Prevent Ransomware Best Practices
How to Prevent Ransomware Infections
- Train your employees not to fall for phishing attacks, and don’t give them admin rights to their workstations.
- Always keep your antivirus databases and software updated.
- Apply the latest OS patches as soon as possible.
- Block known ransomware extensions via File Server Resource Manager (FSRM). If ransom malware cannot create files with those extensions on your file server, it cannot encrypt your files there.
- Stop ransomware via Group Policy:
  - Set up Group Policy to show hidden file extensions on all workstations so users can see the double file extensions (such as filename.doc.exe) that attackers use to disguise malware.
  - Configure the Application Control policy to blacklist everything and whitelist only the software you need.
  - Configure the Software Restriction policy so that users can execute only authorized extensions.
  - Use Group Policy to disable AutoPlay and Autorun on all workstations. Either disable file execution in e-mail attachments, or quarantine all attachments using your spam filter.
  - Enable the SmartScreen and pop-up blocker features in Internet Explorer to protect users from ads that lead them to malicious sites.
- Configure your firewall to whitelist only the specific ports and hosts you need.
- Minimize the risk of BYOD by creating a guest network for new or unknown equipment.
How to Limit the Damage a Ransomware Attack Can Do
- Require strong passwords in your IT environment.
- Segregate your network into different zones with unique access to each.
- Limit user access to shared drives by assigning NTFS permissions via security groups. Since ransom malware can encrypt only the files the victim has access to, a strict least-privilege model limits the damage it can do.
How to Be Prepared to Recover from a Ransomware Virus
- Make regular backups of all your sensitive data and systems and store them offline.
- Enable File History in Windows 10 and Windows 8.1.
- Maintain a complete and current inventory of all your equipment and its network addresses so you can quickly find the source of an attack and isolate it immediately.
How to Detect Ransomware Attacks and Respond Effectively
- Monitor your file servers for the modification of massive numbers of files to different file extensions within a short period of time.
- Since ransom malware cannot encrypt all files within seconds, you may have time to trace its source. When you find the source workstation, take it offline immediately to stop the ransomware from spreading.
- Check the name of the ransomware strain. It may be older malware that the IT community has already cracked.
- Beware of system notifications asking you for money to decrypt your files; some may be fake demands that have not encrypted any files.
- Be aware that even a genuine ransomware attack does not necessarily encrypt all of your files.
- Don’t pay the attackers. Even if you get your data back, they will keep attacking you and forcing you to pay repeatedly. If you’ve already paid by credit card, contact your bank and block the transaction immediately.
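The mass-modification signal described above, as an added example that is not part of the original article: a sliding-window check over file-server change records, flagging any account that changes the extension of many files within a short period. The record layout (timestamp, account, path before, path after) and the sample events are constructed for the example.

```python
# Added example (not from the article): flag accounts that change the extension of
# many files in a short window. Input records are constructed:
# (ISO-8601 timestamp, account, path before change, path after change).
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample: alice saves a spreadsheet and renames one note (benign);
# bob renames six documents to a new extension within a few seconds.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "CORP\\alice", r"\\fs1\share\q1.xlsx", r"\\fs1\share\q1.xlsx"),
    ("2024-05-01T09:00:05", "CORP\\alice", r"\\fs1\share\notes.txt", r"\\fs1\share\notes.md"),
] + [
    (f"2024-05-01T09:01:{i:02d}", "CORP\\bob",
     rf"\\fs1\share\doc{i}.docx", rf"\\fs1\share\doc{i}.docx.locked")
    for i in range(6)
]

def _ext(path):
    # Normalise UNC backslashes so splitext looks at the last path component only.
    return os.path.splitext(path.replace("\\", "/"))[1].lower()

def extension_changed(before, after):
    """True when the file's extension differs after the change (e.g. .docx -> .locked)."""
    return _ext(before) != _ext(after)

def detect_mass_rename(events, window_seconds=60, threshold=5):
    """Return {account: (peak_count, new_extensions)} for each account that changed the
    extension of at least `threshold` files inside any `window_seconds` sliding window.
    Caveat: malware that overwrites files in place and keeps the extension is not caught
    by this rule; pair it with a plain modification-rate check on the same events."""
    recent = defaultdict(deque)  # account -> (timestamp, new extension) still in window
    alerts = {}
    for ts_str, account, before, after in sorted(events):  # ISO strings sort chronologically
        if not extension_changed(before, after):
            continue
        ts = datetime.fromisoformat(ts_str)
        window = recent[account]
        window.append((ts, _ext(after)))
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and len(window) > alerts.get(account, (0,))[0]:
            alerts[account] = (len(window), sorted({ext for _, ext in window}))
    return alerts

if __name__ == "__main__":
    for account, (count, exts) in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {count} files renamed to {exts}; isolate the source host")
```

The alert names the account, which together with the equipment inventory recommended above points you to the workstation to take offline.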
How to Find Ransomware Removal Tools
Here is a list of ransomware removal tools that can help you get rid of it:
- Microsoft Enhanced Mitigation Experience Toolkit (EMET)
- Malwarebytes beta
- Kaspersky’s decryptors
- Kaspersky’s tool
- AVG’s solution
- Trend Micro Screen Unlocker
- Bitdefender’s tool
See how Netwrix Auditor can help you minimize the risk of damage from ransomware by enabling control over user permissions and Group Policy, detecting anomalous user behavior, and optimizing the data recovery process.
What is a Ransomware Virus?
Ransomware is a type of malware that blocks access to the victim's data and threatens to publish or delete it unless a ransom is paid. While some simple ransomware may lock the system in a way that a knowledgeable person can reverse without much difficulty, more advanced malware uses a technique called cryptoviral extortion, which encrypts the victim's files in a way that makes them nearly impossible to recover without the decryption key. Many attacks demand that the ransom be paid in digital currencies such as Ukash and Bitcoin, which are difficult to trace, making prosecution of the perpetrators difficult. The first known ransom malware was deployed in 1989. By 2013, the use of such viruses had become well established around the world.
How Does Ransomware Work?
The attacker generates a key pair and places the public key in a piece of malware. When the ransomware is released on a computer, it generates a random symmetric key and encrypts the victim's data with it. It then uses the public key embedded in the malware to encrypt the symmetric key, so only the holder of the matching private key can recover it. The malware then displays a message to the victim with instructions about how to pay the ransom. When the victim sends the e-payment, the attacker uses the private key from the key pair to decrypt the encrypted symmetric key and sends the unencrypted symmetric key to the victim, who can use it to decrypt the encrypted files. (Of course, there is no guarantee that the attackers will actually send you the decryption key.)
Ransomware attacks are typically carried out using a Trojan — the malware is disguised as a legitimate file that a user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction.