
Want to prevent ransomware attacks? Prepare.

The threat is huge. The response? Not so much. Or at least the response isn't on par with the threat when it comes to ransomware.

Even as ransomware continues to threaten industries, costing organizations an estimated $1 billion in 2016 and predicted to be even more expensive this year following WannaCry, Petya and other high-profile outbreaks, many organizations skip obvious steps that could help them prevent future infections: properly training employees in online safety, actively monitoring their networks, ensuring systems are patched, and properly backing up important files, to name a few.

Until IT departments start taking these threats seriously and adopt a more proactive approach, organizations will continue to be hit with otherwise preventable attacks. Known vulnerabilities with available patches are providing gateways for criminals to infect entire networks, as with WannaCry, and it is crucial that organizations ensure their systems are up to date to prevent repeats.

The WannaCrypt (WannaCry) ransomware was distributed through the EternalBlue Windows SMB vulnerability, a flaw that was patched in March 2017 but was heavily exploited in the May 2017 WannaCry attacks and the June 2017 NotPetya attacks. The attacks didn't have to be as damaging as they were.

SiteLock Web Researcher Michael Veenstra told SC Media that beyond the ever-present need for strong data loss contingencies, the most important thing an administrator can do is maintain effective security policies across the board that ensure systems are maintained and patched in a timely fashion.

“The EternalBlue vulnerability was patched on all supported Microsoft operating systems two months prior to the WannaCry outbreak, and one month before the existence of the vulnerability was publicized by a leak from the Shadow Brokers,” Veenstra says. “Organizations affected by this attack would have been saved countless dollars – between paid ransoms, incident response, and immaterial costs like the loss of customer trust – if the servers on their network were kept up-to-date.”

Ignorance of how ransomware attacks work also contributes to the spread of ransomware infections. Employees often aren't aware of best practices to prevent attacks. Human errors can prove just as dangerous, if not more so, as unpatched systems, meaning that organizations should work to better educate employees on how to spot phishing attacks and admins should enable backups and contingency plans in the event of mistakes, researchers say.

“According to Verizon's DBIR Report, the use of social actions, like personalized phishing emails, increased from 8 percent to 21 percent of malware incidents in 2016,” Cyberbit Chief Technology Officer Oren Aspir tells SC Media. “By training employees to avoid phishing emails the majority of ransomware will be avoided.”

There's an added bonus to putting effort into training: preventing phishing attacks can also curb other cyberattacks, says Shalabh Mohan, vice president, products and marketing, at Area 1 Security.

“Phishing is the root cause for a majority of all cybersecurity incidents; and that includes ransomware breaches,” Mohan says. “In order to truly protect against ransomware, organizations should look towards stopping phishing attacks comprehensively for their end users, irrespective of what attack vector it may be coming from.”

STEALTHbits Technologies Chief Technology Officer Jonathan Sander told SC Media that while there are very good platforms that can ramp up user awareness of these threats, the real trick is to find ways to keep the damage to a minimum in the case where ransomware does get in.

Experts agree. Dean Ferrando, SE Manager (EMEA) at Tripwire, told SC Media that “organizations should continually test their backups and implement a streamlined restoring process to reduce the impact an attack will have on trade” in case an infection slips through.

One of the biggest ways to reduce the damage of a ransomware attack is by ensuring all important files are frequently backed up in a safe place in the event of a compromise.

“Fresh backups are key to remediating after a ransomware attack, and destructive attacks more generally,” Chris Doman, a security researcher at AlienVault, tells SC Media. “It's also important that the backups are located somewhere that the ransomware can't touch” since it's possible for ransomware to infect backups as well.

It's also important to understand that cloud storage can become corrupted, and to plan accordingly so that cloud backups do not become compromised as well. As more organizations move to the cloud, researchers warn them to keep track of the blind spots that can arise from using these platforms.

“In the cloud, you get huge advantages in agility but it's also harder to maintain an accurate assessment of your entire environment,” Tim Prendergast, CEO at, says. “New functionality is turned on, updates are deployed, and default settings run counter to your policies; no one organization can see and respond to everything going on.”

Prendergast says ransomware in the cloud takes advantage of unprotected data, services and servers operating in company cloud environments, and that once the malware has infiltrated the environment through one of many potential weaknesses, it locates and encrypts unprotected data and systems to fuel ransom demands for Bitcoin, Ethereum or other digital currencies.

“An organization that carries out an effective data-backup strategy for servers and for user-endpoints is far more likely to successfully recover from a ransomware event than the organization that puts their faith in the criminal's ability to assist in a recovery,” says Scott Keoseyan, threat intelligence leader at Deloitte Risk and Financial Advisory Cyber Risk Services.

Organizations should also ensure they have the proper tools to effectively monitor their networks and spot potential attacks before they can cause major damage.

Keoseyan says a comprehensive vulnerability management program that provides continuous monitoring of an organization's publicly exposed assets is critical, and that the information gathered must be fed into a remediation process that includes timelines and SLAs for mitigation and remediation.

“Incident response, disaster recovery and business-continuity planning had been moving in the direction of understanding things like ‘how to acquire bitcoin to pay ransoms’ but it is critical that these key cyber-security and IT processes be adapted to account for scenarios where recovery via ransom is not an option,” Keoseyan says.

Some researchers recommend going above and beyond, where possible, to ensure systems are protected. Eldon Sprickerhoff, founder and chief security strategist at eSentire, says the majority of his clients have taken better-than-usual precautions against ransomware, including technical hardening of systems, improved analysis of attachments through upstream email services and the local firewall/mail server, and hardening of workstations, including improved patch rigor, restricted access, removal of local administrator rights, disabling macros through GPO, endpoint solutions, and more.

Sprickerhoff says these measures were coupled with a better sense of what is appropriate from a backup/restore perspective. He notes that even trained employees can still be at risk: one of his clients was tasked with opening another employee's email while that employee was on vacation, and almost exposed the network to malware.

“Even though they had ransomware-specific training, they disabled all of the protections and became infected when they opened an email with ransomware,” Sprickerhoff says. “We identified and shot down the attack immediately, and the client restored quickly from backup.”

He says these types of scenarios underscore the necessity for a multi-pronged approach that includes technical precautions, training, eyes-on-glass, rapid incident response and backup/restore capabilities.

Sander had a similar experience that testifies to the importance of monitoring networks for unusual activity and taking alarms seriously. When an alarm went off signaling unusual activity, everyone, including the engineer, thought it was a mistake, but they soon learned it wasn't and found themselves in an all-out ransomware attack. Ultimately the attack didn't spread far, and the firm lost only a few files on the first machine hit, which belonged to a user who had clicked a malicious link. Most of that user's files had already been backed up, which minimized losses even further.

And while it's important to take every measure to prevent and minimize attacks, researchers emphasized that there is no silver bullet for preventing ransomware attacks and that firms have to remain vigilant against the threats.

“There is no fool-proof method to completely avoid ransomware attacks, you can only try to prevent some from succeeding, minimize the damage of those that succeed and reduce the time and effort of recovering from such an attack,” Mounir Hahad, senior director of Cyphort Labs, says, adding that you can't afford the time to decide whether you should pay the ransom or not while you are under attack.

Other experts agree. Ilia Kolochenko, CEO of web security company High-Tech Bridge, contends “we'll hardly invent any groundbreaking techniques to fight ransomware without following cybersecurity fundamentals.”

Until companies “perform holistic risk assessments to establish a cybersecurity strategy with a priority-based roadmap, any ‘local’ solutions will likely fail or give temporary relief,” Kolochenko says. “Comprehensive inventory of all your digital assets, their proper maintenance and patch management, security hardening and continuous monitoring - are among the pivotal processes, essential to reliably preventing ransomware.”

Prevention is key, and using tools like AV, sandboxing, IDS, spam filtering and threat intelligence feeds, in addition to frequently backing up systems, will help organizations remain resilient against ransomware attacks.

“Once an adversary encrypts your data, your options to deal with the attack get very limited, very fast,” Sanjay Kalra, co-founder and chief product officer at Lacework, tells SC Media. “The most important defense against a ransomware attack is to be prepared before it happens.”
