For businesses the risks of data loss are huge and the consequences severe. Cyber attackers are using increasingly sophisticated means which makes recovering files and devices more complicated and in the very worst cases, impossible.
It is cheaper to focus on prevention than to pay for the consequences. Don’t put data at risk, take the necessary steps to protect it.
The single best measure to defeat ransomware before it even starts its malicious activity, is to have it regularly backed up.
Malware will also encrypt files on drives that are mapped and have been assigned a drive letter, and sometimes even on drives that are unmapped. Regularly backing up is essential, using an offsite, offline device for storing the back up files.
Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently access company devices and their systems. Patch and update company software and devices as often as possible. Enable automatic updates if you can.
One of the most common infection vectors is social engineering – methods that are based on fooling users and trying to convince them to run executable files.
Most malware comes through email. When fraudulent emails correspond with a degree of trust, then the malware is more likely to work.
By claiming to be a tracking notification email from a delivery company, an email from their bank, or an internal company message, the attackers try and dupe employees to achieve their malicious goals.
Training should be given to reiterate the importance of not opening any unknown or suspicious email attachments.
Ransomware frequently arrives in an email attachment with the extension “.PDF.EXE.”
Re-enabling the display of the full file extension makes spotting suspicious files easier.
Data encryption is your defence in the event of theft. In today’s world, business is often done off site but data is most at risk when it travels beyond the corporate network.
If your gateway mail scanner has the ability to filter files by extension, you may wish to block emails sent with “EXE” file attachments. Or those with attachments that have two file extensions ending with an executable (*.*.exe” files, in filter speak).
We also recommend filtering files with the following extensions:
*.BAT, *.CMD, *.SCR and *.JS
A notable behaviour of a large proportion of ransomware variants is that they run their executable from the AppData or LocalAppData folder. You can create rules within Windows or with intrusion prevention software to disallow this behaviour.
Bear in mind that any company device infected by ransomware might also cause encryption of all files in shared folders to which it has write permission.
For this reason, employees should consider which valuable and sensitive files they store on shared disks. Their data in these locations might get encrypted by malware, even though their computer wasn’t directly infected.
Ransomware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access desktops remotely. Cybercriminals have also been known to log in via an RDP session and disable the security software. It is best practice to disable RDP unless you need it in your work environment.
Malware authors frequently send out new variants of their malicious code, trying to avoid detection. It’s important to have multiple layers of protection. Even after it burrows into a system, most malware relies on remote instructions to perform serious mischief. If you encounter a ransomware variant that is so new that it gets past anti-malware software, it may still be caught when it attempts to connect with its Command and Control server to receive instructions for encrypting files.
If system restore is enabled on the infected Windows machine, it might be possible to take the system back to a known-clean state and restore some of the encrypted files from “shadow” files.
This is because some of the newer ransomware has the ability to delete the “shadow” files from System Restore. Such malware will start deleting “shadow” files whenever the executable file is run, and you might not even know that this is happening, since executable files can run without the operator knowing.
Using an account with system administrator privileges is always a security risk, because then malware is allowed to run with elevated rights and may infect the system easily. Be sure that users always use a limited user account for regular daily tasks and the system administrator account only when it is absolutely necessary. Do not disable User Access Control.
Fifteen Group provide a range of IT Security Solutions in partnership with ESET.
Be Smarter through Technology.
