But what does a typical attack look like? And what security solutions should be in place to give the best possible defense? (Not exactly sure what ransomware means? Don’t fret, we’ve got you! Check out this blog we previously wrote for all you need to know about ransomware!)
This blog examines commonly used techniques to deliver ransomware, looks at why attacks are succeeding and gives nine security recommendations to help you stay secure. It also highlights the critical security technologies that every IT setup should include.
Ransomware is one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.
The current wave of ransomware families can have their roots traced back to the early days of Fake AV, through “Locker” variants and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware has shared a common goal – to extort money from victims through social engineering and outright intimidation. The demands for money have grown more forceful with each iteration.
And the financial consequences can be severe. The Hollywood Presbyterian Medical Center reportedly paid 40 Bitcoins ($17,000) to regain access to its files, while the Kansas Heart Hospital despite paying an undisclosed sum, was faced with a second ransom demand and not given access to all of its files.
Most organizations have at least some form of IT security in place. So why are ransomware attacks slipping through the net?
There are two main ways that a ransomware attack starts. Via an email with a malicious attachment, or by visiting a compromised (often a legitimate, mainstream) website.
Today’s criminals are crafting emails that are indistinguishable from genuine ones. Grammatically correct with no spelling mistakes, and often written in a way that is relevant to you and your business.
When opened, the zip file appears to contain an ordinary .txt file.
Another common way to get infected is by visiting a legitimate website that has been infected with an exploit kit. Even popular, mainstream websites can be temporarily compromised. Exploit kits are black market tools that hackers use to exploit known or unknown vulnerabilities (such as zero-day exploits).
You browse to the hacked website and click on an innocent-looking link, hover over an ad or in many cases just look at the page. And that’s enough to download the ransomware file onto your computer and run it, often with no visible sign until after the damage is done.
After initial exposure such as via the email and web examples, the ransomware takes further action:
Finally, the ransomware deletes itself leaving the encrypted files and ransom note behind.
Staying secure against ransomware isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees are essential components of every single security setup. Make sure you’re following these nine best practices:
1. Backup regularly and keep a recent backup copy off-line and off-site There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
4. Don’t enable macros in document attachments received via email Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!
5. Be cautious about unsolicited attachments The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt leave it out.
6. Don’t give yourself more login power than you need Don’t stay logged in as an administrator any longer than is strictly necessary and avoid browsing, opening documents or other regular work activities while you have administrator rights.
7. Consider installing the Microsoft Office viewers These viewer applications let you see what documents look like without opening them in Word or Excel. In particular, the viewer software doesn’t support macros, so you can’t enable them by mistake!
8. Patch early, patch often Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash and more. The sooner you patch, the fewer holes there are to be exploited.
9. Stay up-to-date with new security features in your business applications. For example, Office 2016 now includes a control called “Block macros from running in Office files from the internet”, which helps protect against external malicious content without stopping you using macros internally.
To stay secure against ransomware you need to have effective protection in place at every stage of an attack. Starting at the endpoint the unique CryptoGuard technology, available in Sophos Intercept X lets you stop ransomware attacks in their tracks. CryptoGuard works on your endpoints and servers, detecting and stopping ransomware from encrypting your files. It complements your existing security, blocking processes that attempt to make unauthorized modifications to your data.