Ransomware Prevention Best Practices
There is no way to prevent ransomware attacks and no silver bullet for defending against them. However, following these ransomware best practices will help you minimize the risk of ransomware infections and limit the damage that a successful attack could do.
For the basics about what ransomware is and how it works, see the background information at the end of this document.
Best Practices for Preventing Ransomware Infections
- Increase IT security awareness by educating employees:
  - Teach users how not to become a victim of phishing attacks: train them to be suspicious of emails from unknown senders and not to click on links or open attachments in such emails.
  - Develop a response plan for users to follow in the event of a possible infection.
- Don’t give regular users administrative rights on their workstations. If someone truly needs elevated access, create a separate user account with the required privileges.
- Keep your antivirus software, endpoint protection and other protection solutions and databases up to date. Ensure that you regularly inventory your software to spot outdated tools.
- Apply the latest patches to your operating systems and applications as soon as possible to reduce the window during which new vulnerabilities can be exploited. However, always test new software updates in a lab before applying them in production.
- Block known ransomware extensions using File Server Resource Manager.
- Configure your firewall to whitelist only the specific ports and hosts you need. For example, make sure you have not left RDP (remote desktop) ports open to the internet.
- Install and properly configure intrusion detection and intrusion prevention systems to reduce the chances of system compromise.
- Block removable drives since they can contain malware, or at least disable autorun and enforce antivirus scanning for new media.
- Enable a secure password policy and account lockout policy to reduce the chance of a ransomware infection after a brute-force attack.
- Consider segregating your organization’s network into different zones to minimize the ability of ransomware to spread.
- Keep your permissions structure clean and maintain a strict least-privilege model. Since ransomware can access only the files the victim account has access to, this strategy will limit the amount of data that can be encrypted.
- Disable the network communication protocol SMB v1; this will help prevent common ransomware strains like WannaCry from spreading across your whole network.
- Include sandbox and honeypot approaches in your security program:
  - A honeypot is set up to look like a legitimate network and can lure attackers into thinking they have found a valuable target. This layer of security is capable of alerting admins to lateral movement or files being accessed on the network.
- If you have already discovered a rogue or unknown process on a server or workstation, immediately disconnect that machine from the network or disable it, and then perform a thorough investigation of the threat.
- Quarantine suspicious software on a separate device or network and then check the potential impact from it.
- If you suffer an attack, analyze the behavior of the malware to remediate the corresponding gaps in your defenses and prevent future infections.
- Minimize the risk from bring-your-own-device (BYOD) policies by creating a guest network for new or unknown devices.
Best Practices for using Group Policy to Stop Ransomware
- Set up Group Policy to show file extensions on all workstations so users can see the double file extensions (such as filename.doc.exe) often used to disguise malicious software.
- Configure the Application Control policy to blacklist everything and whitelist only the software you need.
- Configure the Software Restriction policy so that users can execute only authorized extensions; this will help prevent users from opening attachments with malicious scripts and executables.
- Use Group Policy to disable AutoPlay and Autorun on all workstations. Either disable file execution in e-mail attachments or quarantine all attachments using your spam filter.
- Use Group Policy to enable the SmartScreen and popup blocker features in end users' browsers to prevent them from seeing ads that could lead them to malicious sites.
Best Practices for Detecting and Responding to Ransomware Attacks
- Monitor your file servers for the modification of massive numbers of files with different file extensions within a short period of time and quickly take the source workstation offline.
- Maintain a complete and up-to-date inventory of all your servers, workstations, access points, cybersecurity devices and other business equipment, including their network addresses, so you can quickly find the source of an attack and isolate it.
- Consider implementing a data loss prevention (DLP) solution to protect your on-premises and cloud data.
- Beware of system notifications asking you for money to decrypt your files; some may be fake demands that have not encrypted any files.
- Be aware that successful ransomware attacks do not encrypt all your files.
- Don’t pay the attackers. Even if you get your data back, they might keep attacking you and forcing you to pay repeatedly.
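For the file-server monitoring item above, this is an added example (not code from the original article) of the detection logic run over a constructed set of audit records: it flags a source workstation that rewrites many files with many different extensions inside a short window. The record format, hostnames, thresholds and window size are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed file-server audit records (not from any real system). Each line is
# "<ISO timestamp> <user> <source workstation> <UNC path of the file written>".
SAMPLE_LOG = r"""
2024-03-01T09:00:01 alice WS-ALICE \\FS01\finance\q1.xlsx
2024-03-01T09:14:30 bob WS-BOB \\FS01\hr\policy.docx
2024-03-01T10:02:00 carol WS-CAROL \\FS01\eng\spec.docx.locked
2024-03-01T10:02:01 carol WS-CAROL \\FS01\eng\budget.xlsx.locked
2024-03-01T10:02:01 carol WS-CAROL \\FS01\eng\deck.pptx.locked
2024-03-01T10:02:02 carol WS-CAROL \\FS01\eng\notes.txt.locked
2024-03-01T10:02:03 carol WS-CAROL \\FS01\eng\README_DECRYPT.txt
2024-03-01T10:02:03 carol WS-CAROL \\FS01\eng\photo.jpg.locked
2024-03-01T11:30:00 alice WS-ALICE \\FS01\finance\q2.xlsx
"""

def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one audit record into (timestamp, user, workstation, extension chain)."""
    ts, user, host, path = line.split(maxsplit=3)
    # Keep the whole suffix chain (".docx.locked"), so an appended ransomware
    # suffix still shows the variety of underlying file types being rewritten.
    ext = "".join(PureWindowsPath(path).suffixes).lower()
    return datetime.fromisoformat(ts), user, host, ext

def find_mass_modifications(lines: list[str], window_seconds: int = 60,
                            min_files: int = 5, min_extensions: int = 3) -> list[dict]:
    """One alert per workstation writing >= min_files files with >= min_extensions
    distinct extensions inside a sliding window of window_seconds."""
    recent, alerted, alerts = {}, set(), []
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ts, user, host, ext = parse_line(line)
        q = recent.setdefault(host, deque())
        q.append((ts, user, ext))
        while q and ts - q[0][0] > window:   # drop records older than the window
            q.popleft()
        exts = {e for _, _, e in q}
        if host not in alerted and len(q) >= min_files and len(exts) >= min_extensions:
            alerted.add(host)   # one alert per source: isolate it, then investigate
            alerts.append({"workstation": host, "user": user, "files": len(q),
                           "extensions": sorted(exts), "window_end": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_mass_modifications(SAMPLE_LOG.strip().splitlines()):
        print(f"ALERT: isolate {alert['workstation']} ({alert['user']}): "
              f"{alert['files']} files, extensions {alert['extensions']}")
```

In a real deployment the records would come from file-server object-access auditing or the file server's own change log, and the thresholds should be tuned against the share's normal activity so that bulk legitimate operations (migrations, builds) do not trigger the alert.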
Best Practices for Ensuring You Can Recover from a Ransomware Attack
- Make regular backups of all your sensitive data, systems and core settings. Be sure to keep several backup iterations and store them separately (offline or in the cloud) because ransomware can encrypt backup files. Fresh backups will help you to restore your critical files quickly.
- Enable File History in Windows 10 and Windows 8.1.
- Check the name of the ransomware. If it is old malware that has already been cracked by the IT community, you might find helpful information for recovering from it.
- Look into specialized anti-ransomware decryption solutions that can restore your data, including the list of free tools maintained by the No More Ransom organization.
Background: What Ransomware Is and How It Works
Ransomware is a type of malware that blocks access to the victim's IT assets (workstations, photos, documents, backups, etc.) and sometimes threatens to publish or delete them unless a ransom is paid, usually in a digital currency that is difficult to trace in order to minimize the risk of prosecution. The first known ransomware was deployed in 1989. Today, ransomware protection is a top cybersecurity priority for organizations across the world.
Simple ransomware locks the system in a way that is not difficult to reverse. However, more advanced malware uses a technique called cryptoviral extortion, which makes it nearly impossible to recover the victim's files without the decryption key. The attacker generates a key pair and places the public key in a piece of malware. When the ransomware is released on a computer, it generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. Then the malware displays a message with instructions about how to pay the ransom. When the victim sends the payment, the attacker uses the private key from the key pair to decipher the encrypted symmetric key and sends the unencrypted symmetric key to the victim, who can use it to decipher the encrypted data. (Of course, there is no guarantee that the attackers will actually send you the decryption key.)
Ransomware attacks are typically carried out using a Trojan — the malware is disguised as a legitimate file that a user is tricked into downloading or opening when it arrives as a malicious email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without any user interaction.