Ransomware is here to stay. Second only to C2 (command and control) activity, it is the most frequently observed category of malware attack. Because the vast majority of ransomware arrives by email, the obvious answer is to stop clicking phishing links. How on earth do we do that?

Well, you can’t. Users are human, and phishing attacks prey on that fact. These attacks are not only becoming more proficient; they mimic the tone of normal business email and are highly targeted. Unless we can work out how to stop acting human while we are at work, we must tackle ransomware in a different way.

Employee cyber awareness training works: it has been shown to lower the likelihood that employees click malicious links or attachments. But it must be complemented by technical controls that protect inboxes and endpoints from ransomware and other malware.

What Is Ransomware?

Despite ransomware attacks being in the news almost every day, many people are still blissfully unaware of the threat. 

Ransomware is malware that encrypts your data so that you can no longer access it, then displays a ransom message. Typically the note demands payment in Bitcoin to an address it displays and promises a decryption key in return; if you do not pay, your data stays locked. Rarely is that the whole story. The visible symptom, encrypted files, often masks what has really happened: in many cases your data was also exfiltrated (stolen) before it was encrypted.

Anatomy Of a Ransomware Attack

A ransomware attack is a multi-stage attack. Strains are packaged in different ways, but the basics are always the same: the ransomware infiltrates your IT infrastructure, encrypts as much of your data as it can reach, and then displays a message extorting a ransom payment. Let's break this down step by step.

Step One - Infection

The ransomware first needs access. More often than not this begins with a phishing email carrying a malicious attachment or link, crafted to get the user to open it. When they do, the payload runs on the machine with that user's privileges. From this foothold it sets about encrypting local data and spreading across the network, as the following steps describe.

Step Two - Key Exchange

The ransomware then ‘calls home’ to the attackers’ infrastructure to register the infection and to fetch or confirm the key material it will use. Modern strains generally do not download the key that encrypts your files: they generate a fresh symmetric key on the victim machine and wrap it with an attacker-controlled public key, which is sometimes embedded in the binary so that encryption can proceed even without network access. The matching private key never leaves the attackers, which is why the files cannot be recovered without them. For defenders, this call-out is worth watching: egress filtering, DNS monitoring and C2 detection can sometimes catch an infection before encryption begins.

Step Three - Data Encryption & Exfiltration

Once it has its key material, it begins encrypting files, starting with the local disk before looking for mapped and shared network drives it can also reach. Increasingly, attackers also exfiltrate the data before encrypting it, either to add a second ransom demand or to sell it on the black market.

Step Four - The Extortion Begins

Most ransomware displays a message once it has finished encrypting. The ransom note tells the user that their data has been encrypted and that they must pay to decrypt it; it is usually also dropped as a text file in every folder the ransomware touched.

If your organization holds sensitive data and the attackers realize this, they may also threaten to publish it unless you pay (so-called double extortion).

Step Five - Data Recovery

Assuming one pays the ransom, the attackers then send the decryption key and instructions. They usually do, because if word gets around that a group does not restore data after payment, victims stop paying. Even so, payment is no guarantee: decryptors are often slow or unreliable, and paying does nothing to recover data that has already been stolen.

Professional ransomware groups operate like a business, providing ‘customer support’ to their victims. If you are lucky, your ransomware will be a strain listed on the NoMoreRansom website (www.nomoreransom.org). The NoMoreRansom project publishes free decryption tools so that you can decrypt your data without paying the ransom.

The only other way to recover data without paying is from backups. That, of course, assumes you back up regularly, that the backups survived the attack, and that they can actually be restored.
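Steps one to four leave a recognizable footprint on the endpoint: one process rewriting many files with an unfamiliar extension in a short window, reaching out to network shares, then dropping a ransom note. The script below is an added example (it is not Digital Hands’ code or any product’s detection logic) that runs that heuristic over a constructed, hypothetical CSV of file-write events of the kind an EDR or file-audit source would produce. The log format, the process and share names, the ‘.lockd’ extension, the threshold, and the list of known extensions are all assumptions chosen for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime
from io import StringIO

# Constructed sample log, hypothetical format "ts,host,process,path",
# one line per file write. The attack lines mimic steps one to four above.
SAMPLE_EVENTS = """ts,host,process,path
2024-05-01T09:00:01,WS12,WINWORD.EXE,C:\\Users\\ann\\Documents\\q1-report.docx
2024-05-01T09:00:09,WS12,EXCEL.EXE,C:\\Users\\ann\\Documents\\budget.xlsx
2024-05-01T09:02:00,WS12,invoice.exe,C:\\Users\\ann\\Documents\\q1-report.docx.lockd
2024-05-01T09:02:01,WS12,invoice.exe,C:\\Users\\ann\\Documents\\budget.xlsx.lockd
2024-05-01T09:02:01,WS12,invoice.exe,C:\\Users\\ann\\Pictures\\holiday.jpg.lockd
2024-05-01T09:02:02,WS12,invoice.exe,\\\\FS01\\finance\\ledger.xlsx.lockd
2024-05-01T09:02:02,WS12,invoice.exe,\\\\FS01\\finance\\payroll.csv.lockd
2024-05-01T09:02:03,WS12,invoice.exe,C:\\Users\\ann\\Desktop\\HOW_TO_RESTORE_FILES.txt
2024-05-01T09:10:00,WS12,chrome.exe,C:\\Users\\ann\\Downloads\\setup.exe
"""

WINDOW_SECONDS = 60          # assumption: sliding window per (host, process)
MASS_WRITE_THRESHOLD = 5     # assumption: tune against your own baseline
# Assumption: in practice build this from a baseline of extensions seen on the estate.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".csv", ".jpg", ".png",
                    ".txt", ".exe", ".dll", ".log"}
NOTE_NAME_HINTS = ("restore", "decrypt", "recover", "readme")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_unknown_extension(path):
    """True when the file's final extension is not one we normally see."""
    name = _basename(path)
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[-1] not in KNOWN_EXTENSIONS


def looks_like_ransom_note(path):
    """Crude check for the text file ransomware drops once encryption is done."""
    name = _basename(path)
    return name.endswith(".txt") and any(hint in name for hint in NOTE_NAME_HINTS)


def parse_events(text):
    events = list(csv.DictReader(StringIO(text)))
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return events


def detect(events):
    """Return (host, process, reason) alerts for mass rewrites and ransom notes."""
    alerts = []
    recent = defaultdict(deque)   # (host, process) -> recent unfamiliar-extension writes
    already_alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["process"])
        if looks_like_ransom_note(ev["path"]):
            alerts.append((*key, "ransom note dropped: " + ev["path"]))
        if not has_unknown_extension(ev["path"]):
            continue
        window = recent[key]
        window.append((ev["ts"], ev["path"]))
        # Drop writes that fell out of the sliding window.
        while (ev["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MASS_WRITE_THRESHOLD and key not in already_alerted:
            already_alerted.add(key)
            shares = sum(1 for _, p in window if p.startswith("\\\\"))  # UNC paths
            alerts.append((*key, f"{len(window)} files with unfamiliar extensions "
                                 f"in {WINDOW_SECONDS}s, {shares} on network shares"))
    return alerts


if __name__ == "__main__":
    for host, proc, reason in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{host}] {proc}: {reason}")
```

The sample fires twice: once when invoice.exe reaches five unfamiliar-extension writes within the window (two of them on the FS01 share), and once for the note on the desktop. A plain README.txt written by a developer would also match the note heuristic, so in production you would pair it with the mass-write signal or restrict it to processes that are already suspect.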

How Can You Avoid Falling Victim to Ransomware?

The cybersecurity warriors at Digital Hands have put together some solid tips to help you avoid falling victim to ransomware. We also offer a defense in the form of a managed service (with underlying technology) against these attacks. Here are some of the things we advise you to do to stay safe:

Stop Clicking Strange Links & Attachments 

Stop clicking any link or attachment in an email unless the source has been verified as trustworthy. Train employees to be suspicious of links and attachments by enrolling them in an awareness program; the US Cybersecurity & Infrastructure Security Agency (CISA) publishes excellent free training materials.

Invest In Email & Endpoint Protection Software 

Eventually most humans will click something they shouldn’t, so invest in email and endpoint protection software. Also consider browser isolation, which opens links and attachments in a disposable remote or sandboxed environment, so that whatever an employee clicks never runs on their local machine or touches your IT infrastructure.

You can also invest in email security software that scans users’ mail for malware and known ransomware strains, checks attachments and links before delivery, and keeps endpoint protection up to date. Show users a banner when an email comes from outside the organization so they know to be extra cautious.
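To make the external-sender banner and attachment checks concrete, here is an added example (not Digital Hands’ code and not any mail gateway’s logic) that parses a constructed phishing email with Python’s standard email library and reports the signals a gateway would flag: a sender outside the organization, a lookalike domain, an executive title on an external address, a Reply-To that diverts replies elsewhere, and an executable hiding behind a double extension. The organization domain example.com, the sample messages, and the lists of risky extensions and titles are assumptions for illustration.

```python
from email import message_from_string, policy

ORG_DOMAIN = "example.com"   # assumption: the organization's own mail domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
EXEC_TITLES = ("ceo", "cfo", "president", "director")

# Constructed sample: a lookalike sender, a diverted Reply-To and a .pdf.exe attachment.
SAMPLE_PHISH = """From: "Jane Doe (CEO)" <jane.doe@example-com.co>
To: pat@example.com
Reply-To: payments@mail-relay.example.org
Subject: Overdue invoice - action required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Pat, please open the attached invoice and confirm payment before 5pm.
--b1
Content-Type: application/octet-stream; name="invoice_2024.pdf.exe"
Content-Disposition: attachment; filename="invoice_2024.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed sample: ordinary internal mail that should produce no findings.
SAMPLE_INTERNAL = """From: Pat Lee <pat@example.com>
To: sam@example.com
Subject: Lunch?

Canteen at noon?
"""


def _domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()


def assess(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    if not msg["From"] or not msg["From"].addresses:
        return ["missing or unparsable From header"]
    sender = msg["From"].addresses[0]
    sender_domain = _domain(sender.addr_spec)

    external = sender_domain != ORG_DOMAIN
    if external:
        # This is the signal behind the "external sender" banner.
        findings.append(f"external sender: {sender.addr_spec}")
        if ORG_DOMAIN.split(".")[0] in sender_domain:
            findings.append(f"lookalike domain: {sender_domain} resembles {ORG_DOMAIN}")
        if any(title in sender.display_name.lower() for title in EXEC_TITLES):
            findings.append(f"external sender claims an executive title: {sender.display_name}")

    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0].addr_spec
        if _domain(reply) != sender_domain:
            findings.append(f"replies are diverted to another domain: {reply}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            kind = "double extension" if name.count(".") > 1 else "executable"
            findings.append(f"risky attachment ({kind}): {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("internal", SAMPLE_INTERNAL)):
        print(label, assess(raw) or "no findings")
```

Each finding here is a heuristic, not proof of malice; a real gateway would weight them, consult SPF/DKIM/DMARC results and detonate the attachment in a sandbox. The value of the exercise is seeing that every one of these signals is visible in the headers and MIME structure before a user ever clicks.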

Backup Data 

The best way to recover from a ransomware attack is to keep backups of all data and to make sure those backups are reliable and can be restored quickly when needed. Keep at least one copy offline or immutable: ransomware routinely looks for any backup it can reach and encrypts or deletes it.

If attacked, reimage the affected machines and restore the data. That takes planning and practice, so rehearse restores before you need them. Remember that backups are the last line of defense against ransomware, and make sure the backup process has integrity: verify that what you restore is what you backed up.
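One way to give a backup set the integrity the paragraph above asks for, as an added example that is not Digital Hands’ tooling or any backup product’s feature: record a SHA-256 manifest of every file at backup time, seal the manifest with an HMAC under a key that lives somewhere the backup host cannot reach, and check both before trusting a restore. The demo below builds a small backup in a temporary directory, then simulates ransomware encrypting one file and deleting another, and finally an attacker rewriting the manifest to match. The file contents, paths and key are constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest, key):
    """HMAC over the canonical manifest; the key must not live on the backup host."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(root, manifest, tag, key):
    """Check the manifest seal first, then compare every recorded file."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return {"manifest_ok": False, "missing": [], "changed": []}
    current = build_manifest(root)
    return {
        "manifest_ok": True,
        "missing": [n for n in manifest if n not in current],
        "changed": [n for n in manifest if n in current and current[n] != manifest[n]],
    }


def demo():
    """Build a backup, attack it, and return what verify() reports at each stage."""
    key = b"example-key-kept-off-the-backup-host"   # assumption: stored elsewhere
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("2024-04,income,1000\n")
        (backup / "notes.txt").write_text("restore rehearsal passed 2024-05-01\n")

        manifest = build_manifest(backup)
        tag = seal(manifest, key)
        results["clean"] = verify(backup, manifest, tag, key)

        # Simulated ransomware reaching the backup share: one file encrypted, one deleted.
        (backup / "finance" / "ledger.csv").write_bytes(b"\x8f\x13\x2a\xd1 encrypted garbage")
        (backup / "notes.txt").unlink()
        results["after_attack"] = verify(backup, manifest, tag, key)

        # Simulated cover-up: manifest regenerated to match the damaged files.
        forged = build_manifest(backup)
        results["forged_manifest"] = verify(backup, forged, tag, key)
    return results


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, report)
```

The clean check passes, the post-attack check names the changed and missing files, and the forged manifest is rejected outright because its HMAC no longer matches. Without the off-host key the last case would pass, which is exactly why a manifest stored next to the backup is not enough on its own.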

Be Skeptical 

As humans, we want to be able to trust each other; that is hardwired into us by evolution, and it is one of the reasons our species has thrived. But the basic trust we extend to each other is exactly what attackers prey on to trick us into handing over information they should not have. The key takeaway is that you must always be skeptical of links and attachments in emails. The default position should be ‘verify, then trust’.

Watch our on-demand roundtable, hosted by industry, legal and insurance experts, about the steps you need to take from a legal standpoint during a ransomware attack!
