Guest post: How to protect against ransomware in 2017

Written By: Ontrack

Date Published: 28 February 2017 00:00:00 EST


Since 2010, more and more targeted cyberattacks have been reported, especially those that contain blackmailing ransomware viruses. The spread of the ‘Locky’ virus via email in February 2016 was a particular example of an unprecedented surge in these types of attacks.

In April 2016, the German Federal Office for Information Security (BSI) conducted a survey across 592 companies. They found that 32% had been affected by ransomware, and in 82% of these cases email was the gateway to the successful attack. In 21 cases it resulted in the loss of important data, which subsequently could not be restored.

Over the course of 2016 more strains of ransomware were observed, which were noted to be just as dangerous as Locky and were also able to spread across connected devices in a similar fashion.

On the other hand, the number of spam emails has shown a slight decline since the beginning of 2015. Whilst spam in your inbox can be annoying, it’s important to remember that just a single successfully delivered ransomware email represents a major security risk, ultimately threatening the existence of a company. In the BSI study, 4 companies indicated that the ransomware attack endangered their operations so badly that they were close to going out of business.

What makes ransomware so dangerous?

Compared to traditional spam and malware samples, ransomware is characterised by a much more sophisticated architecture. The control of the attack waves is so granular that individual waves only last a few hours before the control component changes the structure of the code and attacks new addresses from other bot networks. Ransomware and the latest malware are therefore constantly changing in their appearance; hash values differ, or domains are registered only after an email has been sent so they cannot be checked. However, what is common to all attacks is that the malicious code is usually loaded via script code in attachments or via links contained in the email. Through smart social engineering or curious email content, users can then be tempted to click on the link or open the attachment.

This is why intelligent email management is of particular importance in today’s world. To prevent seeing a screen like the one below in your own company, you should be taking specific protective measures accordingly.

Don’t ignore email security

Many service providers place great hopes in so-called ‘sandbox technologies’, which create a very high computing requirement and in the end can affect the cost of cloud services to the end user. They can also cause delays in sending/receiving emails, which is not acceptable in today’s modern, connected business world. To avoid these disadvantages, compromises have to be made and the ‘suspicious threshold’ filter has to be raised so that fewer attachments have to be tested. Since sandbox technologies cannot fully execute the code due to data dependencies, the technology results in a high false-positive rate when the detection threshold is set too low or too sensitive.

In addition, most new malware variants now recognise when they are being run in a sandboxed environment (e.g. certain components of the operating system are not visible, time manipulations are carried out or the hooks of the sandbox are simply badly camouflaged), which ultimately means the results of a sandbox are always subject to a certain probability.

Effective protection with intelligent methods

If malicious code is mostly hidden in attachments, can one simply ban the delivery of attachments? With this radical measure, the problem would naturally be eradicated. In real life though, we all know it is not enforceable to simply block all attachments, since a great deal of business-relevant information must be exchanged (Word or Excel files, etc.), so that is not an option. Instead, it is necessary to decide whether delivery is permitted according to intelligent criteria, such as the sender’s ‘confidence’ (the function of the recipient, the content of the message, and much more).

Alternatively, a suspicious attachment can be ‘parked’ in a queue to be freed by the administrator and released automatically, manually or time-delayed after being re-checked. Preview features, which help to display the content to the recipient, without the need to deliver the original file, can greatly aid this process.

Standards for checking the sender reputation, such as SPF, DKIM, and DMARC, allow you to determine whether an email claiming to come from a domain has actually been sent by a server authorised for that domain, and are thus another very effective filter to recognise and reject messages.
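To make the sender-authentication step concrete, here is an added example (not code from the original post or from Ontrack) that evaluates a simplified SPF record and applies a DMARC policy with identifier alignment. The DNS TXT records are constructed inline; only `ip4:` mechanisms and the final `all` qualifier are handled, and organisational domains are approximated by the last two labels rather than a Public Suffix List lookup.

```python
import ipaddress

# Constructed sample DNS TXT records standing in for live lookups (not real domains' records).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "mail.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
}

# SPF qualifier prefixes mapped to the result they yield when a mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str) -> str:
    """Simplified SPF: walk ip4 mechanisms in order; the first match (or 'all') decides."""
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"            # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
        if mech == "all":
            return RESULT[qualifier]
    return "neutral"             # record exhausted without an 'all' mechanism


def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organisational domain (no PSL).
    return ".".join(domain.rsplit(".", 2)[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain == header_from
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_disposition(header_from, mail_from, sender_ip, dkim_domain=None, dkim_pass=False):
    """Return 'pass' if SPF or DKIM passes with alignment, else the published p= policy."""
    rec = TXT_RECORDS.get("_dmarc." + header_from, "")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "none"            # no DMARC policy: receiver falls back to its own rules
    spf_ok = check_spf(mail_from, sender_ip) == "pass" and aligned(mail_from, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and bool(dkim_domain) and aligned(dkim_domain, header_from, tags.get("adkim", "s"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
```

A spoofed From: header whose envelope sender or DKIM signature is not aligned with the visible domain ends up with the published `p=reject` disposition, which is the rejection the post describes.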

Encrypt your emails… or cyber criminals will do it for you

You can increase security by electronically signing and encrypting the bulk of business-related email transactions. If employees are accustomed to receiving invoices or other important documents by email as signed and encrypted attachments, they will automatically be more cautious about opening or forwarding attachments from unsigned or non-encrypted sources. Powerful email security gateways can now automatically manage the required personal certificates and public keys.

Every ransomware needs an accomplice

Even if email security in companies and protection against ransomware can be significantly increased as described above, 100% security will not be achieved if criminals choose other attack vectors or exploit new vulnerabilities.

Therefore, any technical upgrade must always be accompanied by education and information to end users. For this to remain effective, it must be repeated on a regular basis and in conjunction with illustrative examples (media reports, case studies, etc.). This reduces the likelihood that an attacker will be able to find uneducated users in the company who may unknowingly open an attachment and activate the malicious code.

Even though effective recovery procedures are now available for data encrypted by ransomware, they are extremely complex and also involve the risk that no recovery is possible for a new variant. Therefore, protecting email, the gateway through which these incidents arrive, is of central importance today. Many email security gateways from well-known international manufacturers are now able to detect and block some ransomware-infected emails. However, it has been shown that they do not provide effective protection against newly emerging ransomware attacks. Some products on the market have a clear advantage, as they can fully prevent malicious code from getting into the mailbox of end users.

How do you protect your emails from ransomware attacks? Do you provide users with training on this topic? Let us know by commenting below, or tweet @DrDataRecovery
