Ransomware Protection

Very few companies can afford a loss of multi-millions, let alone months or even weeks of downtime.

Once your computer systems have been attacked, it’s too late for protection.

You need to empower your organization with ways to protect against ransomware today before you become a victim of one of the worst IT security threats in recent history.

To help you prevent data loss and safeguard your company, Double Technologies will review some of the most persistent ransomware threats you should be aware of, and then go over some powerful methods of protecting against them.

But first, let’s make sure you understand what ransomware is and how it can gain control of your computer systems.

What is Ransomware and How Does it Occur?
The definition of ransomware is wrapped up in the name itself:

It’s malware that holds a person’s or company’s data hostage until they pay a ransom to gain access to it.

You can become infected in all the usual ways:

  1. A malicious link in an email message.

  2. Infected websites.

  3. Fake apps.

  4. Malicious ads, or Malvertising.

Once your machine is infected, ransomware can encrypt all forms of files, from documents to pictures to videos.

It can encrypt your data (with or without a key), lock you out of your operating system, and spread to other PCs on the network.

To get your data back, the hackers usually request payment in Bitcoin because this form of money is harder to trace.

Another ransomware fingerprint is that you’ll be given a short time limit to pay the ransom or risk losing your data forever.

The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. 

8 Ways Double Technologies can protect you against Ransomware:

1) Back Up Everything, Every Day

If you back up all your data, every day, then when an attacker asks for a ransom of $10,000 you can rest easy knowing all that data they just locked down or destroyed is safe on another server that they can’t touch.

However, you have to know how to back up your data correctly.

Ransomware attackers can infiltrate a backup system by going through your desktop first and worming their way into your network.

This means you have to back up your data to the cloud, or to a local storage device that is offline and not directly connected to your network.

If you back up your data to an external hard drive, only connect the hard drive when backing up your data, then immediately disconnect it.
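
As an added example (not code from Double Technologies or from this article), the following Python script shows one way to check a backup run before it overwrites the previous good copy: it records a SHA-256 digest and a byte-entropy score for every file, then flags files whose content changed from readable to near-random, which is what a ransomware-encrypted copy looks like. The 7.5 bits-per-byte threshold, the 50 % change ratio, the `demo()` scenario and its sample files are constructed assumptions for the demo, not figures from the article.

```python
import math
import os
import tempfile
from collections import Counter
from hashlib import sha256

# Assumed thresholds (not from the article): Shannon entropy is measured in bits
# per byte, so plain text lands around 4-5 and ciphertext close to 8.
ENTROPY_THRESHOLD = 7.5
MAX_CHANGED_RATIO = 0.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for an empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Map each file under `root` (relative path) to (sha256 hex, entropy)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            manifest[os.path.relpath(full, root)] = (
                sha256(data).hexdigest(),
                shannon_entropy(data),
            )
    return manifest


def check_backup_run(previous: dict, current: dict) -> dict:
    """Compare the manifest of the files about to be backed up (`current`)
    against the manifest of the last good backup (`previous`).

    A file that changed hash *and* jumped from readable to near-random content
    is the signature of encryption, so the run is not safe to rotate over the
    old copy; a large fraction of changed files is a second warning sign.
    """
    changed = [p for p in current if p in previous and current[p][0] != previous[p][0]]
    newly_high_entropy = [
        p for p in changed
        if current[p][1] > ENTROPY_THRESHOLD and previous[p][1] <= ENTROPY_THRESHOLD
    ]
    missing = [p for p in previous if p not in current]
    ratio = len(changed) / len(previous) if previous else 0.0
    return {
        "changed": sorted(changed),
        "newly_high_entropy": sorted(newly_high_entropy),
        "missing": sorted(missing),
        "changed_ratio": ratio,
        "safe_to_rotate": ratio <= MAX_CHANGED_RATIO and not newly_high_entropy,
    }


def _write_tree(root: str, files: dict) -> None:
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> dict:
    """Constructed scenario: a good snapshot, then a snapshot in which one
    document has been replaced by random bytes standing in for ciphertext."""
    text = b"Quarterly report: revenue up 4%, costs flat.\n" * 100
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as now:
        _write_tree(good, {"docs/notes.txt": text, "docs/policy.txt": text})
        _write_tree(now, {"docs/notes.txt": os.urandom(4096), "docs/policy.txt": text})
        return check_backup_run(build_manifest(good), build_manifest(now))


if __name__ == "__main__":
    print(demo())
```

Run on its own, `demo()` reports `notes.txt` as newly high-entropy and `safe_to_rotate` as `False`; the point of keeping the previous manifest is that the check is made before the offline copy is reconnected and overwritten, so the last known-good copy survives.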

2) Email Security

  1. Malware Scanning

  2. Phishing and Whaling Protection

  3. Geo Blocking known malicious countries

  4. Safelinking/Sandboxing URLs to scan for threats.

  5. Marking external emails with disclaimers so end users know to proceed cautiously.

  6. DMARC/DKIM, letting you verify that emails are coming from the source they claim.

  7. Email Security Training
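
As an added example (not from Double Technologies or this article), here is a small Python checker for the two DNS records the list mentions: it parses a `_dmarc` TXT record and a DKIM selector record and reports weak settings, such as a `p=none` policy that only monitors or a selector whose key has been revoked. The sample records are constructed; in practice you would feed it the TXT records fetched from DNS for your own domain.

```python
# Constructed sample records (not real domains' DNS data).
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_MONITOR_ONLY = "v=DMARC1; p=none; pct=50"
SAMPLE_DKIM_OK = "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"
SAMPLE_DKIM_REVOKED = "v=DKIM1; k=rsa; p="


def parse_tag_value(record: str) -> dict:
    """Parse a DMARC or DKIM TXT record ("k=v; k=v") into a dict.
    Whitespace around tags and values is ignored; a part with no '=' is skipped.
    The value is split on the first '=' only, so base64 padding in p= survives."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a _dmarc TXT record; an empty list means the
    policy is enforcing, applied to all mail, and reports are collected."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def assess_dkim(record: str) -> list:
    """Return findings for a selector._domainkey TXT record.
    v= is optional in DKIM and defaults to DKIM1; an empty p= means the key
    was revoked, and t=y marks the domain as still in testing mode."""
    tags = parse_tag_value(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("v= is present but is not DKIM1")
    if not tags.get("p"):
        findings.append("empty p=: selector key has been revoked, signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, receivers may ignore signature failures")
    return findings


if __name__ == "__main__":
    for name, record in (("enforcing", SAMPLE_DMARC_ENFORCING),
                         ("monitor-only", SAMPLE_DMARC_MONITOR_ONLY)):
        print(name, assess_dmarc(record) or ["ok"])
    print("dkim revoked", assess_dkim(SAMPLE_DKIM_REVOKED))
```

The monitor-only record produces three findings (policy, partial `pct`, no reporting address) while the enforcing one produces none; a record that is not DMARC at all, such as an SPF record placed at the wrong name, is reported as such rather than silently passing.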

3) Antivirus and Firewall configurations giving you:

  1. Firewall that contains IDS and IPS.

  2. Firewall that has layer 7 capability for assisting in geo-blocking and other interesting traffic filtering.

  3. Firewall that has Content Filtering.

  4. Antivirus that has machine learning, behavior monitoring, ransomware protection, real-time scan, and smart scan. This needs to be from a reputable source. We would like to see an AV that has a firewall.

4) Invest in Security Awareness Training

Ultimately, hackers rely on the “human element” more than any other factor to gain access to your information.

Your employees aren’t stupid, but they probably don’t think as seriously about IT security as you do.

Investing in security awareness training will help create a culture of vigilant employees working to identify and avoid malicious links, phishing emails, and dangerous behavior online.

5) Apply Security Patches to All of Your Applications

All cyberattacks and hacking attempts try to exploit vulnerabilities within your third-party plug-ins and apps.

Patching your applications helps to prevent hackers from entering your machines through holes in your installed software.

Java, Flash, Adobe, etc. all need to be consistently updated and/or patched to make them impenetrable.

6) Whitelist Computer Applications

While blacklisting is the practice of preventing the installation of one specific piece of software, whitelisting is the practice of allowing a specific set of programs and websites – blocking the installation or visitation of everything else.

You first scan a machine and identify all the legitimate apps, then configure it to block the installation of any additional apps.

Online, you could install an ad-blocker and a script-blocker to avoid ads and Java and Flash applications, whitelisting only the sites you deem appropriate and safe.
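
As an added example (not the article's or Double Technologies' own tooling), this Python script shows the two steps the section describes in miniature: inventory the executables on a clean machine, then decide for any new file whether it matches that baseline. Keying the allowlist on SHA-256 digests rather than filenames is the design point: a renamed copy of a known program still passes, while a new binary carrying a familiar name does not. The file extensions, directory layout and sample "binaries" in `demo()` are constructed for the demo; a real deployment would hand this inventory to the operating system's own application-control mechanism for enforcement.

```python
import os
import shutil
import tempfile
from hashlib import sha256

# Assumed set of file types treated as "applications" (not from the article).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".ps1", ".bat", ".sh")


def sha256_of(path: str) -> str:
    """Content digest, streamed so large binaries are not read into memory."""
    h = sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: str) -> dict:
    """Step 1: scan a known-clean machine (here, a directory tree) and record
    every executable by content hash. The value is only a label for reports."""
    allowlist = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                allowlist[sha256_of(full)] = os.path.relpath(full, root)
    return allowlist


def decide(path: str, allowlist: dict) -> str:
    """Step 2: anything whose hash is not in the baseline is blocked,
    including a modified copy of a known program."""
    return "allow" if sha256_of(path) in allowlist else "block"


def demo() -> dict:
    """Constructed scenario: one known-good program, then two files that
    appear after the baseline was taken."""
    with tempfile.TemporaryDirectory() as root:
        known = os.path.join(root, "apps", "editor.exe")
        os.makedirs(os.path.dirname(known))
        with open(known, "wb") as f:
            f.write(b"MZ constructed known-good binary")
        with open(os.path.join(root, "apps", "readme.txt"), "wb") as f:
            f.write(b"not an executable, ignored by the scan")
        allowlist = build_allowlist(root)

        renamed = os.path.join(root, "downloads", "ed.exe")
        os.makedirs(os.path.dirname(renamed))
        shutil.copyfile(known, renamed)                 # same bytes, new name
        lookalike = os.path.join(root, "downloads", "editor.exe")
        with open(lookalike, "wb") as f:
            f.write(b"MZ constructed unknown binary")   # familiar name, new bytes

        return {
            "baseline_size": len(allowlist),
            "known": decide(known, allowlist),
            "renamed_copy": decide(renamed, allowlist),
            "lookalike": decide(lookalike, allowlist),
        }


if __name__ == "__main__":
    print(demo())
```

The baseline holds a single entry because the text file is skipped, the renamed copy is allowed, and the look-alike `editor.exe` in the downloads folder is blocked; a name-based denylist would have got the last two cases the wrong way round.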

7) Network Segmentation and Strong Permissions

In an ideal version of network segmentation, each subnetwork would be completely divided, existing in completely different security and IP zones, and only connecting at very limited points, on very limited ports, through clear points of monitoring. However, based on my experience in the real world, even the best-intentioned networks have succumbed to time, user requests, limited capacities and, ultimately, the intention to just make things work. That is why you have us (Double Technologies).

8) Develop a Disaster Recovery Plan

A disaster recovery plan (DRP) can help you spring into action during a whole host of different emergencies, from hackers to hailstorms.

To help you better protect yourself, let’s understand your enemy by looking at some common forms of ransomware:

Here are 10 well-known, dangerous, and active ransomware threats you need to guard against:

1) CryptoLocker is a Trojan horse malware that was used between September 2013 and late May 2014 to gain access to and encrypt files on a system. Cybercriminals would use social engineering tactics to get employees to download the ransomware onto their computers and infect a network. Once downloaded, CryptoLocker would display a ransom message offering to decrypt the data if a cash or Bitcoin payment was made by the stated deadline. While the CryptoLocker ransomware has since been taken down, it is believed that its operators extorted around three million dollars from unsuspecting organizations.


2) Locky was released in 2016 and is spread primarily through emails containing an infected Microsoft Word document. When a user opens the document, they will see unintelligible data and the phrase "Enable macro if data encoding is incorrect." If they enable macros then the ransomware will be downloaded and begin encrypting files. After the encryption is complete, victims receive a message on how to pay the ransom and get their files back.


3) Petya is a ransomware family that was first discovered in 2016. It targets Windows-based systems, infecting the master boot record to deliver a payload and encrypt hard drive files. Upon its download, Petya encrypts the Master File Table of the NTFS file system and then displays a message with ransom payment instructions.

4) Ryuk is enterprise-focused ransomware designed and executed by the cybercrime group WIZARD SPIDER. Unlike traditional ransomware attack vectors, Ryuk leverages spear-phishing tactics to target high-ranking individuals within an organization. Once infected, organizations will receive a note named RyukReadMe.txt with details on ransom demands and where to send the payment. Since 2018, WIZARD SPIDER has made around $3.7 million in Bitcoin payments from this ransomware.


5) WannaCry is a unique ransomware case because once it infects a system, it is able to duplicate itself without changing files or affecting the boot sector of a computer. Due to its duplicative nature, WannaCry was responsible for a worldwide cyberattack in May 2017, infecting over 230,000 computers in less than a day.

WannaCry targets computers that are running outdated versions of Microsoft Windows, exploiting the EternalBlue vulnerability. Much of its success can be attributed to poor patching hygiene, highlighting the importance of regular patching.

6) The Cerber ransomware highlights the growing complexity of ransomware threats, as it is being distributed using the Ransomware-as-a-Service model. Cerber is easily accessible as anyone can use it as long as they share forty percent of profits with the distributors.

Cerber is primarily distributed using phishing tactics, and once downloaded begins to encrypt files while running in the background to avoid detection. Once the encryption is complete the users will find ransom notes with instructions for payment.

7) First discovered in January 2018, GandCrab targets vulnerabilities within the Microsoft Windows operating system. Similar to Cerber, GandCrab is run as a Ransomware-as-a-Service with users agreeing to split profits with the distributors. As with other ransomware attacks, GandCrab uses social engineering tactics to gain access. Once it has been downloaded, it will begin encrypting files for ransom.

8) Sometimes referred to as the “Police Trojan”, Reveton uses social engineering to trick users into thinking they have committed a crime. Victims will receive a message claiming their computer has been locked by a law enforcement agency and that they must pay a fine in order to regain access.

9) Unlike most ransomware variants, SamSam uses Remote Desktop Protocol (RDP) exploits as well as brute-force tactics to steal credentials. SamSam only targets JBoss servers, so if you use JBoss, make sure to keep up to date with their patch releases.

What makes SamSam particularly dangerous is the fact that it assumes administrator rights before downloading the malware onto a system. This means that victims do not have to download a file to be compromised, making it extremely difficult to track.

10) Unlike the ransomware discussed above, SimpleLocker targets mobile devices running on the Android operating system. It is delivered using a Trojan downloader which has made it difficult to counter.

While this is the first identified Android ransomware, it will not be the last. To avoid infecting your device, make sure you only download apps from established stores such as the Google Play Store or the App Store.