Ransomware - 11 Steps to Minimise The Risk
"Ransomware" such as Locky and CryptoLocker is becoming a huge problem for organisations and home users alike, and is now THE preferred method of attack for cyber-crooks, because it is highly and almost instantly profitable.
Below we have put together some information and advice for our customers (corporate customers mainly, but with valuable information for home users too), collated from our own experience and expertise together with input from industry experts and our partners.
Our "11 Steps" below will help you minimise the risk of Ransomware & other security threats.
What is Ransomware?
Ransomware is a nasty kind of malware which mainly infects Windows based computer systems.
Once a system is infected the malware may wait a few days before acting, then locks the screen or encrypts important data files on the local computer, on any network shares it can reach and on any attached USB drive or other storage it can find. For good measure it usually also deletes any backups and Windows shadow copies it finds, so that you cannot simply roll back.
A ransom demand is then presented, offering the key to decrypt the files or unlock the computer in exchange for payment - usually within a very short deadline, after which the price typically rises.
The original ransomware was the "AIDS" trojan back in 1989, but recent, well publicised ransomware includes the likes of CryptoLocker, CryptoWall, Reveton, TorrentLocker, Teslawall, Europol and Winlocker.
In March 2016 a new strain, dubbed Cerber, went as far as speaking to infected users through the system speakers, informing them that their files have been encrypted and demanding a ransom of 1.24 bitcoins (approx. £400) - doubled if you do not pay within a week.
Ransomware is very nasty, a "ticking time-bomb" for your data.
Which operating systems are susceptible?
Mainly Windows, but OS X targeted ransomware dubbed "KeRanger" was discovered in the wild in March 2016, so Mac users are not immune.
How does a computer become infected with ransomware?
Computers are infected in the same ways as other viruses and malware:
- From attachments opened in Spam emails
- From infected downloads - torrents, shareware, porn video players, pirated software
- Clicking on links in malicious websites
- Simply VISITING infected websites
- Automatically via malicious web adverts
- Exploiting Operating System / other software vulnerabilities
Minimising the risk of ransomware / malware infection
Even the best protected organisations and savvy IT professionals are at risk of infection - the web is a dangerous place - BUT there are many things you can do to reduce your attack surface.
1. EDUCATE
Educate yourself, your staff / employees, colleagues, friends, family and children about malware and staying safe online. Most infections start with a person opening something, so an informed user is your first line of defence.
Sophos provide an excellent "IT Security Dos and Don'ts" training kit, which includes emails, posters, online training and more, available free from Sophos.
2. THINK BEFORE YOU CLICK
Do not open ANY email attachments that you were not expecting, and DO NOT click on links in suspicious emails, on suspicious websites, or in pop-ups which you may encounter while surfing the internet.
If you receive an unsolicited email from anyone trying to get you to open an attachment - for example to receive money or a parcel from your bank, UPS or DHL, or to view an invoice, a fax, a scan or a free offer - just DELETE IT.
It is almost certainly an attempt to get you to install malware, and opening the attachment (or clicking "Enable Content" when the document asks you to) can be all it takes to be infected.
If you need to confirm a package delivery, a payment or an invoice, it is far safer to type the website address into your web browser yourself - e.g. http://hsbc.co.uk - so you know you are going to the genuine website, than to follow a link from the email.
3. Backup, backup, backup, BACKUP
Always back up your data, and do it regularly. Think: if I got infected today, could I afford to lose a month's worth of data because that was when I last backed up?
Back up to a location which is inaccessible to a potentially infected computer. If you use an attached USB or external drive for backup storage, disconnect it once the backup is complete, otherwise that drive will be encrypted along with everything else. Keep more than one generation of backup too: ransomware that has been sitting quietly for days may already have encrypted files that a single, overwritten backup would then faithfully copy.
If you are infected you can then restore from a known good copy - and test a restore from time to time, so you know before you need it that the backups actually work.
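As an added example (not from the original article), here is a PowerShell script that puts step 3 into practice on a Windows machine: each run copies the data to a new dated folder on a removable drive, verifies a sample of the copies by hash, prunes old versions and then ejects the drive so that the backups are out of reach. The source folder, drive letter and retention count are assumptions chosen for illustration; change them to suit your setup.

```powershell
# Versioned backup to a removable drive, with verification and eject.
# Assumed for illustration: data in D:\Data, backup drive E:, keep the last 10 versions.
# robocopy is built into Windows; run this from an elevated PowerShell prompt.
$Source      = 'D:\Data'
$BackupDrive = 'E:'
$Keep        = 10
$Stamp       = Get-Date -Format 'yyyy-MM-dd_HHmm'
$BackupRoot  = Join-Path $BackupDrive 'Backups'
$Dest        = Join-Path $BackupRoot $Stamp

if (-not (Test-Path $BackupDrive)) { throw "Backup drive $BackupDrive is not attached" }
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# A fresh dated folder per run means a later run cannot overwrite an older, clean copy
# with files that ransomware has already encrypted.
# /E = include subfolders, /R:1 /W:1 = one retry, /XJ = skip junctions, /NP = no progress output.
robocopy $Source $Dest /E /R:1 /W:1 /XJ /NP /LOG+:"$BackupRoot\robocopy.log" | Out-Null
# robocopy exit codes 0-7 are success variants; 8 and above mean something failed to copy.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# Verify a random sample of files by SHA-256, so a silently failed copy is noticed now
# rather than on the day you need the restore.
$Sample = Get-ChildItem -Path $Source -Recurse -File | Get-Random -Count 20
$Failed = foreach ($f in $Sample) {
    $rel  = $f.FullName.Substring($Source.Length).TrimStart('\')
    $copy = Join-Path $Dest $rel
    if (-not (Test-Path -LiteralPath $copy) -or
        (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash -ne
        (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash) { $rel }
}
if ($Failed) { throw "Verification failed for: $($Failed -join ', ')" }

# Retention: dated folder names sort chronologically, so drop everything past the newest $Keep.
Get-ChildItem -Path $BackupRoot -Directory | Sort-Object Name -Descending |
    Select-Object -Skip $Keep | Remove-Item -Recurse -Force

# Eject the drive: a backup the infected machine can still reach is not a backup.
$drive = (New-Object -ComObject Shell.Application).NameSpace(17).ParseName($BackupDrive)
if ($drive) { $drive.InvokeVerb('Eject') }
Write-Host "Backup $Stamp copied and verified; $BackupDrive ejected."
```

Run it from Task Scheduler or by hand; if the drive is not plugged in the script stops before touching anything, and if verification fails it throws rather than quietly ejecting a bad backup.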
4. Stay up to date with EVERYTHING
Make sure your computers are always patched and up to date, with all security fixes applied not only for the operating system but for every other installed program too - e.g. Java, Adobe Reader and Flash, web browsers and browser extensions / add-ons. No exceptions: a single unpatched plugin is enough for a drive-by download from an infected website.
*NOTE* We strongly recommend removing Flash and Java completely, including the browser plugins, unless you have a specific application that needs them. Over the years those two programs alone have been the subject of more critical security holes than almost anything else... You have been warned!
5. Anti-Virus software. Install, update and use well known anti-virus / malware / security software
Choose and install well known anti-virus software. Once installed, visit your chosen vendor's website and confirm that you are running the recommended settings and that it is always kept up to date - an out-of-date or partly disabled product gives a false sense of security.
For example Sophos recommend that you keep on-access protection, adware and PUA scanning, HIPS, behaviour monitoring, web protection and live protection enabled at all times.
If available you should also enable "Tamper Protection" to stop unauthorised users (or applications) from changing settings or disabling protection. Sophos Cloud Endpoint Protection also now features a "Lockdown" mode for servers so new software cannot be installed.
Sophos also offer FREE software for home users and mobile devices (check your app store).
6. Install and use Email & Web filtering software
At the gateway (or upstream) always use a reputable email and web filtering service, UTM or appliance with, as a minimum, spam protection, RBL lookups, blacklists of known bad websites, category blocking and multiple AV engines built in.
Blocking known spam and dangerous attachment types - executables, scripts and macro-enabled documents, including when they arrive inside a ZIP - at the gateway, before they hit users' inboxes, massively reduces the chances of infection.
For web filtering, ensure that you are blocking all high-risk categories AND that HTTPS scanning is enabled. Some recent attacks have been delivered over encrypted HTTPS connections; unless the gateway decrypts and inspects that traffic, its content passes all perimeter scanning unchecked.
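To make the "dangerous attachments" rule concrete, here is an added example (not from the article, and not taken from any particular gateway product) of the classification logic such a rule applies to attachment filenames. The extension lists are this example's own choice and the sample filenames are constructed; a real gateway also inspects content, which filename rules alone cannot do.

```powershell
# Attachment name policy of the kind a mail gateway applies. Lists are this example's own selection.
$BlockedExtensions = 'exe','scr','pif','com','bat','cmd','vbs','vbe','js','jse','wsf','wsh',
                     'hta','ps1','msi','msp','jar','lnk','reg','cpl'
$MacroExtensions   = 'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam'
$ArchiveExtensions = 'zip','rar','7z','gz','cab','iso'
$LegacyOffice      = 'doc','xls','ppt'   # binary formats that can carry macros without a tell-tale extension

function Test-AttachmentName {
    param([Parameter(Mandatory)][string]$FileName)
    $parts = $FileName.Trim().ToLower().Split('.')
    if ($parts.Count -lt 2) { return 'SCAN  (no extension; decide on content type)' }
    $ext = $parts[-1]
    if ($BlockedExtensions -contains $ext) {
        # invoice.pdf.exe: the last extension is the one Windows acts on, whatever the icon suggests.
        if ($parts.Count -gt 2) { return "BLOCK (executable hidden behind .$($parts[-2]) double extension)" }
        return "BLOCK (executable or script .$ext)"
    }
    if ($MacroExtensions   -contains $ext) { return "BLOCK (macro-enabled Office .$ext)" }
    if ($ArchiveExtensions -contains $ext) { return "HOLD  (archive .$ext: unpack and re-check; block if password-protected)" }
    if ($LegacyOffice      -contains $ext) { return "SCAN  (legacy Office .$ext may contain macros)" }
    return 'ALLOW (AV and content scanning still apply)'
}

# Constructed sample filenames: typical ransomware lures mixed with ordinary mail.
$Samples = 'Invoice_4471.pdf', 'Invoice_4471.pdf.exe', 'scan_0012.js', 'Payslip_March.docm',
           'DHL_shipment.zip', 'minutes.doc', 'README', 'photo.JPG'
foreach ($s in $Samples) { '{0,-22} {1}' -f $s, (Test-AttachmentName $s) }
```

The point of the HOLD category is that an archive's name tells you nothing; the gateway has to unpack it and run the same test on what is inside, and treat an archive it cannot open (password-protected) as hostile rather than waving it through.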
7. Windows - leave UAC enabled
User Account Control was intrusive when Microsoft introduced it in Windows Vista, but it is much less so on Windows 7 and later.
UAC helps prevent malicious software from modifying your system without permission. Like anti-virus, it is an important layer of protection - so keep it on, and never click "Yes" on a UAC prompt that you did not trigger yourself.
8. Make sure you have Firewalls installed at the gateway AND on individual computers.
A properly configured, up-to-date gateway firewall / UTM with all its security features enabled - IDS/IPS, web and email filtering, deep packet inspection, reverse application proxies and more - is absolutely essential for every organisation.
The Windows built-in firewall should also be enabled on home and work computers. It blocks unsolicited incoming connections, protecting Windows and the other software on the computer from malware that exploits unpatched vulnerabilities in system services listening on the network.
Worms like Blaster were able to spread so quickly across networks precisely because most computers had no local firewall in front of those services.
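As an added example (not from the article), a PowerShell script that checks and, where needed, enforces steps 7 and 8 on a single Windows 8 / Server 2012 or later machine (the NetSecurity cmdlets are not present on Windows 7, where netsh advfirewall does the same job). The registry values are the documented UAC policy settings; choosing "always prompt" (ConsentPromptBehaviorAdmin = 2) over the Windows default is this example's recommendation rather than the article's.

```powershell
# Check and enforce UAC (step 7) and the Windows Firewall (step 8). Run from an elevated prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Desired values: EnableLUA 1 = UAC on; ConsentPromptBehaviorAdmin 2 = always ask for consent
# (the Windows default, 5, only prompts for non-Windows binaries); PromptOnSecureDesktop 1 = the
# prompt appears on the dimmed, isolated desktop so other programs cannot click it for you.
$uacWanted = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }

$uac = Get-ItemProperty -Path $uacKey
foreach ($name in $uacWanted.Keys) {
    $current = $uac.$name
    if ($current -ne $uacWanted[$name]) {
        Write-Warning "UAC: $name is '$current', setting to $($uacWanted[$name])"
        Set-ItemProperty -Path $uacKey -Name $name -Value $uacWanted[$name] -Type DWord
    }
}
if ($uac.EnableLUA -ne 1) { Write-Warning 'UAC was off: a reboot is required before it takes effect' }

# Firewall: every profile enabled, with unsolicited inbound traffic blocked by default.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -ne 'Block') {
        Write-Warning "Firewall profile $($p.Name): Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
        Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
    }
}

# Blocking by default only helps if the allow rules are sane: list what is still reachable from
# the network. Anything here you do not recognise deserves a Disable-NetFirewallRule.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName | Format-Table -AutoSize
```

The final listing is the part worth reading: a "file and printer sharing" or "remote assistance" prompt answered carelessly months ago can leave an inbound allow rule that quietly undoes the default block.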
9. Enable "Software Restriction Policies" across your network as a Group Policy
Using either local Group Policy or Group Policy for the entire Windows domain, enforce SRPs which stop executables from running out of common infection areas (the writable folders that malware drops itself into). At a minimum we recommend denying EXEs the ability to run from the locations shown in the screenshot below.
*NOTE* You may need to make a few exceptions to this policy, as certain legitimate applications install into and run from those same locations - if so, add an exception for that program's exact path rather than for the whole folder (see the Dashlane entry in the screenshot below).
A sample screenshot showing the Group Policy settings.
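As an added example (not the article's own configuration, and not the locations from its screenshot, which the text does not reproduce), this PowerShell script writes Software Restriction Policy path rules in the registry form that the Local Group Policy editor itself stores under HKLM\SOFTWARE\Policies. It is meant for a standalone machine; in a domain, put the same rules in a GPO so they are managed centrally and not overwritten. The deny paths are common malware drop locations chosen for this example, and the "ExampleApp" exception is a hypothetical stand-in for an application such as the one the screenshot exempts.

```powershell
# Software Restriction Policy path rules, written where the Group Policy editor stores them.
# Run elevated. The paths below are this example's selection, not the article's list.
$root         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # security level: nothing matching the rule may run
$Unrestricted = 262144    # 0x40000: runs normally

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named key under <level>\Paths, with the path pattern in ItemData.
    $key = "$root\$Level\Paths\{$([guid]::NewGuid().ToString())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([datetime]::Now.ToFileTime()) -PropertyType QWord -Force | Out-Null
}

New-Item -Path $root -Force | Out-Null
Set-ItemProperty -Path $root -Name DefaultLevel        -Value $Unrestricted -Type DWord  # allow by default
Set-ItemProperty -Path $root -Name TransparentEnabled  -Value 1 -Type DWord  # enforce for all software except DLLs
Set-ItemProperty -Path $root -Name PolicyScope         -Value 0 -Type DWord  # 0 = applies to administrators too
Set-ItemProperty -Path $root -Name AuthenticodeEnabled -Value 0 -Type DWord

# User-writable folders that dropped malware runs from. A wildcard path rule matches one folder
# depth, so the usual practice is one rule for the folder itself and one for its subfolders.
$locations  = '%AppData%', '%LocalAppData%', '%Temp%', '%UserProfile%\Downloads'
$extensions = 'exe', 'scr', 'pif', 'com', 'js', 'vbs', 'bat', 'cmd'
foreach ($loc in $locations) {
    foreach ($ext in $extensions) {
        Add-SrpPathRule -Path "$loc\*.$ext"   -Level $Disallowed -Description "Block .$ext in $loc"
        Add-SrpPathRule -Path "$loc\*\*.$ext" -Level $Disallowed -Description "Block .$ext under $loc"
    }
}

# Exception for a legitimate application installed into the user profile (hypothetical path):
# allow the exact executable, not the whole folder, or the deny rules above are pointless.
Add-SrpPathRule -Path '%LocalAppData%\ExampleApp\ExampleApp.exe' -Level $Unrestricted -Description 'Allow ExampleApp'

# Show the resulting deny rules; reboot for them to apply reliably to every new process.
Get-ChildItem -Path "$root\$Disallowed\Paths" |
    ForEach-Object { (Get-ItemProperty -LiteralPath $_.PSPath).ItemData } | Sort-Object
```

Before rolling this out, run it on one test machine with the applications your users actually depend on, then reuse the Add-SrpPathRule call to add exact-path exceptions for whatever legitimately breaks; on Enterprise editions of Windows, AppLocker offers the same idea with publisher-based rules that are easier to maintain.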
10. Limit Administrative Access & File & Folder Permissions
Review and limit user privileges for regular users AND administrators, who should do their everyday work (email, browsing) as a standard user and use a totally separate logon account with elevated privileges only when needed. Malware runs with the rights of whoever opened it, so a standard user account limits what it can touch.
Also set read-only or no-access permissions on folders, files and other locations that specific users, departments or groups do not need access to: ransomware can only encrypt what the infected user is able to write to.
For sensitive data, encrypt all files using a secure, policy driven solution such as Sophos Safeguard.
11. Install an AdBlocker & Password Manager
In recent months there have been many instances of malware being delivered automatically by web adverts served on the pages of even the most reputable websites - sites such as the BBC, New York Times, Jamie Oliver, Huffington Post, YouTube and Reuters have all carried adverts that infected visitors, without the sites themselves being hacked.
This form of attack is known as "Malvertising".
We strongly recommend you install ad-blocking software / web browser extensions - such as AdBlock Plus or similar - and a password manager such as Dashlane, so that one phished or stolen password does not unlock every account you own.
What to do if you are infected.
To limit the damage, disconnect the computer(s) from the network immediately - unplug the network cable or turn off the wireless connection - unplug any USB storage devices, and then turn the computer off. One caveat: powering off also destroys evidence held in memory, so if you have access to incident response support, isolate the machine from the network and leave it running for them to examine.
To remove the infection, the course of action will depend entirely on what strain of malware you have been infected with. Visit Sophos' excellent page for more information.
What if I don't have backups to restore from?
If you do not have backups to restore from, or are unable to get your data back after consulting an expert, then paying the ransom may be your only option - but there is still no guarantee that you will recover your data, and every payment funds the next campaign.