Ransomware Protection & Removal: How Businesses Can Best Defend Against Ransomware Attacks

by Nate Lord on Friday December 14, 2018


--Millennium Knight adds: We are running this article again, you should protect yourself today against the cyber pirates that will ask you for money tomorrow. You should NEVER pay to get your own data back from thieves. If you find yourself in this situation, it is your own bad business practices or IT support that caused it.

The following pieces of advice were collected from many security and computer support experts across the world. If you follow these steps, or have your IT support company do these for you, then you should never find yourself in the situation of considering whether to pay a criminal a ransom to get your data back.


What steps should businesses take for ransomware protection? 44 security experts weigh in.

Ransomware is on the rise as cybercriminals turn to increasingly sophisticated and harder-to-prevent ways of monetizing cyber attacks. For businesses that fall victim to a ransomware attack, the consequences can be devastating -- ransomware that lands on shared locations within a network can paralyze an organization's operations. Becoming savvier about preventing and defending against such attacks is therefore vital for every business -- not just major enterprises, but businesses of all sizes.

But ransomware is notoriously hard to prevent altogether, which leads many companies to believe that a reactive approach is the only option. Knowing how to fight back if your company is hit by ransomware is critical, but taking proactive steps to minimize the odds that your organization falls victim in the first place is equally necessary. Preventing an attack can save your business tens of thousands of dollars -- or perhaps millions -- in losses from interrupted operations, data loss, and other consequences. To gain some insight into how today's companies protect themselves from and defend against ransomware attacks, we reached out to a panel of 44 security pros and business leaders and asked them to answer this question:

"How can businesses best defend against ransomware attacks?"

So how can modern organizations fend off ransomware attacks, and if your business does fall victim, what should you do? Read on for our experts' advice on how businesses can best defend against ransomware.

"Not a week goes by now where we don’t see a barrage of ransomware related headlines..."

Where an organization, hospital, or business had to cough up a fairly large sum of money to decrypt files that fell victim to the incessant malware. Readers of these headlines will scratch their heads in puzzlement as to why anyone would even pay, until of course they're faced with this scenario themselves. The first question that always comes to mind is, "How could we have prevented this?" There are multiple steps that can be taken to defend the enterprise against this species of malware and, like anything in cybersecurity, a layered approach is always best.

1. Ensure antivirus is installed and up to date across all endpoints within the business. Keep in mind that AV is signature-based, so new variants can and will slip through the cracks, but it can easily serve as a first line of defense. Additionally, it’s best to have a multi-faceted security solution that employs additional protective technologies such as heuristics, firewalls, behavioral-based threat prevention, etc. Digital Guardian offers an ‘Advanced Threat Prevention’ module that contains a suite of protection rules against ransomware based on how it behaviorally interacts with the operating system.

2. Establish security awareness campaigns that stress the avoidance of clicking on links and attachments in email. I literally ask myself these questions when receiving an email message with a link or an attached file: 1) Do I know the sender? 2) Do I really need to open that file or go to that link? 3) Did I really order something from FedEx?? Phishing is a common entrance vector for ransomware and because most end users never think twice, it’s extremely successful.

3. Back up the data. There are a ton of options here, from backing up to cloud providers to local storage devices or even network attached drives, but each comes with a certain level of risk. It’s imperative to remove the external storage device once a backup has been taken so that if ransomware does infect the computer, it won’t be able to touch the backup.

4. GPO restrictions are an easy and affordable method for restricting not only ransomware, but malware in general, from installing. GPO has the ability to provide granular control over the execution of files on an endpoint, so add rules that block activity such as files executing from the ‘AppData’ directory, or even disable the ability for executables to run from attachments.

5. Patching commonly exploited third party software such as Java, Flash, and Adobe will undoubtedly prevent many of these types of attacks from even being successful in the first place.

6. Restrict administrative rights on endpoints. I know this is of course a highly political and even cultural request to make, however reducing privileges will reduce the attack surface significantly. End users shouldn’t be downloading and installing games anyway, right?

Ransomware has significantly evolved over the years since it was first introduced back in 1989 as the ‘PC Cyborg’ Trojan, when the user had to pay around $189 to repair their computer. Fast forward 20+ years and we’ve seen a myriad of different types of specimens leveraging varying techniques in an effort for the authors or distributors to get paid. With no clear end in sight, we will continue to see these types of attacks, so tightening up the security belt and locking down our PCs is the wisest thing we could do in order to protect what matters most on these devices: the DATA!

"If a business wishes to protect itself against ransomware, it needs to focus on..."

Both technological solutions and, more importantly, its people. One of the most important defenses against ransomware is to have a robust backup strategy in place that includes off-site storage and regular testing of images and other saved data to ensure their integrity.

Other technical solutions such as always showing hidden extensions (ransomware.jpg may actually be ransomware.jpg.exe), filtering out executable files from email servers, and disabling remote desktop connections are all effective in preventing this type of blackmailing code from ever gaining a foothold on a device or network.

But your people are where your main focus should reside. Staff are far from stupid, yet they remain the weakest link in any security system due to a lack of training and awareness.

By educating them about what ransomware is, how it can infect their machines, and what they can do to stop that from happening (by not opening email attachments, being extremely wary of links in emails, etc.) you will drastically improve the most important level of defense within your organization.

"There are several things companies should be doing to combat ransomware..."

1. The best defense against ransomware is to back up all of your data each day. In fact, my rule is to have three backup copies using two different formats with one off site.

2. While everyone has heard of blacklisting, a good defense against ransomware is the use of whitelisting software that only allows specified programs to be run on the company's computers and therefore blocks malware.

3. Install security software and maintain it with the latest security updates. While this will not protect against zero day exploits, many ransomware attacks use older versions for which there are security software defenses.

4. Limit the ability to install software to employees who need it, and limit each employee's data access to only the data they need.

5. Most ransomware is delivered by spear phishing. Often the spear phishing is facilitated by information gathered through social media. Have a social media policy in place that limits work-related information, such as job titles from being posted on social media. In addition, have an ongoing education program for all employees about how to recognize and avoid spear phishing.
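The backup advice above (three copies, two formats, one off site) and the earlier point about regularly testing saved data for integrity only pay off if the restore set can be trusted at restore time. The following is an added example, not code from the article or from any of the quoted experts: a Python manifest that records a SHA-256 per file when the backup is taken and later reports what went missing, what changed, and which changed files now look encrypted (near-random content). The directory layout, file names, entropy threshold and the simulated ransomware pass are constructed for the demonstration.

```python
"""Backup manifest: hash every file when the backup is taken, verify before restoring.

Added example; directory layout, file names and the simulated ransomware pass are constructed.
"""
import hashlib
import json
import math
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "manifest.sha256.json"
ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data sits near 8.0


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for one repeated byte, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def _data_files(root: Path):
    """Yield (relative posix path, Path) for every file except the manifest itself."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            yield path.relative_to(root).as_posix(), path


def build_manifest(backup_root: Path) -> Dict[str, str]:
    """Record relative path -> SHA-256 for every file and store it beside the data.

    In practice also copy the manifest somewhere the backup job cannot overwrite
    (the off-site copy); otherwise an attacker can rewrite data and manifest together.
    """
    manifest = {rel: sha256_file(path) for rel, path in _data_files(backup_root)}
    (backup_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_root: Path) -> Dict[str, List[str]]:
    """Classify every path against the manifest.

    missing    - listed but gone (deleted, or renamed to *.locked and the like)
    modified   - present but hash differs
    encrypted  - modified and near-random content, the usual ransomware rewrite
    unexpected - present but not listed (ransom notes, dropped binaries)
    """
    manifest = json.loads((backup_root / MANIFEST_NAME).read_text())
    report: Dict[str, List[str]] = {"missing": [], "modified": [], "encrypted": [], "unexpected": []}
    seen = set()
    for rel, path in _data_files(backup_root):
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(path) != manifest[rel]:
            report["modified"].append(rel)
            if shannon_entropy(path.read_bytes()[:1 << 20]) > ENTROPY_THRESHOLD:
                report["encrypted"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo(root: Path) -> Dict[str, List[str]]:
    """Constructed scenario: take a backup, then simulate a ransomware pass over it."""
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "q3-report.txt").write_text("Quarterly revenue figures and commentary.\n" * 50)
    (docs / "contracts.csv").write_text("id,customer,value\n1,ACME,1200\n2,Globex,980\n")
    (root / "notes.txt").write_text("backup taken; disconnect the drive afterwards\n")
    build_manifest(root)

    # Simulated ransomware: overwrite one file with high-entropy bytes (a deterministic
    # stand-in for ciphertext), rename another, and drop a ransom note.
    ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (docs / "q3-report.txt").write_bytes(ciphertext)
    (docs / "contracts.csv").rename(docs / "contracts.csv.locked")
    (root / "README_DECRYPT.txt").write_text("your files are encrypted\n")
    return verify_backup(root)


def run_demo_in_tempdir() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


if __name__ == "__main__":
    for category, paths in run_demo_in_tempdir().items():
        print(f"{category:10} {paths}")
```

The entropy check is what separates "someone edited a spreadsheet since the last backup" from "the backup drive was mounted while the ransomware ran": legitimate edits keep text-like byte distributions, ciphertext does not. A backup that reports anything under `encrypted` or an `unexpected` ransom note must not be restored as-is; go to the older, off-line copy instead.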

"In the recent years, we've seen a dramatic increase in the use of ransomware being delivered alongside..."

Phishing emails. They usually send an attachment such as URGENT ACCOUNT INFO with a file extension such as .PDF.rar, which slips by the unsuspecting victim and delivers the payload. This attack often encrypts the entire hard disk (some of the less damaging forms simply block your access to the computer but do not encrypt - such as this example), or the documents, and requires a bitcoin payment to unlock. Luckily, these groups actually do unlock the data, so that future victims are more likely to pay.

What can you do to minimize the chances of falling victim to these dirty schemes as an individual? Here are a few steps you can take:

DO NOT open emails in the spam folder or emails whose recipients you do not know.

DO NOT open attachments in emails of unknown origin.

Use a reputable antivirus software - we recommend Kaspersky, which ranked the highest in our tests.

Perform a regular backup to an external medium (external hard drive or the cloud).

After backing up, disconnect your drive. Current ransomware is known to encrypt your backup drive as well.

DO NOT pay the ransom. The reason why the criminals keep utilizing this form of blackmailing attacks is that people keep paying. To try to get your data back, consult a professional in your area.

What can your company do to prevent being victimized by these types of attacks?

Humans need to be trained -- they are the weakest link. Companies should employ at minimum a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks.

Employees should be tested by having an outside party conduct a social engineering test, like something from Rapid7 or LIFARS. These kinds of tests help keep the employee on their toes and more likely to avoid the attacks.

Since these attacks are on the rise, a number of new defenses have been developed. AppRiver is a great Spam and Virus email filter that can block a large number of phishing exploits before they even reach the internal servers.

"Ransomware has been through several evolutions so far and, as such, requires..."

Careful attention. While early ransomware simply encrypted the local hard drive and asked for money, its latest evolutions now encrypt network drives. They’re even leaking out the data to make the extortion case even stronger for those using simple restore solutions to overcome the encryption hurdle, by threatening to publish the company data publicly. Since email attachments are the most common way to deliver a ransomware attack inside an organization, you need to take the following important steps:

1. Filter both executable and password-protected files. Make sure your gateway mail scanner does not allow these files to go through without your inspection.

2. Filter macro-enabled files like .docm. Since macros are yet another way to execute code on the victim machine, block them!

3. Apply a patch management system, making sure that all desktop clients are fully patched. Cyber criminals are quick to exploit zero days, so stay ahead.

4. Don’t give employees admin privileges on their machines if they don’t need them.

5. Perform Data Leakage Prevention (DLP) and anomaly detection. Make sure no one is trying to leak data out of the company network. Pay close attention to suspicious outbound connections.

6. Backup. Always keep an up-to-date backup. If you get hit, make sure you don’t restore the malware together with the data!

7. Train employees to spot phishing emails. This is the main attack vehicle, so make sure your staff is well-trained.

8. Encourage and incentivize people to report back to you when they see suspicious emails. Act immediately. Automate the process. Some people will never learn, and those new to the company may not know the process. Make sure you leverage those who do know and can spot phishing to make up for those who don’t.
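The attachment rules above (filter executables, password-protected archives and macro-enabled files such as .docm), together with the double-extension trick the earlier experts describe (ransomware.jpg.exe, .PDF.rar), can be enforced at the mail gateway instead of being left to the recipient. The following is an added example, not code from the article or from any of the quoted experts: a Python attachment triage routine that judges an attachment by its full extension chain and by its bytes (PE header, RAR signature, the ZIP encryption flag, a VBA project inside an Office package). The extension lists, sample attachments and verdict format are assumptions constructed for the demonstration.

```python
"""Mail-gateway attachment triage: judge by the full extension chain and by content.

Added example; the extension lists, sample attachments and verdict format are assumptions.
"""
import io
import struct
import zipfile
from typing import Dict, List, Tuple

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "msi", "dll", "ps1", "lnk"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam", "sldm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "ace", "arj"}
# "Visible" extensions an attacker hides the real one behind (ransomware.jpg.exe).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001
ZIP_FLAG_DATA_DESCRIPTOR = 0x0008


def extension_chain(filename: str) -> List[str]:
    """All extensions after the first dot, lowercased: 'a.PDF.rar' -> ['pdf', 'rar']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk ZIP local file headers and test bit 0 (entry is encrypted) of the flags.

    Done by hand because zipfile needs a central directory, which a hostile or
    truncated archive may not carry.
    """
    offset = 0
    while data[offset:offset + 4] == ZIP_LOCAL_HEADER and len(data) - offset >= 30:
        (_sig, _ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<4sHHHHHIIIHH", data, offset)
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        if flags & ZIP_FLAG_DATA_DESCRIPTOR:
            break  # sizes live in a trailing descriptor; cannot skip safely
        offset += 30 + name_len + extra_len + csize
    return False


def zip_entry_names(data: bytes) -> List[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any reason holds the attachment for inspection."""
    reasons: List[str] = []
    exts = extension_chain(filename)
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in (EXECUTABLE_EXTS | ARCHIVE_EXTS | MACRO_EXTS):
        reasons.append(f"double extension .{exts[-2]}.{last}")
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled extension .{last}")
    # Content checks: the name is attacker-chosen, the bytes are what will run.
    if data.startswith(b"MZ"):
        reasons.append("content is a PE executable (MZ header)")
    if data.startswith(b"Rar!\x1a\x07"):
        reasons.append("RAR archive: cannot be inspected here, hold for manual review")
    if data.startswith(ZIP_LOCAL_HEADER):
        if zip_has_encrypted_entry(data):
            reasons.append("password-protected ZIP entry")
        names = zip_entry_names(data)
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document carries a VBA project (macros)")
        nested = [n for n in names if (extension_chain(n) or [""])[-1] in EXECUTABLE_EXTS]
        if nested:
            reasons.append(f"archive contains executables: {', '.join(nested)}")
    return (not reasons, reasons)


def make_office_zip(entries: List[str]) -> bytes:
    """Constructed stand-in for an OOXML file: a ZIP with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"<placeholder/>")
    return buf.getvalue()


def make_encrypted_zip(name: str = "payload.exe") -> bytes:
    """Constructed ZIP fragment: one local header with the encryption bit set."""
    encoded = name.encode()
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_HEADER, 20, ZIP_FLAG_ENCRYPTED,
                         0, 0, 0, 0, 0, 0, len(encoded), 0)
    return header + encoded


# Constructed sample attachments (names and bytes are made up for the demo).
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "invoice.pdf.exe": b"MZ\x90\x00" + bytes(60),
    "URGENT ACCOUNT INFO.PDF.rar": b"Rar!\x1a\x07\x00" + bytes(16),
    "report.docm": make_office_zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
    "quarterly.docx": make_office_zip(["[Content_Types].xml", "word/document.xml"]),
    "protected.zip": make_encrypted_zip(),
    "photo.jpg": b"MZ\x90\x00" + bytes(60),   # renamed executable; the extension hides it
    "agenda.txt": b"Monday: patch cycle\n",
}


def triage_all(samples: Dict[str, bytes] = SAMPLE_ATTACHMENTS) -> Dict[str, Tuple[bool, List[str]]]:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in triage_all().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {name:30} {'; '.join(why)}")
```

Two design points worth noting: the extension test looks at the whole chain rather than only the last suffix, because a hidden-extension client shows "invoice.pdf" for "invoice.pdf.exe"; and the content tests run even when the name looks harmless, so a renamed binary ("photo.jpg") is caught by its MZ header. Password-protected archives are held rather than scanned because the gateway cannot look inside them, which is exactly why attackers use them.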

"To defend against ransomware..."

There are some relatively straightforward and cost effective steps that all businesses can take. In addition, there are products and services that can provide additional mitigation.

As with all security issues, there is rarely a “silver bullet” or single step that will fully mitigate the problem. Multiple steps are needed to reasonably defend against ransomware. Some steps are designed to prevent ransomware to begin with, some will reduce the impact of ransomware, and some will allow recovery from ransomware. Below are quick-hit checklists for each category outlining appropriate steps.

Practice ‘Least Privilege.’ The Least Privilege concept says that any given account should have the least amount of privilege required to perform appropriate tasks. Common places where this concept can be applied, but often is not, include user permissions on endpoints and user permissions on network shares. All users, including IT admin personnel, should log in using a non-privileged account, and escalate privilege as needed using a secondary account. Most of the common tasks any user performs, such as browsing the internet, checking e-mail in Outlook, or editing a document do not require the ability to stop and start services or to edit registry keys – so remove those excess privileges. The key to this concept is that malicious software most often runs using the privilege level of the currently logged in user. If that user is an admin, so is the malicious software.

Configure white listing for plugins and add-ins for your browser. Instead of allowing Flash on every site, block it on every site and whitelist only the sites you trust. In addition, install ad-blocking software. Ransomware has been spread in the past using pop-ups and ads that could have been easily blocked. In a famous case in early 2015, CryptoLocker spread using infected ads for a well-known international brand. However, keep in mind that this step will fundamentally alter your web experience.

Ensure your antivirus is installed on endpoints, that all options are enabled, that antivirus is up to date, and that tamper protection is enabled. Tamper protection will prevent malicious software from turning off the antivirus application. Antivirus will help catch malicious software before it installs, or can help prevent its spread in the event it successfully installs.

User awareness training. Ensure all users are aware of threats and how to avoid them. For example, teaching end users how to identify phishy e-mail and not to click on links in e-mail without knowing they are from a trusted source is a critical step in preventing exposure to malicious software.

Enable Unified Threat Management on edge devices such as a firewall. This can offer intrusion detection and prevention, web-site filtering where you block access to known or suspected malicious content, and another layer of antivirus.

Recovering: Here, we review steps to recover from ransomware that do not involve finding a Bitcoin ATM and funding the development of more ransomware.

Least Privilege is here, again. This time, it is more to point out that nearly all recovery options rely on the least privilege concept in one way or another. If you were logged in as an admin, it may not be relevant that you created backups – the malicious software can likely alter your backups, as well.

Ensure that any OS options for automatically keeping previous versions of documents, such as Windows Shadow Copy, are enabled. This step will allow you to quickly restore the previous version of any impacted file. Note that most well-written ransomware applications will attempt to disable Shadow Copy, but only admins can actually disable it. If you are logged in as an admin, ransomware will successfully disable this and alter any previous versions you may have had.

Back up data daily to an external device using a dedicated backup account. Regardless of which type of backup you use, backing up to an external device or offsite will help protect backups from being altered.

In a worst case scenario, file recovery tools may be able to assist in recovering from ransomware provided they are used immediately. Ransomware often functions by encrypting your files. In the process, they typically create a new file and delete the old file. The way hard drives allocate new files and delete old files is primarily using a File Allocation Table, which can be thought of as similar to a table of contents. Deleting a file is similar to erasing the listing out of the table of contents, and creating a new file is similar to adding a new listing to the table of contents. This is obviously a vast oversimplification, but the point is that some of the unaltered data may still exist on the hard drive. Time, however, is of the essence, and this possibility will likely go away as ransomware becomes more sophisticated and begins encrypting slack space on the drive.
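The point above that well-written ransomware tries to disable Shadow Copy before it encrypts is also a detection opportunity: the commands used for that (vssadmin delete shadows, wmic shadowcopy delete, bcdedit ... recoveryenabled no, wbadmin delete catalog) are rarely typed by users and almost never launched from an Office application or a script host. The following is an added example, not code from the article or from any of the quoted experts: a Python detector that runs a small rule set over process-creation events and correlates hits per host, so that a burst of recovery-inhibition commands raises one incident. The log format and the events are constructed for the demonstration; real Sysmon or Windows 4688 records would need their own parser.

```python
"""Detect recovery-inhibition commands (shadow copy deletion and friends) in process logs.

Added example; the log format and events are constructed, not Sysmon or 4688 output.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    ts: str
    host: str
    user: str
    parent: str     # parent image name
    image: str      # process image name
    cmdline: str


# Constructed events: timestamp|host|user|parent image|image|command line
SAMPLE_LOG = """\
2018-12-14T09:02:11Z|WS-042|corp\\jsmith|outlook.exe|winword.exe|WINWORD.EXE /n C:\\Users\\jsmith\\AppData\\Local\\Temp\\Invoice_8821.docm
2018-12-14T09:02:19Z|WS-042|corp\\jsmith|winword.exe|cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2018-12-14T09:02:20Z|WS-042|corp\\jsmith|cmd.exe|wmic.exe|wmic shadowcopy delete
2018-12-14T09:02:21Z|WS-042|corp\\jsmith|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled No
2018-12-14T09:02:22Z|WS-042|corp\\jsmith|cmd.exe|wbadmin.exe|wbadmin delete catalog -quiet
2018-12-14T10:15:44Z|WS-017|corp\\mlee|explorer.exe|notepad.exe|notepad.exe C:\\Users\\mlee\\notes.txt
2018-12-14T22:00:03Z|FS-01|nt authority\\system|services.exe|vssadmin.exe|vssadmin create shadow /for=C:
2018-12-14T22:00:09Z|FS-01|corp\\svc-backup|backupagent.exe|vssadmin.exe|vssadmin list shadows
"""

# (rule name, pattern over the normalised command line)
RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow-storage-resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("shadow-copy-deletion-wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("shadow-copy-deletion-wmi", re.compile(r"win32_shadowcopy.*\.delete\(\)")),
    ("recovery-disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("boot-failures-ignored", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures")),
    ("backup-catalog-deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]
# Parents from which these commands are never legitimate administration.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_log(text: str) -> List[ProcEvent]:
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(ProcEvent(*line.split("|", 5)))   # command line is the last field
    return events


def normalize(cmdline: str) -> str:
    """Lowercase and collapse whitespace so spacing tricks do not dodge the patterns."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    alerts = []
    for ev in events:
        cmd = normalize(ev.cmdline)
        for rule, pattern in RULES:
            if pattern.search(cmd):
                severity = "critical" if ev.parent.lower() in SUSPICIOUS_PARENTS else "high"
                alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user, "parent": ev.parent,
                               "image": ev.image, "cmdline": ev.cmdline, "rule": rule, "severity": severity})
    return alerts


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts: List[Dict[str, str]], window_seconds: int = 300) -> List[Dict[str, object]]:
    """Raise one incident per host when two or more distinct rules fire within the window.

    A single vssadmin call may be a backup product tidying up; several different
    recovery-inhibition commands within seconds is the ransomware pre-encryption routine.
    """
    by_host: Dict[str, List[Dict[str, str]]] = {}
    for alert in alerts:
        by_host.setdefault(alert["host"], []).append(alert)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        rules = sorted({a["rule"] for a in items})
        span = (_parse_ts(items[-1]["ts"]) - _parse_ts(items[0]["ts"])).total_seconds()
        if len(rules) >= 2 and span <= window_seconds:
            incidents.append({"host": host, "user": items[0]["user"], "rules": rules,
                              "first_seen": items[0]["ts"], "last_seen": items[-1]["ts"]})
    return incidents


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['user']} {a['rule']}: {a['cmdline']}")
    for inc in correlate(found):
        print("INCIDENT", inc)
```

In the constructed log the file server's own "vssadmin create shadow" and "vssadmin list shadows" produce nothing, while the workstation where Word spawned cmd.exe produces four critical alerts and one incident. The detection fires before the encryption loop starts, which is the only moment at which isolating the host still saves the files; it does nothing for a victim logged in as admin who has already let the commands succeed, which is why least privilege sits first in the list above.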

Please go to in order to continue the article, as another 36 experts give their advice too.

Tom Dillon