With Ransomware attacks becoming increasingly frequent, we thought of putting together a list of technologies that can help organizations protect themselves against ransomware attacks. Please note that even though this blog discusses technology measures, this does NOT mean people & process are secondary. There’s no single technology that can protect against ransomware, and for effective defense a combination of technologies along with right processes and skilled security professionals is a must.
Some of the well known RansomWare are CryptoLocker, Cyrptowall, Teslacrypt, Torrentlocker and CTB locker. Frequently attackers release new variants of Ransomware by tweaking and subtly changing lines of codes in most popular ones to avoid detection. According to various research works, India ranks 3rd in the Asia and 9th worldwide among the countries affected by Malware attacks. The most affected being Banking and Pharmaceuticals sectors. A research team at Malwarebytes has identified LeChiffre, whose name means "encryption" in French, which caused millions of dollars of damages after infecting several banks and pharmaceuticals company. According to The Economic times, some companies have paid ransoms in millions of dollars after such attacks.
Here’s the Technology Stack for Ransomware Protection:
Technologies for Ransomware Prevention
Security Awareness & Training – One of the most effective ways to secure any organization. Continuous security training & simulations can help reduce the risk significantly.
Vulnerability Assessment & Patch Management – Continuous VA & Patch Management is a very effective measure. Remember if people had patched their Windows after Microsoft released the patch for EternalBlue, they’d be protected against WannaCry.
Email Security Gateways – Email being one of the most common channels used to spread malware, requires a strong focus. Organizations can also consider dedicated email ATP technologies from major security vendors.
Web Security Gateways – Prevent drive by attacks and infections from visiting infected websites
Anti-Virus (AV) / Endpoint Protection Platforms (Next Gen AV if you like): Platforms based on machine learning will serve the purpose better than traditional ones. There are even dedicated Ant-Ransomware solutions out there.
Application Whitelisting – There are dedicated solutions out there for this, as well as AV solutions and OSes with this capability.
Port Control – Restrict USB access by using solutions like Group Policies
- Backup – A multitude of backup solutions exists, choose the one that suits your need so that you can quickly restore in case of an infection. Make sure that the backup is not infected. If taking cloud / network backup, do not map it as a network drive
- Network Sandboxing – Helps analyze malicious files / payloads if they bypass the perimeter controls or can augment perimeter security controls
- Network Segmentation / Micro-segmentation – A number of solution exists and infection in one segment will not spread to others if properly implemented
Ad-Blocker – you probably already have this, check out the browser store in case you don’t have this.
Browser / Application Virtualization – Will prevent machine infections from malicious websites as the Application (Browser) is running in a virtual instance
Technologies for Ransomware Detection – i.e. Before you Seen the Demand for Bitcoins
Endpoint Detection & Response – Detect infections which have evaded your AV and other security controls
Honeypots & Deception Tech – Strategically placed decoys or honeypots (files, devices etc.) across the IT infrastructure can help detect ransomware before it causes any significant damage
File Integrity / Activity Monitoring (FIM) – Monitoring file integrity on devices can generate early warning signals to act on
Threat Intelligence (TI) – TI feeds fed into SIEM, IPS/IDS, Perimeter Security and other solutions can help provide both prevention and early detection of threats
SIEM – The one solution to rule them all, enough said
HIPS / IPS / IDS with Exploit Kit Detection – Some may have FIM capabilities built in
UBA / NBA – Behavioral analytics at network / endpoint level can provide early signals of possible infections
And of course, a number of APT Security / ATP / ATA Solutions.
Here are some of the tips that you can put to use to prevent yourself from getting into such situations:
1. Back up your important data at regular intervals
This is the most logical preventive measure that your organization can adopt to thwart any such attacks. Make sure that your Backup solution is up and running as it should. Keep in mind that the back-up should be kept in a separate external drive. If you are using automated backup solution then make sure that your backup drives are connected only during the backup process and are disconnected from the network once the process is complete.
2. Develop robust vulnerability management and Patch management Program
Vulnerable applications, software's are some of the attack vectors for the attackers. Remember to keep your operating systems, browsers, plug-ins used by your browsers, java and other software's are up to date with the latest patches installed. The best way to accomplish this is by developing robust vulnerability management and patch management program, use of automated vulnerability detection tools and patch management solutions and making sure that the all the patches are installed in a timely manner can ensure you of better protection against such attacks
3. Fine tune your systems and security solutions to a more secure configuration
Fine tuning your security solutions and systems can give you a great deal of protection against RansomWare attacks. Tweak your anti-spam solution to filter out mails with executable attachments, tweak your IPS and firewall to block any malicious traffic, disable remote access services on systems if not required, deactivate auto-play for devices, disable unused network adapters (Wi-Fi, Bluetooth etc.), Do not map network drives & cloud storage folders to your local system only if not necessary, configuresystems to show hidden file extensions, block unauthorized USB access, uninstall application that you don't use etc.
4. Use a good Endpoint security solution to detect any malicious code
A good advance Anti-malware software can help you identify malicious code and possible malware attacks. keep your security software up-to-date with the latest version and malware database. It is also a good idea to run windows firewall or any other host firewall software on your system to detect any unauthorized attempt to connect to internet by any malicious code.
5. Educate your employees & colleagues
Educate your employees of the safe Internet browsing practices such as not to double click any suspicious links, not to run any suspicious program on their system and not to install any unverified browser plug-ins. Employees should also be educated about social engineered attacks, verifying mail attachments before downloading or opening it etc.