How To Prevent and Manage a Ransomware Attack
June 6, 2019
A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021 (Cybersecurity Ventures). Ransomware is constantly evolving and as long as adversaries can keep up with the latest defense tactics, the result is always the same. When infected by ransomware, users get a message informing them, “Your files have been encrypted”, followed by instructions on how to pay a ransom for the decryption key.
Ransomware is one of the most common vectors that hackers use since it’s a relatively low-cost method and organizations are likely to pay to decrypt their files to keep their business up and running. However, this may only serve to further embolden hackers and it should always be a last resort. Fewer than a third of organizations who pay the ransom receive all of their money back (Courant).
While ransomware can affect files and data on a local computer, if a privileged user with wide access to your organization’s data is targeted (for example, via a targeted phishing email), the results can be devastating.
How Do You Become Infected with Ransomware in the First Place?
There are a few methods that adversaries use to infect computers, such as:
- Fraudulent links in phishing emails and social media posts
- Drive-by downloads, in which users unknowingly visit a compromised website and ransomware is downloaded on their computers without their knowledge
- Exploiting security holes in unpatched software applications
Dealing with an Active Infection
- Disrupt any active infections by removing the infected machine from the network until it can be re-imaged or cleaned. Unplug the network cable or turn the machine off.
- You can pay the ransom. It sometimes works, but this isn’t recommended by Herjavec Group or any law enforcement. Decrypting large infections, especially on network volumes, may be slower than restoring from backups.
- Restore data from back-ups and re-image the infected computers. Re-image the computer from known-good images, to eliminate not only the ransomware but any other malware that may have been downloaded at the same time.
- In some cases, Windows will keep “volume shadow” copies of important files so a program like Shadow Explorer may be able to recover some data. However, some newer variants of ransomware, like Cryptowall0, encrypt the files in the volume shadows as well.
- If you suspect that the malware came via email, it may be useful to try to find the source email and delete it from all mailboxes to prevent reinfections.
- Have an Incident Response team on retainer so they can step in and take control during an active infection.
Preventing Further Ransomware Infections
It is entirely feasible to prevent an active infection at all stages. While many of these actions may keep most ransomware from successfully infecting computers, defense in depth is a best practice in cybersecurity, and organizations should implement as many defensive techniques as possible, such as:
- Deploy advanced web and email gateway protection.
- Use web content filtering appliances or firewall features to block categories such as adware, known bad domains (blacklists for C2 servers), and unknown/unclassified domains. There may be a minor business impact, so caution must be exercised, but generally, these are tolerable restrictions.
- Implement advanced endpoint protection that examines traffic for behaviors, rather than file-matching.
- Deploy a Microsoft Group Policy to restrict software’s ability to run from %appdata% and “temp” folders. Malware favours these locations because every user can write to them at predictable paths, and that permission cannot be removed without breaking system functions. However, there are few, if any, legitimate reasons for software to install to or run from these directories. If the malware can’t run, it can’t do any harm.
- Restrict web browsing and email use by privileged users such as administrators. Have separate accounts for administration and day-to-day computing.
- Minimize the permissions to network file shares. Give the ability to write/modify files only to the users that require it, and only to the necessary locations.
- Implement a policy that no corporate information should be stored on local hard drives, USB drives, or other local storage. Files stored on the network are normally backed up and can be restored with minimal disruption to the business.
- Educate the people using your computers on how to recognize spam and phishing emails.
- Prepare for the worst, and have an Incident Response plan ready. If your organization doesn’t have one currently, we suggest using this 10 Point IR Plan and modifying it to fit your organization’s needs.
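The Group Policy item above, as an added example that is not part of the original post: a PowerShell script that builds an AppLocker executable policy denying launches from the per-user AppData tree (which contains both %APPDATA% and %TEMP%) and from the Windows Temp folder, tests it against a copied binary, and applies it in audit mode so that would-be blocks are logged before enforcement is turned on. It assumes Windows 10 or Server 2016 or later with the Application Identity service available; the rule GUIDs and file names are constructed for the example.

```powershell
# Added example, not Herjavec Group's own tooling. Assumes Windows 10 / Server 2016+.
# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Once a collection has any rule, AppLocker becomes allow-list based,
         so trusted locations must be allowed explicitly or nothing runs. -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow Windows"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- Deny rules take precedence over allow rules. Users\*\AppData\* covers
         both %APPDATA% (Roaming) and %TEMP% (Local\Temp). -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Deny user AppData"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Deny Windows Temp"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:ProgramData 'appdata-deny-policy.xml'   # constructed name
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: copy a known binary into %APPDATA% and ask AppLocker what it would decide.
$probe = Join-Path $env:APPDATA 'probe-notepad.exe'                  # constructed name
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule   # expect Denied for the AppData copy
Remove-Item $probe

# Apply locally in audit mode (-Merge keeps existing rules). In a domain, import the
# same XML into a GPO under Security Settings > Application Control Policies.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Event 8003 = "would have been blocked" while auditing. Review these for legitimate
# software before changing EnforcementMode to "Enabled".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```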
Connect with us to discuss ransomware protection and book a service briefing with Herjavec Group.