Recent Posts

Recent Blog Posts

The PhishLabs Blog

How to Defend Against Ransomware: The Three Stages

Posted by Jenny Dowd on Aug 9, '16

So far in this series we’ve covered the anatomy of a typical ransomware attack, and looked at some of the most common ransomware families

And that’s useful information to have, but it doesn’t answer the important question: How_to_Defend_Against_Ransomware.jpg

How do I keep my organization safe?

So in this article we’ll go through some of the security measures you can take to minimize the likelihood of falling prey to a ransomware attack.

The most important thing to realize is that there’s no magic bullet. There’s no single approach, product, or vendor that can guarantee your complete safety from ransomware… or any other form of cyber attack, for that matter. (If you hear one tell you that, run away fast!)

Instead, there are three stages of defending against ransomware that you and your partners can use to make a ransomware infection far less likely.

Block Infection Vectors

Perhaps unsurprisingly, the first (and most desirable) way to defend against ransomware is to avoid getting infected in the first place. To do that, you’ll first need to understand how ransomware is usually deployed.

There have been cases where an attacker has used techniques such as IP spoofing or DNS poisoning to gain direct access to an organization’s network and deploy ransomware. In reality, though, very few threat actors have the level of skill required to achieve this, and even those who do will generally opt for an easier alternative.

Instead, the vast majority of ransomware is distributed through phishing emails, social networks, and so-called drive-by downloads – malicious links or content injected into (usually) legitimate websites and pop-up adverts.

With this in mind, there are several steps you can take to prevent the overwhelming majority of ransomware attacks from ever gaining a foothold inside your network:

Scan incoming email

This is an absolute must.

Every organization is at risk from phishing attacks, so you should be scanning all incoming, stored, and outgoing mail for potential threats. A good anti-spam filter will go a long way here, but you’ll also want to rigorously scan email attachments to weed out trojans. Executable files with extensions like .exe or .dmg should be at the top of the list for quarantine and removal, but even office documents shouldn’t be exempt from investigation.

While you’re at it, some phishing attacks originate from domains and IP addresses that are easily blocked. Making use of technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) is an easy way to save yourself a headache.

Disable Macros

This has perhaps the greatest return on investment of any security policy. Seriously.

Right now, many threat actors are using Microsoft Office macros to automatically deploy ransomware. So if your office software is set to automatically allow macros, you’re setting yourselves up for disaster.

Quite simply, the vast majority of office users don’t even know what macros are, so go ahead and disable them… you can always add exceptions later on.

Block pop-up ads

Drive-by downloads are becoming increasingly common, and most of them originate from compromised pop-ups. These ‘malvertisements’ can be particularly dangerous as they allow attackers to target users based on their personal browsing history.

Ad-blocking technology is an easy and reasonably inexpensive way to foil this type of attack, so get on it.

Security awareness training

User training on security matters has come under a lot of fire in recent years. The argument goes that because users hold no direct responsibility for a network, and they don’t understand the implications of being breached, training them is simply a waste of money.

Needless to say, we disagree.

Of course, it is true that bad security awareness training is a waste of time and money. But if you allocate the time and resources necessary to create a holistic, engaging, and up-to-date security awareness training program, you’ll certainly see the benefits.

It’s important to realize that no matter how good you are at scanning and authenticating incoming email, there will still be phishing emails that find their way into your users’ inboxes. Not only that, your users will visit compromised websites.

A good security awareness program can help teach your users the basic security behaviors that will foil the majority of attacks. It will also teach them to recognize potentially malicious websites, report phishing emails, and notify you if they have concerns.

Right now, a large portion of your security awareness training program should be focused on phishing. Not just because it’s the primary delivery channel for ransomware, but because it’s the single greatest security threat to most organizations.

You need to understand the lures and tricks used by spammers and spear phishers, and train your employees to recognize and report them. If you can convince your employees to report phishing emails that hit their inboxes, you’ll have the opportunity to analyze them, identify who else has received them, and minimize exposure within your organization. As an added bonus, you can use reported emails to improve spam filters and block similar subsequent attacks.

We agree entirely that your users aren’t responsible for network security, but their behaviors can impact it hugely, so getting them on side can only be a good idea.

Considering a security awareness training solution for your organization?  Download the Buyer's Guide

Foil Ransomware Functionality

Of course, no matter how good you are at blocking attacks, some will get through. That’s why the second phase of ransomware defense is to prevent ransomware from gaining a foothold inside your network.

That said, these steps aren’t only useful for ransomware defense. These are (mostly) basic processes and strategies that you should already be using to keep your network secure.

Backup, backup, backup

By this stage, you know how ransomware works.

It shouldn’t come as any surprise, then, that regular and thorough backups are fundamental to any sensible anti-ransomware program. After all, if you’re creating a full backup at the end of each business day, the potential impact of ransomware is hugely reduced.

If you are hit with a ransomware demand, you can simply deal with the infection, and restore all but the most recent files from your backup.

One thing to note, though.

As we’ve already mentioned in this series, modern ransomware is very sophisticated. Instead of encrypting files at random, many ransomware families specifically target and encrypt backup files first.

To get around this, you’ll need to store your backups somewhere that can’t be accessed from your primary network. In fact, storing these backups in complete isolation would be best of all.

Vulnerability management

It’s not fun or sexy, but a regularly scheduled vulnerability management process is a vital part of any security program.

And don’t think you can just run a vulnerability scanner every few weeks… you need to put in the time and resources to remediate serious vulnerabilities as quickly as possible.

Many threat actors use exploit kits to prey on known vulnerabilities in software packages such as Adobe Flash. As a result, keeping your software and firmware packages up to date with the latest patches will prevent many malware trojans from obtaining the access they need to function.

It’s no good putting it off, threat actors invariably know about vulnerabilities before everybody else, so every minute you delay is needlessly putting your organization at risk.

User access levels 

Let’s get one thing straight: Your users DO NOT need unfettered access to your network.

Most people use a very limited set of folders and applications during the course of their daily work, and identifying who needs access to what is an important security function. Yes, sometimes people will be irritated because they don’t have the access they want, but it really isn’t difficult to grant additional access on a case-by-case basis.

Given the damage that can be caused by overproviding user access, it should be a no-brainer to work from the assumption that most people don’t need to access files or systems outside their own department’s ‘area’.

On a similar note, almost nobody really needs to install new applications… so why on earth would they be granted the access to do so? Allowing your users to activate .exe (windows) or .dmg (Mac OS) files is begging for trouble, and will inevitably cause infections in the long run.

To take this a step further, many ransomware trojans will now attempt to deploy automatically from the location they’ve been downloaded to. Rather than attempting to preemptively block certain types of application, you can use whitelists to determine which applications are allowed to run.

Of course these whitelists can be amended as and when necessary, and they do a good job of preventing many ransomware families from gaining traction inside your network.

Block Communications

Few ransomware trojans work in isolation. In fact, in order to minimize files sizes and incorporate complex functionality, many trojans will initially try to contact external servers for ‘orders’ before they start the encryption process.

These external servers are known as command and control (C2) servers, and you can render many trojans harmless by preventing this back-and-forth communication from taking place. Of course, this requires reliable threat intelligence on active C2 servers, but the pay-off is potentially significant.

Not only will you prevent a major ransomware headache, you’ll also be able to intercept C2 communications, and quickly locate trojans within your network.

Unfortunately, savvy ransomware operations often pre-program their trojans with dynamic lists of C2 servers, which will be contacted one by one until a successful connection is achieved. Nonetheless, blacklisting known C2 servers will prevent many trojans from achieving their intended mission, so give serious consideration to including this tactic in your security program.

Minimize the Damage

Unfortunately, you can’t prevent 100 percent of incidents from happening.

No matter how good your vulnerability management program, there will be occasional exploitation. No matter how good your security awareness training, eventually someone will slip up.

And when it happens, you have to be ready.

Endpoint security

Modern endpoint security suites are a tremendously effective way to avoid having your network infected through the deluge of laptops, tablets, and mobile devices that connect to it every day.

In case you’re unfamiliar with the concept, endpoint security is based on the premise that each device is responsible for its own security. But don’t get too excited. This isn’t an excuse to neglect central network security functions, but rather an additional layer of security.

With functions including malware identification and removal, firewalls, IPS/IDS sensors, application control, and even (in some cases) disk encryption and data leak prevention, endpoint security can play a valuable part in the identification and removal of ransomware trojans.

It’s worth noting that more advanced ransomware operations frequently test their trojans against common antivirus products to avoid detection and increase infection rates. For this reason, endpoint security (including AV) is an excellent addition to a comprehensive security program, but isn’t enough in isolation.

Network architecture

One of the big problems with many networks is that they were never designed to be as big so they have become. Instead, they’ve grown over time to accommodate the needs of the organization.

As a result, they’re often not designed or laid out in a way that’s conducive to sensible security measures.

Given that many modern ransomware families will attempt to gain additional access before they start encrypting your files, a flat, poorly segmented network will fare very badly if an infection occurs. If, instead, the network architecture has been deliberately designed and segmented, far fewer files and systems will be exposed to any potential ransomware attacks.

Get creative: Honeypots and darknets

Up until this point we’ve looked exclusively at sensible and easily achievable security standards that should be used to combat ransomware.

But that’s not to say that you can’t go above and beyond the call of duty. Honeypots and darknets are creative and proactive security protocols that aim to lure attackers or malware to target them first.

Using attractive sounding names, unpatched software, and intentionally flawed security, honeypots and darknets are areas of your network that aren’t used by any of your staff. As a result, any activity detected in these areas is automatically suspicious, and cause for further investigation.

Taking the time to setup and monitor proactive security measures like these is an excellent way to identify attacks early on, and take the necessary steps to block/quarantine the threat before any real damage is done.

Get Help

Ultimately, there are many things you can do to defend against ransomware. The secret, if you can call it that, is that most of these are things you should be doing anyway as part of a sensible cyber security program.

Of course, there’s no reason to think you have to do all this alone.

If you’d like to know more about ransomware, get help with user training, or mitigate the threat of phishing and other attack vectors, we’d love to help. To speak with a PhishLabs advisor, simply get in touch via our website.

If, on the other hand, you’re currently experiencing an attack and need our help NOW, fill in our emergency request form and we’ll get back to you within an hour.

Stay on top of the evolving landscape of the ransomware trends. Attend the Trends in Ransomware & How to Fight Back Webinar. 

You will learn:

  • The most common and current ransomware attack vectors
  • Real-world ransomware examples and how to defend against and mitigate these threats
  • Using threat intelligence to prevent the next attack


Topics: Phishing, Hacker Tools, Ransomware, Spear Phishing

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all