A guide on how to prevent ransomware

Ransomware is fast becoming a major threat to computer systems in many organisations. It is an aggressive form of attack which criminals use to infect computers and block the victim from accessing their own data unless they pay a ransom. Ransomware is not a new threat but has become more widely used among criminals simply because it is highly profitable.

At its heart, ransomware is simply another form of a computer virus, albeit a very potent one. The methods it uses to infect a computer are the same ones other computer viruses employ.

This article details several recommendations to help you in reducing the likelihood of future infection by ransomware, or indeed any other computer viruses or malware, against systems within your organisation.

Note that each of these recommendations should be assessed for their applicability to your specific environment and you should conduct a thorough risk assessment to determine if the recommendations outlined in this document are suitable for your environment and are proportionate to the identified threat and risk.

For ease of use the recommendations in this document have been divided into three categories and colour coded accordingly. These categories are:

Will have a large impact in preventing ransomware.
Will have a big impact in preventing ransomware.
Will have some impact in preventing ransomware.

Implement geo-blocking for suspicious domains and regions

Criminals often host their infrastructure on domains in regions or countries that staff in your organisation would not regularly need to access. If there is no business requirement for staff in your organisation to access systems in these areas, you should consider configuring your firewalls to block all incoming and outgoing traffic to these domains and geographical areas.

Block outgoing I2P traffic

Ransomware often employs the Invisible Internet Project (I2P) which is an overlay network and darknet that allows applications to send messages to each other pseudonymously and securely. You should consider blocking all outgoing I2P and other unnecessary peer-to-peer network traffic at the firewalls on the perimeter of your network. This will prevent infected computers communicating with their masters and receiving further instructions.

Review backup process

One of the most effective ways to recover from a ransomware infection is to have a comprehensive and up-to-date backup in place.

You should regularly review your backup processes to:

• Ensure all relevant data is being backed up
• Ensure the backups are completed successfully
• Ensure the backup media is protected from being overwritten by ransomware
• Implement the 3-2-1 backup rule. Have at least three copies of the most valuable data, keep two of them on different external media, and store one copy offsite.

Conduct regular testing of restore process from backup tapes

While backing up data is critical process, equally as important is the ability to restore the data successfully when needed. You should conduct regular tests to restore data from backups to:

• Ensure the restore process works as expected
• Ensure that data has been properly backed up
• Ensure the data has not been modified or altered by ransomware
• Ensure the timely recovery of critical data.

Enhance email security with DMARC, SPF and DKIM

By analysing publicly available information relating to an organisations email configuration, it is possible to see if Domain-based Message Authentication, Reporting & Conformance (DMARC) is implemented. DMARC can help to reduce the amount of fraudulent email which may contain ransomware. Implementing DMARC also protects from other security risks such as phishing, spoofing and CEO fraud.

It is recommended that you implement DMARC for your email systems. It is also recommended that you regularly review the email configuration of your email servers to ensure that it has properly configured Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

Review your incident response process

You should develop a comprehensive Incident Response Process to include how to deal with ransomware infections. This process should include how incidents are prioritised, recorded, managed, remediated, recovered, and escalated where necessary. This process should also include:

• Referring to the NoMoreRansom to see if decryption keys are available for the ransomware being dealt with.
• Understanding what conditions call for the issue to be reported to your local law enforcement agency. Refer to the Europol website to determine how you can report issues in your jurisdiction.
• Understanding whether you will need to report an issue to relevant regulators. You should also develop a range of Standard Operating Procedures to manage security incidents. There are resources available from the European Union Agency for Network and Information Security (ENISA) in relation to incident response. In addition, you should review the Incident Response Methodologies published by the Computer Emergency Response team for Société Générale.

Implement a robust cybersecurity awareness training programme

Technical controls may not detect and contain all ransomware, or indeed all malware, especially given the rapidly evolving nature of these threats. In this event, the last line of defence is the end user who receives the email or browses the web. Therefore, it is essential that all users are properly empowered to identify security threats and deal with them accordingly.

You should review your current security awareness training programme to ensure that it is appropriately resourced and that it targets all users. Although technical controls can minimise the risk posed by various threats, the human factor needs to be constantly managed. If people are not made aware of the threats posed to their systems or data, of the reasons why certain policies and controls are in place, or how to react to a suspect security breach, then the risk of a security breach occurring increases significantly.

The security awareness programme should be tailored for the audience. For example, developers should have a different programme and focus on topic relevant to their role compared to the programme aimed at the sales and marketing function.

Ensure anti-virus software is updated and all features enabled

You should ensure that all PCs have up to date anti-virus software installed and that they are regularly updated with the latest software updates, virus signatures, and security features. In addition, you should ensure that the anti-virus suite deployed on all PCs has all the anti-malware features implemented so that any unusual behaviour that may indicate an infection can be quickly identified.

Ensure all operating system and software patches are applied

You should ensure that all PCs have the latest operating system and software updates deployed and applied in a timely manner. You should investigate and implement a means to keep all PCs and laptops patched with the latest updates for all software applications installed on those computers.

Disable ActiveX in Office files

You should disable ActiveX content in the Microsoft Office Suite of applications. Many computer viruses use macros to take advantage of ActiveX and download malware onto the affected PC. This would be particularly recommended to any organisation running devices with any Microsoft operating system earlier than Windows 10.

Block executable files from the %APPData% and %TEMP% paths

You should look at methods to block executable files from the %APPDATA% and %TEMP% paths on computers with the Microsoft Windows Operating System installed. These folders are often used by malicious software to download and execute the files associated with ransomware and other malicious software.

You could employ Software Restriction Policies to protect systems from infection from the use of unauthorised software. Exclude files of the following types:

• SCR
• PIF
• CPL
• EXE
• DLL
• SYS
• FON
• EFI
• OCX.

Your PC should be configured to not allow executable files to be run from the following folders:

• Appdata
• LocalAppData
• Temp
• ProgramData
• Desktop

It is strongly recommended that all policies are comprehensively tested before being deployed into a live environment.

Deploy Windows AppLocker

On computers installed with Microsoft Windows, you should consider deploying AppLocker to manage which applications can be run.

AppLocker is a more advanced way than Software Restriction Policies for managing the applications users can access. It has several features that allow it to be centrally managed, for it to be tested more rigorously before deployment, and create exceptions to the rules.

Deploy Microsoft EMET

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) is a free security utility which helps security vulnerabilities in software from being successfully exploited. They use security mitigation technologies as special protections and obstacles that an exploit author must defeat to take advantage of any software vulnerabilities.

You should deploy EMET throughout your computer estate to reduce the likelihood of malicious software, or an attacker, exploiting a software vulnerability.

Disable macros in Office files

You should disable Macros in the Microsoft Office Suite of applications. Many computer viruses use Macros to download malware onto the affected PC.

Upgrade to the latest version of Windows

You should upgrade computers with Microsoft Windows installed on them to the latest version of the operating system. At the time of writing, Windows 10 Professional is now considered to be one of the most secure desktop operating systems.

Implement network segmentation

Consider segmenting your network to reduce the ability of computer worms, whether ransomware or otherwise, to spread rapidly from one system to another. This will give you the ability to cut off infected sections of the network and prevent the infection spreading further.

Run regular phishing tests

You should run regular phishing simulations against staff to determine how many would potentially fall victim to such an attack. A phishing simulation is a tool to send fake emails to staff with an attachment or link to determine how many staff would click on the attachment or link. As most ransomware attacks are the result of phishing emails, this type of testing, combined with an effective cybersecurity awareness programme, can be quite effective in conditioning staff not to trust all emails and to be cautious when dealing with emails.

You should aim to have the click-through rate of staff responding to the phishing simulations to be consistently below 15%, which is considered the industry recognised norm.

Staff who consistently fail the phishing simulations should be given additional security awareness training and/or have additional technical controls and restrictions placed on their systems.

Improve visibility of security events

You should consider deploying a Security Information and Event Management (SIEM) solution to provide visibility into ongoing threats within your network. This SIEM solution could either be deployed internally, or if you do not have the required resources available, it could be outsourced to a Managed Security Service Provider that specialises in this area.

Implement an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) solution

A properly configured IDS/IPS solution can be a very effective platform to detect and manage threats on a network. You should initiate a project to ensure the IDS/IPS is fully and properly deployed and that it is regularly reviewed.

Intrusion Detection/Intrusion Prevention models can be:

Signature-Based: This is where patterns, or signatures, of known attacks are downloaded by the system. Network traffic is compared against these patterns to identify potential attacks. A disadvantage for signature-based detection is that it cannot detect new attacks because it only compares attacks against known signatures.

Anomaly-Based: Intrusion Software first needs to learn the “normal” behaviour of your network and the types of traffic and network packets it usually handles. Then, it can be put in to action when traffic is detected that is out of the normal state.

Rule-Based: Rule-based systems employ a set of rules or protocols defined as acceptable behaviour. The IDS analyses the behaviour of network traffic or application traffic and if it is deemed as normal behaviour it is allowed. If the traffic is outside the norm, then it is blocked.

Establish baseline network behaviour

You should ensure that you have full visibility of how your network traffic behaves under normal business conditions. This knowledge can then be used as a baseline to identify any unusual activity which should then be investigated to determine whether it is the result of a potential breach or an issue with the network.

Ensure User Access Control (UAC) is enabled on Windows

User Access Control is a security feature built in to Windows Vista, 7, 8 and 10 which helps prevent unauthorised changes to a computer. Changes can be initiated by applications, viruses or other users. When UAC is enabled, it makes sure these changes are made only with approval from the person using the computer or by an administrator.

Enable the operating system to show file extensions

Attackers can trick users into running a file infected with a computer virus by appending a hidden extension to a filename. For example, a user receives a file called “Not Ransomware.jpg” but the file has a hidden extension of .EXE, thus making the actual filename “Not Ransomeware.jpg.exe”. The user, thinking the file is a picture, opens the file, but because the file is an executable (.exe) file the ransomware hidden in the file is launched. You should change the operating system to show Hidden File Extensions.

Disable AutoPlay

Windows’ AutoPlay feature begins reading from media as soon as it is inserted into a device. You should disable it when plugging in external media to reduce the chances of an attack infecting your device from that source. AutoPlay can also be disabled via Group Policy.

Implement User Behavioural Analytic (UBA) systems

In line with the Network Baselining recommendation, you should implement a User Behavioural Analytic (UBA) system to identify any unusual or suspicious user activity on the network. Many ransomware infections can be quickly identified by the high rate of file system access to network shares as the ransomware encrypts the targeted files. UAB technologies could detect such activity and enable you to proactively react to a ransomware infection.

Implement ad blocking software at the network perimeter

Ransomware can be deployed via compromised adverts displayed on websites. This can result in a computer becoming infected with ransomware simply by visiting a website that is displaying the malicious advert.

To reduce the attack surface from this vector, you should consider implementing blocking software on your network’s firewall to prevent infections via infected advertising on websites.

Implement threat intelligence

You should subscribe to reliable threat intelligence services which would provide you with Indicators of Compromise (IoCs) and other data which could be used to identify malware threats within your network. These will regularly update you with details of malicious and suspicious URLs, domains, and IP addresses on the internet, to which you can then block access from your network.

Although several of these threat intelligence services are commercial and require a subscription, there are open source options available such as the Malware Information Sharing Project (MISP). This is a free threat sharing platform which enables organisations to share information on security incidents to help other organisations better protect themselves.

Ensure appropriate training for technical staff

You should develop a technical training programme to ensure that technical staff have the relevant training to enable them to confidently manage the various security platforms installed in your environment.

Deploy honeypots

You should deploy honeypots on your network to help you proactively detect an intrusion on your network, including intrusions relating to ransomware. A honeypot system is a decoy set up to look like a live system; any activity on it could be a strong indicator that the network is compromised.

Honeypots can be an effective tool if used correctly, however caution is advised when working with honeypots to ensure they do not adversely impact your environment or be compromised by attackers to attack other systems within your network, or indeed systems external to your organisation. ENISA has a very good paper on how best to deploy honeypots.

Implement appropriate rights/permissions for users

You should create and maintain users’ rights and permission sets within their network operating system. Users should only be issued the rights/permissions required for their job role. If they change role within the organisation, then their rights/permissions need to change accordingly.

Monitor Domain Name System (DNS) logs for unusual activity

The DNS servers have logs which contain records of all the domains and networks accessed by devices on your network. Regular monitoring of the DNS server logs could identify traffic being relayed to or from unusual hosts which may not be associated with normal business activity. This unusual traffic could indicate a malware infection.

Review security of mobile devices

You should note that ransomware is migrating towards mobile devices such as smartphones and tablets, and it would be prudent for you to review the security of mobile devices to include:

• Ensuring anti-malware software is installed, running, and regularly updated on mobile devices
• Software and operating system patches are applied in a timely manner
• Sensitive data is backed up from mobile devices.

Brian Honan, CEO and principal consultant at BH Consulting contributed to this article.