Recent Posts

Recent Blog Posts

The PhishLabs Blog

How to Identify and Block Ransomware

Posted by Jenny Dowd on Apr 13, '17

bigstock-Digital-Security-Concept-80983148.jpgIn the last post, we took an in-depth look at how ransomware changed during 2016, and what we expect to see happen in the coming year.

The post, which was based on a recent webinar, was pretty long and in-depth, so if you'd like some context you might like to go back and read it before continuing or feel free to watch the on-demand webinar.

In this post we’re going to run through the most important part of the webinar: what you can do to secure your organization against ransomware.


Want to know more about ransomware? Why not download our free definitive guide, which contains everything you need to understand and intelligently defend against ransomware.

Download Definitive Guide to Ransomware

Guard Your Perimeter

The first stage of ransomware defense is simple: Put up a digital wall between the outside world and your critical assets.

Now, if you’re a regular reader of cyber security news and opinion, you’ve no doubt noticed that perimeter defenses are often denigrated as being insufficient, and an old fashioned approach to network security. And while that might be true (to a point) it’s still an essential part of your organization’s cyber defense program.

And since ransomware is overwhelmingly distributed through phishing emails, a number of traditional perimeter defenses can form a highly effective barrier against a good proportion of incoming attacks. Here are some of the steps you can take to minimize the likelihood of ransomware making its way inside your network:

  • Scan all incoming email, attachments, and URLs
  • Content filtering
  • Gateway antivirus (AV) scanning
  • Email authentication (e.g. SPF, DKIM, DMARC)

These may seem like obvious and natural steps to take, but you’d be surprised how many organizations fail to take them seriously. DMARC, for instance, is widely underutilized, but can dramatically reduce the chances of incoming malicious email being able to successfully spoof your organization’s email domain.

More importantly, while many organizations do take these steps, they don’t routinely maintain and tighten their technical controls.

Which brings us neatly on to one of the most important aspects of perimeter defense: Intelligence.

In order to properly tighten your perimeter defenses, your organization should have access to high quality threat intelligence feeds, which constantly highlight the most recently identified malicious domains, IP addresses, and hashes. Using this intelligence, your organization’s technical controls can be constantly refined and enhanced at a level that simply wouldn’t be achievable without.

The Human Firewall

Unfortunately, no matter how hard you try, it simply isn’t possible to block all incoming ransomware attacks at the perimeter. Ultimately, at least some phishing emails containing ransomware payloads will end up in your users’ inboxes.

And at that point, your organization’s security is quite literally in their hands.

Does that fill you with fear? It doesn't have to.

Unfortunately, this is where traditional security awareness training has let organizations all over the world down. Instead of arming users with valuable security knowledge and skills, it simply requires them to sit in a stuffy room once each year while a bored trainer covers precisely nothing of any interest or practical use.

But there is another way. Instead of security awareness training, we encourage you to think about phishing awareness training.

Quite literally, what we suggest is that you (or a trusted security partner) construct simulated ransomware phishing lures, based on real samples, and use them to teach your users how to identify and properly respond to real phishing emails.

Screen Shot 2017-04-12 at 11.55.59.pngThe image above is of a real phishing email used to distribute the Locky ransomware trojan

The process for this is simple. Each month, construct your simulated phishing campaign, and send it to each of your users. If they successfully identify and report the phish, they should be automatically thanked and congratulated. If the phish ‘fools them’ into following a link, or taking some other action, they should be immediately informed of their mistake, and provided with some powerful training to help them succeed in the future.

Screen Shot 2017-04-04 at 13.07.30.png

Screen Shot 2017-04-04 at 13.07.59.png

This process is known as ‘point of failure’ training, and is absolutely the best practice for generating a sustainable change in security behaviors.

Of course, in order to be successful, your phishing awareness campaign must be based on the latest real-world phishing samples, and it must also include truly high-impact training materials, preferably in multimedia format.

With this type of program in place, you should quickly notice a dramatic improvement in users’ ability to identify and report phishing emails, both within your simulation campaigns and in the wild. 

Thinking of buying in a powerful security awareness training (SAT) program? Before you do, check out our FREE 2017 buyer's guide.

Get the SAT Buyer's Guide

Blocking Ransomware Installation

Of course, while your human firewall is a superb asset, and one that every organization should have the benefit of, mistakes do happen.

Every now and then, somebody is bound to click on a malicious link. It could be a new employee who hasn't yet benefited from your training program, or a senior executive checking their email before rushing off to an important meeting, or just a person having a bad day.

Really, it doesn’t matter who makes the mistake. All the matters is that it can happen, and it’s important to take precautions.

The first, and simplest, control you can put in place is to disable macros in MS Office. A surprising number of ransomware trojans are deployed using simple macro scripts, which can be effectively prevented by simply disabling macros by default.

Screen Shot 2017-04-04 at 13.08.47.png

Additionally, there are several other simple controls you can put in place to minimize your organization’s exposure to ransomware. Since most ransomware (and other malware) are deployed using exploit kits, a powerful vulnerability management program is essential.

Equally, whitelisting and AV protection can help to identify and block ransomware during its deployment phase, although naturally these controls are only effective against trojans that are already known.

Beyond these, there are several more controls that can be effective in preventing or minimizing the damage caused by ransomware:

  • Network segmentation (flat networks don’t fare well)
  • Enforce a ‘least privilege’ model for user access levels
  • Backup routinely (preferably off site)
  • Block pop-up ads to avoid the danger of ‘malvertising’


Analyze and Respond

One of the major benefits of a powerful phishing awareness training program is the constant supply of reported, real-world phishing samples. By analyzing both the email & payload aspects of these phish, you can dramatically improve both your organization’s technical controls and incident response.

But in order to do all that, you’ll need to have at least one analyst capable of breaking down phishing content and answering the key questions. For example:

  • What type of ransomware is this?
  • How does it encrypt? (If at all)
  • How does it spread?
  • Are there decrypters available?
  • What are the IOCs?

By way of example, the following is a breakdown of the Locky ransomware trojan conducted by our own analysts.

Screen Shot 2017-04-12 at 12.04.55.png

Screen Shot 2017-04-12 at 12.05.34.png

Having this type of intelligence at your fingertips can be tremendously beneficial to your organization’s security profile, as it can inform improvements to technical controls, and make the task of identifying and containing ransomware attacks in progress far more achievable.

But when all else is said and done, you must have a ransomware specific incident response plan. Not only does it need to be fully documented and tested, it also needs to be practiced regularly to ensure all staff know exactly what they need to do and how to do it.

And once again, threat intelligence, whether produced internally or procured in the form of a threat feed, can be highly valuable in the development and evolution of your incident response plan, particularly when you’re dealing with new ransomware families that you may not have seen before.

Get Help

When you strip away the technical controls side of things, which naturally will be handled in-house, there are two vital elements to a powerful anti-ransomware program:

  1. Phishing awareness training
  2. Relevant and actionable threat intelligence

But here’s the thing: both of these can be outsourced. In fact, if you likely don’t have access to a constant stream of real-world phishing/ransomware samples and a team of analysts to deconstruct them, they probably should be outsourced.

Our analysts in the PhishLabs Research, Analytics & Intelligence Division (R.A.I.D.) see thousands of phishing samples every day, including payloads, not to mention deconstructing other elements of the phishing ecosystem such as phish kits, phishing sites, top level domain (TLD) usage, and much more.

If you’d like to know how our managed security awareness training and threat intelligence services could help secure your organization against ransomware (and all other phishing based threats), click here to arrange a live demonstration.

Topics: Phishing, Ransomware, Phishing Trends and Intelligence Report,

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all