RANSOMWARE: How to defend yourself from Ransomware: prevention and best practices
In our previous article we described the most recent and most sophisticated attack techniques used by Ransomware, which today represent the biggest and most frequent threat for companies all around the world.
As we explained, ransomware attacks account for 67% of all malware attacks in 2020 and it is expected that in 2021, all around the world, a ransomware attack targeting companies will take place every 11 seconds.
Measures of “cyber hygiene”
This type of attack is enjoying great success because it proved to be extremely profitable for the perpetrators. And, since it is carried out remotely, the risk of being discovered is, for cybercriminals, currently very low.
Nevertheless, ransomware attacks do not show any special ways of hitting their targets: as we explained in the above-mentioned article, the ways in which a ransomware attack can penetrate into our computers are essentially the same as with many other types of attacks.
Therefore, the protection and prevention measures that we should adopt in order to avoid being the subject of a ransomware attack are the same as the ones we use to defend ourselves from any other type of cyberattack.
In most of the cases, we can talk about “cyber hygiene”, meaning actions that should become part of our daily practice. Also because these little gestures may protect us not only from ransomware attacks but from any type of attack.
Protecting yourself from ransomware: prevention
A lot of the preventive protection measures that we will hereafter suggest might appear even elementary and obvious.
But we shall not underestimate them: in most of the cases, ransomware can penetrate into our IT systems exploiting human errors, sometimes even trivial ones.
The most widespread attack technique, since unluckily it works and is easy to realise for the cyber criminal, is still as of today represented by phishing emails: this technique, which exploits social engineering, is used in over 50% of ransomware attacks.
Let’s then focus on how to protect from ransomware attacks.
» Never get carried away with “compulsive clicking”: in general, it is always better to dedicate some seconds to examining the email we received since most of the times phishing emails have something strange and unusual. Therefore, we could notice them if only we had enough patience to observe the email before acting in a way that could be dangerous.
» Never open attachments of uncertain origin. If we are dubious, when we receive a suspected email, it is advisable to ask the sender if that email was authentic!
» Pay attention also to emails coming from known addresses (they could have been hacked using a falsifying technique called “spoofing”).
» Enable the option “Show the filename extension” in the Windows settings: the most dangerous files have the following extensions: .exe, .zip, .js, .jar, .scr, etc. If this option is not enabled, we won’t be able to see the actual file extension and could be more easily deceived.
» Disable the option of autorun for USB devices and other movable devices and, more in general, avoid to insert these objects in our laptop if we are uncertain about their origin. This attack mode is known as “Baiting”: it entails using a bait targeting someone who has the possibility to access a given IT system (like a Trojan). An external memory device, like a USB key or a hard disk, that contains malware which will self-activate as soon as the item is connected to the computer, is on purpose left unguarded in a common place (like the company hall, canteen or parking lot). Human curiosity will do the rest. In most cases it is human curiosity that makes this bait work: the person will insert the unknown device in his/her laptop. As we discussed in another article, it was exactly through a USB key that attackers were able to activate the centrifuges in a nuclear power plant in Iran and make them explode! It is the well-known Stuxnet attack to the Iranian Natanz power plant of 2010.
Today, this threat has become real, this is why some companies have passed very restrictive policies and disabled the USB ports on laptops given to employees. In this way, the USB port can be used to connect the mouse or charge your phone but it won’t be able to send and receive data. In other, more frequent cases this level of restriction is not reached since it is difficult to make users understand and accept it. Nevertheless, it is always useful to train the users on how to be careful when using movable devices and make them aware of the risks that they are facing.
» Disable the execution of macros by Office programmes (Word, Excel, PowerPoint). Office attachments that include malicious macros represent today one of the most widespread attack techniques. Enabling the macro will allow it to automatically activate and hence start the process of infection through ransomware.
» Always pay attention before clicking on banners or pop-up windows in unsafe websites. As we already explained, ransomware can hit us not only through phishing but also by visiting websites that have been infected, with a technique known as “drive-by download”.
» Always update operating systems and browsers. In general, it is good to always update straight away the security patches offered by the producers of the softwares we have installed. An updated browser is safer and it represents by itself a protection layer, especially from “drive-by download” attacks, also known as “watering hole”, which can take place when you navigate in compromised websites.
» Make sure that the plugins you are using (Java, etc.) are always updated. These plugins are known to represent a preferred point of access for most cyber attacks. Keeping them constantly updated reduced the vulnerabilities that affect them (although it does not eliminate them completely).
» Use – when possible – accounts that do not enjoy administrator rights: if an administrator account is violated, the attacker will be able to enjoy the same privileges as the administrator and to carry out more actions resulting in higher damages. Viceversa, a non-administrator user has limited privileges and the same limits will apply to the attacker. This is the basic “principle of least privilege”, which every company should adopt systematically with its users.
» Since phishing emails represent the most frequent attack technique, it is important to install effective and updated antispam systems, which implement SPF protocols (Sender Policy Framework), DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance). They won’t be able to block all phishing emails, but the best systems can reach an efficiency, nevertheless, over 95%.
» Pay attention to the use of the Remote Desktop Protocol (RDP): it represents an exposed port on the network, which – if not necessary – will be closed. If instead we have to use it (especially in these moments where smart working is so frequent) we will have to protect this access with strong passwords and possibly with double authentication 2FA).
» Install Antimalware (antivirus) and keep them up to date. We must, however, be aware that “traditional” antivirus, that is, those defined as “signature based” (based on signatures) guarantee a fairly limited protection (not exceeding 50 60%), because they can be easily circumvented by polymorphic viruses, that is modified.
» Instead, implement “User Behavior Analytics” (UBA) solutions on the corporate network (web traffic anomaly analysis) with IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and EDR (Endpoint Detection & Response) systems. These tools are today the most advanced protection against ransomware. It is known, in fact, that these malware present a series of typical behaviors (access/write to system folders, connection to external servers for downloading encryption files, etc.). The UBA analyze therefore the behavior of every computer of the company and are in a position to understanding if are taking place events “anomalous” (such as above-average data traffic, access to IP addresses classified as malevolent, and access and write to system folders that should not be used). At the detection of abnormal and suspicious events, they can isolate the offending computer and block (at least circumscribe) the attack.
» Implement the use of Sandbox. Sandbox, that literally refers to the sand box for kids, in IT vocabulary identifies a test environment, isolated from the main system. It is used to develop and test applications and to execute operations that represent a potential danger to the system’s integrity.
These instruments are usually available in the UBA systems discussed above and permit to analyse and run in an isolated environment, the sandbox, suspicious files before opening them in the main system, where they could cause damages.
» Adopt accurate Backup procedures of your data. This is a fundamental security measure, even a vital one: if, despite everything, a ransomware manages to hit us, the only way to save ourselves is if we have saved our data somewhere else. And it is important to back up your data often and completely. When the backup is not available you are left with the only option of paying the ransom.
And finally, we should never forget that the weakest point in security is represented by the human factor.
It is therefore fundamental to train and inform users so that they won’t fall prey to phishing attempts, the most used technique in these attacks. In practice, human factors and user awareness are all too often underestimated.
In conclusion:
In every cyber attack there is at least one human error: in most of the attack techniques, ransomwares cannot act unless an action on our side allows it to!
The simple antivirus systems aren’t sufficient anymore and cannot grant full defence (because of the mentioned phenomenon of polymorphism).
Never underestimate the human factor: it is important to train employees at all levels. Unluckily, the errors or negligence of just one person can compromise the data of the entire company.
To sum it up: the first and best protection is always the user.
The author
Giorgio Sbaraglia (https://www.giorgiosbaraglia.it), engineer, is a consultant and trainer on the topics of cyber security and privacy.
He holds training courses about these topics for numerous important Italian companies, including the 24Ore Business School (read here).
He is a member of the Scientific Committee CLUSIT (Italian Association for Cyber Security) and an Innovation Manager certified by RINA
He is the scientific coordinator of the Master “Cybersecurity and Data Protection” of the 24Ore Business school.
He has DPO (Data Protection Officer) positions in companies and Professional Associations.
He is the author of the following books:
“GDPR kit di sopravvivenza” – “GDPR survival kit” (Edited by goWare),
“Cybersecurity kit di sopravvivenza. Il web è un luogo pericoloso. Dobbiamo difenderci!” – “Cybersecurity survival kit. The web is a dangerous place. We must defend ourselves!” (Edited by goWare),
“iPhone. Come usarlo al meglio. Scopriamo insieme tutte le funzioni e le app migliori” – “iPhone. How to use it to its full potential. Let’s discover together all the functions and best apps” (Edited by goWare).
He collaborates with CYBERSECURITY360 a specialised online magazine of the group Digital360 focusing on Cybersecurity.
He writes also for ICT Security Magazine, Agenda Digitale, and the magazine CLASS.
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.
> For more information click here
> For a free trial click here
> To request a quote click here
