Ransomware is malicious software that criminals use to encrypt files and hold valuable data for ransom. In recent weeks, the Sirius security team has seen pandemic outbreaks of ransomware across the country. And once infected, organizations are forced to restore data from backup with some data loss or pay the ransom. Unfortunately, ransomware likely needs no explanation – you or someone you know has probably experienced it – and it is now even available as a service to criminal organizations.
In an effort to assist and provide value to our clients, the Sirius team has assembled a list of helpful tips to prevent your organization from being affected by ransomware:
Backups: The only options for recovering data after a ransomware infection are to restore it from backup files or to pay the ransom. Paying the ransom, however, is no guarantee that the malware will be eradicated or that it won’t return. Further, the files cannot be decrypted without the keys, and it is extremely unlikely that law enforcement action, including by the FBI, will recover them.
Disaster Recovery: Organizations must have effective and tested disaster recovery plans with verified off-line backups. Our team has seen several new variants in the wild that target and destroy an organization’s backup infrastructure – including Commvault, TSM and most others.
Have a Plan: Having a plan to detect, respond and contain an incident saves valuable time during an incident. Consider investing in endpoint detection and response tools, as well as log correlation to spot ransomware quickly, help you understand where it is coming from, and assist in containment.
Zero-Day Detection Capabilities: Signature based technologies are not effective in detecting a majority of malware today due to the ease in which a given piece of malware can be camouflaged or “packed” to slip past traditional AV.
- Ensure your network and endpoint protection have the ability to detect and defend against obfuscated malware or zero-day attacks.
- Consider implementing network devices that can block by file type and provide application control to the endpoint device.
End User Education: Users are often the weakest link in security infrastructure. We all must educate our end users to be very suspicious of risky messages and services. User education programs provide key training and encourage cautious behaviors. Providing incentives to users for identifying real phishing or malicious emails may also be helpful.
True-up User Access Permissions: Reduce the data attack surface exposed to ransomware by strictly governing what users have access to. Administrators should never use their admin accounts for day-to-day business such as email, because mapped drives are an easy and fast vector for the malware to encrypt file server data. Several excellent tools are available to help organizations quickly detect anomalous user file access and change behavior.
Vulnerability and Patch Management: Regularly conduct internal and external vulnerability scans, then mitigate. Vulnerability and patch management isn’t fun for anyone, but it is the foundation of a good security program for all threats – including ransomware.
Block Unnecessary File Types: Tune your mail protection to block all unnecessary file types over email, including “.exe” if possible.
Show Full File Extensions: Ransomware often arrives as .pdf.exe. Enabling visibility of full file extensions makes suspicious files easier to spot.
Alert on Anomalous User Behavior: By setting up notifications that alert you to abnormal user or system behavior, organizations may detect an outbreak early – when it’s easier to contain. Understanding abnormal system or user behavior – particularly file encryption – can tip you off to ransomware and allow you to thwart the attack. User behavior analytics is a powerful tool for many threats, including ransomware.
Consider Deploying a Honeypot: Deploying a honeypot may slow a ransomware or other attack, and can help provide early detection. Ransomware delivers a “help me” file to “assist” users in paying the ransom. Organizations may allow it to be written and send an email alert to the helpdesk, security team, and server admins that includes the file location and the user account used to write it.
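The honeypot idea above, as an added example that is not part of the original post: a small Python monitor seeds decoy documents into a honeypot share, then flags either a ransom-note-style file being written or a decoy being encrypted or renamed, recording the path and owning account for the alert. The decoy names and note-name patterns are constructed placeholders; file ownership is read with Unix stat, so on a Windows share you would substitute an ACL or audit-log lookup.

```python
import hashlib
import os
import pwd
import re
from pathlib import Path

# Constructed ransom-note filename patterns; tune them to the families you see.
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^(how[_ -]?to[_ -]?(decrypt|restore)|help[_ -]?(me|decrypt)|readme)",
    r"(decrypt|ransom|restore).*\.(txt|html|hta)$",
)]

def is_ransom_note(name):
    """True if a filename looks like a ransomware 'help me' note."""
    return any(p.search(name) for p in NOTE_PATTERNS)

def file_owner(path):
    """Account that owns the file; on a Windows share use the ACL or audit log instead."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def seed_decoys(honeypot):
    """Write decoy documents into the honeypot share and record their hashes."""
    baseline = {}
    for name in ("Q1_budget.xlsx", "passwords.docx"):  # constructed decoy names
        p = Path(honeypot) / name
        p.write_bytes(b"decoy content for " + name.encode())
        baseline[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline

def scan_honeypot(honeypot, baseline):
    """Return one alert record per ransom note written or decoy encrypted/renamed."""
    alerts = []
    for path, known in baseline.items():
        if not Path(path).exists():  # decoy renamed or deleted by the encryptor
            alerts.append({"kind": "decoy_missing", "path": path, "account": None})
        elif hashlib.sha256(Path(path).read_bytes()).hexdigest() != known:
            alerts.append({"kind": "decoy_modified", "path": path, "account": file_owner(path)})
    for p in sorted(Path(honeypot).iterdir()):
        if p.is_file() and str(p) not in baseline and is_ransom_note(p.name):
            alerts.append({"kind": "ransom_note", "path": str(p), "account": file_owner(p)})
    return alerts

def format_alert(alert):
    """Body of the notification to helpdesk, security team and server admins."""
    return (f"[HONEYPOT] {alert['kind']}: {alert['path']} "
            f"(account: {alert['account'] or 'unknown'})")
```

Run scan_honeypot on a schedule (or from a filesystem-watch hook) and hand each formatted alert to your mail or ticketing integration.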
It is also important to remember that in regard to security, no two organizations are exactly alike. Sirius has a dedicated team of security experts that can discuss and develop a customized plan that is specific to your company.