What Is Ransomware?
This article is part of our series of articles about how to prevent ransomware attacks.
In this article
Ransomware is a type of malware that stops users from accessing their personal files or system, and demands ransom payment to regain access. The earliest types of ransomware were created in the late 1980s, when payments were made through snail mail.
Currently, ransomware developers demand that payment be made via credit card or cryptocurrency, and attackers target all types of organizations, businesses, and individuals. Certain ransomware creators sell their services to other attackers, an operating model known as Ransomware-as-as-Service (RaaS).
How Ransomware Works
Most types of ransomware perform three main steps – infection, encryption, and ransomware demands.
Step 1: Infection
There is a wide range in which ransomware can gain access to systems, devices, or networks. The majority of ransomware variants have multiple infection vectors. Here are several commonly preferred methods:
- Phishing emails – a form of social engineering attack that involves sending malicious emails that trick recipients into downloading an attachment containing a built-in downloader functionality or clicking on a link to a site hosting malicious downloads. If the recipient is successfully tricked, the ransomware is downloaded and executed on the computer.
- Remote desktop protocol (RDP) attacks – once threat actors steal or correctly guess the login credentials of authorized users, they can use the information to authenticate and gain remote access to a computer within an enterprise network. The actors exploit this access to directly download ransomware and execute it on the machine.
- Direct system infection – for example, the WannaCry ransomware exploited the EternalBlue vulnerability in order to directly infect systems.
Step 2: Encryption
After gaining access to a system, the ransomware starts encrypting files. This typically involves accessing files, using an attacker-controlled key to encrypt files, and then replacing the original files with encrypted versions.
To ensure system stability, the majority of ransomware variants carefully select files for encryption. Additionally, some variants delete backup copies as well as shadow copies of files, to ensure that recovery attempts without a decryption key are more difficult.
Step 3: Ransom demand
After the chosen files are encrypted, the ransomware makes a ransom demand. Each ransomware variant may implement this step in various ways. Many variants display a background modified into a ransom note or place text files containing a ransom note in each encrypted directory.
Ransom notes usually demand a certain amount of cryptocurrency in exchange for access to the files. Once the ransom is paid, the ransomware operator either provides a copy of the private key (which is used to protect a symmetric encryption key) or a copy of the symmetric encryption key, as well as a decryptor. Victims can then enter the information into the decryptor program, which reverses the encryption and restores access to the files.
15 Ways to Prevent Ransomware Infection
Here are several key methods that can help you prevent ransomware infection.
1. Develop Ransomware Plans and Policies
An incident response (IR) plan can help guide your IT and security teams during a ransomware event. Your IR plan should include roles and communications that should be shared during an event, as well as a list of contacts (like partners or vendors) that must be notified.
You can also include a “suspicious email” company-wide policy, which lets employees know what to do when they receive a suspicious email. You can define specific technical steps or simply let employees know that they must forward these emails to the IT or security team.
2. Use a Firewall
The main role of a firewall is to monitor incoming and outgoing network traffic. Using pre-defined rules and threat information, the firewall looks for signs of known malicious payloads and then blocks potential risks. It is considered the first software-based line of defense against various threats, including ransomware.
3. Maintain Backups
According to an advisory from the Center for Internet Security (MS-ISAC), data backup is the most effective method of recovery from a ransomware attack. However, backup processes should be thoughtfully planned. All backup files must be appropriately protected.
Additionally, you should store backup copies offline or out-of-band, to ensure these copies cannot be targeted by threat actors. You can also use cloud services when mitigating a ransomware infection, because they often retain previous versions of files. This enables you to roll back to certain unencrypted versions of your data. To ensure your process works properly, you should routinely test backups.
4. Harden Endpoints
You should factor in security considerations when configuring your systems. By properly configuring systems, you can help reduce the threat surface as well as close security gaps left by default configurations. You can use the CIS Benchmarks, which offer industry-leading configuration standards. Another option is to implement endpoint security solutions, such as zero trust solutions, some of which may be built into your operating system, or offered by third-party providers.
5. Segment Your Network
Once ransomware breaches the system, it may need to move laterally through the network before it can reach the targeted data. Network segmentation can help prevent intruders from moving unhindered between systems and devices.
When segmenting your network, you need to make sure each subsystem has its own individual security controls, a separate firewall and gateway, and strict and unique access policies. This ensures that if attackers compromise a segment, the threat is isolated and the rest of the network remains secure.
6. Cultivate Staff Awareness
A security awareness training can help stop ransomware in its tracks. Once employees are capable of spotting and avoiding malicious emails, the entire workforce takes part in protecting the organization. A security awareness program can help employees learn what they should look for in an email before they actually download an attachment or click on a link.
7. Run Security Tests Regularly
Security tests can help organizations regularly validate the health of their systems and networks. A vulnerability assessment, for example, can help find weaknesses that may lead to breaches.
Security tests can identify a range of issues, including system misconfigurations, flaws in account privileges, weak passwords and problems in authentication mechanisms. It is also important to run penetration tests that perform ransomware simulations to see how systems and teams respond to the threat.
8. Frequently Update Systems
All applications, operating systems, and software must be regularly updated. By applying the newest updates, you can help close security gaps that threat actors are constantly looking to exploit. Whenever possible, you should turn on auto-updates, which ensures you can automatically update the most recent security patches.
Latest versions of Windows have built in ransomware protection – read our guide to Windows 10 ransomware protection (coming soon)
9. Whitelist Applications
Whitelisting and backlisting methods that help control what activity and behaviors are allowed or denied. A whitelist allows activities and a blacklist denies them. This method can be useful in preventing employees from installing certain software on company machines, restricting installation only to known software. This can prevent the installation of ransomware.
10. Set Up a Sandbox
A sandbox is an isolated environment that can execute files and run programs without affecting the network or host device. Sandboxes are often used in testing scenarios, but can also be useful in containing and testing potentially malicious software. By using sandboxes for malware detection, you add another layer of protection against various threats, including ransomware. However, sandboxes tend to be quite slow and less effective when it comes to detection.
11. Implement Password Security
Threat actors look for weak passwords or default passwords to exploit when targeting systems and devices. When organizations use weak or default passwords, they leave their digital assets open to brute force attacks. To prevent this, organizations should use strong passwords and implement multi-factor authentication.
12. Use Ad Blockers or Browser Security Solutions
Malicious marketing is often used to trick users into downloading and installing ransomware. You can avoid this threat by installing ad blockers on all employee devices and browsers. You can use extensions and plug-ins that automatically block pop-up ads, or browser security solutions to limit malicious websites. This can significantly limit the attack surface.
13. Disable Script Execution
Prevent this vulnerability by disabling Windows Script Host and remove the devices’ ability to execute scripts.
14. Deploy Advanced Email Security
Despite the availability of many email security solutions on the market, many still lack the advanced security functionally to prevent malware and ransomware attacks.
Traditional sandboxing technology, has become outdated and not up to par to meet the challenges posed by sophisticated hackers, who employ several levels of attacks with multiple evasion techniques.
Most email security solutions are slow and unable to scale up to support required performance needs, thus security professionals are forced to choose between delaying all email traffic to scanning less than 100% of emails, and only remediating threats after delivery. This imposes a huge risk on the security of their organizations.
15. Deploy a CASB
A cloud access security broker (CASB) can help protect against ransomware. You can deploy CASB solutions on-premises or in the cloud. Once deployed, the CASB acts as an intermediary between cloud data and users. It can help secure data flows between clouds and on-prem data centers, monitor cloud activity, ensure compliance and enforce security policies.
Prevent Ransomware with Perception Point
Perception Point delivers one platform that prevents ransomware, APTs and zero-days from reaching your end users.
Advanced email security is an integrated cloud email security solution (ICES) that can replace SEGs. The solution cloud-native SaaS solution protects your organization against all threats using 7 layers of advanced threat detection layers to prevent malicious files, URLs, and social-engineering based techniques.
Advanced Browser Security adds enterprise-grade security to your organizations native browsers. The managed solution fuses browser protection technology with multi-layer advanced threat prevention engines which delivers the unprecedented ability to detect and remediate all malicious threats from the web, including phishing, ransomware, malware, APTs, and more. Multi-layered static and dynamic detection capabilities instantly detect and block access to malicious/phishing websites and prevent malicious file downloads of ransomware, malware, and APTs.
Advanced Threat Protection for Cloud Collaboration, File Sharing and Storage Applications, such as Microsoft 365 applications (OneDrive, SharePoint, Teams), Google Drive Box, AWS S3 buckets, Zendesk, Salesforce, and any of the other hundreds of apps out there, protects your organization with near real-time dynamic scanning. It does not tamper with files and does not impede on productivity.
An all-included managed Incident Response service is available for all customers 24/7 with no added charge. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.
Interested in learning more? Contact us for a demo.