Proactive Measures to Safeguard against the Ransomware Menace

Ransomware is a sophisticated malware that infects computing devices and holds the data hostage intending to extort money from its victims. Ransomware uses encryption techniques that render the victim’s data unusable.

Ransomware attacks have evolved with time, and the encryption techniques to harm victims have also become sophisticated, which are often challenging to break. The evolving tactics and the advancement of ransomware attacks lead to data loss if the attacker’s demands are not fulfilled. Lately, ransomware attackers have resorted to double extortion techniques by encrypting the important files on the system, stealing sensitive data, and threatening to publish it online if their demands are not catered to.

Phishing emails and drive-by-download are the most common delivery mechanisms. Advanced ransomware attacks utilize lateral movement techniques to spread in the network and may take seconds to infect the whole network causing productivity and potential financial losses to the organization. And, hence it becomes crucial for users and organizations to proactively shield themselves from ransomware. The age-old quote “Precaution is better than cure” becomes applicable here to keep ourselves safe in this ever-changing digital world.

Measures to stay safe from Ransomware attacks

Security Awareness

Security awareness training can help users to identify threats posed by phishing emails, fraudulent/untrusted websites, and social-engineering techniques. If implemented in the right spirit, this awareness and the resultant mindful actions can save us from the dangers of ransomware’s impact.

Backup

Regular backups can help users/organizations to restore important files and data in case of a ransomware attack. Back up your important data regularly and keep the data secure by either storing it offline or keeping it disconnected from the network to prevent them from getting affected. If your computer gets infected, your files can be restored from the offline backup once the malware has been removed.

OS and Software Patching

Ransomware can exploit software vulnerabilities to spread laterally. Hence, it’s important to take measures to safeguard against any vulnerabilities that might impact us.

• Keep your Operating System and other software updated by applying the latest patches. Software updates frequently include patches for newly discovered security vulnerabilities that attackers could exploit.
• Apply patches and updates for software like Microsoft Office, Java, Adobe Reader, Flash, and all Internet browsers like Internet Explorer, Chrome, Firefox, Opera, etc., including browser plugins and any other applications that are installed on your machine.
• Do not download unverified, cracked, or pirated software, as it can be used to install malware on your computer.
• Avoid downloading software from untrusted P2P or torrent sites. In most cases, they are malicious.

Be aware of Phishing Attacks

Do not click on any links or download attachments from unexpected sources and the emails you receive from unverified or unknown accounts. Most phishing emails carry a sense of urgency. They are crafted to trick you into taking action, like clicking on a link or downloading an attached file.

Network Segmentation

Since ransomware can spread laterally in the network, it’s crucial to limit the spread. Network segmentation divides the network into multiple smaller networks and helps by isolating the infected machine and preventing ransomware from spreading to the other systems.

Additionally, you can keep your network secure by:

• Keeping strong and unique passwords for login accounts and network shares.
• Disabling unnecessary admin shares or providing access permission to shared data strictly as per the requirement & for a limited duration.
• Audit RDP access & disable it if not required, or else set appropriate rules to allow only specific & intended systems.
• Configure the firewall to:

1.  Deny access to all important ports (for example, RDP port 3389).
2. Allow access to only those external IPs/sites which are confirmed as safe & required for legitimate purposes.
3. Use a VPN to access the network instead of exposing RDP to the Internet.
4. Implement Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA) wherever possible.
5. Set lockout policy which hinders guessing of credentials.
6. Create a separate network folder for each user when managing access to shared network folders.
7. Don’t keep shared software in executable form.

Implementing Strict Access and Privilege Policies

Only the users/systems who are authenticated should get the required level of access to the system and network. This will help to detect and prevent ransomware spread.

The following practices can help manage the users on your devices and their privileges: –

• Avoid browsing, opening documents, or other activities while logged in as an administrator.
• Turn off the services that are not in use, such as Bluetooth, file sharing, etc.
•  Maintain Access Control for users by limiting their access to their specified tasks and actions to reduce the impact of data loss if that user gets infected.
• Disabling the Macros by default for an older version of Microsoft Office.
•  Regularly audit “Local / Domain Users” and remove/disable the unwanted user accounts.
• Set a strong password to user & email accounts. Strong passwords include letters in UPPER CASE, lowercase, numbers & special characters. However, a bad example would be common passwords like P@ssw0rd, Admin@123#, etc.
• Set password expiration & account lockout policies (in case an incorrect password is entered several times).
• Don’t assign Administrator privileges to users unless absolutely required.

Install a Trusted & Reputed Cyber Security Solution

Ensure that all your devices are protected by a trusted and reputed cybersecurity solution like Quick Heal. Ensure that your product is updated with the latest updates at all times.

How does Quick Heal provide complete protection?

Quick Heal products are designed to provide multi-layered security that is powered by GoDeep.AI technology. The advanced technology helps counter the risk posed by known-bad as well as unknown & new attacks.

1. First Line of Defense (blocking known-bad content): Firewall, IPS, Web Protection & Email Protection.

• Firewall: It helps restrict unwanted traffic coming through unwanted ports & applications.
• Web Protection: Helps restrict communication to known bad (malicious) URLs and websites.
• Email Protection: Helps identify malicious email attachments before users download or open them.
• HIPS: Intrusion detection and prevention systems help in blocking/limiting network-based attacks that exploit network layer vulnerabilities in OS & applications.
  i) For example, the infamous WannaCry Ransomware exploits a vulnerability in Windows SMB protocol, and IPS Layer can detect such attacks.
  ii) Attacks like Denial of Service, Cross Site Scripting, SQL Injection, Deserialization, etc., can be mitigated only through IPS.

2. Second Line of Defense (blocking known-bad content): Realtime-Protection, On-disk file-based detections.

• This helps in cases where the malicious files arrive on an endpoint through the internet or other means like removable USB drives etc.
• The use of heuristics & machine learning augments the potency of this layer of protection.

3. Third Line of Defense (blocking the unknown – based on malicious behavior or attributes)

• Heuristic Detections based on malware attributes (like file name, path, file attributes, digital certificate, etc.). This helps in identifying unknown, zero-day malware proactively.
• Cloud-based and machine-learning-based detections
• Behavior-based detection: Anti-Ransomware and behavior-based detection systems.

In a nutshell, maintaining good cyber hygiene is essential to stay protected against the ever-increasing risk posed by ransomware. Following the above-listed practices would help you stay protected.

Quick Heal Security Labs