10 tips to avoid a ransomware attack

04 February 2020 by Tilly Holland

The last few years have seen ransomware attacks steal the headlines. Organisations from all over the world have found themselves the subject of cybercriminals, leaving them open to sensitive data breaches. With no businesses safe, organisations need bigger budgets and a comprehensive understanding of ransomware attacks and how to prevent them. 

Cybercriminals continue to come up with new and innovative ways to target and infect enterprises. Spear phishing remains a popular choice for many threat actors. Still, the researchers at McAfee said, “an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as remote desktop protocol (RDP) and virtual network computing (VNC).” Attackers are often able to obtain these credentials because enterprises leave RDP ports open to the internet, and it is easy to scan blocks of IP addresses for open RDP ports. They then attempt to brute-force the remote desktop username and password. Hackers can also obtain RDP credentials through underground markets and password leaks.
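The password-guessing pattern described above leaves a clear trace in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a success (4624). The detector below is an added example, not code from the article or from McAfee; the log records are constructed and flattened to one line each (timestamp, event ID, logon type, source IP, account), and the threshold and window are assumptions.

```python
# Added example: flag RDP password guessing from constructed Windows Security
# log records (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP).
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six failures from one address in seconds, then a success;
# a second address with two failures twenty minutes apart (benign typo).
SAMPLE_EVENTS = """\
2020-02-04T09:00:01 4625 10 203.0.113.7 administrator
2020-02-04T09:00:02 4625 10 203.0.113.7 admin
2020-02-04T09:00:03 4625 10 203.0.113.7 backup
2020-02-04T09:00:04 4625 10 203.0.113.7 helpdesk
2020-02-04T09:00:05 4625 10 203.0.113.7 jsmith
2020-02-04T09:00:06 4625 10 203.0.113.7 finance
2020-02-04T09:01:10 4624 10 203.0.113.7 jsmith
2020-02-04T09:00:30 4625 10 198.51.100.5 jsmith
2020-02-04T09:20:00 4625 10 198.51.100.5 jsmith
"""

def parse(lines):
    """Parse the flattened records and return them in time order."""
    events = []
    for line in lines.strip().splitlines():
        ts, event_id, logon_type, src_ip, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), src_ip, user))
    return sorted(events)

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources whose failed RDP logons within
    `window` reach `threshold` (assumed values: 5 failures in 5 minutes)."""
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, account)
    flagged = {}
    for ts, event_id, logon_type, src_ip, user in parse(lines):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            q = recent[src_ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                flagged[src_ip] = {"failures": len(q),
                                   "distinct_users": len({u for _, u in q}),
                                   "success_after": False}
        elif event_id == 4624 and src_ip in flagged:
            # A success right after a burst of failures is the highest-priority signal.
            flagged[src_ip]["success_after"] = True
    return flagged
```

Counting distinct accounts separates password spraying (many users, one address) from a single user mistyping a password; in production the same logic would consume exported 4625/4624 events rather than an inline string.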

Types of new ransomware

Anatova

A discovery for 2019 was the ransomware Anatova. This new ransomware family disguises itself as the icon of a game or application to trick the user into downloading it. An extremely advanced form of malware, it adapts quickly and uses evasion and spreading techniques to prevent its discovery. Due to its modular design, it can embed additional functionalities allowing it to thwart anti-ransomware methods. Fortunately, the McAfee Advanced Threat Research team discovered this new ransomware family in early 2019 before it became a significant threat.

Dharma

A variant of CrySiS, Dharma ransomware has been around since 2018, but cybercriminals continue to release new variants, which are impossible to decrypt.

GandCrab

A malicious ransomware that uses AES encryption and drops a file called ‘GandCrab.exe’ onto the system. GandCrab targets consumers and businesses with PCs running Microsoft Windows. On May 31st, 2019, the cybercriminals behind GandCrab sent an announcement saying they were stopping all further GandCrab ransomware attacks claiming they had made over $2 billion in ransom payments and they were taking a “well-earnt retirement.”

Emotet

Emotet was originally malware that targeted banks: it would sneak onto your computer and steal sensitive and private information. First on the scene in 2014, Emotet has gone through a variety of versions, evolving into ransomware that can evade detection even by some anti-malware products. Since its inception, Emotet has stolen banking logins, financial data, and Bitcoin wallets from individuals, companies and government entities across Europe and the USA.

Emotet has worm-like capabilities to spread to other computers, but hackers usually introduce it through spam emails made to look legitimate, using tempting language to trick the victim into clicking on the link.

Emotet is one of the most costly and destructive malware families: according to the Department of Homeland Security, the average Emotet attack costs upwards of $1 million to clean up.

Ryuk

Ryuk specifically targets large organisations for a high-financial return. According to CrowdStrike, between August 2018 and January 2019, Ryuk netted over 705.80 bitcoins across 52 transactions totalling a value of $3,701,893.98. It first turned heads with its attack on Tribune Publishing’s operations over the Christmas period of 2018. At first, the company thought the attack was just a server outage, but it was soon clear it was the Ryuk ransomware.

Another term for ransomware such as Ryuk that targets large enterprises for high ROI is ‘big game hunting.’ These large-scale attacks involve detailed customisation of campaigns to best suit the individual targets, increasing the effectiveness of the attacks. ‘Big game hunting’ therefore requires much more work from the hacker; it is also normally launched in phases. For example, phase one might be a phishing attack aimed at infecting an enterprise’s network with malware to map the system and identify crucial assets to target. Phases two and three will then be a series of extortion and ransom attacks/demands.

How to prevent ransomware

There are many things to consider when fighting ransomware. With so many different types of malware around these days, you should keep in mind the following three main tips and execute accordingly.

1. Email security is king

According to McAfee, spam email continues to be one of the main entry points for ransomware, especially in the case of targeted attacks. Therefore, securing this main source of vulnerability is essential for everybody who runs a network or connects to the Internet.

Most individuals trigger a ransomware attack by opening what looks like a normal email that carries the malware in a document, photo, video or other type of file. Most hackers today don’t need much knowledge to insert a piece of malware into a file; there are numerous articles and YouTube tutorials with step-by-step instructions on how to do it.

With this in mind, you should always avoid opening an email from an unknown sender. If you receive an email from an unknown source, inform your company data security advisor or IT team immediately.

Remember: keeping your company’s IT systems and data secure is always the right decision.

2. Make your network and IT environment secure

Ransomware infecting a single computer is undoubtedly a serious problem. But, when it spreads all over the network, it can become not only a nightmare for the IT department but endanger the whole business.

Companies that have not already done so should consider implementing data security software that checks all incoming emails before the intended recipient receives them. Such a solution will dramatically reduce the risk that a virus spreads inside a company network. Additionally, IT administrators and management should consider implementing network security software that automatically monitors the network and its files for threats. Such a solution will also alert administrators if a ransomware attack is trying to encrypt vast quantities of files over the network.
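What “trying to encrypt vast quantities of files” looks like in a file-share audit trail is one user, from one host, renaming many files to a new extension across several directories within seconds. The detector below is an added example, not code from the article or any named product; the audit events are constructed (timestamp, host, user, operation, path, new path for renames), and the threshold, window and directory count are assumptions.

```python
# Added example: flag mass-rename bursts typical of ransomware encrypting a share,
# over constructed file-share audit events.
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: jsmith on WS-17 renames five files in three directories to a
# new extension within three seconds and drops a note; mlee's activity is ordinary.
SAMPLE_AUDIT = """\
2020-02-04T10:00:00 WS-17 jsmith RENAME /share/finance/q1.xlsx /share/finance/q1.xlsx.locked
2020-02-04T10:00:01 WS-17 jsmith WRITE /share/finance/README_TO_DECRYPT.txt
2020-02-04T10:00:01 WS-17 jsmith RENAME /share/finance/q2.xlsx /share/finance/q2.xlsx.locked
2020-02-04T10:00:02 WS-17 jsmith RENAME /share/hr/contracts.docx /share/hr/contracts.docx.locked
2020-02-04T10:00:02 WS-17 jsmith RENAME /share/hr/payroll.csv /share/hr/payroll.csv.locked
2020-02-04T10:00:03 WS-17 jsmith RENAME /share/legal/nda.pdf /share/legal/nda.pdf.locked
2020-02-04T10:05:00 WS-03 mlee WRITE /share/finance/budget.xlsx
2020-02-04T10:06:00 WS-03 mlee RENAME /share/finance/draft.docx /share/finance/final.docx
"""

def detect_mass_encryption(lines, threshold=5, window=timedelta(seconds=60), min_dirs=2):
    """Return {(host, user): summary} for actors that change the extension of at
    least `threshold` files in at least `min_dirs` directories within `window`
    (assumed values: 5 files, 2 directories, 60 seconds)."""
    recent = defaultdict(deque)   # (host, user) -> deque of (ts, new extension, directory)
    alerts = {}
    for line in lines.strip().splitlines():
        parts = line.split()
        ts, host, user, op = datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        if op != "RENAME":
            continue
        old_path, new_path = parts[4], parts[5]
        old_ext, new_ext = os.path.splitext(old_path)[1], os.path.splitext(new_path)[1]
        if new_ext == old_ext:     # ordinary renames keep the extension; ignore them
            continue
        q = recent[(host, user)]
        q.append((ts, new_ext, os.path.dirname(old_path)))
        while ts - q[0][0] > window:          # keep only renames inside the window
            q.popleft()
        dirs = {d for _, _, d in q}
        if len(q) >= threshold and len(dirs) >= min_dirs:
            alerts[(host, user)] = {"renames": len(q), "dirs": len(dirs),
                                    "new_ext": sorted({e for _, e, _ in q})}
    return alerts
```

The directory count is what keeps a user legitimately renaming a batch of files in one folder from triggering the alert; the host in the key tells responders which machine to isolate first.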

Last but not least: Always update your software and operating systems with the latest patches, as and when they are available. As pointed out so often, hackers are only successful with their attacks when the victim has gaps in their data security policies.

3. Make your employees smart

Even experienced computer users get into a panic when they realise they are facing a ransomware attack. It is therefore important that every employee in a company knows exactly what to do if a ransomware attack occurs, even high-level execs and IT Directors.

A ransomware attack should not only be part of the business continuity plan for higher management or IT experts; precise tips on what to do when hit should also be visible and understood in every office. These can be simple but effective, for example:

  • Disconnect from the internet and internal network
  • Try to shut down the device properly or immediately call IT security/IT administration

IT security and administration staff alike should continuously educate themselves on the latest developments in cybersecurity and hacking. Reading the most recent blog news and keeping up to date with new developments in this scene and with loopholes in networks or software solutions should therefore be a necessity for these employees.

4. Ensure your Operating System (OS) is up to date

Keeping your OS up-to-date ensures that hackers can’t access your system through vulnerabilities that may occur due to outdated software.

5. Download up-to-date security programmes

Ensuring your computer has the latest anti-malware software will protect you against potential threats. There are lots of anti-malware products on the market, so if your computer doesn’t come packaged with one, make sure you scout the market for a highly rated version.

6. Make sure all your devices have password protection

Having a password on your device is the easiest way of protecting it. It may sound like a simple tip, but it’s surprising how many people don’t have one set up! When you are setting up passwords on your devices, make sure they are complex and don’t use the same one for multiple devices. If you struggle to remember your passwords, use a password manager. Setting up two-step authentication is also an option.

7. Beware of phishing emails

Yes, these are still a thing! Long gone are the days when a Princess needs saving from a foreign country; hackers have got much smarter than that! If you receive an email you are unsure about, check that the email address really belongs to the person it claims to be from, e.g. if it says it’s from Apple and the email address is XXX@789.com, it isn’t!

8. Ensure you have an up to date backup

Protecting yourself also means having a backup of your data, so that if you are hit by malware you will be able to rebuild your system quickly and hassle-free. Make sure that your backup system is not connected to your network (or is only connected for the time when it’s needed); this will stop any chance of your backup being affected by malware as well.

9. Consider using Tape as a backup system

Tapes provide the most security for your data in terms of storage. Once you back up onto a tape, the tape is removed and no longer connected to the network, ensuring that it can never be affected by a malware attack.

10. IT policies in place for businesses

Develop IT policies that limit infections on other network resources. Companies should put safeguards in place, so if one device becomes infected with ransomware, it does not permeate throughout the network.

What should you do if you’re hit by ransomware?

  1. Remain calm. Rash decisions could cause further data loss. For example, if you discover a ransomware infection and suddenly cut power to a server, versus powering it down properly, you could lose data in addition to the infected data.
  2. Check your most recent set of backups. If they are intact and up to date, data recovery becomes easier: restore them to a different system.
  3. Never pay the ransom because attackers may not unlock your data. We mentioned this earlier on: there are many cases of ransomware victims paying the ransom demanded and not receiving their data back in return. Rather than running this risk, companies should work with data recovery experts who may be able to regain access to data by reverse engineering the malware.
  4. Contact a specialist for advice and to explore recovery options. Do not try to decrypt the data by yourself. Some computer specialists may have the capabilities to recover lost data, but it is risky – if something goes wrong, you could destroy your data forever.

Data recovery from ransomware

From the perspective of a data recovery specialist, every ransomware case is different. There is not only a big difference in how ransomware variants encrypt the data and spread through the network but also how they target different areas of data storage systems.

Some systems and data structures are more challenging and need more time to recover than others. As each case is different, it makes sense to contact a specialist and ask if they have seen your type of ransomware strain before. They will be able to advise you on whether it is worth sending in to attempt data recovery work and if they have been successful with similar cases already.

The attacks over the last few years show that ransomware continues to be a serious threat to both private individuals and companies. It therefore pays to revisit your data security, network policies, user training and backup procedures.

From a backup perspective, we recommend you store backups of your business-critical data on external storage devices that you do not connect to your network, e.g. tapes. You should regularly test your backups for accuracy and functionality.

If your backups are not working or they are hit by ransomware, it is best to contact a professional ransomware data recovery service provider who can attempt to recover your information from the problematic backup media or work around the ransomware itself to get to the data.