[BreachExchange] Painless Protection Against Ransomware Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 21 14:28:20 EDT 2017


http://www.technology.org/2017/07/20/painless-protection-against-ransomware-attacks/

Online criminals extort money from unsuspecting individuals by encrypting
data on their computers and demanding a fee to unlock it. What started as a
consumer problem is now affecting businesses and government agencies. There
is an increasing demand for measures to be in place to not only reduce the
damage caused by ransomware but also to block such attacks. As a result,
organizations and government entities are assiduously working to stem the
tide.

Security experts say that attempting to recover data encrypted by
ransomware is an exercise in futility that yields little or no result.
Without access to the decryption keys or a backup copy of the data,
recovering your files is almost impossible. Therefore, the best way to
protect your data is to prevent such attacks.

As the name implies, the aim of these attacks is extortion. The easiest way
to retrieve your data is to pay the required ransom. Apart from this, there
are other available measures you can use.

Authenticate all inbound emails

Individuals and organizations rely on email as their official means of
communication. The benefits of email cannot be over-emphasized, but email
is now also used to distribute ransomware. Attackers carefully craft
phishing emails in the name of someone the victim knows. These emails carry
malicious attachments; when the unsuspecting victim opens one, the
ransomware is downloaded onto their system.

One way to protect your data from such attacks is to validate the origin of
such emails before downloading the attachments or forwarding them to the
recipient.

We observe a laissez-faire attitude among corporations regarding inbound
email authentication. The few that implement it have weak policies. It is
not enough to quarantine emails or send them to the junk folder when they
fail the authentication tests.

Organizations can implement sender identity technologies to protect
themselves against business email compromise and the other threats such
emails pose. These technologies validate the sending server's IP address
and the domain the email claims to come from. Examples of such technologies
include Domain-based Message Authentication, Reporting and Conformance
(DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail
(DKIM).
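The two points above, that inbound authentication is often configured weakly and that SPF/DKIM/DMARC tie a message to its claimed domain, can be made concrete with a small check. The following Python is an added example, not code from the article or from any of the products it alludes to. It parses a domain's SPF and DMARC TXT records, lists the settings that still let failing mail reach users (p=none, p=quarantine, pct below 100, no rua= reporting address, an SPF record that does not end in -all), and applies the published DMARC policy to the verdicts in an Authentication-Results header. The records, the header and the example.com / example.net / example.org domains are constructed for the example; in production the records would come from DNS and the header from the receiving mail server.

```python
"""Check a domain's published sender-authentication posture (SPF and DMARC
TXT records) and apply the DMARC policy to an inbound message's
Authentication-Results header. Records and headers below are constructed
for this example; in production they come from DNS and the receiving MTA.
"""
import re


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def spf_all_qualifier(txt: str):
    """Return the qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass, or None when the record has no 'all' term at all."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def posture_findings(dmarc: dict, spf_qualifier) -> list:
    """Settings that still let failing mail reach users; an empty list is the goal."""
    findings = []
    policy = dmarc.get("p", "none").lower()   # p= is mandatory, treat a missing one as none
    if policy == "none":
        findings.append("DMARC p=none: failing mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: failing mail lands in the junk folder but can still be opened")
    pct = int(dmarc.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports are not being collected")
    if spf_qualifier != "-":
        findings.append(f"SPF 'all' qualifier is {spf_qualifier!r}, not '-': unlisted senders are not hard-failed")
    return findings


def auth_results(header: str) -> dict:
    """Extract the spf=, dkim= and dmarc= verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


def disposition(dmarc: dict, header: str) -> str:
    """Apply the sender domain's published DMARC policy to the message verdict."""
    if auth_results(header).get("dmarc") == "pass":
        return "accept"
    return {"reject": "reject", "quarantine": "quarantine"}.get(
        dmarc.get("p", "none").lower(), "accept")


# ---- constructed records for the reserved domain example.com ----
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
# a constructed header for a message that failed all three checks
FAILING_HEADER = ("mx.example.org; spf=softfail smtp.mailfrom=example.com; "
                  "dkim=none; dmarc=fail (p=reject) header.from=example.com")

if __name__ == "__main__":
    for label, d, s in (("strong", STRONG_DMARC, STRONG_SPF), ("weak", WEAK_DMARC, WEAK_SPF)):
        print(label, posture_findings(parse_dmarc(d), spf_all_qualifier(s)) or ["ok"])
    print("failing message under p=reject ->", disposition(parse_dmarc(STRONG_DMARC), FAILING_HEADER))
```

Running it prints no findings for the strong records, four for the weak ones, and shows that the same failing message is rejected outright under p=reject but delivered under p=none, which is the gap the article is pointing at.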

Take care of your email servers

Authenticating the origin of emails is a step in the right direction.
However, you must not stop there. Attackers can still use legitimate but
compromised email servers to send ransomware and other malware. In
addition to inbound email authentication, you should protect your email
servers by scanning all incoming, outgoing and stored emails. Scanning
catches threats that slipped past your other defenses and entered your
network through internal emails or compromised systems. Many tools are
available for this.

Use ad blocking

Another way for attackers to penetrate your systems is through
malvertising. To deliver rogue ads, attackers use victims' browsing habits,
location, device features and demographic information. Such tailor-made
attacks are more dangerous and yield more results than random mass attacks
because the attackers target victims who can pay up when they fall prey.

To mitigate the risk of such attacks, you should block ads from being
delivered on user systems or deny users access to certain websites. If you
want to give your employees unrestricted access to the Internet, you should
implement a separate network for this.

Monitor file activity

The danger of many ransomware families is their ability to move through
your environment. When an individual computer is attacked, the rest of the
organization is not safe, as the malware can spread further. This is
because many ransomware tools encrypt not only the hard drive of the
infected system but also any files on shares it can reach.

Ransomware is known to rapidly overwrite many files on your network, so
you should monitor file activity. Constantly monitoring access to files
reveals distinctive, observable patterns that can be used to detect
ransomware. If it is detected early, organizations can contain the damage
by placing the infected machine in quarantine and ensuring it does not
connect to other file servers.
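The pattern the paragraph describes, one process rewriting many files in a short time, is easy to turn into a detection rule. The following Python is an added example, not code from the article or from any monitoring product. It replays a list of file-write events (timestamp, process name, path, bytes written) through a per-process sliding window and raises an alert when a process writes high-entropy content to more than a threshold number of distinct files within the window; the entropy check keeps a user saving a few documents from counting, and the distinct-file threshold keeps a backup job writing one large archive from counting. The events, process names (including constructed_encryptor.exe) and paths are constructed for the example; in production the events would come from an EDR agent, Sysmon, auditd or a file-server audit log, and the alert would drive the quarantine step the article recommends.

```python
"""Sliding-window detector for ransomware-like file activity.

Replays file-write events (timestamp, process, path, bytes written) and
alerts when a single process overwrites more than `threshold` distinct files
with high-entropy content inside `window` seconds. The events below are
constructed for this example; in production they would come from an EDR
agent, Sysmon, auditd or a file-server audit log.
"""
from collections import defaultdict, deque
import math


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted or compressed output sits near 8.0;
    ordinary documents usually stay well below 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_overwrite(events, window=10.0, threshold=20, entropy_min=7.0):
    """Return one alert per process that writes high-entropy content to more
    than `threshold` distinct files within any `window`-second span."""
    recent = defaultdict(deque)   # process -> deque of (ts, path) still inside the window
    alerts, alerted = [], set()
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < entropy_min:
            continue                       # looks like a normal document edit, ignore
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()                    # drop writes that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) > threshold and proc not in alerted:
            alerted.add(proc)              # one alert per process is enough to act on
            alerts.append({"process": proc, "first_seen": q[0][0], "time": ts,
                           "files_in_window": len(distinct)})
    return alerts


# ---- constructed sample events: (timestamp, process, path, bytes written) ----
HIGH_ENTROPY = bytes(range(256)) * 16      # entropy exactly 8.0, stands in for ciphertext
DOC_TEXT = b"Quarterly figures attached, see sheet 2 for the breakdown.\n" * 64

SAMPLE_EVENTS = [
    # a user editing three documents over a minute: low entropy, few files
    (0.0, "winword.exe", r"\\files\share\report.docx", DOC_TEXT),
    (30.0, "winword.exe", r"\\files\share\budget.docx", DOC_TEXT),
    (60.0, "winword.exe", r"\\files\share\notes.docx", DOC_TEXT),
    # a backup job writing one compressed archive: high entropy, but a single file
    (80.0, "backup.exe", r"\\files\backups\share.zip", HIGH_ENTROPY),
]
# a constructed rogue process overwriting 40 files in four seconds with ciphertext
SAMPLE_EVENTS += [
    (100.0 + i * 0.1, "constructed_encryptor.exe", rf"\\files\share\doc{i}.docx", HIGH_ENTROPY)
    for i in range(40)
]

if __name__ == "__main__":
    for alert in detect_mass_overwrite(SAMPLE_EVENTS):
        print(f"ALERT {alert['process']}: {alert['files_in_window']} files rewritten "
              f"between t={alert['first_seen']} and t={alert['time']}")
```

With the constructed events only the rogue process trips the rule, and it does so on its 21st file, about two seconds into the burst; tune `window` and `threshold` to the normal write rate of your own file servers, since a single fixed pair will not fit every environment.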

Be ready for an attack

What happens if you neither backup your files nor have preventive measures
in place before the attack? The extortionists are aware that at this point
you are desperately in need of the data and they take advantage of your
despair to milk you dry.

You have to pay the ransom within the specified deadline. If you fail to
pay up at the expiration of such deadlines, hackers threaten to delete the
decryption key.

Through careful research and experience, cyber criminals know what
organizations can afford. The time limit they set is deliberately too short
for victims to unlock the data or restore it from backups and so avoid
paying the ransom.

It is therefore important to always be prepared for a ransomware attack.
Take inventory of all your critical data, know where it is stored and
evaluate the impact of its loss. Create your own ransomware response plan.

When you are ready for an attack, it is easier to deal with those merciless
attackers, instead of being taken unawares.