Solution to Prevent and Protect from Ransomware Attacks
There are many ways to prevent ransomware attacks, spanning systems, software, processes, and training. Yet despite the proliferation of ransomware attack solutions, the battle rages on, fuelled by the financial success of the attackers.
Even the most well-executed ransomware attack solution can be overwhelmed, whether by highly sophisticated, large-scale campaigns or by less technical criminals who rent one of the many ransomware-as-a-service offerings available on the dark web.
When crafting a ransomware attack solution for prevention and protection, it is important to understand the threats. Knowing the mechanics of the threats helps ensure that the right ransomware attack solutions are implemented.
How to Stop Ransomware Attacks?
- Educate employees
It is well documented that employees can be one of the most exploited vulnerabilities in an organization. Cybersecurity education turns employees from liabilities into assets, by raising their awareness of threats and vulnerabilities, helping them to avoid potential traps like phishing and social engineering, and encouraging them to become active participants in cyber defense.
- Isolate backup data and recovery systems
At least one copy of every backup, together with the recovery systems needed to restore from it, should be completely isolated from the production network: offline, air-gapped, or stored as immutable snapshots, so that an attacker holding a compromised domain or administrator account cannot encrypt or delete it. Everything required for a full resumption of operations should be ready to go with the flip of a switch. That being said, every restored system should be scanned before it is brought back online to ensure that it was not compromised and that the backup itself does not carry the infection.
- Leverage outside experts
Internal security assessments, testing, and preparation can only go so far. To avoid blind spots, take advantage of outside experts who can evaluate and test existing systems and processes for vulnerabilities and identify areas for optimization. They can also assess recovery plans to ensure that nothing is missing.
- Map the entire potential attack surface
The only way to effectively deploy a ransomware attack solution is to know what is being defended. The first step is to identify and prioritize systems, devices, and services based on their importance to the organization—based on their day-to-day use and overall value.
The objective is to identify vulnerable and mission-critical targets that require the most attention, as well as those that are not a top priority but could be an easy entry point for launching a potential cyberattack. This process also helps create an all-encompassing recovery plan.
- Patch and upgrade all software on a regular basis
Software vulnerabilities are a common point of entry for cybercriminals. Any ransomware attack solution plan should have patches and upgrades at its core. Creating processes for regular maintenance and speedy application of patches is a key part of this.
- Pay attention to ransomware events
Forewarned is forearmed. To refine ransomware attack solutions, stay on top of the threat ecosystem with subscriptions to threat intelligence and related ransomware news. Knowing what ransomware attacks are happening can help direct security optimizations to ensure optimal defenses.
- Review and practice recovery plans
Plans for recovery should be part of any ransomware attack solution. However, just writing out plans and having backup data and systems is not enough.
Teams need to rehearse recovery, both in tabletop exercises that walk through the plan step by step and in hands-on restore drills that actually bring systems back from backup, to ensure that any issues are remedied and missing resources are procured prior to an incident.
It also ensures that chains of command are in place and that all individuals and teams understand their responsibilities.
- Secure extended network
Too often, network security focuses on the core. Because of this, extended networks (e.g., cloud, OT, branch offices) are left vulnerable. To prevent security gaps, core network security should be replicated across the extended network.
This should include hardening connections with other organizations, such as customers, supply-chain partners, and vendors, and ensuring that filtering is in place.
- Segment networks
Network segmentation is a top ransomware attack solution because it limits the blast radius: a compromised system, and the ransomware running on it, can only reach the segment it sits in rather than the whole network.
This also allows certain segments to have enhanced security to isolate sensitive information, such as intellectual property and the personally identifiable information (PII) of employees and customers. In addition, critical services (e.g., communications, emergency services, operational technology, or OT) should be on a separate, segregated network.
- Warn users about clicking links in email or opening attachments
All users should be cautious with email, especially opening attachments or clicking links. Obviously, unsolicited emails should be a red flag, but emails from known senders should also be opened with caution.
Addresses can be spoofed, making an email appear to be coming from a legitimate sender when it originated from a cybercriminal and carries a malicious payload.
How Does a Ransomware Attack Work?
Ransomware can be deployed by an individual, by a group, or through ransomware-as-a-service (RaaS). The latter is, arguably, the bigger threat. Following the lead of legitimate industry, cybercriminals offer ransomware-as-a-service, which has significantly increased the scale and reach of ransomware. A RaaS offering is essentially a ransomware kit that bundles the tools to attack, message the victim, and collect the ransom, so that affiliates with little technical skill can run campaigns.
There are a number of vectors ransomware can take to access a computer. Each involves delivering a malicious payload to a system and attempting to expand from the initial point of entry to other systems using networks. The following examples of this provide insights into where to target a ransomware attack solution.
- Email phishing
A ransomware attack commonly begins with an email. In this case, the malware is delivered through a phishing message. Manipulated to appear like they come from a known sender, phishing emails trick users into clicking a malicious link or opening an infected attachment.
Since the message appears to come from a legitimate source, users’ guards are let down, and they unwittingly trigger a ransomware attack.
- Remote desktop protocol (RDP)
Remote desktop protocol (RDP) exposed to the internet is another common entry point. Cybercriminals use scanners to find hosts listening on RDP’s default port, TCP 3389, and treat each exposed service as a gateway into the network.
They then brute-force or password-spray the logon, or reuse credentials stolen elsewhere, until they hold an account (ideally an administrator) that lets them log in and move to other systems.
- Drive-by downloads
With drive-by downloads, unsuspecting web surfers are hit with ransomware or other malware simply by being on the wrong web page at the wrong time. Ransomware is automatically downloaded from a site without the user’s knowledge or consent.
Sometimes, this involves spoofing to make someone think a site is something that it is not. Other times, legitimate sites are compromised without the owner’s knowledge and used to serve ransomware and other malware to visitors.
Once deployed, ransomware usually adds an extension to the encrypted files, such as:
- .aaa
- .micro
- .encrypted
- .ttt
- .xyz
- .zzz
- .locky
- .crypt
- .cryptolocker
- .vault
- .petya
These extensions show that the files have been encrypted and can hint at the family involved, since many strains use a characteristic extension. They are not reliable signatures, however: some families use random or victim-specific extensions, and others leave file names unchanged, so an extension should be treated as one indicator among several rather than as proof of a particular strain.
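As an added example (not code from this page or from Egnyte), the following Python scanner applies both ideas from the passage above: it flags files carrying one of the listed extensions, and, because encrypted content looks random, it also flags files whose first bytes have near-maximal Shannon entropy, which catches strains that use an unfamiliar extension. The threshold values, the list of compressed formats excluded from the entropy check, and the sample directory it builds are assumptions made for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions the article lists. Assumption for this example: a match is a
# useful but not conclusive indicator, since many families use random or
# per-victim extensions.
KNOWN_RANSOMWARE_EXTENSIONS = {
    ".aaa", ".micro", ".encrypted", ".ttt", ".xyz", ".zzz",
    ".locky", ".crypt", ".cryptolocker", ".vault", ".petya",
}
# Formats that are compressed or encrypted by design look random too; the
# entropy test skips them to cut false positives (list is an assumption).
HIGH_ENTROPY_BY_DESIGN = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0
MIN_SAMPLE = 1024         # very short samples give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path, sample_size: int = 4096) -> dict:
    """Indicator flags for one file, based on its name and its first bytes."""
    with path.open("rb") as f:
        head = f.read(sample_size)
    ext = path.suffix.lower()
    entropy = shannon_entropy(head)
    return {
        "path": str(path),
        "known_extension": ext in KNOWN_RANSOMWARE_EXTENSIONS,
        "entropy": round(entropy, 2),
        "high_entropy": (
            len(head) >= MIN_SAMPLE
            and ext not in HIGH_ENTROPY_BY_DESIGN
            and entropy >= ENTROPY_THRESHOLD
        ),
    }


def scan_tree(root: Path) -> list:
    """Walk `root` and return the files that trip either indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            info = classify_file(Path(dirpath) / name)
            if info["known_extension"] or info["high_entropy"]:
                findings.append(info)
    return findings


def build_demo_tree() -> Path:
    """Constructed sample data (not from a real incident) for a local run."""
    root = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    # Typical victim file: original name kept, ".locky" appended, content now random.
    (root / "report.docx.locky").write_bytes(os.urandom(8192))
    # Encrypted content behind an unfamiliar extension: only the entropy test catches it.
    (root / "budget.xlsx.q1x2").write_bytes(os.urandom(8192))
    # Ordinary text: low entropy, benign extension.
    (root / "notes.txt").write_bytes(b"Quarterly planning notes.\n" * 200)
    # Compressed image: random-looking bytes, but excluded by its extension.
    (root / "photo.jpg").write_bytes(os.urandom(8192))
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_demo_tree()):
        print(hit)
```

Run it against a share you suspect has been touched; the entropy test is what makes the difference, since the extension list is only ever a partial picture of what is in circulation.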
Since it is nearly impossible to unlock encrypted files without the cryptographic key, cybercriminals have leverage and make their demands. Usually, a message appears on the locked screen asking for ransom.
Depending on the attacker, this could be a demand for payment, most commonly in cryptocurrency, or, in the case of hacktivists, a demand for a specific action.
Steps in a Typical Ransomware Attack
Step One in a Ransomware Attack
To get started, ransomware must gain access to a system. As noted above, there are a variety of attack vectors ranging from brute-force attacks to socially engineered infiltrations.
In some cases, the ransomware implants itself in a system but does not activate until later, lying in wait until the cybercriminals judge the moment most opportune for an attack.
Step Two in a Ransomware Attack
Once the payload is executed, whether by a user opening it or by an exploit, it infects the system with ransomware. Once activated, it identifies the local drives and any mapped network shares on the infected system and begins to encrypt the files.
The ransomware also attempts to replicate and attack other systems through any available networks. Without an effective ransomware attack solution, the malware quickly spreads across networks, wreaking havoc on organizations and disrupting operations.
Ransomware can also gain access to email contacts, allowing it to spread exponentially outside of the target’s organization. In these cases, ransomware, like other malware, can have a global impact.
Step Three in a Ransomware Attack
After encrypting the files, the ransomware creates a file or pop-up that details what has happened, ransom demands, and what will happen if the ransom is not paid in a certain amount of time.
At this point, the encrypted files are inaccessible to the user, and some strains lock the screen or the whole system as well. Often ransom and threats are escalated incrementally to encourage timely payment.
Step Four in a Ransomware Attack
In most cases, the perpetrators promise to provide the cryptographic key when the ransom is paid. However, in some cases, payment only leads to more threats and demands, which is why experts caution against paying the ransom.
In addition, there is no guarantee that the cybercriminals have not retained copies of data to be used for sale on the dark web or for further extortion. It is also commonplace for secondary attacks on IT infrastructure to take place after an initial ransomware attack.
Best Solutions to Put in Place to Stop Ransomware Attacks
New ransomware versions and strains continue to proliferate. To defend against these, ransomware attack solutions must be maintained and carefully managed. Ransomware attack solutions include software, hardware, and policies that should be used in conjunction with overall security solutions.
- Antivirus and anti-malware
Install reputable anti-malware software to detect and deflect known threats. In the event that ransomware infects a system, the antivirus and anti-malware can contain it. Specialized anti-ransomware software has built-in capabilities to block an attack before the device is locked and the ransomware spreads.
- Backup and file management
Backup and file management are the dynamic duo of ransomware attack solutions. In the event of an attack, these can be used to restore systems and recover data quickly. This is critical since even if the ransom is paid, there is no guarantee that the files will be fully restored.
Also, robust backup and data management systems, with file versioning and access logs, help identify what was changed, when, and by which account, which feeds root-cause analysis during ransomware recovery.
- Employee training
A low-tech ransomware attack solution, employee training punches far above its weight. Since employees are perhaps the most popular attack vector, increasing employees’ cybersecurity awareness helps them avoid mistakes that facilitate a ransomware attack.
This includes teaching them how to detect and avoid phishing, malicious links on websites, and social engineering. In addition, training encourages employees to report suspicious emails or other activities that could be an early sign of an attack.
- Multi-factor authentication
This powerful ransomware attack solution uses multiple layers of verification to thwart unauthorized access. With multi-factor authentication, users are required to provide two or more independent pieces of information (e.g., password, biometrics, one-time authorization code delivered to a smartphone or hardware token) to authenticate their identity when they attempt to log in or access data.
- Principle of least privilege
The principle of least privilege is an example of how processes can be used as a ransomware attack solution. This approach limits access to information and systems to those who need it for their role. Often, access is granted for a limited time period rather than being ongoing. This is commonly referred to as restricting organizational information based on a user’s “business need to know.”
- Ransomware detection
Early detection is critical for mitigating the damage that a ransomware attack can cause. Detection software plays a key role in a ransomware attack solution, alerting IT and security teams that an attack is underway. This helps them to quickly respond to stop it and commence restoration processes rapidly, which minimizes ransomware’s impact on the organization.
- Software updates and patch management
All software should be kept up to date and patches installed when they are made available. This ransomware attack solution applies to firmware, operating systems, and all application software.
- Strong passwords
Using strong passwords is a proven ransomware attack solution. A strong password is long (a passphrase of several unrelated words is both stronger and easier to remember than a short jumble of symbols), unique to each account, and free of personal information; a password manager makes this practical. Strong passwords do not stop credentials that are phished or stolen elsewhere, which is why they should be paired with multi-factor authentication.
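The two detections that matter most for this page are the RDP brute force described under “How Does a Ransomware Attack Work?” and the mass file modification that the “Ransomware detection” item above calls for. As an added example (not code from this page or from Egnyte), the Python below implements one sliding-window threshold detector and runs it over two constructed event streams: failed RDP logons keyed by source address, and renames that append a suffix to a file keyed by process. The log line formats, thresholds, IP addresses and paths are all assumptions made for the demonstration; map the regexes onto what your RDP gateway, EDR or file-audit source actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log line formats are invented for this example, not any product's real format.
RDP_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
FILE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def windowed_alerts(events, window, threshold):
    """events: iterable of (timestamp, actor). Returns the actors that produced
    at least `threshold` events inside any span no longer than `window`."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, actor in sorted(events):
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(actor)
    return alerts


def detect_rdp_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Source addresses with >= threshold failed RDP logons within `window`."""
    failures = []
    for line in lines:
        m = RDP_RE.match(line)
        if m and m["result"] == "FAIL":
            failures.append((datetime.fromisoformat(m["ts"]), m["src"]))
    return windowed_alerts(failures, window, threshold)


def detect_mass_rename(lines, window=timedelta(seconds=10), threshold=20):
    """Processes that append a new suffix to >= threshold files within `window`:
    the "extension added to every encrypted file" behaviour described above."""
    renames = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m or m["op"] != "RENAME" or not m["new"]:
            continue
        # Only count renames that keep the old name and add to it (doc.docx -> doc.docx.locky);
        # an editor swapping a temp file into place does not match.
        if m["new"] != m["path"] and m["new"].startswith(m["path"]):
            renames.append((datetime.fromisoformat(m["ts"]), f"{m['pid']}:{m['image']}"))
    return windowed_alerts(renames, window, threshold)


def sample_rdp_log():
    """Constructed: 12 failures from one address in 44 s, one stray failure elsewhere."""
    base = datetime(2022, 8, 3, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=4 * i)).isoformat()} src=203.0.113.7 user=Administrator result=FAIL"
             for i in range(12)]
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} src=198.51.100.2 user=alice result=FAIL")
    lines.append(f"{(base + timedelta(seconds=35)).isoformat()} src=198.51.100.2 user=alice result=OK")
    return lines


def sample_file_log():
    """Constructed: a binary in a temp directory renames 25 files in 4.8 s; Word edits one file."""
    base = datetime(2022, 8, 3, 10, 5, 0)
    evil = "C:\\Users\\bob\\AppData\\Local\\Temp\\inv.exe"
    lines = [f"{(base + timedelta(milliseconds=200 * i)).isoformat()} pid=4120 image={evil} "
             f"op=RENAME path=C:\\Data\\doc{i}.docx new=C:\\Data\\doc{i}.docx.locky"
             for i in range(25)]
    lines.append(f"{base.isoformat()} pid=880 image=C:\\Office\\winword.exe op=WRITE path=C:\\Data\\memo.docx")
    lines.append(f"{base.isoformat()} pid=880 image=C:\\Office\\winword.exe op=RENAME "
                 f"path=C:\\Data\\~tmp.docx new=C:\\Data\\memo.docx")
    return lines


if __name__ == "__main__":
    print("RDP brute force from:", detect_rdp_bruteforce(sample_rdp_log()))
    print("Mass rename by:", detect_mass_rename(sample_file_log()))
```

The same window function serves both cases; what changes is the key (source address versus process) and the filter applied before counting. Tune the thresholds against a few days of your own baseline before alerting on them, since backup agents and indexers also touch many files quickly.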
Ransomware Attack Solutions Bolster Defenses
Ransomware attack solutions should be used by all organizations in some capacity. Cybercriminals increasingly target not just large organizations, but smaller ones. This is because they expect the smaller organizations to have weaker defenses and more easily accessible vulnerabilities. In both cases, the expectation is that the targets will pay the ransom.
Despite the intensity of the threats, purpose-built ransomware attack solutions bolstered by powerful cloud backup and file management systems are reducing the risk and damage. By deploying ransomware attack solutions and effectively encouraging organization-wide engagement, most attacks can be prevented and the impact of the rest greatly reduced.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of users worldwide.
Last Updated: 3rd August, 2022