How to Prevent Ransomware Infections: Best Practices
There is no silver bullet that will protect you against ransomware in all cases. However, following these ransomware best practices will help you minimize the risk of being infected and limit the damage that a successful attack can do. For the basics about what ransomware is and how it works, see the background information provided at the end of this document.
Best Practices for Preventing Ransomware Infection
- Train your employees to increase their IT security awareness and not fall for phishing emails, spam emails and other social engineering attacks.
- Don’t give regular users administrative rights on their workstations.
- Keep your antivirus software, endpoint protection, digital vaccines and other security software and signature databases updated. Perform regular scans of your servers and workstations to spot outdated tools.
- Apply the latest patches to your operating systems and applications as soon as possible to reduce the length of time known vulnerabilities can be exploited. However, always test new updates, patches and hotfixes in a lab before applying them in production.
- Block known ransomware extensions via File Server Resource Manager. If ransom malware cannot create files with those extensions on your file server, it cannot encrypt your files.
- Configure your firewall to whitelist only the specific ports and hosts you need. For example, don’t open remote desktop ports to the internet.
- Install and properly configure intrusion detection and intrusion prevention systems to reduce attack vectors and the chances of being compromised.
- If you discover a rogue or unknown process on your servers or workstations, immediately disconnect the affected machine from the network or terminate the process, and then perform a thorough investigation of the threat.
- Minimize the risk of BYOD (bring your own device) by creating a guest network for new or unknown devices.
- Enforce strong password and account lockout policies in your on-premises and virtual environments to reduce the chance of ransomware infection following a brute-force attack.
- Consider segregating your organization’s network into different zones to minimize the ability of ransomware to spread if it gets into one of your network segments.
- Limit user access to shared drives by performing proper NTFS permissions management via security groups. Since ransom malware can encrypt only the files the victim has access to, a strict least-privilege model limits the damage it can do.
- Disable SMBv1; this helps prevent worm-like ransomware such as WannaCry from spreading across your whole network.
- Enable sandbox and honeypot technologies. You can quarantine ransomware in a sandbox and then assess its potential impact. You can also analyze the behavior of this type of malware to identify the evasion tactics it uses and close the corresponding holes in your cybersecurity defenses.
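One way to implement the File Server Resource Manager (FSRM) extension block described above, as an added example that is not part of the original article: a file group of blocked patterns, an active file screen on the share, an event-log notification so the source host can be traced, and a check that the screen really denies writes. The share path and the extension list are constructed placeholders; the FSRM role service and its PowerShell module are assumed to be installed.

```powershell
# Added example: block known ransomware extension patterns on a file server with FSRM.
# Requires the FSRM role service and the FileServerResourceManager module; run as admin.
# $SharePath and $Patterns are placeholders; keep the pattern list current from a
# source you trust (for example the No More Ransom project mentioned later in the article).
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares\Finance'   # placeholder: the share to protect
$Patterns  = @('*.locky', '*.zepto', '*.crypt', '*.wncry', '*_HELP_instructions.html')

# 1. A file group names the patterns FSRM should refuse to write.
if (-not (Get-FsrmFileGroup -Name 'Ransomware Extensions' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware Extensions' -IncludePattern $Patterns | Out-Null
} else {
    Set-FsrmFileGroup -Name 'Ransomware Extensions' -IncludePattern $Patterns | Out-Null
}

# 2. Log a warning with the offending user and file so the source workstation can be isolated.
$Notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to write [Source File Path] on [Server]. Possible ransomware.'

# 3. An Active screen denies matching writes; a Passive screen would only log them.
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Ransomware Extensions' `
    -Active -Notification $Notify -ErrorAction Stop | Out-Null

# 4. Verify: creating a file with a blocked name must fail with access denied.
function Test-RansomwareScreen {
    param([string]$Path = $SharePath)
    try {
        Set-Content -Path (Join-Path $Path 'screen-test.locky') -Value 'x' -ErrorAction Stop
        return $false   # write succeeded: the screen is not effective
    } catch {
        return $true    # write denied: the screen is active
    }
}
Test-RansomwareScreen
```

A file screen only matches file names, so it is a tripwire and a speed bump rather than a complete control; ransomware that keeps the original extension is not stopped by it.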
Stop Ransomware via Group Policy
- Set up Group Policy to show hidden file extensions on all workstations so users can see the double file extensions (such as filename.doc.exe) that attackers use to disguise malicious software.
- Configure the Application Control policy to blacklist everything and whitelist only the software you need.
- Configure the Software Restriction policy so that users can execute only authorized extensions. That will block malicious software from running.
- Use Group Policy to disable AutoPlay and Autorun on all workstations. Either disable file execution in e-mail attachments, or quarantine all attachments using your spam filter.
- Enable the SmartScreen filter and the pop-up blocker in Internet Explorer to protect users from ads that lead them to malicious sites.
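To spot-check a single workstation for two of the Group Policy settings listed above (visible file extensions, AutoPlay and AutoRun disabled), here is an added example that is not part of the original article: it reads the registry values those policies write and, with -Enforce, sets them. It assumes a domain GPO remains the authoritative way to deploy the settings; the registry paths and values are the documented policy locations, and running as administrator is assumed for the HKLM entries.

```powershell
# Added example: audit (and optionally enforce) the registry values behind the
# "show file extensions" and "turn off AutoPlay/AutoRun" Group Policy settings.
# HKCU values apply to the current user only; HKLM values need an elevated shell.
$Settings = @(
    # Explorer: "Hide extensions for known file types" = off, so filename.doc.exe is visible
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'HideFileExt'; Value = 0 },
    # "Turn off AutoPlay": 0xFF disables it on all drive types
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    # "Default behavior for AutoRun": do not execute any autorun commands
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun'; Value = 1 }
)

function Test-WorkstationHardening {
    param([switch]$Enforce)
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $ok = ($current -eq $s.Value)
        if (-not $ok -and $Enforce) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
            $ok = $true
        }
        [pscustomobject]@{ Setting = $s.Name; Expected = $s.Value; Found = $current; Compliant = $ok }
    }
}

# Report only; add -Enforce to remediate. Explorer must be restarted for HideFileExt to take effect.
Test-WorkstationHardening | Format-Table -AutoSize
```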
Be Prepared to Recover from a Ransomware Attack
- Make regular backups of all your sensitive data and systems. Be sure to store them offline because ransomware can also encrypt backup files if it can reach them. Keeping fresh backups will help you to restore your critical files quickly.
- Enable File History in Windows 10 and Windows 8.1.
- Maintain a complete and current inventory of all your servers, workstations, access points, cybersecurity devices and other business equipment, including their network addresses, so you can quickly find the source of an attack and isolate it.
Be Ready to Detect Ransomware Attacks and Perform Effective Response
- Monitor your file servers for the modification of massive numbers of files with different file extensions within a short period of time. It does take some time for ransomware to encrypt files, but you need to quickly trace its source. When you find the source workstation, take it offline immediately in order to prevent the ransomware from spreading.
- Check the name of the ransomware. If it is old malware that has already been cracked by the IT community, you might find helpful information for recovering from it.
- Beware of system notifications asking you for money to decrypt your files; some may be fake demands that have not encrypted any files.
- Be aware that even real ransomware attacks do not necessarily encrypt all of your files, so establish which files are actually affected before assuming everything is lost.
- Don’t pay the attackers. Even if you get your important data back, they will keep attacking you and forcing you to pay repeatedly. If you’ve already paid by credit card, contact your bank and block the transaction immediately.
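The detection rule described above (many files with many different extensions modified by one user in a short window) as an added example that is not part of the original article: a function that slides a time window over per-user file-change records and reports the user, source host and start time of the burst. The records here are constructed sample data; in practice they would come from object-access audit events (Security event ID 4663) or FSRM audit reports on the file server, and the thresholds are assumptions to tune for your environment.

```powershell
# Added example: flag users modifying an unusual number of files with many distinct
# extensions inside a short window. Events are constructed; thresholds are assumptions.
function Find-MassFileModification {
    param(
        [object[]]$Events,           # objects with User, Host, Time (DateTime), Path
        [int]$WindowSeconds = 60,
        [int]$MinFiles = 50,
        [int]$MinExtensions = 5
    )
    foreach ($group in ($Events | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end    = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $window = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -lt $end })
            $exts   = @($window | ForEach-Object { [IO.Path]::GetExtension($_.Path).ToLower() } |
                        Sort-Object -Unique)
            if ($window.Count -ge $MinFiles -and $exts.Count -ge $MinExtensions) {
                [pscustomobject]@{
                    User = $group.Name; Host = $window[0].Host; Start = $sorted[$i].Time
                    Files = $window.Count; Extensions = $exts.Count
                }
                break   # one alert per user is enough; the next step is to isolate the host
            }
        }
    }
}

# Constructed sample: jdoe touches 200 files of 8 types in 30 seconds; asmith edits one file a minute.
$t0 = Get-Date '2024-01-15 09:00:00'
$types = '.docx', '.xlsx', '.pdf', '.jpg', '.pptx', '.txt', '.csv', '.zip'
$sample = @()
for ($n = 0; $n -lt 200; $n++) {
    $sample += [pscustomobject]@{ User = 'CORP\jdoe'; Host = 'WS-042'
        Time = $t0.AddMilliseconds($n * 150); Path = "\\fs01\finance\f$n$($types[$n % 8])" }
}
for ($n = 0; $n -lt 10; $n++) {
    $sample += [pscustomobject]@{ User = 'CORP\asmith'; Host = 'WS-017'
        Time = $t0.AddMinutes($n); Path = "\\fs01\finance\report$n.docx" }
}
# Expected: one row for CORP\jdoe from WS-042; asmith stays below both thresholds.
Find-MassFileModification -Events $sample | Format-Table -AutoSize
```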
Ransomware Removal Free Tools
Here is a list of ransomware removal tools that, in concert with your antivirus software, will help you with ransomware detection and removal:
- Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
- Kaspersky’s ransomware decryptors
- Kaspersky’s Anti-Ransomware Tool for Business
- AVG’s decryption solutions
- Trend Micro’s Ransomware Screen Unlocker Tool
- Avast’s ransomware decryption tools
- McAfee’s Ransomware Interceptor
For a list of additional decryption tools, see the list maintained by the No More Ransom organization.
Background: What Ransomware Is and How It Works
Ransomware is a type of malware that blocks access to the victim's data (photos, personal information, documents, backups, etc.) and threatens to publish or delete it unless a ransom is paid. While some simple ransomware locks the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, which makes it nearly impossible to recover the victim's files without the decryption key. Many attacks demand that the ransom be paid in digital currencies, such as Ukash and Bitcoin, which are difficult to trace, making prosecution of the perpetrators difficult. The first known ransomware was deployed in 1989. By 2013, the use of such malware had become well established around the world.
The attacker generates a key pair and places the public key in a piece of malware. When the ransomware infection is released on a computer, it generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. Then the malware displays a message to the victim with instructions about how to pay the ransom. When the victim sends the payment, the attacker uses the private key from the key pair to decipher the encrypted symmetric key and sends the unencrypted symmetric key to the victim, who can use it to decipher the encrypted data. (Of course, there is no guarantee that the attackers will actually send you the decryption key.)
Ransomware attacks are typically carried out using a Trojan — the malware is disguised as a legitimate file that a user is tricked into downloading or opening when it arrives as a malicious email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without end user interaction.