Ransomware is an ever-evolving danger. With new delivery techniques, propagation methods, and tools like ransomware-as-a-service, organizations need to be more vigilant than ever in taking the proper steps to defend themselves. Read these best practices on how to protect against ransomware and learn how to set them up in your organization.
>90% of ransomware is delivered via email.
Let’s Take a Look at 2017 So Far…
Before we get into prevention, let’s take a quick look at some of the worst attacks this year. 2017 has been a devastating year for ransomware. Every month there seem to be new breaches and attacks making worldwide headlines. Let’s review a few of the most destructive attacks that have occurred so far.
According to the ISTR, ransomware detections increased 36% in 2016.
- Tax Season Scams: Tax season brought a variety of new scams into the cyber sphere. From business email compromise scams asking for W-2s, banking Trojans, ransomware refund scams and more, these tax-related tactics were all used to trick victims into giving up confidential information so hackers could file and claim fraudulent tax returns. Initial attack vector? Email.
- Word OLE Exploit: The Word OLE Exploit took advantage of Windows Object Linking and Embedding (OLE) features to connect victims to remote malicious servers to download additional pernicious payloads without the user even knowing. Delivered as an attachment by email.
- New Locky Delivery Methods: One of the most popular types of ransomware used over the last year, Locky was being delivered by email through otherwise clean PDFs that would request other documents to be opened. What did they request? Word documents infested with macros that would immediately start downloading the Locky payload, of course. Bad guys are devious.
- The First Wide-Spread Mac Malware: Usually ransomware and malware focus on Windows operating systems since that is what the majority of computer users have. For the first time, three different Mac malware strains came to light during the beginning of 2017 to email Mac users malicious invites to the malware party.
- WannaCry and Jaff: On May 11, two devastating attacks shocked the globe, forcing many IT (and real-world) operations to come to a halt. The result of the Shadow Brokers NSA EternalBlue leak, these two types of malware infected over 200k machines in 99 countries in just a few hours. WannaCry doesn't seem to have been primarily spread by email, but Jaff followed the usual playbook and traveled via phishing emails.
- Petya: Following WannaCry and Jaff, Petya also halted worldwide business operations at the end of June and was spread by phishing emails. Further research shows that this was actually a targeted attack on Ukraine that just got out of hand, but it still had a major impact across Europe.
Ransomware Best Practices: Training, Software, and More
It is clear that 2017 has been a good year for cybercriminals around the globe. They have more types of ransomware than ever before and are consistently coming up with new methods to get it past email security features. So what can your organization do to protect against ransomware?
According to an Osterman Research Study that was conducted in August 2016:
- 34% of surveyed organizations had experienced an email phishing attack that was successful in infiltrating their network
- 31% of surveyed organizations had one or more endpoints encrypted due to a successful ransomware attack
Software
What's the best way to protect your organization? Use advanced threat protection that secures your systems against both known and unknown threats. With the speed at which malware is evolving, organizations need to have solutions in place that can adapt to these changes and stop polymorphic and metamorphic ransomware from infiltrating their organization.
A comprehensive software solution is your best defense against ransomware.
Training
To further support the efforts of your email and IT security systems, employees must be trained to recognize these email threats. Since most malware and ransomware is delivered via phishing or spear phishing emails, teaching employees to spot the signs of phishing protects your organization. Employees should look out for:
- Emails insisting that action must be taken immediately
- Emails that seem too good to be true (they are!)
- Emails asking for login credentials, or other sensitive information
- Emails with misspellings or strange grammar (especially if they are claiming to come from a large well-known organization)
- Unfamiliar greetings from “known” senders
- Inconsistent email addresses from “known” senders
- Unusual attachments or links (especially in emails coming from file sharing services or if users hover over a hyperlink that goes to an unknown location)
By teaching your employees to spot these signs of phishing, they are less likely to click the malicious attachments or links that instigate the ransomware download process.
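The warning signs above can also be checked mechanically before a message ever reaches an inbox. The script below is an added example written for this article, not Vade's code: it parses raw messages with Python's standard library and flags several of the listed indicators (urgency language, credential requests, a display name that does not match the sender's domain, link text that claims one site while the href points elsewhere, and risky attachment types). The keyword lists, the three sample messages, and the display-name heuristic are assumptions chosen for illustration, not a tuned production ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Illustrative indicator lists (assumed, not a production ruleset).
URGENCY = ("immediately", "within 24 hours", "account will be suspended", "urgent")
CREDENTIAL_ASKS = ("password", "login credentials", "verify your account")
RISKY_EXTENSIONS = (".js", ".vbs", ".exe", ".docm", ".scr", ".hta")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of an http(s) URL, lower-cased; '' if it is not a URL."""
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def phishing_signals(raw_message):
    """Return a de-duplicated list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    signals = []

    # "Inconsistent email addresses from known senders": no word of the display
    # name appears in the sending domain (heuristic; generic names add noise).
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if display_name and sender_domain:
        if not any(tok in sender_domain for tok in display_name.lower().split()):
            signals.append(f"display name '{display_name}' does not match sender domain {sender_domain}")

    bodies = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            signals.append(f"risky attachment type: {filename}")
        if part.get_content_type() in ("text/plain", "text/html"):
            bodies.append((part.get_content_type(),
                           part.get_payload(decode=True).decode("utf-8", "replace")))

    for ctype, body in bodies:
        lowered = body.lower()
        if any(w in lowered for w in URGENCY):
            signals.append("urgency language")
        if any(w in lowered for w in CREDENTIAL_ASKS):
            signals.append("asks for credentials")
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(body)
            for href, text in collector.links:
                # Only compare when the visible text itself claims a host.
                claimed = _host(text) or (text.lower() if "." in text else "")
                if claimed and _host(href) and _host(href) != claimed:
                    signals.append(f"link text '{text}' points at {_host(href)}")
    return list(dict.fromkeys(signals))


# Constructed sample messages (not real mail).
PHISH = """From: "Acme Bank Support" <alerts@secure-update.example>
To: user@example.com
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended unless you verify your account immediately.</p>
<a href="http://198.51.100.23/login">https://www.acmebank.com/signin</a>
"""

MACRO_DOC = """From: "Accounts Payable" <ap@invoices-now.example>
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

BENIGN = """From: "Alice Chen" <alice@chen-consulting.example>
To: user@example.com
Subject: Notes from today
Content-Type: text/plain; charset=utf-8

Hi, attached are the meeting notes. See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("MACRO_DOC", MACRO_DOC), ("BENIGN", BENIGN)):
        print(label, phishing_signals(raw))
```

Each indicator is a signal, not a verdict: the display-name check in particular fires on generic names such as "Accounts Payable", so in practice these signals feed a score or a quarantine-for-review queue rather than an automatic block.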
Backups and Permissions
Although software and employee training are the best places to begin enforcing ransomware best practices in your organization, there are some additional behind-the-scenes steps you can take for further protection.
- Keep a backup and regularly verify your systems: This may be something you already do. But it is crucial that this backup is maintained on a separate system. Ransomware often encrypts what is on the accessible drive, but more advanced versions have started encrypting system restore points and shadow copies. This leaves organizations with no secure backup of their information. These backups should be verified regularly to ensure they are capturing all the information you would need to restore systems in case of attack.
- Maintain your software: Updates often include bug fixes and security patches, so it is important that you keep software current to ensure you can defend against the latest threats.
- Restrict code execution: Some types of malware are designed to execute from data and temporary folders, but if the victim’s systems don’t have the proper permissions to execute those files, then the ransomware propagation is quickly prevented.
- Limit administrative and system access: Similar to restricting code execution, some types of malware are designed to use sysadmin accounts to do really evil stuff. Decreasing or limiting the number of sysadmin accounts can prevent ransomware from being able to spread through the network or make other background technical changes that could go unnoticed.
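The "keep a backup and regularly verify" item above is easy to state and easy to neglect. The script below is an added example written for this article, not Vade's code: it records a SHA-256 manifest of a backup tree and later compares the tree (or a test restore of it) against that manifest, reporting files that went missing, changed content, or appeared unexpectedly. The `demo()` function builds a constructed directory in a temp folder, takes a manifest, then overwrites one file and renames another to show what verification reports. The file names and layout are assumptions for illustration; the manifest should be stored with the backup on the separate system, not on the machines being backed up.

```python
import hashlib
import json
import os
import tempfile


def _sha256(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as sorted JSON so diffs between runs are readable."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify_backup(root, manifest):
    """Compare the tree under root against a manifest taken earlier.

    Returns {'missing': [...], 'changed': [...], 'unexpected': [...]} with
    sorted relative paths; all three empty means the backup still matches.
    """
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "changed": changed, "unexpected": unexpected}


def demo():
    """Constructed scenario: manifest a small tree, then tamper with the copy
    (rewrite one file's bytes, rename another) and return what verification finds."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "q3.xlsx"), "wb") as f:
            f.write(b"quarterly figures")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello")

        manifest_path = os.path.join(root, "..", "manifest.json")  # kept outside the tree
        save_manifest(build_manifest(root), manifest_path)
        manifest = load_manifest(manifest_path)
        clean = verify_backup(root, manifest)

        # Tamper with the copy: overwrite one file, rename another.
        with open(os.path.join(root, "docs", "q3.xlsx"), "wb") as f:
            f.write(b"\x00\xffnot the original bytes")
        os.rename(os.path.join(root, "readme.txt"), os.path.join(root, "readme.txt.locked"))
        tampered = verify_backup(root, manifest)
        os.remove(manifest_path)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("tampered copy:", after)
```

A verification that passes only proves the backup matches the manifest it was taken with; it says nothing about whether the right files were included in the first place, so the manifest's file list itself deserves a periodic review against what a restore would actually need.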
Advanced threat detection and training are the best places to start implementing ransomware best practices.
Someone accidentally opened a malicious file on your network, now what?
Plan A is to prevent this from happening with proactive security measures. Here’s Plan B:
- Snapshot the system memory (this information can be critical to investigations and to figure out decryption methods).
- Shut down the network to avoid propagation.
- Identify the possible attack vector by going back and reviewing emails or web browsing history that may have allowed the ransomware to get into your network.
- Block network access to identified command and control centers (many types of ransomware can no longer function if these servers are blocked).
- Optional: notify authorities (this can sometimes cause more problems in terms of getting data back or the ransom demand increasing but the authorities can be helpful in assisting with a full investigation).
Advanced Ransomware Protection from Vade
Looking for the best in ransomware protection?
Invest in an advanced email threat detection system.
Vade provides predictive email security utilizing data from a global customer base of more than 400 million email boxes. Our 24/7 global threat centers protect customers against ransomware, phishing, spear phishing, and other email-borne threats.
On a daily basis, Vade scans 70,000,000 email attachments and 2,600,000 unique URLs.
We discover over 120,000 types of malware and 150,000 phishing URLs every day.
Vade's machine learning system has had a 100% catch rate to date on every variant of Locky, Petya, Jaff, and CryptoLocker identified so far. That’s true zero-day protection.
Vade's solution is easily deployed in the cloud, with native plugins for Office 365 and Google’s G Suite.
Want to learn more about the Vade solution? Contact us with any questions or download the Gartner newsletter Fighting Email Threats with Predictive Defense – Featuring Best Practices from Gartner.