Ransomware protection -- what you may be missing

Given the success of ransomware, we need to look deeper for solutions beyond those mentioned most frequently. Here are a few of these solutions.

Unless you have been living on a remote island with no internet access, you are no doubt familiar with ransomware.

It is a simple but frightening concept -- making all of your files unavailable, and then demanding that you pay to get them back. Ransomware is definitely a growth industry, with a 30% increase in cases in Q1 of 2016 alone, according to Security Intelligence.

We should not be surprised at all by this trend, as it seems to be the nearly perfect crime. It is an easy business to start, with most of the needed tools being available inexpensively on the dark web. Their customer base, those whose files are being held hostage, is highly motivated, since their files are unusable -- and since payment is typically being made via Bitcoin, the transactions are difficult or impossible to trace.

While ransomware has hit individuals and industries indiscriminately, it can cause the most trouble in industries like healthcare, where the impact of an infected system can reach far beyond inconvenience. In recent months, the information security world has seen an increase in targeted attacks, focusing on businesses and organizations over individuals. According to Security Week, this is not surprising, given that corporations can afford to pay more, and can ill afford to have their operation shut down by an infection.

In the past few months, I have lost track of the number of articles I have read on the topic of ransomware protection. Sadly, most of the ones I read are remarkably similar, with the same top 10 or so approaches to prevention, including having a good anti-virus package, good backups, and well trained users.

These are all good and appropriate approaches, but if you are engaged like me, you have seen them over and over, causing your eyes to glaze over at some point. As the saying goes, sometimes you can't see the forest for the trees. We are so used to seeing the top 10 prevention techniques, we sometimes miss the lesser discussed approaches. These are important, because the purveyors of ransomware read the same articles with the common approaches, and can use these as a road map to improve their techniques.

One of my customers is a large healthcare institution, and one of my major focuses with them has been to take a deep look at approaches to ransomware prevention and recovery. In the process, I have found many things that organizations can do that are not often discussed in the trade press. Since we in the business world need all the help we can get at this point, these can be very important. Consider a few of these:

Test your backups

A good backup can be your ticket to recovery from a ransomware attack without having to write a big check. The problem, however, is that an untested backup may turn out to be useless when it is really needed. It is possible to go for months without realizing that your backup process is failing.

The only way to make sure they are ready when you need them is to test them. This involves restoring some percentage of your files from backup on a periodic basis, and confirming that the restored files are usable and correct. While testing is a critical aspect of the backup process, it is often overlooked, even by large companies.
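A restore test of the kind described above, as an added example that is not from the article: it records a SHA-256 manifest at backup time, restores a random sample of files from the backup into a scratch directory, and checks each restored file against the manifest, reporting files that are missing from the backup or that came back corrupted. The backup layout (plain file copies plus a manifest) and the sample data are assumptions constructed for the example.

```python
"""Added example: periodic restore test for a file backup.

Assumptions (not from the article): the backup is a plain copy of the source
tree, and a manifest of SHA-256 hashes was recorded when the backup was taken.
The demo data (10 small files, one corrupted copy, one missing copy) is constructed.
"""
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source: Path) -> dict:
    """Record the hash of every file at backup time, keyed by relative path."""
    return {str(p.relative_to(source)): sha256_file(p)
            for p in source.rglob("*") if p.is_file()}


def restore_test(backup: Path, manifest: dict,
                 sample_fraction: float = 0.2, seed=None) -> dict:
    """Restore a random sample of files from the backup into a scratch
    directory and verify each restored file against the manifest.

    Returns {"ok": [...], "missing": [...], "corrupt": [...]} of relative paths.
    A non-empty "missing" or "corrupt" list means the backup job is failing."""
    rng = random.Random(seed)
    names = sorted(manifest)
    k = max(1, int(len(names) * sample_fraction))
    sample = rng.sample(names, k)
    report = {"ok": [], "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch:
        for rel in sample:
            src = backup / rel
            if not src.exists():
                report["missing"].append(rel)
                continue
            dst = Path(scratch) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # the actual "restore" step
            if sha256_file(dst) == manifest[rel]:
                report["ok"].append(rel)
            else:
                report["corrupt"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: 10 files backed up, then one backup copy silently
    truncated and one never copied, as a failing backup job might leave them."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "data"
        backup = Path(tmp) / "backup"
        source.mkdir()
        for i in range(10):
            (source / f"doc{i}.txt").write_bytes(f"record {i}\n".encode() * 100)
        manifest = write_manifest(source)
        shutil.copytree(source, backup)
        (backup / "doc3.txt").write_bytes(b"\x00" * 10)  # corrupted copy
        (backup / "doc7.txt").unlink()                    # missing copy
        # sample_fraction=1.0 checks every file; a scheduled run would use a sample
        return restore_test(backup, manifest, sample_fraction=1.0, seed=1)


if __name__ == "__main__":
    print(demo())
```

In a scheduled run the report would be compared against an empty `missing`/`corrupt` list and raise an alert otherwise; the point is that the check exercises the restore path, not just the existence of the backup files.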

Use intrusion prevention

Intrusion Prevention Systems (IPS), which monitor network traffic looking for attempts to exploit vulnerabilities, can be a valuable weapon in the fight against ransomware. It often takes weeks or months for a vendor to release a patch once a new vulnerability is discovered. Even more time can elapse before the patch gets applied to all systems within an organization.

An IPS, which normally sits at the network perimeter (and increasingly, on the internal network as well), can offset some of the danger of unpatched workstations by detecting and filtering out attempts to exploit such vulnerabilities.

IPS technology can be part of a firewall, such as with the Dell Sonicwall products, or as a standalone device, like Trend Micro TippingPoint. IPS is quickly becoming a must-have technology for any business or organization.

Block attachments

Despite the improvements in ransomware technology, in most cases, these programs still depend on a user opening an attachment to an email they receive. As such, user training occupies a key spot on most ransomware prevention checklists, and one I strongly support.

The problem, however, is that even the best-trained users can slip up. Companies that use phishing testing/training products such as PhishMe typically find some percentage of users who fail the test, meaning that some will likely fall for a real phishing message as well. One surprisingly overlooked approach to ransomware is to block all but essential attachment types at the email server.

A good example of the need for attachment blocking is the recently discovered RAA ransomware variant, which is implemented entirely in JavaScript. It is usually spread using a .JS attachment to an email, which can be disguised as a Microsoft Office document. Very few companies really have a need to send or receive .JS attachments, but few attempt to block them, or other file types commonly used as attack vectors.
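An attachment policy of the kind the section recommends, as an added example that is not from the article or from any mail product: it parses a message, lists its attachments, and rejects the message if any attachment's final extension is not on an allow-list. The allow-list contents and the sample messages are assumptions constructed for the example; the point of judging the final extension is that a name such as `Invoice.docx.js` is still a .js file, however Office-like it looks.

```python
"""Added example: allow-list attachment policy for a mail gateway.

Assumptions (not from the article): the gateway sees each message as raw
RFC 5322 bytes, and policy is "allow only these extensions" rather than a
block-list, so .js, .exe, .vbs and anything else unknown is rejected.
Sample messages are constructed with the standard library.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed allow-list; a real deployment sets this per business need.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".png", ".jpg"}


def attachment_names(raw: bytes) -> list:
    """Return the declared filenames of all attachment parts in a message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_filename() for part in msg.iter_attachments()
            if part.get_filename()]


def is_allowed(filename: str) -> bool:
    """Judge only the final extension, case-insensitively, so
    'Invoice.docx.js' and 'UPDATE.EXE' are both rejected."""
    ext = os.path.splitext(filename.strip().lower())[1]
    return ext in ALLOWED_EXTENSIONS


def check_message(raw: bytes) -> tuple:
    """Return ("accept", []) or ("reject", [blocked filenames])."""
    blocked = [name for name in attachment_names(raw) if not is_allowed(name)]
    return ("reject" if blocked else "accept", blocked)


def build_message(filenames) -> bytes:
    """Construct a sample message carrying the given attachment names."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name in filenames:
        msg.add_attachment(b"constructed payload", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for names in (["invoice.pdf"], ["Invoice.docx.js"], ["Q1.xlsx", "UPDATE.EXE"]):
        print(names, "->", check_message(build_message(names)))
```

An allow-list is deliberately chosen over a block-list: a block-list has to be extended every time attackers move to a new script or archive type, whereas an allow-list only changes when the business needs a new type. Archives that wrap a script would need the gateway to inspect their contents as well, which this example does not do.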

Use behavioral analysis

Most anti-virus programs can only block malware that has been seen before. The challenge is that hundreds of thousands of new malware variants are seen every day, according to AV-TEST. An alternative approach is to monitor system resources on a workstation, looking for common scenarios used by most malware programs. Since certain behaviors are common to ransomware programs, they can often be spotted and filtered, even though the particular variant has not been seen before. While this approach is still in its infancy, it is growing rapidly, with products such as the Barkley agent.
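One concrete form of the behavioral approach described above, as an added example that is neither from the article nor modelled on any named product: a rule that runs over file-activity events and flags a process that renames many files to a new extension within a few seconds, which is how a file-encrypting program looks to the file system regardless of which variant it is. The event format, the window and threshold, and the log lines are all assumptions constructed for the example; a normal application renaming one file, and a backup job renaming files slowly, are included to show that they do not trip the rule.

```python
"""Added example: behaviour rule over a constructed file-activity log.

Assumptions (not from the article): a sensor emits one line per file event as
"<timestamp> <pid> <process> <op> <path> [-> <newpath>]", and the rule is
"N or more extension-changing renames by one process within W seconds".
"""
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # constructed tuning values
RENAME_THRESHOLD = 5

# Constructed sample log: a benign word processor, a slow backup job, and a
# script host renaming six documents to ".locked" in under two seconds.
SAMPLE_LOG = [
    "1000.0 4102 winword.exe write C:/Users/ann/Docs/q1.docx",
    "1000.5 4102 winword.exe rename C:/Users/ann/Docs/q1.docx -> C:/Users/ann/Docs/~$q1.docx",
    "1005.0 2210 backup.exe rename C:/Users/ann/Docs/a.xlsx -> C:/Users/ann/Docs/a.xlsx.bak",
    "1025.0 2210 backup.exe rename C:/Users/ann/Docs/b.xlsx -> C:/Users/ann/Docs/b.xlsx.bak",
    "1045.0 2210 backup.exe rename C:/Users/ann/Docs/c.xlsx -> C:/Users/ann/Docs/c.xlsx.bak",
    "1065.0 2210 backup.exe rename C:/Users/ann/Docs/d.xlsx -> C:/Users/ann/Docs/d.xlsx.bak",
    "1085.0 2210 backup.exe rename C:/Users/ann/Docs/e.xlsx -> C:/Users/ann/Docs/e.xlsx.bak",
    "1100.0 7781 wscript.exe write C:/Users/ann/Docs/a.docx",
    "1100.2 7781 wscript.exe rename C:/Users/ann/Docs/a.docx -> C:/Users/ann/Docs/a.docx.locked",
    "1100.4 7781 wscript.exe rename C:/Users/ann/Docs/b.docx -> C:/Users/ann/Docs/b.docx.locked",
    "1100.6 7781 wscript.exe rename C:/Users/ann/Docs/c.pdf -> C:/Users/ann/Docs/c.pdf.locked",
    "1101.0 7781 wscript.exe rename C:/Users/ann/Pictures/d.jpg -> C:/Users/ann/Pictures/d.jpg.locked",
    "1101.3 7781 wscript.exe rename C:/Users/ann/Pictures/e.jpg -> C:/Users/ann/Pictures/e.jpg.locked",
    "1101.5 7781 wscript.exe rename C:/Users/ann/Docs/f.xlsx -> C:/Users/ann/Docs/f.xlsx.locked",
]


def parse(line: str) -> tuple:
    """Split one event line into (ts, pid, process, op, path, newpath_or_None)."""
    parts = line.split()
    ts, pid, proc, op, path = float(parts[0]), int(parts[1]), parts[2], parts[3], parts[4]
    new = parts[6] if op == "rename" and len(parts) >= 7 and parts[5] == "->" else None
    return ts, pid, proc, op, path, new


def extension_changed(old: str, new: str) -> bool:
    """A rename that keeps the extension (e.g. Word's ~$ lock files) is ignored."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(lines) -> dict:
    """Return {pid: alert_details} for processes that cross the threshold.

    Keeps a sliding window of extension-changing rename timestamps per pid;
    the first time the window holds RENAME_THRESHOLD events, that pid is flagged."""
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, pid, proc, op, path, new = parse(line)
        if op != "rename" or new is None or not extension_changed(path, new):
            continue
        q = windows[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= RENAME_THRESHOLD and pid not in alerts:
            alerts[pid] = {"process": proc, "renames_in_window": len(q),
                           "first_seen": q[0], "at": ts}
    return alerts


if __name__ == "__main__":
    for pid, details in detect(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} {details}")
```

A production agent would combine several such signals (rename rate, write entropy, touching many user directories, dropping a note file in each) and would act on the alert, for example by suspending the process, rather than only reporting it; the rename-rate rule alone is enough to show why the approach does not need to have seen the specific variant before.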

Bottom line -- we need all the help we can get in the war against ransomware. We all need to look beyond the trees, the common tips and recommendations we read about daily, and to the forest of new ideas and techniques that can put us ahead of the bad actors for a change.

Stories by Robert C. Covington