Avoid Ransomware Attacks by Removing Attack Vectors

Posted on by Rook Security

ransomewareTo date, there are around about 54 different versions of ransomware, and each one has multiple variants. Every day there is a new ransomware victim, and unlike other malware that has come before, ransomware isn’t looking to steal your information or gain unauthorized access. It just wants your money.

Should I pay? Can my files be decrypted? How did this happen? These questions get asked a lot when a user or company gets infected with ransomware. I’ll share an introduction to ransomware that will answer these questions, followed by ways companies can avoid future ransomware attacks by ridding themselves of certain attack vectors.

Should I pay?

If it is business critical and you can’t afford to take any down time, then you might want to consider it. That is the problem with most ransomware—the attackers rely on hitting mission critical devices on your network so you have to pay.

Can my files be decrypted?

Most of the time the answer is no. Each type of ransomware uses an encryption algorithm that would take months—if not years—to decrypt. For most businesses, that just isn’t acceptable. But there is a silver lining. There are some older versions of ransomware malware that have fatal flaws in them in which they store the decryption key in memory or on the hard drive.

How does this happen?

Most ransomware that exists right now either relies on the user to click a malicious link or download a malware program that, in turn, downloads the ransomware. But recently, many of the ransomware malware out there—namely TeslaCrypt—use malvertising (which involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages) and use a javascript program to download the ransomware onto a computer. This means that if you visit a site where an ad runs a javascript program in the background, it can also download and run the ransomware without your knowledge. 

How can I prevent this from happening again?

What many don’t understand is that most ransomware attacks out there can be prevented very easily. While it is never a sure thing, cutting down on the following attack vectors can prevent your company losing big money: 

  • Avoid mapping network drives whenever possible, and ensure network shares are hidden if they are required. WNetOpenEnum() will not enumerate hidden shares. This can be achieved by simply appending a ‘$’ to the network share name.
  • Be vigilant and aggressive in blocking file extensions via email. While blocking *.js, *.wsf, or scanning the contents of *.zip files may be in place as basic filtering functions, there remain further avenues to explore. Consider screening and filtering *.zip files outright if there is no business requirement to allow them. Also, consider abolishing *.doc and *.rtf document extensions in favor of *.docx, which cannot contain macros.
  • Install ad-blockers and script-blockers as standard loadout for all workstations. Drive-by malware is increasing exponentially and is extremely prominent in today’s technology ecosystem. Blocker solutions help to cut off this vector of infection.
  • Make sure to keep backups of all critical assets (Domain Servers, File Shares, etc.) to ensure restoration capabilities should the aforementioned measures not prove adequate in preventing a future ransomware incident.

Finally, be sure to provide basic end-user awareness training regarding typical phishing e-mail campaigns and the “do’s and don’ts” of general web-surfing and corporate email. Ransomware, along with most other malware solutions, rely heavily on the average end-user’s lack of technical knowledge to facilitate their infiltration and execution. Arming personnel with critical knowledge, as well as implementing corporate policy governing web-surfing and email procedures may reduce the chances of a phishing scam or drive-by download being successful.

Daniel Ford is a Security Engineer and Forensic Analyst at Rook Security, a global IT security solutions provider.

Rook Security

, Rook Security

Hackers & Threats

security awareness anti-malware ransomware

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community