Best Practices for Preventing and Responding to Ransomware Attacks

Reading time: 7 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

Ransomware is a growing threat to any organizations  that rely on systems and data; in other words, just about any organization in the world.

It’s a method used by hackers to hold data hostage while demanding a ransom for it. Cyber criminals can block victims from accessing their data and can threaten to harm the victim by destroying the data, releasing it to business competitors, stealing financial information etc. Ransomware is a form of malware that can be easily contracted as a virus.

Fortunately there are steps organizations can take to protect themselves. In a recent post, “Ransomware: Best Practices for Prevention and Response,” Alexander Volynkin, a senior research scientist in the CERT Division of Carnegie Mellon University’s Software Engineering Institute, advises how to prevent and respond to these attacks. Volynkin notes that as ransomware technologies continue to evolve, organizations should take specific precautions to protect against attacks.

The first and most critical safety measure is to regularly back up data and store it on a secondary system. Hackers have the ability to encrypt Windows system restore points and shadow copies, which are typically used to restore data online. Backups preferably should be stored offline and offsite in a system that is not connected to the main network. Backups should be made whenever important data is modified, and it should be periodically verified that the data can be accessed from the secondary system.

To prevent a ransomware attack from occurring, organizations should ensure that employees  are trained to recognize a potential attack. Suspicious emails, downloads, and Web sites are typical sources of ransomware and should be treated with caution. Hackers have become more skilled at social engineering and can hide viruses in more legitimate-looking sources than ever before.

To restrict ransomware from executing once it is in the system, organizations should deploy access controls to block important data from being encrypted, Volynkin said

Ransomware might attempt to use a system administrator account to gain access to data. As a defense against this, the number of user accounts should be decreased and all default system administrator accounts should be terminated.

Companies should also use security and anti-malware software and regularly update these products to detect ransomware before it can cause damage. Anti-malware products should be able to notice ransomware at the file and process level; however, this is not a guarantee.

To reduce the chance of an email that contains malware being opened, inboxes should be filtered for spam or emails from suspicious sources, Volynkin said. Attachments should be blocked from emails by an email security appliance. Ransomware often comes in the form of an executable file such as .exe or .js or can be disguised as other files such as .zip, when they are really one of the former two. Ransomware can also be found in Microsoft Office files that contain macros.

Organizations should remove local administrative rights from the system. This blocks the ransomware from gaining the power to change system files, directories, and system registry and storage. This also blocks access to critical system resources and files.

Limiting write access to a small number of directories makes it more difficult for ransomware to encrypt data, Volynkin said. This can be achieved by restricting user write capabilities, preventing execution from user directories, whitelisting applications, and limiting access to network storage or shares.

Once a system has been infected with ransomware, it is difficult to prevent the virus from spreading through the network. An infected machine should immediately be disconnected from the network by unplugging wired connections, turning off Wi-Fi or Bluetooth, and stopping automated backups to local or external storage.

In addition, firewalls that implement whitelisting or robust blacklisting are useful for blocking ransomware from spreading and preventing it from connecting to command-and-control servers. Firewalls should limit or completely block remote desktop protocol and other remote management services.

Since it’s impossible to prevent every single type of ransomware attack, it’s important to know how to respond to an attack. If an organization thinks  there is ransomware in one of its systems, it should take the following steps, according to the post: 

  • Before shutting down the system, try to capture a snapshot of the system memory. This will make it easier to track down the hacker and possibly save information that could help in decrypting data. Shut down the system as quickly as possible to prevent the ransomware from spreading and damaging the data even further. 
  • To keep ransomware from encrypting data, block network access to any identified command-and-control servers.
  • Finally, notify the authorities to receive assistance in the investigation. This does, however, increase the risk that data may never be recovered. Since ransom payments tend to increase over time, law enforcement might delay the process and add to the cost of retrieving the data from the attacker.

As ransomware becomes more powerful, it is more important than ever to employ security tactics like these to prevent your organization from being affected.


continuous sec