Online criminals extort money from unsuspecting individuals by encrypting data on their computers and demanding a fee to unlock it. What started as a consumer problem is now affecting businesses and government agencies. There is an increasing demand for measures to be in place to not only reduce the damage caused by ransomware but also to block such attacks. As a result, organizations and government entities are assiduously working to stem the tide.
Security experts say that attempting to recover data encrypted by ransomware is an effort in futility that yields little or no results. Without access to the decryption keys or a backup copy of the data, recovering your files is almost impossible. Therefore, the best way to protect your data is to prevent such attacks.
As the name implies, the aim of these attacks is extortion. The easiest way to retrieve your data is to pay the required ransom. Apart from this, there are other available measures you can use.
Authenticate all inbound emails
Individuals and organizations rely on email as their official means of communication. The benefits of email cannot be over-emphasized, but email is now also used to distribute ransomware. Attackers craft phishing emails in the name of someone the victim knows and attach malicious files; when the unsuspecting victim opens the attachment, the ransomware is downloaded onto their system.
One way to protect your data from such attacks is to validate the origin of such emails before downloading the attachments or forwarding them to the recipient.
We observe a laissez-faire attitude among corporations regarding inbound email authentication. The few who implement it have weak policies. It is not enough to quarantine emails or send them to the junk folder when they fail the authentication tests.
Organizations can implement sender identity technologies to protect themselves against business email compromise and the other threats such emails pose. These technologies check the IP address of the sending server and the domain the message claims to come from. Examples of such technologies include Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
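The "weak policy" problem described above can be checked mechanically. The following is an added example, not code from the article: it grades published DMARC and SPF TXT records, flagging monitor-only (p=none), quarantine-only and partial (pct) DMARC policies and softfail (~all) or missing SPF terminators. The record strings are constructed samples; fetching the real records from DNS is left to the caller.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record: str) -> tuple:
    """Return ('strong'|'weak'|'invalid', [findings]) for one DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "none").lower()   # p= is mandatory; 'none' only for grading
    if policy == "none":
        findings.append("p=none only monitors: mail failing checks is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends failing mail to junk instead of rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the failing mail")
    sp = tags.get("sp", policy).lower()      # subdomains inherit p= when sp= is absent
    if "sp" in tags and sp != "reject":
        findings.append(f"sp={sp} leaves subdomains under a weaker policy")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    grade = "strong" if policy == "reject" and pct == 100 and sp == "reject" else "weak"
    return grade, findings

def grade_spf(record: str) -> tuple:
    """Return ('strong'|'weak'|'invalid', [findings]) for one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid", ["record does not start with v=spf1"]
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term in (None, "all", "+all", "?all"):
        return "weak", [f"{all_term or 'missing'} all-mechanism: unlisted senders are not rejected"]
    if all_term == "~all":
        return "weak", ["~all is a softfail: receivers usually deliver unlisted senders anyway"]
    return "strong", []

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",      # constructed samples
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", grade_dmarc(rec))
```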
Take care of your email servers
Authenticating the origin of emails is a step in the right direction, but you must not stop there. Attackers can still use legitimate but compromised email servers to send ransomware and other malware. In addition to inbound email authentication, protect your email servers by scanning all incoming, outgoing and stored emails. Scanning catches threats that slipped past your defenses and entered the network through internal emails or compromised systems. Many tools are available for this.
Use ads blocking
Another way for attackers to penetrate your systems is malvertising: attackers deliver rogue ads targeted by the victim's browsing habits, location, device features and demographic information. Tailor-made attacks are more dangerous and yield more results than random mass attacks because the attackers single out victims that can pay up once they fall prey.
To mitigate the risk of such attacks, you should block ads from being delivered on user systems or deny users access to certain websites. If you want to give your employees unrestricted access to the Internet, you should implement a separate network for this.
Monitor file activity
The danger of many ransomware families is their ability to move through your environment. When an individual computer is attacked, the corporation is not safe, as the virus can spread further. This is because many ransomware tools encrypt not only the local hard drive of a system but also any shared files it can reach.
Ransomware rapidly overwrites many files on your network, so it is advised to monitor file activity. Constant monitoring of file access yields distinctive observable patterns that can be used to detect ransomware. If it is detected early, organizations can contain the damage by placing the infected machine in quarantine and ensuring it does not connect to other file servers.
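As an added example (not code from the article), the following detection logic runs over constructed file-server audit lines and raises a quarantine alert when one host and user produce a burst of writes or renames spanning several directories inside a short window, which is the "distinctive observable pattern" the section refers to. The window, burst and directory thresholds are assumed tuning values.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # sliding window length (assumed tuning value)
BURST = 8                       # write/rename events per window that raise an alert
MIN_DIRS = 2                    # a burst must touch several directories to count

# Constructed sample audit lines: time host user action path[->new_path]
SAMPLE_EVENTS = """\
2024-03-01T09:00:01 WS-12 alice WRITE /share/finance/q1.xlsx
2024-03-01T09:00:40 WS-12 alice WRITE /share/finance/notes.txt
2024-03-01T09:05:00 WS-07 bob RENAME /share/finance/budget.xlsx->/share/finance/budget.xlsx.locked
2024-03-01T09:05:00 WS-07 bob RENAME /share/finance/plan.docx->/share/finance/plan.docx.locked
2024-03-01T09:05:01 WS-07 bob RENAME /share/hr/payroll.csv->/share/hr/payroll.csv.locked
2024-03-01T09:05:01 WS-07 bob RENAME /share/hr/staff.docx->/share/hr/staff.docx.locked
2024-03-01T09:05:02 WS-07 bob RENAME /share/legal/nda.pdf->/share/legal/nda.pdf.locked
2024-03-01T09:05:02 WS-07 bob RENAME /share/legal/terms.pdf->/share/legal/terms.pdf.locked
2024-03-01T09:05:03 WS-07 bob RENAME /share/ops/runbook.md->/share/ops/runbook.md.locked
2024-03-01T09:05:03 WS-07 bob RENAME /share/ops/oncall.xlsx->/share/ops/oncall.xlsx.locked
2024-03-01T09:05:04 WS-07 bob WRITE /share/ops/README_DECRYPT.txt
"""

def parse_event(line):
    """Return (timestamp, host, user, action, source_path) for one audit line."""
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, path.split("->")[0]

def detect_bursts(lines):
    """One alert per (host, user) whose write/rename burst crosses the thresholds."""
    recent = defaultdict(deque)       # (host, user) -> events still inside the window
    alerts, alerted = [], set()
    for line in lines:
        ts, host, user, action, path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue                  # reads alone never trigger
        key = (host, user)
        q = recent[key]
        q.append((ts, action, os.path.dirname(path)))
        while ts - q[0][0] > WINDOW:  # drop events older than the window
            q.popleft()
        dirs = {d for _, _, d in q}
        if len(q) >= BURST and len(dirs) >= MIN_DIRS and key not in alerted:
            alerted.add(key)          # first crossing is the quarantine trigger
            alerts.append({"host": host, "user": user, "first_seen": q[0][0].isoformat(),
                           "events": len(q), "dirs": len(dirs),
                           "renames": sum(a == "RENAME" for _, a, _ in q)})
    return alerts
```

Running `detect_bursts(SAMPLE_EVENTS.splitlines())` flags WS-07/bob on the eighth rename, three seconds into the burst; alice's normal editing never comes close to the threshold.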
Be ready for an attack
What happens if you neither back up your files nor have preventive measures in place before the attack? The extortionists know that at this point you desperately need the data, and they take advantage of your despair to milk you dry.
You have to pay the ransom within the specified deadline. If you fail to pay up by the time the deadline expires, the hackers threaten to delete the decryption key.
Through careful research and experience, cyber criminals know what organizations can afford. They set the deadline too short for you to attempt to unlock the data or restore it from backups and thereby avoid paying the ransom.
It is therefore important to always be prepared for a ransomware attack. Take inventory of all your critical data, know where it is stored and evaluate the impact of its loss. Create your own ransomware response plan.
When you are ready for an attack, it is easier to deal with those merciless attackers than to be taken unawares.
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.