Ransomware attacks have been grabbing headlines recently, with the scale and frequency of such attacks only increasing. For enterprises, what are the best ways to prevent ransomware? We’ll look at this critical question and several others as we dive into ransomware attacks and the best practices in terms of how they can be prevented.
Table of Contents
- What is Ransomware?
- Four Main Types of Ransomware
- How Does Ransomware Work?
- Who is at Risk From a Ransomware Attack?
- Should You Pay Ransom?
- Best Practices to Prevent Ransomware
- How to Remove Ransomware
- Ransomware Mitigation After an Attack
- How Enterprises Can Protect Themselves Against Ransomware
- CTERA Ransomware Protection and Mitigation
- Latest Developments in Ransomware
- Conclusion
- FAQs
- Related Resources
What is Ransomware?
Ransomware is malicious software that is deployed to a computer, or a computer network, which essentially locks the user or users out of the system by encrypting files until a ransom is paid. In many cases, the cost, time, and effort required to try and decrypt the system and gain access to files once again is so prohibitive, that it’s just easier to pay the ransom.
Ransomware has been hitting the headlines lately for several reasons. First, attacks have been high-profile, targeting well-known organizations, and not shying away from critical services such as hospitals. Second, the amounts demanded by the attackers have been huge, and in many cases have been paid.
And third, ransomware is becoming more common thanks to ready-to-use ransomware kits available on the dark web, and “Ransomware-as-a-Service” (RaaS) offerings.
Four Main Types of Ransomware
There are four main types of ransomware: encryption, lockers, scareware, and doxware or leakware.
- Encryption
In these types of attacks, data within the system is encrypted, and can only be made accessible again with a decryption key held by the attackers. - Lockers
Locker-type ransomware attacks completely lock users out of their systems, rendering the entire system inaccessible. The only screen that users have access to is the ransomware demand screen with details of the amount demanded by the attackers, and how to pay the ransom (often with cryptocurrency). - Scareware
Scareware uses pressure tactics to get users to pay the ransom. Scareware can range from fake alerts that a virus has been found, to actual changes to programs on a user’s screen that makes them think that they have been compromised by ransomware. - Doxware or Leakware
This type of attack warns users that sensitive information – be it personal information, or key corporate information – will be leaked if a ransom is not paid.
Specific ransomware variants include the likes of:
- WannaCry
- BadRabbit
- Ryuk
- Cryptolocker
- Locky
- Maze
- NotPetya
- Petya
This list is far from exhaustive, and ransomware variants are constantly mutating in an attempt to breach company defenses.
How Does Ransomware Work?
First, ransomware has to be introduced into the target organization. There are a number of ways of deploying ransomware, the most common being via a phishing email. In this case, a user within the organization is sent a legitimate-looking email that may contain a malicious link or file. This could introduce a trojan horse-type attack, or even take users to a fake login page that harvests their credentials.
Other common methods of deploying ransomware include leveraging Remote Desktop Protocol (RDP) and by exploiting unpatched vulnerabilities. Once the attackers have access to the organization, they can move laterally, constantly upgrading their privileges until they are in a position to carry out their attack.
After infecting the first users, attackers can go ahead and encrypt the entire system. Then they can demand their payment in return for the decryption key. While this is the basic flow of a ransomware attack, ransomware has become highly sophisticated – scanning files and registry information, and scanning for other vulnerable devices to infect.
Who is at Risk From a Ransomware Attack?
Any organization is at risk from ransomware attacks. Initially, ransomware attackers targeted large enterprises, as this was where the highest ransoms lay. As these organizations boosted their defenses, however, attackers started going after medium and small businesses.
Today, companies of all sizes are still vulnerable to ransomware attacks. Preventing such attacks is becoming increasingly difficult, and so many companies are looking towards cyber resiliency as a strategy, particularly the ability to quickly recover after such an attack.
Should You Pay Ransom?
In general, the answer is “no.” However, there are some cases in which organizations have no choice. There are several reasons why not to pay the ransom:
- You’re giving in to – and funding – criminals.
- There is no guarantee that your data will be accessible again.
- Paying the ransom often leads to more ransomware attacks against the organization.
- There are legal implications to paying a ransom.
If you are left with no choice and have to pay the ransom (for example, where certain information released it would destroy your company) be sure to do so carefully. Best practices include hiring a ransomware negotiator and contracting an Incident Response (IR) expert.
Best Practices: How To Prevent Ransomware
There are generally recognized best practices that can be used to prevent ransomware attacks. These include:
Cyber training, including awareness and education
Keeping employees trained when it comes to cyber risks is critical. Considering that the entry point of ransomware is so often by compromising or fooling an employee, having a well-educated workforce is the first step in keeping your organization secure.
Cyber training starts with education and awareness: from the types of cyber risks that the company is likely to face, to an understanding of how ransomware works, and being able to identify the signs of a suspected ransomware attack such as a spoofed email. Cyber training should be ongoing and can be active, such as through simulated training campaigns.
Data backups
If an organization has up-to-date backups of the information that’s been encrypted, then they are more likely to be able to recover quicker from a ransomware attack. Unfortunately, many traditional backup services can take a while to fully restore data. Modern solutions that leverage a global file system, however, use caching technology to offer near-immediate disaster recovery.
Patching
Many ransomware attacks use vulnerabilities and uncovered exploits to gain access to targets’ systems. By ensuring that patching is kept up-to-date, organizations can reduce their attack surface and increase their level of protection.
User authentication
By strengthening user authentication, companies can prevent credential theft or compromised employees. Technologies such as Multi-Factor Authentication (MFA) and even biometric authentication, can mitigate many of these risks.
Proactive threat detection
Preventing attackers from gaining access to systems is key to preventing ransomware. It’s also important to identify successful attacks early, in order to stop full ransomware attacks. There are various technical tools and service providers that search for anomalous network traffic and attempt to identify and isolate any successful malicious actors that have gained access to the system.
How to Remove Ransomware
Ransomware can prove difficult to remove, as many ransomware variants are built to be persistent in terms of remaining and continuing to attempt to infect target devices. In most cases, simply removing the malicious executable is not enough to completely remove the ransomware altogether, and is not a ransomware solution. As ransomware becomes more sophisticated, the general best practice is to rather wipe the affected computers or systems completely and then restore from a backup.
Ransomware Mitigation After an Attack
Of course, the best time to address ransomware is before an attack takes place. This can be done through a combination of preventative measures, along with ransomware mitigation steps such as having comprehensive cyber insurance in place, and a leading backup solution. After an attack, it’s important to consider the following elements from a mitigation perspective:
Legal implications
Many international regulatory bodies require timeous notification of any data breaches or ransomware attacks that have occurred. Moreover, there are potential liabilities, legal actions, and other legal issues that need to be dealt with immediately.
Business continuity
You want to ensure that your business is back up and running as soon as possible after a ransomware attack. A key part of the post-attack mitigation stage is to have the right disaster recovery solution in place to ensure there is no major disruption.
Ongoing communication
The third key part of mitigation is communication, both internally and externally. It’s important to reassure, to communicate openly and honestly, and to keep people informed of the mitigation steps that have been and will be put in place.
How Enterprises Can Protect Themselves Against Ransomware
Effective protection against ransomware is made up of a number of different elements.
First, it’s about preventing any type of attacker from getting access to your system. This is achieved with a combination of human-oriented tools, such as employee training and awareness; and technological products such as endpoint protection for email, or specific anti-malware products.
The next stage is preventing any attacks from doing damage, should attackers manage to gain entry to your system. Here there are various tools available, and even services such as managed security service providers (MSSPs). Enterprises will also likely have their own Security Operations Center or SOC, that will investigate and terminate any threats.
Unfortunately, even with all these in place, attackers can get through. The number of big brand names in the headlines is a testament to this. Therefore, the most critical part of enterprises protecting themselves is through advanced data protection.
CTERA Ransomware Protection and Mitigation
CTERA provides advanced ransomware protection through its global file system. The global file system ensures that organizations can recover encrypted or “locked” data in minutes, eliminate downtime, protect sensitive information from ever being exposed to hackers, and ultimately mitigate the risk of data loss. It is the strongest, and last, line of defense when it comes to ransomware protection and mitigation.
The CTERA system couples enterprise-grade antivirus and threat protection with zero-trust architecture, building a robust security wall around an enterprise’s data. CTERA’s ransomware protection and mitigation offering includes a number of powerful features and benefits:
Instant disaster recovery
State-of-the-art caching technology means that disaster recovery is essentially immediate, even if it’s dozens of terabytes that need to be rolled back. As the rolling back is occurring, the edge filer is populated almost instantaneously with stubs that enable users to immediately regain access to the recovered files on their mapped network drives – meaning that they don’t even have to wait for all data to be restored.
Immutable snapshots
CTERA’s solution supports a snapshot retention policy, where snapshots cannot be altered or deleted within the retention period. The result is the ability to quickly recover all folders and files after an attempted ransomware attack.
Zero-trust architecture
As the only global file system to have zero-trust architecture, your data is even safer from ransomware. Edge filers never store or receive credentials for the object storage, and all storage operations are performed with single-use tokens provided by an authorization service in the CTERA Portal.
Dual antivirus scanning
This double layer of protection means that antivirus scanning happens both at the edge filer – with embedded antivirus software – and in the private cloud, via ICAP protocol, which can integrate with any antivirus solution.
Varonis DatAlert integration
A potent part of the solution is integration with Varonis DatAlert. Insider threats and ransomware attacks can be detected and stopped, and any attempted data exfiltration prevented.
Latest Developments in Ransomware
Adding any news like the latest ransomware attacks along with a paragraph on each or talk about Paypal or spam emails) There are always new headlines about devastating ransomware attacks. Here are some of the latest developments in ransomware, along with illustrative examples.
Ransoms paid: many successful ransomware attacks don’t make the news because companies do not want it known that they paid the ransom. Sometimes, however, the ransomware attackers leak the news that a ransom was paid, in order to put pressure on their next victims. In a recent case, financial data firm ION was alleged by a hacking group to have paid a large ransom.
Anyone is a target: attackers seem to have no mercy when it comes to their targets. Hospitals and other healthcare facilities have been the victims of several ransomware attacks. In a recent example, Tallahassee Memorial HealthCare (TMH) in Florida had to take its IT systems offline – and suspend non-emergency procedures – following an attack.
Ransomware attacks are getting more sophisticated: in many cases, state actors are, or are alleged to be involved. A recent case was the ransomware attack on the UK’s Royal Mail, allegedly by Russia-linked attackers (though no connection to the government has been proven).
Stay unpatched at your own risk: patching, and keeping software updated in general, is critical. For example, there are now specific warnings regarding VMware ESXi servers, where unpatched servers are being targeted by ESXiArgs ransomware.
The Best Way To Prevent Ransomware
Ransomware is here to stay. Attackers have realized that with a minimum of resources, and almost no chance of being caught, they can earn millions of dollars. To stay ahead of those protecting against ransomware, attackers have evolved their methods, creating a cat-and-mouse game and ensuring that companies have to keep up with the latest ransomware updates.
The best way to prevent ransomware, and to protect against ransomware attacks, is a combination of methods – from educating employees to deploying ransomware protection solutions. All of these solutions however do not create a watertight layer of protection, and ransomware can still hit at any time.
The most effective method of ensuring that a ransomware attack doesn’t cripple your business is by ensuring that you have advanced and effective data protection and a ransomware backup strategy in place. While ransomware attacks have continued hitting the news, organizations that are well-protected, aware of the threat, and have taken the necessary measures to mitigate the risks, are well-placed to avoid the damage that ransomware attacks can wreak.
FAQs
What are the two main defenses against ransomware?
The two main defenses against ransomware are human and technological. To prevent ransomware from entering your systems, it’s important to train employees about ransomware and increase their awareness through education and simulations, such as how to identify a phishing email. From a tech standpoint, there are a number of technological tools that can be employed to attempt to prevent a ransomware attack. While not bulletproof, these tools can make it extremely difficult for attackers to penetrate your organization.
What is the best solution for ransomware?
Assuming an attack does succeed – and as attacks get more sophisticated, more will – an effective and modern backup solution can ensure that an attack causes zero disruption, and zero data exfiltration, thus all but removing the threat that a ransomware attack could present.
What are the top 3 causes of successful ransomware attacks?
The top 3 causes of a successful ransomware attack are:
1. Phishing emails
2. Unpatched vulnerabilities
3. Remote desk protocol (RDP) exploitation
Related Resources:
Read more about how to prevent ransomware attacks with these resources: