Ransomware attacks seem to have risen sharply this year. As long as the world continues to operate with a hybrid or remote working model, our data are becoming more and more vulnerable to malware infections. So, it is crucial to learn more about digital attacks and how to protect your files.
Let’s start from the beginning.
What is ransomware?
It is a type of malware that blocks access to a device, system, or files until a ransom is paid. Suddenly, a notification appears on your screen saying that your files have been encrypted. To regain access to your files, you have to pay the ransom, typically in a cryptocurrency such as Bitcoin, so that the cybercriminals are not easily traced.
Who is a target for ransomware attacks?
In recent months, Germany’s “Federal Office for Information Security” has identified large-scale ransomware attacks aimed at financially strong victims, a strategy commonly referred to as “Big Game Hunting (BGH)”. Cybercriminals benefit from tools offered as “Cybercrime-as-a-Service (CCaaS)” and from blackmail methods, such as the deletion, encryption, or leak of the victim’s data, which seem to be effective. Cyber-attacks have mostly targeted Microsoft Windows versions, but attack cases on Linux operating systems are now appearing. Ransomware does not only target computer systems; it is also deployed on mobiles, servers, and IoT devices.
Government agencies and large companies, law firms, hospitals, financial companies, and many other industries are usual targets. Cybercriminals know that institutions with prestige and sensitive data in their possession are more likely to pay a ransom to retrieve their records. One such case was that of Acer in March this year. The company was asked to pay a ransom of $50 million; it has not been disclosed whether the company finally paid. However, anyone can easily become a victim of such an attack. The best protection is always awareness and prevention.
How to prevent an infection
Don’t forget to back up your data regularly. Keep at least three backups: save two on different media and keep one backup encrypted offline. It is difficult for an attacker to infect this offline copy with ransomware, so even in the worst scenario you will be able to restore the infected devices from your backups.
Keep your system updated with the latest security updates, and have a patch management plan for scheduled installations.
Invest in a behavior-based antivirus with a built-in detection system. A behavior-based antivirus detects malicious behavior on your devices and prevents the attack. This way, you will have a higher detection rate, earlier alerts, and better protection.
Multi-Factor Authentication (MFA)
It adds an extra security check when you log in to your online accounts. In addition to your username and password, you will be asked for another confirmation step. Such extra steps are usually an SMS code, a soft token, a hard token, or a confirmation call to your mobile. MFA can prevent not only ransomware attacks but also other types of attacks, such as account breaches, spyware, etc.
Members of an organization, business, or network are the “first line” of defense against a ransomware attack. It is critical to educate employees to beware of phishing emails, malicious links, insecure attachments, downloads, and other methods of spreading ransomware. The better educated they are, the sooner they will detect and prevent a malicious action. In addition, network users should have restricted rather than administrator rights, to limit the impact of an attack. They should also avoid connecting personal devices to corporate computers or using their social applications and websites on them.
Email sandboxing analyzes email links and attachments in a secure environment before they are delivered to the recipient. This added layer of protection, together with the use of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), reduces the risk of a ransomware attack on your network. SPF, DKIM, and DMARC are all free add-ons for your email system that authenticate the validity of the sender and the message content.
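As an added illustration of what the SPF and DMARC DNS records look like in a weak and in a hardened form (example code written for this article, not part of the original post), the Python below audits constructed TXT records for a hypothetical domain, flagging '+all' and 'p=none' and accepting '-all' and 'p=reject':

```python
import re
# Audit SPF and DMARC TXT records for weak settings. Added example, not code from
# the article; the records are constructed samples for a hypothetical domain.
# Weak: '+all' lets any host send as the domain; 'p=none' only monitors.
WEAK_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailprovider.test +all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}
# Corrected: '-all' rejects unlisted senders; 'p=reject' blocks spoofed mail.
HARDENED_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailprovider.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect", "ptr"}

def _mechanism_name(term):
    # Drop the qualifier (+ - ~ ?) and any argument after ':', '=' or '/'.
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def check_spf(record):
    """Return findings for an SPF record; an empty list means none found."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings, terms = [], record.split()[1:]
    all_terms = [t for t in terms if _mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get no verdict")
    elif all_terms[-1][0] not in "-~":
        # The last 'all' term decides the fate of unlisted senders ('+' or '?' is weak).
        findings.append(f"'{all_terms[-1]}' does not reject unlisted senders")
    # RFC 7208 caps DNS-querying mechanisms at 10; more makes the record a permerror.
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means none found."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown 'p' policy tag")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports are not collected")
    return findings
```

A real audit would fetch the TXT records for the domain and for its `_dmarc.` subdomain over DNS and feed them to these two functions.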
IP control and geo-blocking
Use an egress whitelisting firewall to regulate access to external IP addresses. This firewall monitors traffic from your network to the Internet and only admits connections that the network administrator has explicitly approved. It works best with geolocation IP blocking, which blocks activity based on IP addresses from specific geographical locations. You may geo-block regions either because you have no business activity there or because you have intentionally excluded them as known sources of cyber-attacks. Blocking traffic from specific locations is another high level of control.
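To make the combination of egress allow-listing and geo-blocking concrete, here is an added Python example (not the article's or any vendor's firewall code) that applies such a policy to a few constructed outbound-connection log lines; the GeoIP table, the allow-list, and the rule that geo-blocking is evaluated before the allow-list are all assumptions:

```python
# Evaluate outbound connections against an egress allow-list plus geo-blocking.
# Added example for this article, not any vendor's firewall code. The prefix
# table, allow-list and log lines are constructed samples (RFC 5737 test ranges).
import ipaddress

# Stand-in for a GeoIP database: prefix -> fictional country code.
GEO_PREFIXES = {"198.51.100.0/24": "AA", "203.0.113.0/24": "BB"}
# Regions with no business activity; traffic to them is blocked outright.
BLOCKED_COUNTRIES = {"AA"}
# Destinations the administrator has explicitly approved, as (network, port).
ALLOWED_DESTINATIONS = [
    ("203.0.113.10/32", 443),  # hypothetical SaaS mail provider
    ("203.0.113.0/25", 53),    # hypothetical DNS resolvers
]

def country_of(ip):
    """Map a destination address to a country code, '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"

def decide(dst_ip, dst_port):
    """Return 'allow' or a deny reason. Geo-block is checked before the allow-list
    (an assumption), so an approved destination in a blocked region is still denied."""
    cc = country_of(dst_ip)
    if cc in BLOCKED_COUNTRIES:
        return f"deny: geo-blocked ({cc})"
    addr = ipaddress.ip_address(dst_ip)
    for network, port in ALLOWED_DESTINATIONS:
        if port == dst_port and addr in ipaddress.ip_network(network):
            return "allow"
    return "deny: not on egress allow-list"

# Constructed outbound-connection log: "<src> <dst> <port>" per line.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 443
10.0.0.5 203.0.113.10 80
10.0.0.7 198.51.100.9 443
10.0.0.9 203.0.113.77 53
10.0.0.9 203.0.113.200 53
"""

def evaluate_log(log):
    """Return (src, dst, port, verdict) for each log line."""
    results = []
    for line in log.splitlines():
        src, dst, port = line.split()
        results.append((src, dst, int(port), decide(dst, int(port))))
    return results
```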
Create a multi-level defense
For the external perimeter of your network, use firewalls, IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), access control lists, etc. Organize your defense internally as well by segmenting your network physically or virtually (virtual LANs), implementing user and device access rules and roles, and creating DMZs.
Prepare a disaster recovery plan and an incident response plan with clear roles for dealing with an attack, and a specific strategy and actions that are tested periodically.
Are you facing a ransomware attack?
Keep calm. You do not need to pay the ransom: paying encourages such criminal acts, and there is no guarantee that your files will indeed be decrypted or restored.
- Isolate the infected devices and disconnect from the internet.
- Activate the antivirus and restart the device in safe mode.
- If you do not have a backup of your files, there are tools available online to help you.
You may visit NoMoreRansom.org to find free decryption tools and instructions for dealing with different types of malware. The “No More Ransom” project is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee, with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.
This project also attempts to educate users about how ransomware operates and what precautions may be taken to avoid infection. The more people who support this effort, the better the outcomes will be. Other public and private entities are welcome to participate in this effort.
Personal data breach
A ransomware attack is a breach of personal data and should be reported to the authorities in charge of monitoring cyber-attacks. So, it is a good idea to save a screenshot of the ransom message that appeared on your screen so that you can show it to the authorities and provide them with as much information as possible.
According to the European Data Protection Council’s guidelines (Guidelines on Personal data breach notification under Regulation 2016/679 or WP250rev.01), a ransomware attack must be reported to the Personal Data Protection Authority (APDP) unless it can be proven that no data was leaked.