The recent wave of global ransomware attacks hasn't completely ended yet. Not only are we witnessing more attacks on businesses, but the distribution methods and attack vectors are also getting more sophisticated. Kaspersky reports that a company is hit with ransomware every 40 seconds.
If your company had an infection in 2017, it was more likely to be ransomware than anything else. According to research from Malwarebytes, roughly 60% of malware payloads were ransomware, with the rest being a mix of ad fraud and other malware. It's never been more crucial to protect your company against such cyber threats.
7 preventive steps to keep ransomware at bay
- Protect all your endpoints with an effective antivirus program and ensure that it is regularly updated. It is also recommended to have a multi-layer security framework in place, including firewalls and behavior-based detection techniques.
- Always back up your data, either on an external device, in the cloud, or on network-attached drives. As a best practice, use a combination of more than one option.
- Block programs from executing out of the local app data and app data folders by creating specific rules. To let legitimate or known software run from these folders, add the appropriate exception rules.
- Update the operating system and software used across the organization with the latest patches, including the latest security updates.
- Limit users' administrative rights. Restricting user permissions and granting only the fewest privileges needed will decrease the attack surface significantly.
- Restrict executable files via email. Some gateway mail servers have the option to filter files by their extensions. You can block emails containing .exe as an attachment. Legitimate executable files can be exchanged using other.
- Most importantly, ensure security awareness throughout the enterprise. People remain the weakest link in any security framework due to a lack of training and awareness. Ransomware heavily relies on people not taking precautions when handling suspicious links or files. Educate them about what ransomware is, how it can impact their machines, and what they can do to prevent it, to strengthen the most essential level of defense within your organization.
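The attachment-filtering step above (block emails carrying .exe attachments at the mail gateway) can be taken a little further than a plain extension check. The following is an added example, not code from the original article or from any gateway product: it assumes a gateway hook that hands the raw message to a Python function and acts on the verdict, and it checks the extension, the first bytes of the attachment (a renamed executable still starts with the PE `MZ` header), and the members of a zip archive one level deep. The blocked-extension list and the sample messages are constructed for the example.

```python
"""Executable-attachment filter for a mail gateway hook (constructed example).

Blocks messages carrying executable attachments, judged by extension
(.exe and similar) and by content (a PE 'MZ' header behind a harmless
name), and looks one level inside zip archives. Returns a verdict; the
gateway is assumed to act on it.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the gateway refuses (assumed policy list; .exe is the one the article names).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
PE_MAGIC = b"MZ"           # DOS/PE executable header
ENCRYPTED_FLAG = 0x1       # zip general-purpose bit 0: member is encrypted


def looks_executable(filename, head):
    """Return a reason to block this attachment, or None if it passes."""
    name = (filename or "").lower()
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return f"blocked extension {ext}"
    if head[:2] == PE_MAGIC:
        return "PE header in attachment body (renamed executable)"
    return None


def inspect_zip(data):
    """Check each member of a zip by name and by its first bytes."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & ENCRYPTED_FLAG:
                    # Cannot be inspected, so it is treated as untrusted.
                    findings.append((info.filename, "encrypted zip member, not inspectable"))
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)
                reason = looks_executable(info.filename, head)
                if reason:
                    findings.append((info.filename, reason))
    except zipfile.BadZipFile:
        findings.append(("<archive>", "malformed zip"))
    return findings


def inspect_message(raw):
    """Parse a raw RFC 5322 message; return ('BLOCK' | 'ALLOW', findings)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue                       # body text, not an attachment
        data = part.get_payload(decode=True) or b""
        reason = looks_executable(filename, data[:2])
        if reason:
            findings.append((filename, reason))
        elif filename.lower().endswith(".zip"):
            findings.extend((f"{filename}:{m}", r) for m, r in inspect_zip(data))
    return ("BLOCK" if findings else "ALLOW"), findings


def build_sample(filename, data, subtype="octet-stream"):
    """Constructed test message with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def zip_with(name, content):
    """Constructed in-memory zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def run_samples():
    """Verdicts for a few constructed attachments, keyed by scenario."""
    samples = {
        "plain_exe": build_sample("invoice.exe", b"MZ\x90\x00" + b"\x00" * 60),
        "double_ext": build_sample("invoice.pdf.exe", b"MZ\x90\x00"),
        "renamed_pe": build_sample("invoice.pdf", b"MZ\x90\x00", subtype="pdf"),
        "zipped_scr": build_sample("docs.zip", zip_with("run.scr", b"MZ\x90\x00"), subtype="zip"),
        "real_pdf": build_sample("invoice.pdf", b"%PDF-1.4\n%...", subtype="pdf"),
    }
    return {k: inspect_message(v)[0] for k, v in samples.items()}


if __name__ == "__main__":
    for scenario, verdict in run_samples().items():
        print(f"{scenario:12s} {verdict}")
```

The content check matters because extension filtering alone is defeated by renaming; reading only the first bytes of each part keeps the hook cheap, and refusing archives it cannot open avoids the blind spot of password-protected zips. Real gateways also inspect nested archives and Office macros, which this example leaves out.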
Recovering from a ransomware attack
What if your company faces an attack? How do you respond in such a scenario?
- Isolate all infected machines by disconnecting them from the network. Keep in mind that many ransomware variants are able to spread through shared network drives, so be sure to temporarily lock those down and check your file servers too.
- Check how far it has spread. Most ransomware variants change the encrypted file names, often changing all the extensions to something that corresponds with the ransomware name (e.g. .zepto or .locky). They also often create README.txt and README.html files with ransom instructions. Looking for these markers can give you an idea of the extent of the infection and how far it has spread.
- Next, identify what triggered the attack by finding out what the user was doing shortly before the ransom screen popped up. Ask users to retrace their steps: Did they open any new file? Click on any attachments or links in an email? Did they visit any website they don't normally visit?
- Once you determine the cause of the infection, share an alert with other users letting them know what to look out for (for instance, phishing emails).
- Now the most important question remains: how do you get your files back? Unfortunately, in most cases, once files are encrypted there's no way of unlocking them without the decryption key. However, malware researchers are sometimes able to exploit flaws in ransomware encryption methods and develop decryption tools. If no decryption tool is available, then your only other option is to restore your files from backup. Having a backup system is part of any good disaster recovery plan.
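The "check how far it has spread" step above can be scripted so that a file server is triaged consistently rather than by eye. The following is an added example, not code from the original article: it walks a share, looks for the markers the article names (the .locky and .zepto extensions and README.txt / README.html ransom notes), and adds a heuristic the article does not describe for a variant whose extension is not yet on any list (a non-baseline extension that suddenly dominates a directory). The baseline extension set, the heuristic thresholds and the sample directory tree are constructed for the example; the tree is built in a temporary directory so the script runs offline.

```python
"""Scope an encryption event across a file share (constructed example).

Walks a tree, looks for the markers the playbook names (renamed
extensions such as .locky / .zepto and README.txt / README.html ransom
notes), adds a heuristic for extensions it has never seen, and reports
which directories are hit and when the first encrypted file was written.
"""
import os
import tempfile
from collections import Counter, defaultdict

# Extensions the article names as examples; extend from threat intel (assumed list).
KNOWN_RANSOM_EXTENSIONS = {".locky", ".zepto"}
# Ransom-note filenames the article names; other families use other names.
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}
# Extensions normally found on this share (assumed baseline; tune per environment).
BASELINE_EXTENSIONS = {"", ".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".html", ".csv", ".jpg", ".png"}


def collect(root):
    """First pass: per-directory extension counts and every file's (path, name, ext)."""
    per_dir = defaultdict(Counter)
    files = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            per_dir[dirpath][ext] += 1
            files.append((os.path.join(dirpath, name), name.lower(), ext))
    return per_dir, files


def suspicious_extensions(per_dir, min_files=2, min_share=0.5):
    """Heuristic for an unknown variant: a non-baseline extension that takes over a directory.
    The thresholds are assumed starting points, not tuned values."""
    found = set()
    for counts in per_dir.values():
        total = sum(counts.values())
        for ext, n in counts.items():
            if ext not in BASELINE_EXTENSIONS and n >= min_files and n / total >= min_share:
                found.add(ext)
    return found


def scan_tree(root):
    """Return the extent of the infection under root, with paths relative to root."""
    per_dir, files = collect(root)
    suspect = KNOWN_RANSOM_EXTENSIONS | suspicious_extensions(per_dir)
    notes, encrypted = [], []
    for path, lname, ext in files:
        if lname in RANSOM_NOTE_NAMES:
            notes.append(path)
        if ext in suspect:
            try:
                encrypted.append((path, os.stat(path).st_mtime))
            except OSError:
                continue                    # file vanished mid-scan; skip it
    times = [t for _, t in encrypted]
    affected = {os.path.dirname(p) for p in notes} | {os.path.dirname(p) for p, _ in encrypted}
    return {
        "encrypted_files": len(encrypted),
        "affected_dirs": sorted(os.path.relpath(d, root) for d in affected),
        "ransom_notes": sorted(os.path.relpath(p, root) for p in notes),
        "extensions_seen": sorted(suspect & {ext for _, _, ext in files}),
        "first_seen": min(times) if times else None,   # epoch seconds of earliest write
        "last_seen": max(times) if times else None,
    }


def build_sample_tree(base):
    """Constructed share: two known families, one unknown extension, one clean folder."""
    layout = {
        "finance": ["report.docx.locky", "budget.xlsx.locky", "README.txt", "README.html"],
        "shared": ["notes.txt.zepto", "plan.pptx.zepto", "README.txt"],
        "sales": ["q1.xlsx.crypted", "q2.xlsx.crypted", "q3.docx.crypted"],
        "hr": ["policy.pdf", "onboarding.docx"],
    }
    stamps = {"finance": 1_500_000_000, "sales": 1_500_000_300,
              "shared": 1_500_000_600, "hr": 1_499_000_000}
    for folder, names in layout.items():
        d = os.path.join(base, folder)
        os.makedirs(d)
        for name in names:
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(b"\x00" * 16)     # contents do not matter for this scan
            os.utime(p, (stamps[folder], stamps[folder]))


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The modification-time window is what makes the report useful for the next step in the playbook: the earliest encrypted file tells you roughly when to start looking in mail and proxy logs for what the user opened, and the per-directory view tells you which backups to pull once the share is cleaned. Run it read-only against the mounted share, never from the infected workstation.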
Ransomware has significantly evolved over the years, and with no clear end in sight we will continue to see such attacks, so tighten up your company's security belt and focus on preventive measures to protect what matters most: the data!
Has your organization been attacked by ransomware? Contact us for help at firstname.lastname@example.org.