How To Prevent Ransomware
Ransomware is malicious code that renders the files and/or operating environment of an endpoint unavailable—be it an end user device or a server—until a payment is made to the cybercriminal.
Cybercriminals use ransomware to take over devices or systems to extort money. Once the malware has been installed, the hacker controls and freezes you out of it until you pay a ransom. In the earliest versions of ransomware, the attackers claimed that after you paid the ransom, you would get a decryption key to regain control of your computer.
The Evolution of Ransomware
Ransomware has evolved, and there are now many variants. Some ransomware just encrypts files, while other variants destroy file systems. Some cybercriminals are purely financially motivated and will indeed return systems to operation after payment. Other attackers are not, and will not restore operations after payment, whether out of spite or for political or other reasons.
Currently, many ransomware campaigns employ multiple measures and methods to elicit payment. In addition to holding systems for ransom, some cybercriminals steal data and threaten to release it if ransom is not paid. Other attackers even go so far as to contact the customers whose data they’ve stolen in an attempt to collect payment from them.
Ransomware attacks have crippled entire organizations for hours, days, or longer.
Initially, a secure backup and proactive restore process was often enough to get an organization off the hook. The latest class of ransomware threats, however, requires more comprehensive security measures than backup and restore alone.
There is some good news: today’s sophisticated, multi-stage ransomware attacks give potential victims multiple opportunities to stop an attack before it steals data or locks up computers and files.
Of course, it is ideal to stop an attacker from ever gaining a foothold, but even if they do get in, identifying early stages such as network discovery, command-and-control communications, lateral movement, data collection and staging, exfiltration, and encryption is critical. See below for tips on ransomware prevention and how best to respond to a ransomware attack.
9 Tips To Reduce Ransomware Risk
1. Never Click on Unverified Links
If a link is in a spam email or on a strange website, you should avoid it. Often, hackers spread ransomware through a malicious link that initiates a malware download. Once the malware is on your computer, it can encrypt your data, holding it hostage, only allowing someone with a decryption key to access it.
However, the malware has to get on your computer first, and the most popular method of spreading ransomware is through a malicious link. If a link has not been verified, it is best to leave it alone.
2. Scan Emails for Malware
Stopping ransomware or other malware starts with scanning email communications. Email scanning tools can often detect malicious software. Once the scanner has detected malware, the email can be discarded without ever reaching your inbox.
Typically, the malware in the email will be embedded in an attachment or inside a file within the body of the email. Hackers have been known to insert images that appear innocent, but when you click on the image, it installs ransomware on your computer. Scanning for emails with these kinds of files can prevent your device—or others on your network—from getting infected.
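As an added illustration of the kind of checks an attachment scanner applies (example code written for this article, not Fortinet's or FortiMail's logic), the following Python walks the MIME parts of a constructed message and flags attachments by risky extension, double extension, and a Windows PE header hidden behind an image file name. The extension list, the sample message and the verdict labels are assumptions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions that commonly carry ransomware droppers (assumed list, not a vendor rule set)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".ps1", ".jar", ".iso", ".lnk", ".docm", ".xlsm"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable, whatever the file is called

def scan_message(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 5322 message and return one finding per part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        lower = name.lower()
        reasons = []
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {ext}")
        # invoice.pdf.exe style names rely on the last suffix being hidden by the mail client
        if lower.count(".") >= 2 and ext in RISKY_EXTENSIONS:
            reasons.append("double extension")
        # content does not match the name: an 'image' whose bytes are really a PE executable
        if payload.startswith(PE_MAGIC) and ext not in RISKY_EXTENSIONS:
            reasons.append("PE header hidden behind non-executable name")
        findings.append({
            "name": name,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "verdict": "block" if reasons else "allow",
            "reasons": reasons})
    return findings

def build_sample_message() -> bytes:
    """Constructed test e-mail with three attachments; not a real campaign sample."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00fake-pe", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00fake-pe", maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding["verdict"], finding["name"], finding["reasons"])
```

The "photo.jpg" case shows why a scanner must inspect content and not just names: the extension is harmless, but the bytes are an executable.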
3. Use Firewalls and Endpoint Protection
Firewalls can be a good solution as you figure out how to stop ransomware attacks. Firewalls scan the traffic coming from both sides, examining it for malware and other threats. In this way, a firewall can ascertain where a file came from, where it is headed, and other information about how it traveled and then use that to know whether it is likely to contain ransomware.
With endpoint protection, individual endpoints are shielded from threats. There are certain types of traffic that are more prone to carrying threats, and endpoint protection can keep your device from engaging with those kinds of data. Also, hackers may use malicious applications to infect your endpoints with ransomware. Endpoint protection will prevent designated endpoints from running these kinds of applications.
4. Only Download from Trusted Sites
It is common for hackers to put malware on a website and then use content or social engineering to entice a user to click within the site. Social engineering applies pressure on the user, typically through fear, to get them to take a desired action—in this case, clicking a malicious link.
In many cases, the link itself may look innocent. If you are not familiar with the site or if its Uniform Resource Locator (URL) looks suspicious even though it appears to be a trusted site, you should steer clear. Cybercriminals often create fake sites that look like a trusted one. Always double-check the URL of a site before downloading anything from it.
5. Keep Backups of Important Data
Ransomware attackers like to take advantage of users who depend on certain data to run their organizations. Often, because the data plays an integral role in daily operations, a victim may feel it makes more sense to settle the ransom so they can regain access to their data. You can avoid this temptation by backing up your important data on a regular basis.
If your data is backed up to a device or location you do not need your computer to access, you can simply restore the data you need if an attack is successful. It is important to make sure you back up all critical data frequently because if enough time goes by, the data you have may be insufficient to support your business’s continuity.
6. Use a VPN When Using Public Wi-Fi
Public Wi-Fi is convenient because it is easy to get onto, often without a password. Unfortunately, it is just as easy for hackers to use public Wi-Fi to spread ransomware. Whenever you are on a public Wi-Fi network, you should use a virtual private network (VPN).
A VPN encrypts the data flowing to and from your device while you are connected to the internet. In effect, a VPN forms a “tunnel” that your data passes through. To enter the tunnel, a user has to have an encryption key. Also, to read data that goes through the tunnel, a hacker would need to decrypt it. To block ransomware, a VPN keeps outsiders from sneaking into your connection and placing malware in your path or on your computer.
7. Use Security Software
Security software can be a powerful tool in ransomware prevention. Therefore, it is often listed among the best practices to prevent ransomware. Security software checks the files coming into your computer from the internet. When a malicious file has been detected, the software prevents it from getting into your computer.
Security software uses the profiles of known threats and malicious file types to figure out which ones may be dangerous for your computer. To stay current, security software often comes with free regular updates. These can be installed automatically by the provider. As the provider becomes aware of new threats, their profiles are included in the update. As long as you make sure your software is updated periodically, you will have the best protection the software can provide.
8. Do Not Use Unfamiliar USB Devices
A Universal Serial Bus (USB) device can be used to store a malicious file that could contain ransomware. Whether the USB holds an executable that can infect your computer or a file that launches automatically when you insert the device, it can take very little time for an apparently benign USB device to take over your computer.
Cybercriminals may leave a USB device lying around, knowing that some people will be tempted to pick it up and insert it into their computers. The criminal may even print a seemingly innocent label on it, making the device look like a free gift from a reputable company. If you ever find a USB device, do not insert it into your computer. The safest USB devices are those purchased from a store and sealed inside intact packaging.
9. Avoid Giving Out Personal Data
With the right personal data, a cybercriminal can set a variety of traps to get ransomware on your computer or trick you into installing it on your device yourself. People often use the same passwords for their computers as they do for websites and accounts. A cybercriminal can use your personal data to gain access to an account, and then use that password to get into your computer and install ransomware.
If you avoid giving out personal data, you make it far more difficult for an attacker to mount this kind of attack, because they would have to find another way to figure out your passwords or other account information. Personal data also includes the names of people, pets, or places that you use as the answers to security questions for your accounts.
How to Respond to Ransomware Attacks
Just because a ransomware attack has made it onto your computer or network does not mean there is nothing you can do to improve the situation. You can often limit the damage of ransomware by quickly taking action.
Isolating the ransomware is the first step you should take. This can prevent east-west attacks, where the ransomware spreads from one device to another through their network connections. You should first shut down the system that has been infected. Shutting it down prevents it from being used by the malware to further spread the ransomware.
You should also disconnect any network cables attached to the device. This includes anything that connects the infected device to the network itself or devices on the network. For example, your device may be connected to a printer that is linked to the local-area network (LAN). Unplugging the printer can prevent it from being used to spread the ransomware.
In addition to hardware cables, you should also turn off the Wi-Fi that serves the area infected with the ransomware. The Wi-Fi connection can be used as a conduit to spread the ransomware to other devices connected to the same Wi-Fi network. Shutting it down can stop this kind of east-west spread before it begins. However, if it has already begun by the time you realize the computer has been infected, cutting off Wi-Fi can prevent it from spreading further.
Storage devices connected to the network need to be immediately disconnected as well. The ransomware can potentially find the storage device and then infect it. If that happens, any device that connects to the storage system may get infected. This may happen immediately or at some point in the future. Therefore, if you have been a victim of a ransomware attack, it is important to assume each storage device has been infected and clean them before allowing any devices in your network to attach to them.
The next step is to ascertain the type of malware used to infect your system with ransomware. In some cases, knowing the kind of malware used can help an incident response team find a solution. The decryption keys of some ransomware attacks are already known, and knowing the type of malware used can help the response team figure out if the decryption key is already available. If it is, they can use it to unlock your computer, circumventing the attacker’s objective.
Also, the kind of malware may help determine other ways of dealing with the threat. To understand your remediation options, your IT team or outside consultant will need to know what kind of malware they are dealing with, making early identification a critical step.
Remove the Malware
It may go without saying that you need to remove the malware, but the necessity of this step is less important than its timing. It is important to only try to remove the malware after the previous steps, isolation and identification, have been performed. If you try to remove the malware before isolating it, it could use the time you take to uninstall it to spread to other devices connected to the network.
Also, if you remove the malware before it can be identified, you may miss out on the opportunity to gather information about it that could be useful to your incident response team, external consultants, or law enforcement.
Once you have taken the preceding steps, removing the malware can prevent it from getting to other devices. Even though the computer is no longer connected to the network, the malware could be spread at a later date if it is not removed.
Recover the Data
As soon as the attack has been contained and your computer has been secured and cleaned, you should start recovering your data. This can help ensure business continuity and improve your resiliency, particularly if the data was recently backed up.
Successful data recovery depends on a data recovery program put in place prior to the attack. If the data is backed up multiple times a day, for example, an attack will only set you back a few hours, at worst. You can use cloud-based services or on-premises hardware to back up your data—as long as whatever service you use can be accessed from a different device. Ensuring access may require storing login information securely instead of merely on the devices that access the backup storage.
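An added example, not code from the original article: a Python backup-manifest check that records each file's SHA-256 and byte entropy at backup time and, before a restore is trusted, flags changed files whose entropy has jumped to ciphertext levels, which is also how the encryption stage mentioned earlier is commonly spotted on live file shares. The 7.5 bits-per-byte threshold and the two sample files are assumptions.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0 (assumed cutoff, tune per data set)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text scores ~4-5, encrypted data ~7.9+."""
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c) if data else 0.0

def build_manifest(root: Path) -> dict:
    """At backup time: record SHA-256 and entropy of every file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(data).hexdigest(), "entropy": shannon_entropy(data)}
    return manifest

def verify(root: Path, manifest: dict) -> dict:
    """Before trusting or restoring: compare the live tree against the manifest."""
    report = {"ok": [], "modified": [], "suspect_encrypted": [], "missing": []}
    current = build_manifest(root)
    for rel, rec in manifest.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur["sha256"] == rec["sha256"]:
            report["ok"].append(rel)
        elif cur["entropy"] >= ENTROPY_THRESHOLD > rec["entropy"]:
            # changed AND entropy jumped to ciphertext levels: the mass-encryption signature
            report["suspect_encrypted"].append(rel)
        else:
            report["modified"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: baseline two text files, then edit one and overwrite the other with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("date,amount\n2024-01-01,100\n" * 50)
        (root / "notes.txt").write_text("quarterly planning notes " * 40)
        baseline = build_manifest(root)
        (root / "ledger.csv").write_bytes(os.urandom(4096))  # stands in for a ciphertext
        (root / "notes.txt").write_text("quarterly planning notes, revised " * 40)
        return verify(root, baseline)
```

Run `demo()` to see "ledger.csv" land in suspect_encrypted while the legitimately edited "notes.txt" is only reported as modified; in practice the manifest lives with the offline backup, not on the hosts it describes.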
Never Pay the Ransom
When a ransomware attack has taken hold, it can be tempting to pay the ransom. A user may reason that they are losing more money than the attacker is asking for as time goes by. For example, if critical systems are shut down and customers cannot make purchases, the losses could easily get into the thousands. If the attacker is asking for a few hundred dollars, you may feel paying would be the prudent choice. However, this is not the case.
Similar to hijackers and terrorists who hold humans captive, hackers depend on ransomware attacks successfully extorting the victims. If enough users refuse to pay the ransom, attackers may think twice before using ransomware, investing their energies in a potentially more profitable venture. Therefore, when you refuse to pay the ransom, you are helping others who could be targets in the future.
Also, if you pay one time, attackers know you are likely to pay again when faced with a similar situation. So when you pay, you may identify yourself as a potentially lucrative target for future attacks.
When Should You Pay the Ransom (And When Not To Pay)
Generally speaking, you should never pay the ransom. Paying can tell the attacker they can get away with extorting you, causing them to return for a second attack later on. It also harms others in that it sends a message to the hacker community that ransomware is still an effective attack vector. Also, keep in mind that once you pay the ransom, there is no guarantee the attacker will allow you back onto your computer.
However, saying no can be easier said than done, especially when you are without an adequate backup or resiliency plan. While it is never advisable to pay the ransom, you may have to weigh the consequences before making a final decision. You may want to consider the following factors:
- How much will it cost to recover lost data?
- Can your cyber insurance, if you have any, help defray some of the cost?
- How much will it cost to rebuild systems that have been destroyed by the attack?
- How likely is it that the specific ransomware operator that targeted you will decrypt the systems after payment?
How Fortinet Can Help
The Fortinet Security Fabric offers a wide range of products and services that can be deployed across the digital attack surface and along the cyber kill chain in order to reduce the risk and potential impact of ransomware. These can help organizations prepare for and prevent ransomware incidents, detect and respond to them should they occur, and augment in-house teams as needed.
Each organization’s current exposure, appetite for risk, licensing situation, security skills and other factors will determine which products and services are most appropriate at any given time, but options include:
- Preparation: Incident Readiness Service, FortiRecon Attack Surface Management, FortiTester Breach Attack Simulation, InfoSec Training and Awareness
- Prevention: FortiGate Next-Generation Firewall, FortiMail Secure Email Gateway, FortiWeb Web Application Firewall, FortiEDR Modern Endpoint Security, FortiSandbox Inline Sandbox Analysis
- Detection: FortiDeceptor, FortiXDR Extended Detection and Response, FortiNDR Network Detection and Response
- Response: FortiAnalyzer, FortiSIEM, FortiSOAR, FortiGuard Incident Response Service
- Augmentation: FortiGuard SOCaaS, FortiGuard Managed Detection and Response