully functioning, which means it scans every write to the hard disk drive (HDD) or solid state drive (SSD) and also performs weekly full scans.
These scans include memory, the registry, temp folders, and the Windows folder.
2. OS and Security Systems Updates
Your operating system, including all security systems, must be up to date, with all the latest security updates and patches installed. If you’ve been getting notified of software updates or additional bug fixes, now is the time to follow up.
3. DNS Record Policy
Consider blocking emails that contain CAB, MSI, EXE, SCR, ZIP or RAR attachments.
To prevent spoofed emails from being delivered, it’s advised to set your SPF records to “hard fail” (-all) and NOT to “soft fail” (~all).
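As an added example (not code from the original post), the following Python classifies an SPF TXT record by the qualifier on its final `all` mechanism, so the weak `~all` setting can be told apart from the recommended `-all`, and screens attachment file names against the extension list above. The domain names and file names are constructed for illustration.

```python
"""Added example: SPF policy check and attachment extension screening.

The sample records and file names are constructed; the include: domain
is a placeholder, not a real mail provider."""
import re

# Attachment extensions the post recommends rejecting outright.
BLOCKED_EXTENSIONS = {"cab", "msi", "exe", "scr", "zip", "rar"}

# Qualifier characters SPF allows in front of the 'all' mechanism.
SPF_ALL_POLICIES = {
    "-": "hard fail",   # -all: unauthorised senders are rejected
    "~": "soft fail",   # ~all: accepted but flagged; spoofed mail still lands
    "?": "neutral",     # ?all: no assertion either way
    "+": "pass",        # +all: anyone may send; SPF is effectively disabled
}


def spf_policy(txt_record: str) -> str:
    """Return the policy stated by the record's first 'all' mechanism.

    Returns 'no all mechanism' when the record never states one and
    'not spf' when the string is not an SPF record at all.
    """
    terms = txt_record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "not spf"
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, flags=re.IGNORECASE)
        if m:
            # An unqualified 'all' means '+all' (RFC 7208 default qualifier).
            return SPF_ALL_POLICIES[m.group(1) or "+"]
    return "no all mechanism"


def is_hard_fail(txt_record: str) -> bool:
    """True only for the '-all' configuration the post recommends."""
    return spf_policy(txt_record) == "hard fail"


def is_blocked_attachment(filename: str) -> bool:
    """True if the attachment's final extension is on the block list.

    The comparison is case-insensitive, so 'Invoice.SCR' is caught too.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS


# Constructed sample records: the weak setting beside the recommended one.
WEAK_SPF = "v=spf1 include:_spf.example.test ~all"
STRICT_SPF = "v=spf1 include:_spf.example.test -all"

if __name__ == "__main__":
    for rec in (WEAK_SPF, STRICT_SPF):
        print(f"{rec!r}: {spf_policy(rec)}")
    for f in ("report.pdf", "invoice.SCR", "photos.zip"):
        print(f"{f}: {'blocked' if is_blocked_attachment(f) else 'allowed'}")
```

The `all` mechanism is examined in record order because SPF evaluation stops at the first mechanism that matches, and `all` always matches; anything after it never takes effect.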
4. Employee Awareness
Running awareness training in your company can prevent most phishing and website infection attempts. Go the extra mile.
5. Ad Blocking
Use third-party software that prevents accidental clicks on a malware pop-up. All it takes is one malicious pop-up for you to fall victim. If you haven’t been taking this seriously until now, now’s the time to start:
Our personal preference as a cybersecurity company is actually pretty basic and easily available: ‘AdBlock’ browser extensions (FREE, too!)
For Chrome --
For Firefox --
You may be thinking ‘too easy’. It’s not too easy; it’s just easy.
6. DLP Alert
Program a DLP alert that fires whenever an extensive change of files occurs.
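As an added example (not code from the original post), the Python below implements the kind of rule such a DLP alert would run: a sliding-window counter that fires when one account modifies, renames or deletes an unusually large number of files in a short interval, which is what a file-encrypting process looks like on a share. The event log, the 20-events-in-10-seconds threshold and the share paths are constructed assumptions to tune for your own environment.

```python
"""Added example: burst detector for mass file changes (a DLP-style alert).

The event stream below is constructed; threshold and window are assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch (constructed values below)
    user: str
    path: str
    kind: str      # "modify", "rename", "delete" or "create"


def burst_alerts(events, threshold=20, window=10.0,
                 kinds=("modify", "rename", "delete")):
    """Return a list of (user, timestamp, count) alerts.

    An alert fires the moment a user's count of write-type events inside
    the trailing `window` seconds reaches `threshold`.  Further alerts for
    that user are suppressed for one window so a sustained encryption run
    produces one alert rather than hundreds.
    """
    recent = {}            # user -> deque of timestamps inside the window
    suppressed_until = {}  # user -> time before which no new alert is raised
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind not in kinds:
            continue
        q = recent.setdefault(ev.user, deque())
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev.ts >= suppressed_until.get(ev.user, 0.0):
            alerts.append((ev.user, ev.ts, len(q)))
            suppressed_until[ev.user] = ev.ts + window
    return alerts


def make_sample_events():
    """Constructed log: one user saving a few documents a minute apart, and a
    second account rewriting 30 files in three seconds and renaming each to
    a new extension, the pattern file-encrypting malware leaves behind."""
    events = [FileEvent(1000.0 + i * 60, "alice", f"//fs1/share/report{i}.docx", "modify")
              for i in range(5)]
    for i in range(30):
        t = 1200.0 + i * 0.1
        events.append(FileEvent(t, "bob", f"//fs1/share/doc{i}.xlsx", "modify"))
        events.append(FileEvent(t + 0.01, "bob", f"//fs1/share/doc{i}.xlsx.locked", "rename"))
    return events


if __name__ == "__main__":
    for user, ts, n in burst_alerts(make_sample_events()):
        print(f"ALERT: {user} changed {n} files within 10s (t={ts:.2f})")
```

Rate alone is a coarse signal; on a real share the same window would also be checked for a jump in new file extensions or in file entropy, but the counter above is the part that makes the alert fire early rather than after the whole share is encrypted.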
7. C&C Servers
Research every known C&C server you can find, and block each one as you discover it. (This is an invaluable precautionary measure; you’ll be doing yourself a big favor.) In fact, threat intelligence tools are very well suited to this need.
If you have one in place, you can be informed of C&Cs as they appear, so that you’re preemptively protected from them and don’t need to seek them out yourself.
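As an added example (not code from the original post), here is how a block list exported from such a feed can be applied to outbound connection logs: indicators are loaded as host names, IPs or CIDR ranges, and each logged destination is checked, including subdomains of a listed host. The block list, the log format and every address in it are constructed placeholders (documentation ranges and the reserved `.example` domain), not real indicators.

```python
"""Added example: match logged destinations against a C&C block list.

Indicators and log lines are constructed placeholders, not real IoCs."""
import ipaddress
import re


def load_blocklist(text):
    """Parse one indicator per line (host, IP or CIDR); '#' starts a comment."""
    hosts, nets = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            hosts.add(line.rstrip("."))
    return hosts, nets


def is_listed(target, hosts, nets):
    """True if `target` is inside a listed network, is a listed host, or is
    a subdomain of a listed host."""
    target = target.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
        return any(addr in n for n in nets)
    except ValueError:
        pass
    labels = target.split(".")
    # Walk up the name: update.c2.bad.example -> c2.bad.example -> bad.example -> example
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


# Constructed log format: "<timestamp> <source-ip> <destination>:<port>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+)")


def find_hits(log_text, blocklist_text):
    """Return (timestamp, source, destination, port) for every listed contact."""
    hosts, nets = load_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_listed(m["dst"], hosts, nets):
            hits.append((m["ts"], m["src"], m["dst"], int(m["port"])))
    return hits


SAMPLE_BLOCKLIST = """
# hypothetical feed export (placeholders)
c2.bad.example
203.0.113.0/24
"""

SAMPLE_LOG = """\
2015-09-01T10:00:01Z 10.0.0.5 www.example.test:443
2015-09-01T10:00:03Z 10.0.0.7 update.c2.bad.example:443
2015-09-01T10:00:05Z 10.0.0.9 203.0.113.77:8080
2015-09-01T10:00:06Z 10.0.0.9 198.51.100.1:80
"""

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, SAMPLE_BLOCKLIST):
        print("C&C contact:", hit)
```

The subdomain walk matters because a listed domain is usually the registered name while the actual beacon goes to a changing host under it; matching only exact strings would miss most of those connections.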
8. Permissions on Network Drives
Maintain a continuous effort to monitor your shared network drives, so that all permissions stay aligned with your security needs.
9. Hardening the Operating System
Hardening the operating system here means hardening the Group Policy Objects. This method lets you create and restrict permissions on the registry keys that ransomware uses (for example, HKCU\SOFTWARE\CryptoLocker, among others).
Once you restrict the permissions on these keys, the malware cannot open or write them, nor encrypt any files; restricting the keys is how users effectively prevent the malware from encrypting their data.
In practice, this is what the file restrictions involve:
- GPO hardening: disallow EXE files from running from
  - AppData and its subfolders (including from ZIP / RAR / 7ZIP files)
  - LocalAppData and its subfolders (including from ZIP / RAR / 7ZIP files)
- GPO hardening: disallow macros in Microsoft Office documents by default, without notification to the user.
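As an added example (not code from the original post), the Python below evaluates launch attempts against the path rules just listed: no executables from AppData or LocalAppData or anything beneath them, which also covers the Temp folders that ZIP/RAR/7-Zip tools extract into. The profile path, the sample launches and the executable extension list are constructed assumptions; the real rules live in Software Restriction Policies or AppLocker inside the GPO, and this script only shows how such path rules should be matched (case-insensitively and after normalising `..`).

```python
"""Added example: evaluate executable launches against AppData path rules.

Profile path, sample launches and extension list are constructed."""
import ntpath

# Assumed set of file types the rule treats as executable.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def restricted_folders(user_profile):
    """Folders the post's rules disallow executables from (and their subfolders)."""
    return [
        ntpath.join(user_profile, "AppData", "Roaming"),  # %AppData%
        ntpath.join(user_profile, "AppData", "Local"),    # %LocalAppData%, includes ...\Temp
    ]


def _is_under(path, folder):
    """Case-insensitive containment test after collapsing '..' and '/' forms."""
    path = ntpath.normcase(ntpath.normpath(path))
    folder = ntpath.normcase(ntpath.normpath(folder))
    return path == folder or path.startswith(folder + "\\")


def launch_verdict(path, user_profile):
    """Return ('deny', reason) or ('allow', reason) for one launch attempt."""
    ext = ntpath.splitext(path)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        return ("allow", "not an executable file type")
    for folder in restricted_folders(user_profile):
        if _is_under(path, folder):
            return ("deny", f"executable under {folder}")
    return ("allow", "outside restricted profile folders")


def audit(launches, user_profile):
    """Verdict for every launch, in order."""
    return [launch_verdict(p, user_profile)[0] for p in launches]


PROFILE = r"C:\Users\alice"
SAMPLE_LAUNCHES = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\AppData\Roaming\update.exe",
    r"C:\Users\alice\AppData\Local\Temp\Rar$EX01.234\invoice.scr",  # extracted from an archive (illustrative temp name)
    r"C:\Users\alice\AppData\Local\Temp\report.pdf",
    r"C:\Users\alice\appdata\LOCAL\..\Roaming\x\y.EXE",             # case and '..' tricks are normalised
]

if __name__ == "__main__":
    for p in SAMPLE_LAUNCHES:
        verdict, reason = launch_verdict(p, PROFILE)
        print(f"{verdict:5} {p}  ({reason})")
```

The fourth sample is allowed because a PDF is not an executable under these rules; the fifth is denied even though its path is written in mixed case with a `..` segment, which is why the rule set must match on normalised paths and not on the literal string the user double-clicked.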
There are plenty of simple tools that help prevent the ransomware threat from affecting your device, such as Bitdefender.
Using Bitdefender can alleviate the ransomware concern that most IT professionals have in the back of their minds.
At the end of the day, one thing is for sure: cyber risks are as real as ever, but so are our capabilities to mitigate them.
By the way, check out our new Post-Incident Board Presentation Kit, made especially for CISOs!