Hospital extortions, ransomware for Macs, and more – 2016 appears to be the year of ransomware. This malicious software allows attackers to access your computer, encrypt sensitive data and demand payment to decrypt. Ransomware is one of the most serious threats you face, whether you’re an employee at a Fortune-500 company or a self-employed contractor. And, you don’t have to be a high-profile executive to fall victim to ransomware, it can happen to anyone.
That’s why taking precautions to avoid infections in the first place is critical. Can your business afford to be down for hours or days? If the answer is no, check out the below tips to help prevent a ransomware disaster:
1. Start with data backups, but don’t stop there
When it comes to a good defense, the most commonly seen tip to protect against ransomware is properly backing up all critical data. And, this is great advice. In the event of an infection, having a way to recover your data without funding the bad guy’s future endeavors is a must. Unfortunately, simply connecting an external hard drive or backing up to a network share isn’t adequate.
Modern ransomware evolutions like Locky and CryptoFortress will search out and encrypt any storage location where you have write privileges, even if those locations are unmapped on your system. To combat this, you must keep your data backups offline to avoid the threat. But, even with the best backups, you will still lose productivity while restoring data after an attack.
2. Stop ransomware from crossing your network perimeter
A common ransomware delivery methods is drive-by downloads through your browser. Drive-by downloads can exploit unpatched browser plugins to install ransomware without your involvement. Even more frightening, cross-site scripting vulnerabilities in popular websites can force your browser to load a malicious site even without your knowledge.
To give yourself the best chance against an attack you might not be able to see, you should move your first line of defense as far up as possible. Your network perimeter is an excellent place to block an oncoming assault before it can inflict damage. Network-based antivirus and APT scanning solutions can identify and block malicious payloads before they have a chance to reach your internal clients. This is especially useful when your clients don’t even know that they’re loading ransomware or other harmful downloads.
3. Prevent alternative delivery methods like phishing
Before CryptoLocker was taken down by Operation Tovar, it most commonly infected clients as a malicious attachment on phishing emails posing as Fedex and UPS shipment tracking notices. Locky, a ransomware variant mentioned earlier, continues this trend by installing itself via macros in a malicious Word document disguised as an invoice.
Implementing an email anti-spam solution can help stop phishing scams aimed at delivering ransomware. Most of these phishing emails are sent from botnet-infected clients and contain similarities that can be identified by anti-spam service providers. By using an anti-spam service, you can limit the amount of phishing emails that show up in your inbox, which will ultimately limit the opportunities of success for a well-disguised attack.
4. Don’t forget about your clients themselves
Endpoint protection is nothing new in the information security world. Even a signature-based antivirus scanner can help catch obvious ransomware samples. More importantly, modern heuristic-based endpoint protection cranks client defenses up a notch. As an example, the ransomware variant named VIRLOCK uses polymorphic code (code that mutates while retaining the original algorithms) to evade signature-based detection. When no two samples of the same ransomware are the same, signatures-based scanning isn’t enough.
Instead of only checking what the ransomware looks like code-wise, heuristic-based scanning watches what actions the ransomware application actually performs. If the behavior of a download matches enough suspicious flags, heuristic-based protection can lock it down before it can cause any harm.
5. Patch early and patch often
Earlier I mentioned the ability for drive-by downloads to infect your system without your knowledge. Drive-by downloads can be launched from malicious websites loaded using cross-site scripting attacks or by compromised advertising campaigns on legitimate websites. These attacks often rely on unpatched browser plugins for success. While frequent updates can seem a nuisance, they can play a critical role in keeping you protected. Attackers love to exploit unpatched versions of Flash and Java to run malicious code.
Simply installing updates is the easiest step you can take to up your odds against ransomware attackers. You should also investigate if Flash and Java are even necessary on your clients. Oracle announced this year that it is eliminating its Java browser plug-in in the next major release of the Java Development Kit. Flash is also exceedingly being replaced with HTML5 and may no longer be necessary in your daily web browser use.
6. A little education goes a long way
Ransomware attacks are largely untargeted, infecting systems through bulk phishing emails or drive-by downloads. That’s why it’s critical to educate the workforce so the business doesn’t end up losing thousands of dollars in ransom payments while IT teams or security consultants works to recover the encrypted files. In the end, it is the user that opens a tainted attachment or visits a compromised link. This makes user education the most critical aspect of your ransomware defense. Users need to know how to spot and respond to phishing attempts. They need to be aware of the potential consequences of clicking certain links. Users need to realize the critical nature of those pesky application update notifications.
As I’ve mentioned, backing up is important, but it’s even more important to understand and employ these ransomware defense tactics. And, while technical protections can increase your chances against ransomware infections, they alone are still not enough. You and your fellow users will almost always be the easiest point of entry for an attack. Knowing how to recognize an attack can be the difference between continuing your day normally or wasting the rest of it restoring backups.