How to Prevent Ransomware Attacks 2020
How to Prevent Ransomware Attacks:
When we talk about the most sophisticated cyber crimes ransom-ware attacks inevitably comes to our mind. These attacks have paralyzed organizations, forcing many of them to brink of bankruptcy. Ransom-ware attacks are most frowned upon by most organizations, and it’s very important to take plausible steps to prevent being it’s victims.
“Ransom malware, or ransom-ware, is a type of malware that prevents users from accessing their own system or personal files. The attackers demand ransom, generally in form of money in order to regain access to files”. The earliest variants of ransom-ware evolved in late 1980s, and payment were demanded via Snail mail. Today, hackers demand ransom through Bitcoins or other Alt-coins.
In this write up, we shall discuss about best practices for protection against such attacks.
Best Practices for Protection against Ransom-ware Attacks:
- Perform backup of system(s) on regular basis. To prevent the data loss/ impact due to ransom-ware attacks, take regular backup of data on a separate physical medium. Also ensure, that Operating System applications and security solution has been updated with the latest patches. As per reports, 70% of data breaches could have been avoided by installing patches and upgrades in real time basis.
- Attachments in unsolicited emails even if they came from person in the contact list should not be opened. Also, pay close attention to the web address which may appear to be identical to legitimate websites. These phishing websites are often used to target top executives, CEOs. Once you have been re-directed to fake website in control of fraudsters, they can harvest your account credentials or make you download malwares onto your devices.
- Disable macros in Microsoft Office products - it prevents spread of infection in your network or to your contacts. Do not use unfamiliar and un-trusted USB storage devices.
- Download the applications from trusted sites only. For example, Google Play store or App store. Never download app from third party, as they may be laden with malwares, leading to compromise of your device.
- Do not provide too much personal information on various open social media platforms. By social engineering, attackers can profile you to answer your security questions, or use the information obtained using OSINT means, to gain your trust. And then, convince to perform an action not in your best interests.
At organization level:
- Establish Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and Domain Keys Identified Mail (DKIM) for the organisation domain for email validation to prevent spam and detecting spoofing.
- Restrict the execution of power shell / WSCRIPT and ensure latest version of power shell with enhanced logging.
- Regularly monitor the various security logs. Regularly check the contents of the backup files of databases for any unauthorized encryption.
- Strictly enforce application white-listing Software Restriction Policies (SRP) to block execution of binaries from conventional malware paths such as %TEMP%, %APPDATA%, %PROGRAMDATA% etc in all end points.
- Block the attachments of file types exe, bat, reg, cer, pst, cmd, hlp, pif, tmp, url, vb, vbe, scr, com, dil, dat, hta, js, wsf.
- Provide regular cyber security awareness to personnel and regularly test them with phishing assessments by simulating real world phishing emails.
- Ensure Operating System, applications and security solutions have been updated with the latest patches.
- Disable remote desktop connections.
- Deploy web and email filters and scan for known bad domains sources and addresses in the network regularly.
- A regular comprehensive VAPT and cyber security audit of all ICT assets be carried out.
Periodic security assessment may be done at all these layers to ensure that all important IT assets are adequately protected. Below are some of the important security measures.
- Limited access to data centre facility: Minimal access should be provided to authorized personnel and entrance/ exit logging should be recorded and monitored.
- Access management: Recorded and restricted access be provided to each personnel based on their role and responsibilities. Alerting mechanism should be setup for any un-authorized access in future.
- DDOS protection: Proper hardware should be setup to mitigate Distributed Denial of Service (DOoS) and Slow Loris attacks.
- Firewall Protection: Traffic passing to the internet or from the internet must have specific TCP/ UDP ports and traffic must also be SSL inspected.
- Firewall Logs Monitoring: Log monitoring plays an important role in risk assessment. Analyzing firewall traffic logs is vital to understand network usage and to provide real time information to administration so that remediation action is taken on time for any suspicious activity.
- Endpoint security: This encompasses a 360 degree security on an endpoint, so any compromise is contained within the device and doesn’t spread further.
- Active Directory (LDAP): This ensures that all end users and their devices are connected, managed and monitored via a centrally managed solution.
- Email Security: Need to educate end user about threats originating from unverified and unsolicited emails and to report these to their competent authorities. Email signatures with contact details are one step towards this goal.
- Latest Browser: Latest browsers like Chrome, Chromium, Opera, Safari and Firefox work on a sandbox model working on least privilege ensuring application running on the browser do not leak into the system.
- Operating Systems/ Applications: End users must use genuine Operating System and applications so that they have latest security patches. Strictly avoid usage of pirated and cracked software.
- Website Protection: Ensure only the required ports are open on the firewall to/ from the website.
- WSUS: Setup WSUS to ensure timely update/ patches to connected Operating Systems to ensure vulnerable systems are up to date.
- Admin account: Users should not login via privilege account to prevent unauthorized code execution.
- $ Sharing: Hidden $ sharing should be disabled to prevent spread of malware and viruses.
- Antivirus Security: Users must have full featured and updated anti-virus running which must be capable of detecting malware, worms, Trojan etc.
- Use Strong passwords: Don't use a word or phrase of special importance to you like birthday or family member name etc. These information can be discovered by someone by simple social engineering. The password should be at least 13 characters long, and be mix of uppercase and lowercase letter, numbers and special characters.
- Virtual Private Network (VPN): If traveling, alert your IT department beforehand, especially if you're going to use public Wi-Fi. Make sure you use a trustworthy Virtual Private Network (VPN) when accessing public Wi-Fi.
- Security Audit: Security audit is required for applications and websites before putting in the production environment.
- Encryption: Disk level security should be maintained for data at rest. All the servers and desktops should have encryption enabled at OS level.
- SSL and TLS 1.2: Data in motion should also be encrypted with SSL certificates and minimum TLS 1.2 should be used for encryption.
- Back up important data to an external hard drive: Attackers can gain leverage over their victims by encrypting valuable files and making them inaccessible. If the victim has backup copies, the cyber-criminal loses some advantage. Backup files also allow victims to restore their files once the infection has been cleaned up. Ensure that backups are protected or stored offline so that attackers can't access them.
- Use cloud services: This can help mitigate a ransom-ware infection, since many cloud services retain previous versions of files, allowing you to "roll back" to unencrypted form.
- Hardening of Server: It is required to boost server protection using viable, effective means. We recommended use of CIS benchmarks.
Ransom-ware attacks – What to Do?
Step 1: Disconnect and physically isolate the compromised system from the network to minimize it’s spread to other devices. Turn off wireless connections, if any.
Step 2: Run the scan using the updated anti-virus or security software. Use specific ransom-ware decryption tool if same is provided by anti-virus solution.
Step 3: After cleaning the system, restore the data. Also, change all the user credentials from the secure system.
Additionally, perform the following task:
Step 1: Report the ransom-ware attack to the local Police station or local/ state cyber cell. You may also report it online on the National Cyber Crime Reporting Portal – https://cybercrime.gov.in
Step 2: Preserve the evidences, to secure conviction in the court of law by taking the screenshots of the ransom notice through an external device. Take a sample of the ransom-ware encrypted file and preserve the logs of firewall, anti-virus, e-mail etc.