20 steps to prevent ransomware attacks

This article shares some tips and actions you can take to make your organization (both the environment and the employees) better able to deal with the risk of ransomware attacks.

Ransomware is not new; it has been around for more than two decades, but only in the past 4-5 years has it become widespread. Ransomware is malware that locks or encrypts computers and demands payment for the decryption keys. The motivation behind these attacks is financial: it is an easy way for criminals to make a profit, and a whole industry of ransomware development has grown up around it. Ransomware does not look like it is going away any time soon, since it is a solid revenue source for cyber criminals.

There is no single product or solution that can stop ransomware; a layered security approach is needed. The first thing to do is to ensure your information is backed up offline and your defenses are up, so that you are as prepared as possible. Implementing the recommendations below will keep your defenses up and significantly reduce the risk of a successful ransomware attack.


Prepare your infrastructure:

Machine hardening:

1. Protect your file server against ransomware: block ransomware’s changes to your file servers. Harden NTFS permissions and settings, monitor and block unauthorized file usage, and check file integrity, creation and deletion. Most file servers and SANs are sabotaged when an infected laptop or workstation on the network has a remote drive mapped. Locking down and monitoring the file server won’t save the workstation, but it will prevent the shared resource on the file server from being corrupted and will raise an alarm.

2. Prevent saving files locally. Make sure your files are stored on network storage that is backed up offline.

3. Control write-access permissions to remote files. Use Access Control Lists (ACLs) to specify what actions your users can perform on files. If the only permission a user account has is Read, ransomware running as that user cannot corrupt anything.

4. Enforce best practices for basic NTFS permissions on a share.

It is recommended to implement a tool or process that standardizes the way shares and file/folder permissions are created in the organization. Once the best practices are enforced, it is essential to actively prevent permission degradation. Often, administrators start with a well-designed permission structure which is modified over time; this opens the potential for users to modify the permission structure and open up security holes.

Good recommendations can be found in this article: http://windowsitpro.com/security/12-commandments-file-sharing
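As an added example (not part of the original article), the following PowerShell script audits the NTFS permissions behind each SMB share and reports the entries that contradict steps 3 and 4: broad groups holding write-class rights. It assumes it runs on the file server itself, and the list of "broad" principals is our own choice.

```powershell
# Added example, not from the original article: audit every non-administrative
# SMB share on this file server and list NTFS ACEs that give broad groups
# write-class rights. Assumes it runs on the file server with rights to read
# the ACLs; the set of "broad" principals below is our own choice.
$FSR = [System.Security.AccessControl.FileSystemRights]

$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)

# Only the bits that let a caller change, delete or re-permission files.
# Composite rights such as Modify/FullControl are deliberately not used as the
# mask: they also contain read bits that a harmless read-only ACE shares.
$writeMask = [int]($FSR::Write -bor $FSR::Delete -bor
                   $FSR::DeleteSubdirectoriesAndFiles -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership)
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Find-BroadWriteAccess {
    # Returns one object per risky ACE; an empty result means nothing was found.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }
    foreach ($share in $shares) {
        $acl = Get-Acl -Path $share.Path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $grantsWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            $isBroad     = $broadPrincipals -contains $ace.IdentityReference.Value
            if ($grantsWrite -and $isBroad) {
                [PSCustomObject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-BroadWriteAccess | Format-Table -AutoSize
```

Inherited entries usually point at a parent folder whose ACL should be fixed first, since fixing the share alone is undone the next time inheritance is re-propagated.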

5. Configure the environment not to run unsigned macros. Enforce and harden macro execution policies, and block untrusted PowerShell execution and untrusted Windows Script Host (WSH) scripts.
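An added example (not from the original article) of applying step 5 to a single machine through the registry, with a read-back check. The Office version (16.0) and the application list are assumptions, and in production these settings belong in Group Policy rather than in a script.

```powershell
# Added example, not from the original article: apply the step 5 settings to one
# machine through the registry and verify them. Run elevated. In production these
# belong in Group Policy; the Office version (16.0 = Office 2016/2019/365) and the
# application list are assumptions.
$officeVersion = '16.0'
$officeApps    = 'Word', 'Excel', 'PowerPoint'
$wshKey        = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-OfficeSecurityKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
}

foreach ($app in $officeApps) {
    $key = Get-OfficeSecurityKey $app
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
    # Refuse macros outright in files that carry the Mark-of-the-Web (downloaded or e-mailed).
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# Windows Script Host: Enabled = 0 stops wscript.exe/cscript.exe from running .vbs/.js/.wsf files.
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# PowerShell: require signed scripts. The execution policy is a safety feature, not a
# security boundary (a local administrator can change it), so pair it with whitelisting.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

function Test-ScriptHardening {
    # Returns $true only when every setting above reads back in its hardened state.
    $ok = $true
    foreach ($app in $officeApps) {
        $v = Get-ItemProperty -Path (Get-OfficeSecurityKey $app) -ErrorAction SilentlyContinue
        if ($null -eq $v -or $v.VBAWarnings -lt 3 -or $v.BlockContentExecutionFromInternet -ne 1) { $ok = $false }
    }
    $wsh = Get-ItemProperty -Path $wshKey -ErrorAction SilentlyContinue
    if ($null -eq $wsh -or $wsh.Enabled -ne 0) { $ok = $false }
    if ((Get-ExecutionPolicy -Scope LocalMachine) -notin 'AllSigned', 'Restricted') { $ok = $false }
    return $ok
}
Test-ScriptHardening
```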

6. Enforce best-practice OS baselines to reduce the attack surface: user rights, remote services, deactivating autoplay, use of strong passwords, disabling vssadmin.exe, registry keys, etc.

7. Harden and enforce local firewall configurations, settings and port usage. For example, block TOR IP addresses that are known to be malicious.

For best practices: https://www.cisecurity.org/

8. Implement a whitelist approach that allows only specified programs to run on the organization’s computers and therefore blocks malware (for example, blocking TOR, Flash and Zip files). Implementing a whitelist approach at the machine level means that you have full control of the software, processes and actions that run on your servers. Implement rules that block activity such as files executing from the ‘AppData’ directory, or even disable the ability for executables to run from attachments.
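An added example (not from the original article) of the whitelist rule step 8 describes, written as an AppLocker path policy that is dry-run against a probe file before anything is enforced. The rule GUIDs and the probe path are constructed for this example.

```powershell
# Added example, not from the original article: an AppLocker policy that allows
# executables only from Windows and Program Files, explicitly denies anything
# under a user's AppData, and is dry-run against a probe file before being
# enforced. Rule GUIDs and the probe path are constructed for this example.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1111111-1111-1111-1111-111111111111" Name="Allow Windows"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a2222222-2222-2222-2222-222222222222" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a3333333-3333-3333-3333-333333333333" Name="Administrators: anything"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a4444444-4444-4444-4444-444444444444" Name="Deny user AppData"
        Description="Deny beats Allow, so this binds administrators too"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-appdata.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Probe: a copy of a signed Windows binary placed under AppData. Its path, not its
# signature, is what the path rules above judge.
$probe = Join-Path $env:LOCALAPPDATA 'applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\whoami.exe" -Destination $probe -Force

function Test-AppDataPolicy {
    # Returns one decision object (FilePath, PolicyDecision, MatchingRule) per path,
    # evaluated for the Everyone group against the XML policy, without enforcing it.
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
        $probe
        "$env:WINDIR\System32\whoami.exe"
    )
}
Test-AppDataPolicy | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force
# Roll out in AuditOnly first (watch events 8003/8004 in the AppLocker event log), then
# change EnforcementMode to "Enabled". Requires the Application Identity service:
#   Start-Service AppIDSvc
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Audit mode matters here because some legitimate software installs itself under AppData; every 8003 event during the audit period is a candidate for an explicit publisher rule before the deny is enforced.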

9. Restrict administrative rights and access. Managing access control from the user perspective is very hard to implement. It is recommended to implement an access control approach at the machine level for critical endpoints; this approach controls privileged users’ access to and between network resources.

10. Harden and enforce browser policies. Browser policy hardening best practices: https://www.us-cert.gov/publications/securing-your-web-browser

11. Enforce spam and malicious-attachment filtering settings.

12. Antivirus: ensure antivirus is installed, hardened and up to date across all endpoints in the business. While this will not protect against zero-day exploits, many ransomware variants are not that sophisticated and reuse older code for which security software already has defenses.

13. Ensure data is backed up and that the backups are secured. Harden the file storage location to network/cloud storage and ensure that storage is backed up offline.

14. Keep those backups where they cannot be hit! An air gap between the data and the backup copy means that no ransomware, worm, hacker or other hazard can get to it. Another approach is to burn your backups to DVD or another storage medium that is then write-protected.

15. Patching: verify and enforce the latest security patches for the OS, firewall, antivirus and applications.


User hardening:

16. Don’t give every end user administrator rights. The principle of least privilege has been recommended forever; it is hard to implement, but you should try and do the basics.

Further reading: Implementing Least-Privilege Administrative Models


Most Powerful of All: What Your People Can Do

17. Read your logs. Don’t ignore them: your logs provide you with the best intelligence about what’s going on in your environment.
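An added example (not from the original article) that ties step 17 back to the file-server monitoring in step 1: a first-pass detection over file-server object-access audit records that flags an account changing many distinct files within a short window. The events are constructed sample data, and the window and threshold are assumptions to tune per environment.

```powershell
# Added example, not from the original article: a first-pass detection over
# file-server object-access audit records (Security event 4663, write/delete
# accesses) that flags an account touching many distinct files in a short
# window, the pattern an encryptor leaves. The events below are constructed
# sample data; the window and threshold are assumptions to tune per site.
$events = @()
$t0 = Get-Date '2017-03-01T09:00:00'
# Normal activity: one user saving a few spreadsheets over an hour.
foreach ($i in 1..5) {
    $events += [PSCustomObject]@{ Time = $t0.AddMinutes($i * 10); Account = 'CORP\alice'
                                  Object = "\\fs1\finance\report$i.xlsx"; Access = 'WriteData' }
}
# Suspicious burst: one account rewrites 40 files in 20 seconds, all to a new extension.
foreach ($i in 1..40) {
    $events += [PSCustomObject]@{ Time = $t0.AddMinutes(75).AddMilliseconds($i * 500); Account = 'CORP\bob'
                                  Object = "\\fs1\finance\contract$i.docx.locked"; Access = 'WriteData' }
}

function Find-MassFileChange {
    param([object[]]$Events, [int]$WindowSeconds = 60, [int]$Threshold = 25)
    $alerts = @()
    $writes = $Events | Where-Object { $_.Access -in 'WriteData', 'AppendData', 'DELETE' }
    foreach ($group in ($writes | Group-Object Account)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        # Sliding window: advance $start until the window spans at most $WindowSeconds.
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            $files = @($sorted[$start..$end] | ForEach-Object { $_.Object } | Select-Object -Unique)
            if ($files.Count -ge $Threshold) {
                $topExt = $files | ForEach-Object { [IO.Path]::GetExtension($_) } |
                          Group-Object | Sort-Object Count -Descending | Select-Object -First 1
                $alerts += [PSCustomObject]@{
                    Account = $group.Name; Files = $files.Count
                    From = $sorted[$start].Time; To = $sorted[$end].Time
                    DominantExtension = $topExt.Name   # one odd extension across the burst is a strong triage hint
                }
                break   # one alert per account per run is enough for a first pass
            }
        }
    }
    return $alerts
}

Find-MassFileChange -Events $events | Format-Table -AutoSize
```

Feeding this from real data means enabling object-access auditing (SACLs) on the shares first; without that, the 4663 events the detection relies on are never written.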

18. Test your disaster recovery. Although fire drills are never welcomed, you should check that your DR really works and is not just a policy. When the day comes, your users will be thankful.

19. Test your users. How do they react to suspicious emails and files?

20. Educate your users!