What Is Ransomware?
While most viruses and malware try to steal your data, ransomware holds your files hostage by encrypting them and only providing the key when their ransom has been paid. Infection usually starts when someone tries to open an attachment from an email that contains malicious code.
The virus proceeds to silently encrypt everything on the local PC, and any network drives that may be mapped to it. If the ransomware is even more sophisticated it can begin to look for other avenues to move deeper into the network, such as open RDP ports, or unsecured network shares.
Since the early 2000s, the spread of ransomware has grown significantly. Not only do these types of attacks continue to get more expensive, but they also grow in their complexity. Some of the most dangerous ransomware can avoid the most popular antivirus software and even hide when it’s being studied in a sandbox environment.
A ransomware attack can cost the victim anywhere from a few hundred to tens of thousands of dollars to decrypt and recover their files from the attacker. This payment is usually demanded in the form of a cryptocurrency such as Bitcoin or Monero.
In most cases recovering any encrypted files without the decryption key is impossible. That’s why it’s much easier to position your network to not get infected in the first place.
How To Prevent Ransomware Infection
Network security is best implemented in layers, and preventing ransomware is no different. The more of these security practices you have in place, the more you mitigate your risk of ransomware infection.
Patch And Update Your Devices
It’s easy to fall behind on patches and updates, but this lapse in security awareness can prove to be disastrous if not corrected. Ensure your servers, PCs, and network storage devices are patched and up to date at least once a month.
Keep an ear out for any recently discovered zero-days or emergency security patches that might need to be installed ahead of schedule. Keeping a strict patching schedule is an easy way to win half the battle when it comes to preventing ransomware. Larger organizations can benefit from automated patch deployment using several patch management tools.
Secure Your Ports And Services From Ransomware
One of the most popular attack vectors for ransomware has been vulnerable remote desktop services. If devices on your network utilize the remote desktop protocol to gain access externally, you’ll want to ensure you’re using best practices.
Only allow remote desktop over a Virtual Private Network (VPN). In the past, it was enough to use remote desktop services with a nonstandard port and a strong password. Today, this is not enough to keep your network secure. Attackers are now using sophisticated port scanning tools to find services over non-standard ports and then running powerful brute force attacks to gain access.
Critical vulnerabilities such as BlueKeep are continuing to be discovered, leaving networks vulnerable to wormable ransomware attacks. If you must use remote desktop services, ensure that it is only accessible from inside a VPN, or from a list of whitelisted IP addresses. This will also help with your online privacy when using public networks.
Consider using nonstandard ports for specific services. While this isn’t foolproof, it does add an extra layer of obscurity that will cut down on bots that are probing networks looking for opportunities to cause trouble.
Stopping Ransomware In Your Email
Email is the number one attack vector when it comes to infecting systems with ransomware. Oftentimes attackers will use well-crafted emails disguising their malware as an invoice, Word document, or “encrypted” message.
The victim will click on the word document which usually prompts them to continue to a link to see the rest of the document. This link performs a drive-by download and begins the spread of ransomware.
There are dozens of different methods attackers could use to trick their victims into downloading and executing their ransomware. Email filtering is critical when it comes to weeding out some of the low hanging fruit.
A common way for ransomware to spread is through malicious macros embedded in word documents. Most enterprise firewalls now have preconfigured macro filtering which will not only scan a document but also analyze if it contains any malicious macros.
Denying all documents that contain macros and whitelisting only specific domains is a simple way to completely cut out an entire avenue of attack. Other products such as Vipre Email Security can detect and remove links that it finds are malicious before a user has a chance to click on it.
Other best practices such as running your email through a blacklist service, and restricting specific extensions such as .exe, .bat, and .jar, will also aid in fighting both ransomware and other viruses as well.
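The attachment rules described above (deny the listed extensions, deny macro documents unless the sender is on an allow list) can be sketched as a small mail-screening function. This is an added example, not code from the article or from any product it names; the allow-listed domain, the addresses and the sample attachments are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = {".exe", ".bat", ".jar"}            # extensions named in the article
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".pptm"}  # macro-enabled Office formats
ALLOWED_MACRO_DOMAINS = {"partner.example"}       # hypothetical allow list


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) file carries a VBA project, whatever its name says.
    Legacy OLE formats (.doc, .xls) need a dedicated parser and are not covered."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a message; an empty list means deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg["From"]
    domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""   # last extension wins
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXT:
            reasons.append(f"blocked extension: {name}")
        elif (ext in MACRO_EXT or has_vba_project(data)) and domain not in ALLOWED_MACRO_DOMAINS:
            reasons.append(f"macro document from {domain or 'unknown sender'}: {name}")
    return reasons


def sample_message(sender: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message with a single attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ap@corp.example", "Invoice"
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


def macro_docx() -> bytes:
    """Constructed zip that mimics a .docx with an embedded VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not a real macro")
    return buf.getvalue()
```

The From header is trivially forged, so a production gateway should key the allow list on the SPF- or DKIM-authenticated domain rather than on the header alone.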
Another major part of email security is educating your team on best practices, and the identification of dangerous emails. We’ll touch more on education later.
Restricting Access To Prevent Ransomware
If ransomware does find its way onto a PC in your network, there are a few restrictions you can put in place to help isolate it and stop its execution and spread.
Ensure users do not have administrator privileges. When local users have unrestricted access to their PCs this gives the ransomware full rein to not only infect the local PC but begin probing outward and infecting other shares on the network.
Most ransomware will try to take specific actions before beginning file encryption. Locking down a user’s access to local shadow copies, software installations, and having a moderately strict UAC in place could be enough to stop the full execution of most ransomware.
Ensuring your network is segmented by security groups and subnets will also limit the scope of the damage if ransomware does manage to execute on a PC in your network.
Most ransomware takes advantage of these weak environments and doesn’t have the ability to perform privilege escalation. Having thorough local and domain restrictions in place could prevent the entire network from becoming compromised.
An often overlooked method of stopping ransomware is restricting what can run from the AppData and Temp folders. A large number of ransomware attacks leverage the AppData and Temp folders to infect a network. Under group policy you can and should restrict what types of files are allowed to run from these folders.
Blocking files like .exe, .bat, and .js from running inside these folders can stop even the trickiest ransomware in its tracks, even if it does get past the firewall and local antivirus.
Restricting the AppData folder is a powerful move against the threat of ransomware, but does come with its inconveniences. You’ll often find yourself whitelisting legitimate applications such as LogMeIn or GoToMeeting, as there are a host of real programs that use the AppData folder.
All of these security policies can be pushed out via a login script, or group policy.
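Before pushing an AppData/Temp restriction, it helps to dry-run the rule against a software inventory to see which legitimate programs would need whitelisting. The following is an added example that models the rule in Python; it is not the Group Policy engine itself, and the user profile, allow-list paths and inventory entries are hypothetical.

```python
import fnmatch
import ntpath

# Assumed layout for a user "alice"; the per-user Temp folder lives
# under AppData\Local, so the AppData root already covers it.
PROTECTED_ROOTS = [
    r"C:\Users\alice\AppData",
    r"C:\Windows\Temp",
]
BLOCKED_EXT = {".exe", ".bat", ".js"}   # file types named in the article
# Hypothetical install locations for the whitelisted applications.
ALLOW_GLOBS = [
    r"C:\Users\alice\AppData\Local\LogMeIn\*",
    r"C:\Users\alice\AppData\Local\GoToMeeting\*",
]


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normpath also collapses "..\"
    # segments so a path cannot borrow a whitelisted prefix.
    return ntpath.normcase(ntpath.normpath(path))


def would_block(path: str) -> bool:
    """Deny blocked extensions under protected roots unless allow-listed."""
    p = _norm(path)
    if ntpath.splitext(p)[1] not in BLOCKED_EXT:
        return False
    if not any(p.startswith(_norm(root) + "\\") for root in PROTECTED_ROOTS):
        return False
    return not any(fnmatch.fnmatchcase(p, _norm(g)) for g in ALLOW_GLOBS)


def dry_run(inventory: list[str]) -> list[str]:
    """Inventory entries the policy would stop from running."""
    return [p for p in inventory if would_block(p)]


# Constructed inventory: two legitimate tools, one traversal, one dropper-style name.
INVENTORY = [
    r"C:\Users\alice\AppData\Local\LogMeIn\x64\LogMeIn.exe",
    r"C:\Users\alice\AppData\Local\Updater\update.exe",
    r"C:\Users\alice\AppData\Local\LogMeIn\..\Temp\setup.bat",
    r"C:\Users\Alice\AppData\Roaming\invoice.pdf.EXE",
    r"C:\Program Files\Vendor\app.exe",
]
```

Anything `dry_run(INVENTORY)` returns that belongs to a legitimate program is a candidate for the whitelist before the policy goes live.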
Prevent Ransomware Downtime With Backups
Even with the best network & device security practices in place, there will come a time where threats will slip through the cracks, and that might require files and programs to be recovered from a recent backup. Incremental backups should already be a core part of any business network to avoid downtime.
While solid backups won’t necessarily prevent the spread of ransomware, they will certainly give you peace of mind and act as an insurance policy if anything does go wrong. Just make sure you’re following best practices when it comes to backing up critical data on your network.
Make sure your backups are kept off-site or in cloud storage. In the event of a disaster, whether that be ransomware, an earthquake, or break-in, you’ll want copies of your files to be kept off-premises.
Having an off-premise backup solution gives you the flexibility to initiate a restore even if the entire office is down, or needs to be relocated. Off-site backups might take time to recover from depending on your internet speed, and the amount of data you have.
Off-site backups are an excellent solution especially when paired with a more readily available recovery method that is located on-site.
There are a number of online backup solutions you can choose from, here are a few of our favorites.
Keep incremental backups on hand for quick deployment. When you’re recovering from a disaster or ransomware attack you’re not just protecting your data, you’re saving the company from potential downtime.
Depending on the size of your organization, an hour of downtime could cost tens of thousands of dollars. Ransomware has crippled entire local governments that did not have a proper backup policy in place. Security software like StorageCraft’s ShadowProtect can take ‘snapshots’ of your network and recover to any point in time that you specify. Having the power to restore your network from an hour before a disaster pays for itself on day one.
Keep your backups secured. There’s no point in investing your time and money into a backup solution if it gets compromised along with everything else during a ransomware attack. An external drive plugged into a server will get encrypted just as fast as anything else on the network.
Backups should be performed ideally from a separate machine, isolated from all other traffic in the environment. This protects your backups but still gives you quick access to mount virtual drives on the fly.
The second component of this is ensuring your backups are encrypted and write-locked. This not only prevents accidental changes to backed up data but also stops ransomware from encrypting the backups if the isolated PC was somehow compromised.
The Best Ransomware Protection Software
With all of these security policies and recovery measures in place, you’ll still want to rely on proactive real-time security software that can monitor your network and stop ransomware in its tracks. Here’s a quick summary of our top 3 picks for ransomware protection.
- SolarWinds Security Event Manager (EDITOR’S CHOICE): The best holistic ransomware prevention software for businesses. Features reporting, auditing, and customizable alert templates. It comes with a 30-day free trial.
- Malwarebytes: Endpoint antivirus protection with built-in ransomware protection.
- Kaspersky Anti-Ransomware Tool: Free standalone installer. Available for both home and business protection.
SolarWinds Security Event Manager (SEM) is one of the best overall security tools to prevent ransomware for medium to large-sized environments. Security Event Manager delivers enterprise-level network security at small business prices. Pricing starts at $2525 (£2019) but you can get a 30-day fully functional trial for free to make sure it’s the right fit for you.
The dashboard of Security Event Manager monitors and alerts you to a number of security-related events on your network and works proactively to keep devices on the network secure and up to date. While this program has dozens of features that make it a powerful security tool, we’ll focus primarily on its anti-ransomware properties for this article.
Community backed intelligence and threat-based detection. Security Event Manager (SEM) leverages a number of sources to always have the latest information on evolving threats and the latest evolutions of ransomware. The SEM platform is constantly updated with real-time analytics, attack vectors, and malicious command and control servers to ensure nothing slips through the cracks.
Deep dive and perform forensic analysis with detailed logging. Easily sift and sort through your network logs to customize and improve ransomware threat-based detection. Compile logs from servers, applications, and other network storage devices with customizable search functions and visualization features.
Automatically detect and stop ransomware behavior. When an account becomes compromised it can be difficult to identify that account and disable its access. With SEM’s activity monitor, you can set predefined thresholds that can either alert you or take specific action against that account. Quickly identify and stop an account when it is behaving maliciously, changing file extensions, or attempting privilege escalation inside your network.
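The threshold idea described above, flagging an account that changes many file extensions in a short time, can be illustrated with a sliding-window counter over file-audit events. This is an added example and not SEM's rule syntax or code; the log format, the window and threshold values, the account names and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

WINDOW = timedelta(seconds=60)   # assumed window; tune to your environment
THRESHOLD = 5                    # extension-changing renames allowed per window

# Constructed audit lines: timestamp|account|old path|new path
SAMPLE_LOG = r"""
2024-05-01T09:00:00|bob|\\fs1\docs\plan.doc|\\fs1\docs\plan.docx
2024-05-01T09:14:02|alice|\\fs1\fin\q1.xlsx|\\fs1\fin\q1.xlsx.locked
2024-05-01T09:14:03|alice|\\fs1\fin\q2.xlsx|\\fs1\fin\q2.xlsx.locked
2024-05-01T09:14:03|alice|\\fs1\fin\tax.pdf|\\fs1\fin\tax.pdf.locked
2024-05-01T09:14:04|carol|\\fs1\hr\memo.docx|\\fs1\hr\memo-v2.docx
2024-05-01T09:14:05|alice|\\fs1\hr\list.csv|\\fs1\hr\list.csv.locked
2024-05-01T09:14:06|alice|\\fs1\hr\plan.docx|\\fs1\hr\plan.docx.locked
2024-05-01T09:30:00|bob|\\fs1\docs\old.txt|\\fs1\docs\old.md
"""


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect(log: str) -> dict[str, datetime]:
    """Map each offending account to the time its rename burst crossed the threshold."""
    recent = defaultdict(deque)      # account -> timestamps of extension changes
    alerts = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, old, new = line.split("|")
        if _ext(old) == _ext(new):
            continue                 # ordinary rename that keeps the extension
        when = datetime.fromisoformat(ts)
        window = recent[account]
        window.append(when)
        while when - window[0] > WINDOW:
            window.popleft()         # forget events older than the window
        if len(window) >= THRESHOLD and account not in alerts:
            alerts[account] = when   # hook an account-disable action here
    return alerts
```

With the sample lines, only `alice` is flagged; `bob` changes two extensions half an hour apart and `carol` renames a file without touching its extension.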
SEM operates in a Windows environment and can be installed on Windows Server 2012-2016. SolarWinds offers a 30-day free trial for SEM.
SolarWinds Security Event Manager has hundreds of out-of-the-box correlation rules which can alert you to suspicious behaviors in real-time. You can also set up new rules thanks to the normalization of log data. The dashboard gives you a command center for identifying potential network vulnerabilities.
OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure
Malwarebytes (MBAM) first found its way to market by providing quality consumer-grade malware protection for individual workstations. Fast forward a few years and Malwarebytes is now bringing that same level of quality ransomware protection to the business environment with its business-grade anti-malware program. While Malwarebytes offers an umbrella of network protection services, we’ll just focus on its ransomware defense capabilities.
In the early days of Malwarebytes, ransomware prevention software was available as a beta standalone product. This technology is now a core feature built directly into Malwarebytes Premium which is available on Android, Windows, and Apple platforms. Malwarebytes Premium starts at $39.99 (£31.99) a year per device for consumers and $119.97 (£95.96) a year for 3 devices for small businesses. You can get a full breakdown of their business pricing here. Overall it’s an excellent internet security package.
Real-time ransomware prevention. MBAM monitors each endpoint live to detect ransomware activity. This includes recognizing remote code execution, malicious changes to the registry, and rogue encryption on the machine.
Ransomware detection and machine learning. Threat profiles built from machine learning help to proactively identify and stop ransomware before it can spread. This technology keeps you ahead of ransomware variants that traditionally avoid known malware fingerprinting.
Ransomware recovery options. Malwarebytes utilizes its Ransomware Rollback Technology to create a local cache of your systems and data files. This cache is protected and can be reactivated in the event ransomware does get through.
Kaspersky’s Anti Ransomware Tool (KART) has recently been revamped and made free to anyone who would like to try it. Their premium solutions offer both home and business users automatic patch management, software support, and 20+ other threat detection technologies. KART is currently priced at $39.00 (£31.99) for 3 home devices and $53.99 (£43.19) for 3 devices in a business environment. Kaspersky’s anti-ransomware tool is compatible with Windows OS environments.
Blocking encryption at the source. Much like the other security tools, KART can detect and block both local and remote executions of ransomware. It can detect when file encryption is being attempted and stop that process from finishing.
Works in conjunction with other tools. KART has the unique ability to run along with other antivirus software. While most antivirus tools will fight each other and cause problems, KART can seemingly run side-by-side with other existing security endpoints.
Detects more than just ransomware. In addition to ransomware attacks, KART can detect illicit crypto-mining, adware infections, and risk-ware objects on endpoint PCs. They offer a free download for home use.
It’s clear that the ransomware threat is here to stay, and is only getting more advanced as time goes on. The good news is that there are now more software tools and device security measures you can deploy right now to help keep your network safe.
All of the tools mentioned above are available as free trials, so try out a few and see which ransomware protection is right for you.
Have you experienced a ransomware attack before? Were you able to recover? Leave a comment about your experience in the comment section below.
Protect Your Network Against Ransomware FAQ
How to prevent a WannaCry ransomware attack?
The first step to take in order to prevent WannaCry attacks is to upgrade your version of Windows or Windows Server. WannaCry doesn’t attack Windows 8, Windows 10, Windows Server 2008, Windows Server 2012, or Windows Server 2016. Make regular backups of your system so that everything can be restored as soon as an attack occurs.
Does encrypting your hard drive prevent ransomware?
No. Encrypting your hard drive is a valid security measure against data theft. However, encrypted data can be encrypted again. When your own encryption is underneath the ransomware encryption your data is rendered just as inaccessible as it would be if you hadn’t encrypted it.
Can ransomware spread through a network?
Yes. The traditional entry point of ransomware is through email attachments. However, the replication modules of a virus suite can explore and exploit known vulnerabilities to reach other devices that are accessible to the infected computer over the network.