Over the past few years, the amount of ransomware has dramatically increased due to the ease of deployment for criminals and the huge financial gain from carrying out these kinds of attacks.
If you are not familiar with ransomware, it is essentially malicious software designed to hold data to ransom on computers and servers. This is typically done by encrypting the valuable data. To decrypt this data, a private key is required that the criminals say they’ll only release once payment has been made, typically in Bitcoin, which is very difficult to trace back to an individual.
However, there are a few steps you can take to mitigate the risks of ransomware, as paying criminals is never a good idea even though it can seem like the only option. The steps below can hopefully help you mitigate the risk of ransomware and keep you safe.
1. Be vigilant with email attachments
The traditional way computers are infected with ransomware is via email attachments – typically, Microsoft Word or Excel documents that run macros (more on macros later!).
As with any email or attachment, if you’re not expecting it from somebody, especially a delivery company (UPS, Royal Mail etc.), then don’t open the attachment however genuine the email itself looks. These emails are specially crafted to fool users into opening the attachments by appearing to be the real thing, and unfortunately curiosity usually gets the better of people. By then it’s too late!
If you do receive an email and you’re unsure, either delete it straight away without opening any attachments or clicking any links, or speak to your email/IT provider and ask them to double-check it for you. If it appears to have come from a known associate or company, contact them and ask whether they genuinely sent the email. Microsoft 365 users can also employ Office 365 ATP to catch and dispose of those nasty emails for you.
2. Backup, backup and… backup!
The single most effective way to recover from a ransomware attack is to restore your encrypted data from a backup. However, this requires that you already have regular backups in place.
However, due to how ransomware now works, your backed-up files could also be affected if they’re connected to the same computer or network where the ransomware infection is running (it will encrypt any mapped drive or network share it can write to). As such, ensure any regular backups you do have are disconnected once complete, either in the cloud or offsite.
If your infrastructure and connectivity allow, take multiple backups over the day too. This means you may lose only a few hours’ work rather than a full day’s work.
3. Ensure your anti-virus is kept up-to-date along with an advanced firewall
Anti-virus applications are often the first line of defence; however, even they can be fooled, as new variants (and the signatures needed to detect them) are created constantly. Keeping your anti-virus up to date ensures that you have the latest possible signatures to detect suspicious activity and applications.
Security software isn’t the only defence. A decent application-aware firewall should also be configured to prevent the malware connecting back to its command-and-control (C2) server, which is usually hosted on what’s known as Tor or the hidden web.
4. Disable macros in Microsoft Office applications
Microsoft Office applications have an inbuilt scripting engine (VBA macros) which allows them to run code that interacts with data in those applications. This can be used to build powerful data manipulation and automation within Office files; however, it can also be used to run malicious code. If macros aren’t part of your daily work, consider disabling them.
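One way to enforce this rather than relying on each user’s Trust Center setting is through the Office policy registry keys. The script below is an added example and not part of the original post; it assumes Office 2016/2019/365 (registry version `16.0`) and writes the per-user policy for Word, Excel and PowerPoint. The `VBAWarnings` values are Microsoft’s documented ones: 1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification.

```powershell
# Added example (not from the original post): disable VBA macros for the current user
# via the Office policy keys. Assumes Office 2016/2019/365, whose registry version is 16.0.
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all without notification.
# BlockContentExecutionFromInternet = 1 additionally blocks macros in files that carry the
# Mark-of-the-Web (i.e. were downloaded or arrived as email attachments).

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)][string]$App,
        # 4 = no prompt at all; use 3 if staff rely on digitally signed macros
        [ValidateSet(2, 3, 4)][int]$VbaWarnings = 4
    )
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VBAWarnings -Value $VbaWarnings -Type DWord
    Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
}

function Get-OfficeMacroPolicy {
    param([Parameter(Mandatory)][string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App                              = $App
        VBAWarnings                      = $p.VBAWarnings
        BlockContentExecutionFromInternet = $p.BlockContentExecutionFromInternet
    }
}

foreach ($app in $apps) { Set-OfficeMacroPolicy -App $app -VbaWarnings 4 }

# Verify what was written; every row should show VBAWarnings=4 and BlockContentExecutionFromInternet=1.
$apps | ForEach-Object { Get-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

Because these live under `HKCU\Software\Policies`, the user cannot override them from the Trust Center, and the same values can be pushed to every machine with a Group Policy Object instead of running the script locally. Where a department genuinely needs macros, set that group to 3 (signed only) rather than re-enabling everything.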
5. Use software restriction policies to disable files running in AppData folders
If you’re a system administrator (if not, speak to yours!) then you can use software restriction policies to prevent unknown applications from running in certain directories.
Ransomware typically likes to run from the user’s AppData folder (including Local AppData), and blocking executables from running in these locations is a good way of mitigating ransomware.
However, some genuine applications do run from these locations too, so software restriction policy exclusions for those applications, and ongoing maintenance of the policies, are required.
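The rules themselves can be created from an elevated PowerShell prompt by writing the same registry keys that the Local Security Policy console writes. This is an added example and not code from the original post; the `ExampleVendor\ExampleApp` exclusion path is a hypothetical placeholder for whatever legitimate per-user application you need to allow, and the layout under `Safer\CodeIdentifiers` (level 0 = Disallowed, 262144 = Unrestricted) is the standard SRP registry structure.

```powershell
# Added example (not from the original post): Software Restriction Policy path rules that
# block executables launched from the user's AppData folders, plus one exclusion for a
# hypothetical legitimate application. Run as Administrator.
# Registry layout: ...\Safer\CodeIdentifiers\<level>\Paths\{GUID}; level 0 = Disallowed,
# level 262144 = Unrestricted. This is what the Local Security Policy MMC snap-in writes.

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Disallowed', 'Unrestricted')][string]$Level,
        [string]$Description = ''
    )
    $levelId = if ($Level -eq 'Disallowed') { 0 } else { 262144 }
    $ruleKey = "$srp\$levelId\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData holds the path pattern; environment variables are expanded per user at run time.
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

function Get-SrpPathRules {
    foreach ($levelId in 0, 262144) {
        Get-ChildItem "$srp\$levelId\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = if ($levelId -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

# Global SRP settings: everything allowed by default, policy applies to all users,
# enforce on executables but skip DLLs (TransparentEnabled 2 would include DLLs).
New-Item -Path $srp -Force | Out-Null
New-ItemProperty -Path $srp -Name DefaultLevel       -Value 262144 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $srp -Name PolicyScope        -Value 0      -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $srp -Name TransparentEnabled -Value 1      -PropertyType DWord -Force | Out-Null

# Block rules: executables directly in, and in any subfolder of, Roaming and Local AppData
# (the Temp folder, where email clients extract attachments, is under Local AppData).
$blocked = '%AppData%\*.exe', '%AppData%\*\*.exe',
           '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
           '%LocalAppData%\Temp\*.exe', '%LocalAppData%\Temp\*\*.exe'
foreach ($pattern in $blocked) {
    Add-SrpPathRule -Path $pattern -Level Disallowed -Description 'Block execution from AppData'
}

# Exclusion for a legitimate per-user application (hypothetical vendor/app path; adjust to
# match the real application discovered during testing).
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp\*' -Level Unrestricted `
                -Description 'Allow ExampleApp (per-user install)'

# Refresh policy so the rules apply without a reboot, then list what is in force.
gpupdate /force | Out-Null
Get-SrpPathRules | Format-Table -AutoSize
```

Roll this out to a pilot group first: every application that installs per-user (many chat and meeting clients do) will show up as a blocked launch in the Application event log under event ID 866, and each one needs its own Unrestricted rule. On Windows 10/11 Enterprise and Server, AppLocker offers the same path-based blocking with better reporting and publisher rules, but the SRP approach above works on every edition.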
6. Disable Remote Desktop Protocol if not used
Some variants of ransomware are known to attack via the Remote Desktop Protocol (RDP), by exploiting vulnerabilities in it as well as poor passwords.
If you have access to servers or computers via RDP that you don’t use regularly, then you should disable access to them from the internet.
If you do require access, then consider locking it down to your external IP address so that only you can reach it, from your own internet connection.
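Both options from the two paragraphs above can be applied on a Windows host with the built-in firewall cmdlets. The script below is an added example and not from the original post; it assumes the host uses the Windows Defender Firewall’s standard “Remote Desktop” rule group, and `203.0.113.10` is a documentation placeholder standing in for your own external IP address.

```powershell
# Added example (not from the original post). Run as Administrator.
# Disable-RdpAccess: the host does not need RDP, so switch it off and disable its firewall rules.
# Limit-RdpAccess:   RDP is needed, so keep it on but only accept connections from the listed
#                    source addresses and require Network Level Authentication (NLA), which
#                    checks the password before a full desktop session is set up.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Disable-RdpAccess {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Limit-RdpAccess {
    param(
        # Your own external IP address(es); 203.0.113.10 is a placeholder from the
        # documentation range, substitute the real one.
        [Parameter(Mandatory)][string[]]$AllowedRemoteAddress
    )
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord   # require NLA
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -Enabled True -RemoteAddress $AllowedRemoteAddress
}

function Get-RdpState {
    # Summarise the current configuration so the change can be reviewed before logging off.
    $deny = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcp).UserAuthentication
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0}: Enabled={1} RemoteAddress={2}' -f $_.DisplayName, $_.Enabled, ($addr -join ',')
    }
    [pscustomobject]@{
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        InboundRules = $rules
    }
}

# Choose one: Disable-RdpAccess for hosts you rarely use, or Limit-RdpAccess where it is needed.
Limit-RdpAccess -AllowedRemoteAddress '203.0.113.10'
Get-RdpState | Format-List
```

Check what your external address actually is before running `Limit-RdpAccess`, and make sure you have another route in (local console, a hosting provider’s console): if your connection has a dynamic IP address, the rule will lock you out the next time it changes. Also confirm the host is not separately exposed through a port-forward on the office router, which this script does not touch.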
If you’d like some assistance in working out whether you are protected from ransomware, do give us a call!