Ensure Your Data is Not Taken Hostage: Ransomware Remediation Strategies

Raj Samani, VP & CTO, EMEA, Intel Security
Raj Samani, Chief scientist, McAfee

This spurt in ransomware attacks can be attributed to three key reasons. The first driver is the syndication of the activity into ransomware as a service, with revenue sharing offered to the operatives who face the target recipients. The second driver is the development of polymorphism in ransomware, which generates a unique threat signature for each attack and so defeats detection based on known signatures. And the third driver is the increasing sophistication of the malware itself, widening the scope of the damage it can do.

Remediation Strategies for Each Stage

Ransomware attacks occur in five stages – distribution, infection, communication, encryption and demand. So it is only logical that there should be prevention and remediation strategies for each of these stages.

Distribution Stage

Build a “human firewall”: Organizations need to make sure that all employees, from the CEO down, understand both how ransomware works and the ramifications of an attack.

Stop ransomware before the endpoint: The most proactive method of protecting a network from ransomware attack (other than the human firewall) is to keep ransomware from reaching the endpoint in the first place.

Apply all current operating system and application patches: Many ransomware strategies take advantage of vulnerabilities in the operating system or in applications to infect an endpoint.

Spam filtering and web gateway filtering: Spam filtering and web gateway filtering are great ways to stop ransomware that tries to reach the endpoint through malicious IPs, URLs, and email spam.

Allow only whitelisted items to execute: Use an “application control” method that offers centrally administered whitelisting to block unauthorized executables on servers, corporate desktops, and fixed-function devices, thus dramatically reducing the attack surface for most ransomware.

Limit privileges for unknown processes: This can be done easily by writing rules for host intrusion prevention systems or access protection rules.

Infection Stage

Don’t turn on macros unless you know what’s happening: In general, do not enable macros in documents received via email.

Make yourself “weaker” when working: Don’t give yourself more login power than you need. If you allow yourself administrator rights during normal usage, consider restricting this.

Use access protection rules on software installs: Write access control rules against targeted file extensions that deny writes by unapproved applications.

Use sandboxing for suspicious processes: If a process is flagged as suspicious (due to low age and prevalence, for example), that process should be sent to a security sandboxing appliance for further study.

Block “unapproved” processes from changing files: Block these by writing rules for host intrusion prevention systems or access protection.
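As an added example that is not part of the article or of any Intel Security or McAfee product, the following simulates the access-protection rule described under “Use access protection rules on software installs” and “Block unapproved processes from changing files”: writes to protected file extensions are denied unless the writing process is on an approved list, matched by full path so that a look-alike binary in another directory stays unapproved. The extension set, approved paths and sample write events are constructed for the example.

```python
from dataclasses import dataclass

# Extensions the rule protects; the set is an assumption for this example.
PROTECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql"}

# Approved writers are matched on the full executable path (case-insensitive),
# so a binary that only shares the name of an approved application but lives in
# another directory stays unapproved. Paths are constructed for the example.
APPROVED_WRITERS = {p.lower() for p in (
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"C:\Program Files\BackupAgent\agent.exe",
)}

@dataclass(frozen=True)
class WriteEvent:
    process_path: str  # full path of the process attempting the write
    target_path: str   # file it is trying to modify

def extension_of(path: str) -> str:
    """Lower-cased extension of a path, or '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def evaluate(event: WriteEvent) -> str:
    """'deny' when an unapproved process writes to a protected extension,
    'allow' otherwise (files outside the protected set are out of scope)."""
    if extension_of(event.target_path) not in PROTECTED_EXTENSIONS:
        return "allow"
    return "allow" if event.process_path.lower() in APPROVED_WRITERS else "deny"

# Constructed sample events: Word editing a report (approved); an unknown binary
# dropped in %TEMP% rewriting that report; a look-alike WINWORD.EXE in the wrong
# directory; and the unknown binary writing a file the rule does not cover.
SAMPLE_EVENTS = [
    WriteEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r"C:\Users\alice\Documents\report.docx"),
    WriteEvent(r"C:\Users\alice\AppData\Local\Temp\svc.exe",
               r"C:\Users\alice\Documents\report.docx"),
    WriteEvent(r"C:\Users\alice\AppData\Local\Temp\WINWORD.EXE",
               r"C:\Users\alice\Documents\report.docx"),
    WriteEvent(r"C:\Users\alice\AppData\Local\Temp\svc.exe",
               r"C:\Users\alice\AppData\Local\Temp\svc.log"),
]

def decisions(events=SAMPLE_EVENTS):
    """(process, target, decision) per event; the denies are what an
    administrator would alert on or block in production."""
    return [(e.process_path, e.target_path, evaluate(e)) for e in events]
```

In a real deployment the approved list would additionally be tied to code signatures or file hashes rather than paths alone, since an attacker with write access to an approved directory could replace the binary.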

Communication Stage

Firewall rules can block known malicious domains: Writing rules to block malicious domains is a standard capability of network firewalls.

Proxy/gateway scanner signatures for known traffic: For those with proxy and gateway appliances, these technologies can be configured to scan for known ransomware control server traffic and block it.

Encryption Stage

Back-up and restore files locally: By creating a storage volume and running archival differential-based file backups to that storage volume, remediation is as easy as removing the ransomware, going back in time with the backup to a point before the ransomware affected the files, and restoring all the affected files.

Limit shared file activities: Many ransomware variants will look for access to files on storage other than the boot volume—such as file servers, additional volumes, etc.—and will encrypt everything they can find to inflict maximum damage.

Ransom Demand Stage

Restore from backup, keep a recent backup offsite and “air gapped”: Store a set of multiple, complete backups and assume an attack. An “air-gapped” backup is not connected to the computer or the network anywhere.

By adopting a planned approach involving both end users and IT administrators, and implementing integrated security solutions that protect, detect and correct, businesses in the region can avoid the unplanned downtimes and losses associated with such malware attacks.
