What Is Ransomware?
While most viruses and malware try to steal your data, ransomware holds your files hostage by encrypting them and only providing the key once the ransom has been paid. Infection usually starts when someone opens an email attachment that contains malicious code.
The virus proceeds to silently encrypt everything on the local PC, and any network drives that may be mapped to it. If the ransomware is even more sophisticated it can begin to look for other avenues to move deeper into the network, such as open RDP ports, or unsecured network shares.
Ever since the early 2000’s the spread of ransomware has grown significantly. Not only do these types of attacks continue to get more expensive, but they also grow in their complexity. Some of the most dangerous ransomware can avoid the most popular antivirus software and even hide when it’s being studied in a sandbox environment.
A ransomware attack can cost the victim anywhere from a few hundred, to tens of thousands of dollars to decrypt and recover their files from the attacker. This payment is usually demanded in the form of a cryptocurrency such as Bitcoin or Monero.
In most cases recovering any encrypted files without the decryption key is impossible. That’s why it’s much easier to position your network to not get infected in the first place.
How To Prevent Ransomware Infection
Network security is best implemented in layers, and preventing ransomware is no different. The more of these security practices you have in place, the more you mitigate your risk of ransomware infection.
Patch And Update Your Devices
It’s easy to fall behind on patches and updates, but this lapse in security awareness can prove to be disastrous if not corrected. Ensure your servers, PCs, and network storage devices are patched and up to date at least once a month.
Keep an ear out for any recently discovered zero-days or emergency security patches that might need to be installed ahead of schedule. Keeping a strict patching schedule is an easy way to win half the battle when it comes to preventing ransomware. Larger organizations can benefit from automated patch deployment using several patch management tools.
Secure Your Ports And Services From Ransomware
One of the most popular attack vectors for ransomware has been vulnerable remote desktop services. If devices on your network use the Remote Desktop Protocol for external access, you’ll want to ensure you’re following best practices.
Only allow remote desktop over a Virtual Private Network (VPN). In the past, it was enough to use remote desktop services with a nonstandard port and a strong password. Today, this is not enough to keep your network secure. Attackers are now using sophisticated port scanning tools to find services over non-standard ports and then running powerful brute force attacks to gain access.
Critical vulnerabilities such as BlueKeep are continuing to be discovered, leaving networks vulnerable to wormable ransomware attacks. If you must use remote desktop services, ensure that it is only accessible from inside a VPN, or from a list of whitelisted IP addresses. This will also help with your online privacy when using public networks.
Consider using nonstandard ports for specific services. While this isn’t foolproof, it does add an extra layer of obscurity that will cut down on bots that are probing networks looking for opportunities to cause trouble.
Stopping Ransomware In Your Email
Email is the number one attack vector when it comes to getting systems infected with ransomware. Oftentimes attackers will use well-crafted emails disguising their malware as an invoice, Word document, or “encrypted” message.
The victim will click on the Word document, which usually prompts them to follow a link to see the rest of the document. This link performs a drive-by download and begins the spread of ransomware.
There are dozens of different methods attackers could use to trick their victims into downloading and executing their ransomware. Email filtering is critical when it comes to weeding out some of the low-hanging fruit.
A common way for ransomware to spread is through malicious macros embedded in Word documents. Most enterprise firewalls now have preconfigured macro filtering which will not only scan a document but also analyze whether it contains any malicious macros.
Denying all documents that contain macros and whitelisting only specific domains is a simple way to completely cut out an entire avenue of attack. Other products such as Vipre Email Security can detect and remove links that they find to be malicious before a user has a chance to click on them.
Other best practices such as running your email through a blacklist service, and restricting specific extensions such as .exe, .bat, and .jar, will also aid in fighting both ransomware and other viruses as well.
Another major part of email security is educating your team on best practices, and the identification of dangerous emails. We’ll touch more on education later.
Restricting Access To Prevent Ransomware
If ransomware does find its way onto someone’s computer, there are a few restrictions you can put in place to help isolate it and stop its execution and spread from that PC to the rest of the network.
Ensure users do not have administrator privileges. When local users have unrestricted access to their PCs this gives the ransomware full rein to not only infect the local PC but begin probing outward and infecting other shares on the network.
Most ransomware will try to take specific actions before beginning file encryption. Locking down a user’s access to local shadow copies and software installations, and having a moderately strict UAC in place, could be enough to stop the full execution of most ransomware.
Ensuring your network is segmented by security groups and subnets will also limit the scope of the damage if ransomware does manage to execute on a PC in your network.
Most ransomware takes advantage of these weak environments and doesn’t have the ability to perform privilege escalation. Having thorough local and domain restrictions in place could prevent the entire network from becoming compromised.
An often overlooked method of stopping ransomware is restricting what can run from the AppData and Temp folders. A large number of ransomware attacks leverage the AppData and Temp folders to infect a network. Under group policy you can and should restrict what types of files are allowed to run from these folders.
Blocking files like .exe, .bat, and .js from running inside these folders can stop even the trickiest ransomware in its tracks, even if it does get past the firewall and local antivirus.
Restricting the AppData folder is a powerful move against the threat of ransomware, but does come with its inconveniences. You’ll often find yourself whitelisting legitimate applications such as LogMeIn or GoToMeeting, as there are a host of real programs that use the AppData folder.
All of these security policies can be pushed out via a login script, or group policy.
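The AppData/Temp restriction described above, written as an added example rather than anything from the article: it creates local Software Restriction Policy (SRP) path rules that deny .exe, .bat and .js files launched from the AppData folders and the system Temp folder, plus one allow rule of the kind you would add for a legitimate program that installs under AppData. It assumes an elevated PowerShell session on Windows, that no domain GPO overrides the local SRP settings, and that the allowed program path is a placeholder you replace with your own.

```powershell
# Added example, not from the article: local SRP path rules for the AppData/Temp folders.
# Assumptions: run elevated, local policy not overridden by a domain GPO, and the
# 'ExampleVendor\ExampleApp' allow path is a placeholder for a real whitelisted program.

$srpBase      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: block
$Unrestricted = 262144   # SRP security level: allow (0x40000)

function Initialize-SrpPolicy {
    # Default level stays Unrestricted so that only the path rules below deny anything.
    New-Item -Path $srpBase -Force | Out-Null
    Set-ItemProperty -Path $srpBase -Name DefaultLevel       -Type DWord -Value $Unrestricted
    Set-ItemProperty -Path $srpBase -Name TransparentEnabled -Type DWord -Value 1
    Set-ItemProperty -Path $srpBase -Name PolicyScope        -Type DWord -Value 0   # 0 = all users, admins included
    # Designated file types SRP evaluates; JS is not in the default list, so it is added here.
    Set-ItemProperty -Path $srpBase -Name ExecutableTypes -Type MultiString -Value @(
        'EXE','BAT','CMD','COM','JS','JSE','VBS','VBE','WSF','SCR','PIF','HTA','MSI','LNK')
}

function Add-SrpPathRule {
    param([string]$Pattern, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under the security level it enforces.
    $ruleKey = "$srpBase\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $Pattern
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc())
}

Initialize-SrpPolicy

# Deny rules: each folder and its first-level subfolders, for the extensions the article names.
# The per-user Temp folder lives under %LocalAppData%\Temp, so the subfolder rule covers it.
$folders    = '%AppData%', '%LocalAppData%', '%SystemRoot%\Temp'
$extensions = 'exe', 'bat', 'js'
foreach ($folder in $folders) {
    foreach ($ext in $extensions) {
        Add-SrpPathRule -Pattern "$folder\*.$ext"   -Level $Disallowed -Description "Block .$ext in $folder"
        Add-SrpPathRule -Pattern "$folder\*\*.$ext" -Level $Disallowed -Description "Block .$ext in $folder subfolders"
    }
}

# Allow rule for a legitimate AppData-installed program (placeholder path). SRP gives a
# more specific path rule precedence over the broader deny rules above.
Add-SrpPathRule -Pattern '%LocalAppData%\ExampleVendor\ExampleApp\*.exe' -Level $Unrestricted -Description 'Allow ExampleApp (placeholder)'

# List the deny patterns that were written; apply the policy afterwards with: gpupdate /force
Get-ChildItem "$srpBase\$Disallowed\Paths" | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Test the rules on one workstation first, since anything installed under a user profile (the article mentions LogMeIn and GoToMeeting) will need its own allow rule.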
Prevent Ransomware Downtime With Backups
Even with the best network and device security practices in place, there will come a time when threats slip through the cracks, and that might require files and programs to be recovered from a recent backup. Incremental backups should already be a core part of any business network to avoid downtime.
While solid backups won’t necessarily prevent the spread of ransomware, they will certainly give you peace of mind and act as an insurance policy if anything does go wrong. Just make sure you’re following best practices when it comes to backing up critical data on your network.
Make sure your backups are kept off-site or in cloud storage. In the event of a disaster, whether that be ransomware, an earthquake, or break-in, you’ll want copies of your files to be kept off-premises.
Having an off-premise backup solution gives you the flexibility to initiate a restore even if the entire office is down, or needs to be relocated. Off-site backups might take time to recover from depending on your internet speed, and the amount of data you have.
Off-site backups are an excellent solution especially when paired with a more readily available recovery method that is located on-site.
There are a number of online backup solutions you can choose from; here are a few of our favorites.
Keep incremental backups on hand for quick deployment. When you’re recovering from a disaster or ransomware attack you’re not just protecting your data, you’re saving the company from potential downtime.
Depending on the size of your organization, an hour of downtime could cost tens of thousands of dollars. Ransomware has crippled entire local governments that did not have a proper backup policy in place. Security software like StorageCraft’s ShadowProtect can take ‘snapshots’ of your network and recover to any point in time that you specify. Having the power to restore your network from an hour before a disaster, pays for itself on day one.
Keep your backups secured. There’s no point in investing your time and money into a backup solution if it gets compromised along with everything else during a ransomware attack. An external drive plugged into a server will get encrypted just as fast as anything else on the network.
Backups should ideally be performed from a separate machine, isolated from all other traffic in the environment. This protects your backups but still gives you quick access to mount virtual drives on the fly.
The second component of this is ensuring your backups are encrypted and write-locked. This not only prevents accidental changes to backed up data but also stops ransomware from encrypting the backups if the isolated PC was somehow compromised.
The Best Ransomware Protection Software
What should you look for in a ransomware protection tool?
We reviewed the market for ransomware protection systems and analyzed tools based on the following criteria:
- Constant system security monitoring
- File protection
- Alerts that spot unusual activity surrounding file encryption
- A system that implements automated remediation to shut down encryption activity
- Protection for vital system files
- A free trial or a demo that provides an opportunity for a cost-free assessment
- Value for money from a package that provides security monitoring at a reasonable price
With these selection criteria in mind, we identified some useful systems that you should consider in order to protect your system against ransomware.
With all of these security policies and recovery measures in place, you’ll still want to rely on proactive real-time security software that can monitor your network and stop ransomware in its tracks. Here’s a quick summary of our top 3 picks for ransomware protection.
- SolarWinds Security Event Manager EDITOR’S CHOICE The best holistic ransomware prevention software for businesses. Features reporting, auditing, and customizable alert templates. It comes with a 30-day free trial.
- CrowdStrike Falcon Prevent (FREE TRIAL) This device-based next-generation anti-virus protects from a range of malware types, including ransomware. Available for Windows, macOS, and Linux. Start a 15-day free trial.
- Malwarebytes Endpoint antivirus protection with built-in ransomware protection.
- Kaspersky Anti-Ransomware Tool Free standalone installer. Available for both home and business protection.
SolarWinds Security Event Manager (SEM) is one of the best overall security tools to prevent ransomware for medium to large-sized environments. Security Event Manager delivers enterprise-level network security at small business prices. Pricing starts at $2525 (£2019), but you can get a 30-day fully functional trial for free to make sure it’s the right fit for you.
The dashboard of Security Event Manager monitors and alerts you to a number of security-related events on your network and works proactively to keep devices on the network secure and up to date. While this program has dozens of features that make it a powerful security tool, we’ll focus primarily on its anti-ransomware properties for this article.
- File integrity monitoring
- System security monitoring through log analysis
- Threat detection
- Automated response
- Compliance reporting
Community backed intelligence and threat-based detection. Security Event Manager (SEM) leverages a number of sources to always have the latest information on evolving threats and the latest evolutions of ransomware. The SEM platform is constantly updated with real-time analytics, attack vectors, and malicious command and control servers to ensure nothing slips through the cracks.
Deep dive and perform forensic analysis with detailed logging. Easily sift and sort through your network logs to customize and improve ransomware threat-based detection. Compile logs from servers, applications, and other network storage devices with customizable search functions and visualization features.
Automatically detect and stop ransomware behavior. When an account becomes compromised it can be difficult to identify that account and disable its access. With SEM’s activity monitor, you can set predefined thresholds that can either alert you or take specific action against that account. Quickly identify and stop an account when it is behaving maliciously, changing file extensions, or attempting privilege escalation inside your network.
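One way to implement the kind of threshold the paragraph above describes, as an added example that is not SEM’s own logic: it raises an alert when a single account renames more than a set number of files to a new extension within a short window. The input is a constructed sample in a simple "time,user,RENAME,old -> new" shape, not a real SEM or Windows audit log format.

```powershell
# Added example (not SEM's code): threshold alert on an account changing file extensions.
# Input lines are constructed samples in the shape  time,user,RENAME,oldpath -> newpath

function Get-ExtensionChangeAlerts {
    param(
        [string[]]$Lines,
        [int]$Threshold = 20,      # this many extension-changing renames ...
        [int]$WindowSeconds = 60   # ... inside this many seconds trips an alert
    )
    # Keep only renames where the extension actually changed (e.g. .docx -> .docx.crypt).
    $events = foreach ($line in $Lines) {
        if ($line -match '^(?<t>[^,]+),(?<u>[^,]+),RENAME,(?<old>.+?) -> (?<new>.+)$') {
            $oldExt = [IO.Path]::GetExtension($Matches.old)
            $newExt = [IO.Path]::GetExtension($Matches.new)
            if ($oldExt -ne $newExt) {
                [pscustomobject]@{ Time = [datetime]$Matches.t; User = $Matches.u; NewExt = $newExt }
            }
        }
    }
    $alerts = @()
    foreach ($group in ($events | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: for each event, count the events that follow it within WindowSeconds.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $j = $i
            while ($j -lt $sorted.Count -and ($sorted[$j].Time - $sorted[$i].Time).TotalSeconds -le $WindowSeconds) { $j++ }
            if (($j - $i) -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    User    = $group.Name
                    Count   = $j - $i
                    Start   = $sorted[$i].Time
                    NewExts = ($sorted[$i..($j - 1)].NewExt | Sort-Object -Unique) -join ','
                }
                break   # one alert per account is enough to act on (disable, isolate, page on-call)
            }
        }
    }
    return $alerts
}

# Constructed sample: alice performs a couple of ordinary renames, while jdoe's session
# rewrites 30 documents to .crypt in under a minute, which is what the alert should catch.
$start  = [datetime]'2024-05-01T09:00:00'
$sample = @(
    "$($start.AddSeconds(5).ToString('s')),alice,RENAME,\\fs01\share\draft.docx -> \\fs01\share\final.docx",
    "$($start.AddSeconds(9).ToString('s')),alice,RENAME,\\fs01\share\notes.txt -> \\fs01\share\notes.md"
)
foreach ($n in 1..30) {
    $sample += "$($start.AddSeconds($n).ToString('s')),jdoe,RENAME,\\fs01\share\doc$($n).docx -> \\fs01\share\doc$($n).docx.crypt"
}

# Expected: a single alert for jdoe with Count 30 and NewExts '.crypt'; nothing for alice.
Get-ExtensionChangeAlerts -Lines $sample | Format-Table -AutoSize
```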
- Is easy to deploy – features numerous done-for-you templates, dashboards, and monitors
- Provides automated ransomware protection with artificial intelligence
- Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
- Threat response rules are easy to build and use intelligent reporting to reduce false positives
- Built-in reporting and dashboard features help you track issues and document performance over time
- Feature dense – requires time to fully explore all features
SEM operates in a Windows environment and can be installed on Windows Server 2012-2016. SolarWinds offers a 30-day free trial for SEM.
SolarWinds Security Event Manager has hundreds of out-of-the-box correlation rules which can alert you to suspicious behaviors in real time. You can also set up new rules thanks to the normalization of log data. The dashboard gives you a command center for identifying potential network vulnerabilities.
Start 30-day Free Trial: solarwinds.com/security-event-manager
OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure
CrowdStrike Falcon Prevent is a next-generation anti-virus system that installs on endpoints. The package is available for Windows, macOS, and Linux. The Falcon brand is a family of cybersecurity products that work in combination with Falcon Prevent. The Falcon Prevent system is the base product in the range and it acts as an endpoint agent for the other Falcon systems, which are all cloud-based.
The Falcon Prevent system is able to detect a range of malware, including ransomware. The detection system in the tool is anomaly based. This means that the package establishes a baseline of normal activity per user on the device and then looks for activity that doesn’t fit into that pattern. This anomalous behavior is then flagged for further investigation.
- Can spot fileless and malware-free attacks
- Looks for unusual activities
- Updated by the Falcon platform
- Continues working if the device is offline
Ransomware detection. The system gets Indicators of Attack (IoAs) from the Falcon platform and this guides threat detection. The tool will establish a baseline of normal activity and then look for different activity. Those unusual events are compared to IoAs.
Ransomware blocking. Unexpected downloads are blocked by isolating the file and drawing the user’s attention to the new file. Quarantine files can be released manually.
Ransomware response. If suspicious activity is identified, Prevent will kill its processes.
Ransomware remediation. The Prevent system cleans up after a confirmed attack by removing all files related to the blocked malware.
- Fast response, thanks to threat intelligence
- Flexible approach with anomaly detection that can block zero-day attacks
- Also identifies intruder activity
- Can link together suites of malware for detection and remediation
- Only acts once ransomware is already installed and triggered
You can start with a 15-day free trial.
Malwarebytes (MBAM) first found its way to market by providing quality consumer-grade malware protection for individual workstations. Fast forward a few years and Malwarebytes is now bringing that same level of quality ransomware protection to the business environment with its business-grade anti-malware program. While Malwarebytes offers an umbrella of network protection services, we’ll just focus on its ransomware defense capabilities.
In the early days of Malwarebytes, ransomware prevention software was available as a beta standalone product. This technology is now a core feature built directly into Malwarebytes Premium, which is available on Android, Windows, and Apple platforms. Malwarebytes Premium starts at $39.99 (£31.99) a year per device for consumers and $119.97 (£95.96) a year for 3 devices for small businesses. You can get a full breakdown of their business pricing here. Overall it’s an excellent internet security package.
- Protects Windows, macOS, iOS, and Android
- Constant endpoint security monitoring
- AI-based threat detection
- Creates restore points for system rollback
Real-time ransomware prevention. MBAM monitors each endpoint live to detect ransomware activity. This includes recognizing remote code execution, malicious changes to the registry, and rogue encryption on the machine.
Ransomware detection and machine learning. Threat profiles built from machine learning help to proactively identify and stop ransomware before it can spread. This technology keeps you ahead of ransomware variants that traditionally avoid known malware fingerprinting.
Ransomware recovery options. Malwarebytes utilizes its Ransomware Rollback Technology to create a local cache of your systems and data files. This cache is protected and can be reactivated in the event ransomware does get through.
- Provides high-level insights into threats and asset health from devices across the entire network
- Identifies both malicious processes and behavior
- Offers botnet protection as well as protection from browser-based threats
- Offers a free version
- Would like to see a longer trial of the full product for testing
Kaspersky’s Anti-Ransomware Tool (KART) has recently been revamped and made free to anyone who would like to try it. Their premium solutions offer both home and business users automatic patch management, software support, and 20+ other threat detection technologies. KART is currently priced at $39.00 (£31.99) for 3 home devices and $53.99 (£43.19) for 3 devices in a business environment. Kaspersky’s anti-ransomware tool is compatible with Windows OS environments.
- Offered in free and paid versions
- Runs on Windows
- Blocks unauthorized encryption
Blocking encryption at the source. Much like the other security tools, KART can detect and block both local and remote executions of ransomware. It can detect when file encryption is being attempted and stop that process from finishing.
Works in conjunction with other tools. KART has the unique ability to run alongside other antivirus software. While most antivirus tools will fight each other and cause problems, KART can seemingly run side by side with other existing endpoint security products.
Detects more than just ransomware. In addition to ransomware attacks, KART can detect illicit crypto-mining, adware infections, and risk-ware objects on endpoint PCs.
- Completely free
- Simple installation – little configuration needed
- Great for small businesses and home users
- Not the best option for enterprise networks
They offer a free download for home use.
See also: The Best Ransomware Protection Tools
It’s clear that the ransomware threat is here to stay, and is only getting more advanced as time goes on. The good news is that there are now more software tools and device security measures you can deploy right now to help keep your network safe.
All of the tools mentioned above are available as free trials, so try out a few and see which ransomware protection is right for you.
Have you experienced a ransomware attack before? Were you able to recover? Leave a comment about your experience in the comment section below.
Protect Your Network Against Ransomware FAQ
How to prevent a WannaCry ransomware attack?
The first step to take in order to prevent WannaCry attacks is to upgrade your version of Windows or Windows Server. WannaCry doesn’t attack Windows 8, Windows 10, Windows Server 2008, Windows Server 2012, or Windows Server 2016. Make regular backups of your system so that everything can be restored as soon as an attack occurs.
Does encrypting your hard drive prevent ransomware?
No. Encrypting your hard drive is a valid security measure against data theft. However, encrypted data can be encrypted again. When your own encryption is underneath the ransomware encryption your data is rendered just as inaccessible as it would be if you hadn’t encrypted it.
Can ransomware spread through a network?
Yes. The traditional entry point of ransomware is through email attachments. However, the replication modules of a virus suite can explore and exploit known vulnerabilities to reach other devices that are accessible to the infected computer over the network.