2017 was called the year of ransomware, but ransomware is showing no signs of slowing down. Ransomware is expected to be an even greater threat to companies and their data this year. Ransomware is malicious code that encrypts valuable data on the computers it infects. Ransomware has been designed to encrypt common work product such as Microsoft Office files and PDFs, as well as important personal files such as family photos. Most ransomware encrypts hundreds of different file types, and some can encrypt databases or application files for critical systems such as ERP or medical record systems.
- A proper backup mechanism should be maintained and made mandatory for all users. Backups should be taken at regular intervals, stored at a different location and isolated from the production network, so that an infection on the working network cannot spread to the backups. Summer Technology uses and recommends Datto backup appliances for maximum protection onsite and in the cloud with minimum downtime.
- Enable Volume Shadow Copy on all servers (a convenience for quick restores, not a substitute for the isolated backups above).
- Use live, actively running anti-virus software that is regularly updated.
- Patch regularly. Update all software, including operating systems, network devices, applications and mobile phones.
- Run applications and user accounts with privilege-based access controls, granting only the minimal privileges required to conduct their activities.
- Design access controls so that no party other than the intended owner or user can read or write a given file or resource.
- Regularly test the recovery function of the backup/restore procedure and verify the integrity of backed-up data.
- Synchronize data so that the current state of any application is preserved on another device or in the browser.
- Conduct simulated ransomware preparedness tests.
- Always keep macros (for example in Microsoft Office documents) disabled.
- Limit end-user access to mapped drives.
- Avoid pirated software from unauthorized websites.
- Don’t download anything from unknown sources.
- Don’t enable remote services unless they are needed. Organizations that expose RDP, VPN, proxies and servers must apply stronger IT security standards to them.
- Prevent script files from executing malicious JavaScript by disabling automatic script execution through Windows Script Host:
• Open the Registry Editor: type regedit in the Windows search box.
• In the left pane, the keys are grouped by function; navigate to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
• In the right pane, right-click to open the context menu, select New and then DWORD (32-bit) Value.
• This creates a new entry; name it Enabled. Double-click it to open its edit dialog.
• In the dialog, set the value to 0 and make sure the base is set to Hexadecimal.
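The same Windows Script Host setting, applied and verified from an elevated PowerShell session instead of Regedit. This is an added example, not part of the original checklist; the function names are our own, the registry key and the Enabled = 0 DWORD value are the ones the steps above describe.

```powershell
# Added example: audit and apply the Windows Script Host "Enabled = 0"
# setting from the checklist. Run as Administrator, since the key is
# under HKLM and applies to all users of the machine.
$WshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns 'Disabled' when the Enabled value exists and is 0,
    # otherwise 'Enabled' (a missing value means WSH runs, the default).
    $item = Get-ItemProperty -Path $WshSettings -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Wsh {
    # Create the Settings key if it does not exist yet.
    if (-not (Test-Path $WshSettings)) {
        New-Item -Path $WshSettings -Force | Out-Null
    }
    # REG_DWORD 0 is exactly what the manual Regedit steps set.
    New-ItemProperty -Path $WshSettings -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "Before: Windows Script Host is $(Get-WshState)"
if ((Get-WshState) -eq 'Enabled') {
    Disable-Wsh
}
Write-Host "After:  Windows Script Host is $(Get-WshState)"
```

After this runs, double-clicking a .js or .vbs file produces a Windows Script Host "access is disabled" dialog instead of executing the script; re-run the script after patching or imaging to confirm the value has not been reset.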
- Don’t enable the AutoPlay option.
- Don’t enable file sharing.
- Show hidden file extensions.
- Disable Windows PowerShell, a task automation framework, where users do not need it.
- Enable the pop-up blocker in all browsers to prevent URL redirection attacks, where the page or website contains maliciously crafted content.
- Use a separate browser for general surfing and for critical tasks like bank transactions.
- Increase browser security by installing add-ons like Web of Trust, Bitdefender TrafficLight, Adblock Plus or ScriptSafe.
- Block known-malicious IP addresses.
- Apply standard security baseline configurations to all firewalls.
- Employ content scanning and spam filtering on your mail servers.
- Attachments from unexpected senders should be strictly avoided.
- Never click on links in emails from unknown senders. The common technique used by cyber crooks for successful infection is sending massive spam campaigns; these emails are designed to lure the victim into clicking the link provided. It is always better to avoid suspicious mail. Be cautious before clicking any hyperlink, and check whether the mail comes from a legitimate source. Phishing emails may masquerade as notifications from a delivery service, an e-commerce site, a law enforcement agency, or a banking institution. Other common types of targeted phishing emails are billing, shipping and invoice-related messages.
- Filter malicious .EXE files, and deny files with two extensions (for example invoice.pdf.exe), at the mail gateway itself.
- Implement effective security awareness training to educate users.
Ransomware Incident Response
- Disconnect the system from the network and turn off any wireless functionality.
- Determine the scope of infection: shared drives/folders, external hard drives, storage devices.
- Determine what type of ransomware it is.
- Check for a decryptor tool.
- Restore files from backups.
- If everything else fails (no backup, no shadow copies, no plan B), negotiate or pay the ransom.
- Protect against future attacks by going through the full checklist and putting most of it into effect.