Dukkaun Online

Expert Talk

Every month, one of Dukkaun Online's domain experts shares their knowledge, insights and experiences on a topical matter.

This month, our Chief Security Evangelist, Peter Theobald, speaks about Ransomware Protection.

RANSOMWARE PROTECTION

Ransomware is a type of malware (think "virus") that infects your computer. Once it has infected a system, it encrypts whatever data it can find there, typically Word, Excel, PowerPoint and PDF files, etc., with a random encryption key. It then puts up a note on your system, asking for payment of a "ransom" in return for the key to decrypt your data. Basically, without the key, you can't access your data any more.

The main entry point for ransomware into an organisation is email. Typically, a user gets a "phishing" email: one that makes a very interesting offer, or one that threatens dire consequences (such as losing access to your account) unless the link in the email is clicked on, or the attachment is downloaded and opened. Once the user does that, the ransomware program executes and infects the computer.

Another route is browsing, where the user could click on a link on a rogue or compromised website.

Ransomware can also enter the system via the endpoint (say a USB stick with an infected doc or program).

Another common route is from another infected system in the organisation. Once one system is infected with ransomware, it can easily spread to many other systems on the network.

Paying the ransom is not recommended.

Paying the ransom is no guarantee that you will get the decryption key, or that it would work. You may have paid the money but still not got access to your data.

Besides encouraging criminals, paying the ransom also opens you to repeat attacks.

Unfortunately, in most cases, the answer is NO.

Once the data has been encrypted, the chances of getting it back (without access to the decryption key) are extremely remote.

The only exception is for some known ransomware strains, where the decryption keys are posted on the net.

If you are hit by ransomware, the first step would be to identify the strain that you have been attacked with and search online for decryption keys for that strain. If you are lucky, you may get one that works.

Otherwise, the only option is to restore from backups. As mentioned earlier, paying the ransom is not recommended.

While there is no single "silver bullet" to protect you against all ransomware attacks, a defence-in-depth strategy will minimise the risk of your organisation getting impacted by ransomware.

This strategy would have multiple elements, such as:

  • Implementing application control
  • Restricting use of macros in MS Office
  • Monitoring admin access and limiting privileges
  • Patching and hardening the OS and applications
  • Multi-factor authentication
  • Regular backups

Email protection software is the most effective first step to protect your organisation from a ransomware attack.

70-80% of these attacks happen via email, so blocking this route gives you an easy win against ransomware. What's more, it is easy to implement and does not involve any disruption to the organisation or to users' work.

Other products that can be useful are micro-segmentation and East-West traffic inspection at your data centre. The objective is to protect your crown jewels from being compromised by lateral movement.

Products to protect your endpoints and browsing activities can also be considered to complete the protection package.

Dukkaun Online has long experience in helping organisations protect themselves against all kinds of malware, including ransomware. We have trained and skilled engineers who can help assess your environment and recommend the best strategy to mitigate your risk of being compromised by ransomware. Contact us on the link below for a free, no-obligation consultation with our technical expert.
