Ransomware is on the rise. According to Symantec, there was a 35% increase in ransomware attacks in 2015 and this figure is set to rise again in 2016. In the past, ransomware was aimed primarily at Windows-based machines, targeting personal and office computers; now, however, its developers have begun to produce versions that can hold Linux, Android and iOS systems to ransom too, so Linux-based servers and mobile devices are also at risk. It has never been more important to take ransomware defence seriously, and in this article we’ll show you how to defend yourself against it.
What is ransomware?
Ransomware is a form of extortion in which a user is forced to pay a ransom to regain the use of their computer or system. Computers and servers are infected by two methods: the drive-by method, where a user visits an infected website or clicks on a link in a phishing email, and the vulnerability exploit method, where malicious software scans your machine for vulnerabilities and, if it finds any, executes the malicious code that begins the ransomware process.
Once installed, the malware prevents the user from accessing their machine, either by locking the user out or, as has become the most popular method, by encrypting the contents of the hard drive. The user is then forced to pay the ransom to regain access or to have the encryption removed. With encryption, sometimes the user is only given access to a backup which they then need to restore themselves, and there are reported instances where the restored data turned out to be corrupted.
How do ransomware attacks take place?
Ransomware attacks are not normally targeted at specific individuals or businesses; instead, the cybercriminals are operating on the belief that if you throw a big enough net into the sea you’ll catch a fish eventually.
Their main form of drive-by attack is to send out millions of spam emails in the hope that a few unsuspecting individuals will click on the malicious links they contain. In addition, they set up websites containing malicious code and do their utmost to drive traffic to them; again, spam email plays a part in this.
With vulnerability exploits, the biggest problems, at present, are caused by vulnerabilities in Adobe Flash and Microsoft Silverlight. While Microsoft has worked hard to patch Silverlight’s vulnerabilities, issues with Flash continue and this has led to it being cut out of the loop by many web services. Google, for example, no longer uses it on Chrome and will stop displaying Flash advertising next year.
Both these methods of attack work because businesses and individuals do not manage the risk of ransomware effectively and this is mainly due to poor staff training, weak software security and slack patch management.
Defending yourself from ransomware
Defend against vulnerabilities in Flash and IE
To reduce your chance of being infected by ransomware, you need to reduce your exposure to its channels of attack. For example, you can help prevent infection by ransomware that uses Adobe Flash vulnerabilities by restricting access to Flash. Uninstalling IE or MS Edge from your company’s computers and replacing it with Chrome will certainly reduce the chance of infection via that route. If you do want to continue using Flash, you should set it to click-to-play and install browser ad-blockers to protect against malicious advertising attacks.
Patching should also be a vital part of your risk management. You need to ensure that you are running the latest updates for your operating system, whether that’s Windows, Mac or Linux, as well as for any applications you use, especially Adobe Flash and Microsoft Silverlight. For those who find this difficult to achieve on their servers, upgrading to managed hosting with your web host can be the easiest way to ensure it takes place.
Regular backups stored offline
Equally important in protecting your system from ransomware is the need for backups. As your entire system can be encrypted, these should include both application and data backups. Ideally, they should be stored offline so that you can still access them if you are ransomed. You should also back up shared files, as these are often targets of ransomware attacks.
Change setting to show hidden file extensions
Enabling the display of hidden file extensions makes it much easier to identify malicious files in emails, attachments and web links. For example, the ransomware program Cryptolocker is often hidden in a file with the extension .PDF.EXE. It’s only when you can see the .EXE part that you can tell you are looking at an executable program.
Filter executable files in email
Even better than relying on spotting .EXE files in emails is to use a mail scanner that will automatically block or quarantine them, especially files with a suspicious double file extension ending in .EXE (e.g. invoice.docx.exe). Again, the surest way to achieve this is to make sure your service provider offers highly secure email hosting.
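The double-extension check described above, as an added PowerShell example that is not part of the original article: it classifies attachment file names the way a mail filter would, and goes slightly beyond the article by treating script and installer types as executable alongside .EXE. The extension lists and the sample attachment names are constructed for the example.

```powershell
# Added example, not from the article: the attachment check a mail filter performs.
# Extension lists and sample names are constructed for the example.

# Types Windows runs on double-click (beyond the .EXE the article mentions).
$Executable = 'exe','com','scr','pif','bat','cmd','js','jse','vbs','vbe','wsf','hta','msi'
# Document and image types used as the visible "inner" extension of a lure.
$Decoy = 'pdf','doc','docx','xls','xlsx','ppt','pptx','txt','jpg','png'

function Get-AttachmentVerdict {
    param([Parameter(Mandatory)][string]$FileName)
    # Explorer hides only the final extension, so invoice.docx.exe is shown as invoice.docx.
    # Trim and lower-case so 'Statement.PDF.EXE ' is treated the same as 'statement.pdf.exe'.
    $parts = $FileName.Trim().ToLowerInvariant().Split('.')
    $last  = $parts[-1]
    $inner = if ($parts.Count -ge 3) { $parts[-2] } else { '' }
    $action, $reason = 'Allow', ''
    if ($parts.Count -ge 2 -and $Executable -contains $last) {
        if ($Decoy -contains $inner) {
            # A document-looking name with an executable tail: the classic lure.
            $action, $reason = 'Block', "executable disguised as .$inner (double extension)"
        } else {
            # Plain executable attachment: hold it for review rather than deliver it.
            $action, $reason = 'Quarantine', "executable attachment (.$last)"
        }
    }
    [pscustomobject]@{ FileName = $FileName; Action = $action; Reason = $reason }
}

# Constructed sample attachment names from an inbound message.
$Sample = 'invoice.docx.exe', 'Statement.PDF.EXE', 'setup.exe', 'quarterly.xlsx', 'notes.txt', 'archive.tar.gz'
$Sample | ForEach-Object { Get-AttachmentVerdict -FileName $_ } | Format-Table -AutoSize
```

Of the sample names, the two double-extension lures are blocked, setup.exe is quarantined and the three ordinary attachments are allowed.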
Disable files which run from AppData folders
If you don’t need to run software from the AppData area, you should consider disabling execution from it on your computers or servers. This is because some forms of ransomware use the AppData or Local AppData folders to launch themselves.
This can be done in Windows on individual machines or, if you have a managed service with your web host, you can ask them to configure their intrusion protection software to achieve it.
Disable Remote Desktop Protocol
Remote Desktop Protocol enables remote users to access your computer. It is often used legitimately within organisations so that if a user is having a problem with their computer the IT staff can fix the issue without having to leave their own office.
However, if exploited, it means unauthorised users can also gain control of your computer and install software without your knowledge. This method has been used to install ransomware on computers, so if you don’t need it, disable it. You can always turn it on and off temporarily if you need to give legitimate access for a short period.
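The three Windows-side settings from the last sections (showing hidden extensions, blocking execution from AppData, and switching Remote Desktop off and back on) as an added PowerShell example, not from the article. It assumes the registry values that Explorer, Software Restriction Policies and the Remote Desktop settings store, and should be run as an administrator on a test machine before any production system, because the AppData rules also block legitimate per-user applications installed there.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Applies three of its Windows hardening steps.
# The AppData rules block legitimate per-user apps installed under AppData as well.

function Show-FileExtensions {
    # Explorer hides known extensions by default, so invoice.pdf.exe displays as invoice.pdf.
    # HKCU: this affects the user running the script.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value at start-up; it restarts itself after being stopped.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
}

function Set-RemoteDesktop {
    # -Enabled $false disables RDP; -Enabled $true turns it back on for short-term access.
    param([Parameter(Mandatory)][bool]$Enabled)
    $deny = if ($Enabled) { 0 } else { 1 }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value $deny -Type DWord
    # Also open or close the host firewall so the listener is unreachable when disabled.
    if ($Enabled) { Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' }
    else          { Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' }
}

function Block-AppDataExecution {
    # Software Restriction Policy path rules, written to the registry keys the Local
    # Group Policy editor uses. Level 0 = Disallowed; 0x40000 = Unrestricted default.
    $safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }
    Set-ItemProperty -Path $safer -Name DefaultLevel -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1 -Type DWord   # enforce for all software
    Set-ItemProperty -Path $safer -Name PolicyScope -Value 0 -Type DWord          # all users, including admins
    Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString `
        -Value @('EXE','COM','SCR','PIF','BAT','CMD','JS','VBS','WSF','HTA','MSI')
    # Roaming and Local AppData, plus one level of sub-folder, where droppers usually land.
    $paths = '%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe'
    foreach ($p in $paths) {
        $rule = "$safer\0\Paths\{$([guid]::NewGuid())}"
        New-Item -Path $rule -Force | Out-Null
        Set-ItemProperty -Path $rule -Name ItemData -Value $p -Type ExpandString
        Set-ItemProperty -Path $rule -Name SaferFlags -Value 0 -Type DWord
        Set-ItemProperty -Path $rule -Name Description -Value 'No execution from AppData' -Type String
    }
    # Rules apply to newly started programs; sign out and back in if they do not take effect.
}

Show-FileExtensions
Set-RemoteDesktop -Enabled $false
Block-AppDataExecution
```

In a domain, put the same Software Restriction Policy rules in Group Policy instead, since a domain policy refresh can overwrite values written locally.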
The single biggest cause of ransomware infection is human behaviour. People are easily tricked into believing a website is genuine or that the file or link in an email comes from a trustworthy source. At the same time, many do not recognise the signs of an attack or know what to do when one happens.
As we can never guarantee that our mail scanners, firewalls, intrusion detection and other filters will block every threat, it is essential that your business has a robust policy on staff training and on internet and email use to reduce the risk still further.
Ransomware is a major problem; it can take your business offline, corrupt your data and cost you a great deal of money. From reading this article, you should now have a much clearer understanding of what ransomware is, the routes it uses to infect computers, servers and phones and what steps you need to take to reduce the risk of infection.