Home / Blog / Ransomware: preventative measures (II)

Ransomware: preventative measures (II)

Posted on 09/30/2021, by INCIBE
Ransomware: preventative measures (II)

In the first part of the series of posts dedicated to ransomware, titled: ‘Ransomware: preventative measures (I)', introduced the concept of ransomware, talked about the possible motivations of its authors, mentioned its evolution over time and detailed preventative measures based on system and operating system hardening.

This new article will attempt to analyse other preventative measures to minimize the chances of infection or mitigate the consequences of a ransomware attack in detail, again grouping them in blocks.

Managing backups

Backing up computers is a highly recommended measure and to manage backups it is helpful to consider aspects such as:

  • This will depend on the criticality of data and the frequency with which it is modified. A weekly backup is usually appropriate in the majority of cases.
  • Number of copies. It is recommended that the ‘3-2-1’ rule be applied, which consists of having at least three data backups, storing two of the copies on different platforms: for example on a hard drive and in the cloud. The third backup should be located in different place to the other two. In this way, if something happens such as a fire or theft, not all the copies will be affected.
  • Network access. It is recommended that the backups be inaccessible via the Internet, that is, that they are not serviced by it. If this is not possible, as with cloud backups, it is recommended that the other two backups are not internet accessible.

This measure addresses the new capabilities of ransomware attacks to enumerate and traverse all drives on the infected computer, including attached external or USB drives, meaning that programs such as OneDrive and Dropbox are also affected as they work with local drives on the computer.

  • Periodic review. With the aim of ensuring that all backups and backup systems are functioning correctly and can be restored, they should be tested every once in a while, using a recovery procedure.

Finally, if you wish study aspects such as what information to include in a backup or backup protection in more detail, we recommend you consult INCIBE’s Guide to approaching backups

Network protection

Using a VPN for remote connections

Use of a VPN (Virtual Private Networking) allows access to online services from any location using communication encapsulation without exposing them to the Internet where they can be compromised by malware.

There are free alternatives to set up a VPN, among them OpenVPN, which can be mounted on any Linux device or on Hyper-V and ESXi virtualisation services.

Restricting use of predetermined ports

An effective way to prevent direct attacks on known vulnerabilities is to modify the default configuration of services, for example by port numbers. Some well-known ports are port 80 for http service or port 1433 for Microsoft SQL Server.

Connection filtering

A perimeter network level filter provided by a modern firewall would prevent access to malicious or unnecessary pages by rating malicious IP addresses and domains in categories, such as online banking, social networking, and malicious sites, among others.

Network segmentation

A segmented network, according to the principle of least privilege would limit the spread of a ransomware infection within it, thus reducing the impact of the attack. For this method, it is important to have a decent number of network divisions for an effective segmentation, among which there should be:

  • Adequate firewall filters that limit connections that are unnecessary and susceptible to being used by ransomware (like samba and remote desktop) should be implemented.
  • An IDS (Intrusion Detection System), which also contributes to perimeter control.

Encouraging education and awareness in users.

Encouraging user education in social engineering can help prevent ransomware attacks. Users are the target of these attacks, so if they are aware of the threat and its possible forms of attack, then the likelihood of them for example, executing a malicious file downloaded from an email attachment or after opening a pop-up browser tab would reduce.

Using specific and quality software against ransomware

Using trusted tools

Given the current existence of multiple malicious applications, which can be distributed through pirated or disreputable software, it is advisable, whenever possible, to use software that has:

  • A digital signature. This verifies that the software has not been modified by a third party and is the original version as created by the developer.
  • Information on the developer and the software, such as pre-release security audits, quality checks and a data protection policy.

The use of pirated software is not advisable, as there will be no verification that it meets the above-mentioned criteria and its use could also constitute a criminal offence.

The same goes for browser extensions, which are largely published by independent developers. For these, it is recommended only to use those which come from trusted sources and are downloaded from official sources such as Chrome web store or Mozilla add-ons.

Using antivirus software

Having updated and correctly configured antivirus software helps to protect the computer not only from ransomware attacks, but also other types of threats.

Use of restrictive group policies

For this, the use of external software such as Cryptolocker Prevention Kit is recommended, as it allows the use and creation of group policies through rules, and prevents the use of files through potentially vulnerable folders, such as AppData, LocalData, and others.

Another option is CryptoPrevent, a simpler piece of software found in different versions of Windows without a group policy editor. It allows the configuration of group policies in the registry to disable files with different extensions (.com, .exe, .pif) and also the creation of an allow list of verified applications as well as more advanced filters, thus being able to repel a large number of ransomware attacks.

Implementation of specific anti-ransomware solutions

As a solution, a piece of software called Anti Ransom stands out. It is capable of detecting if files are being modified and halt the process, as well as verifying the key which allows encrypted files to be decrypted.

This software has simple and intuitive functions, notifications for when the modification of a sensitive directory is detected indicating how it is being changed, and a process memory dump function for searching for the encryption key. If it verifies that it is a ransomware, it blocks the file modification process.

Conclusion

Spain is 10th in the list of 26 countries with the most companies affected by ransomware in 2020, according to the Sophos annual report, so it is essential to confront this threat by correctly adopting preventative measures.

Prevention can be based on different aspects, such as having EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response) protections; installing antivirus protection in email and a sandbox for the analysis of samples not previously identified by their signature, as well as having protections at application level (layer 7) in the network's perimeter firewall.

One of the most significant potential vectors of entry in an organisation is human error, which is why educating users and making them aware of the issue is an important measure that must not be forgotten.

Finally, as a more specific measure, good backup management is also essential, as it could drastically reduce the time it takes for an organisation to recover from an attack, thus improving its resilience.