Don’t Wave the White Flag: Practical Steps to Avoid and Stop Ransomware Before It’s Too Late

2183 2

Another day, another hospital shut down by ransomware. And while going back to pen and paper and avoiding anything connected to the web may start to sound like a valid option, it’s not a realistic one. You can’t just throw in the towel or wave the white flag. However, there are a few practical steps you can take to avoid being taken down by ransomware and shut it down if your company falls victim.

Avoiding Ransomware

There are several techniques a company can use to avoid ransomware and some of the methods being actively discussed include changing your computer’s language to Russian and creating a fake HKCU\Software\Locky registry entry. These approaches might do the job, but unless you’re fluent in Russian and don’t mind creating bogus registry keys, they’re simply unworkable workarounds.

Here are a few tips to minimize chances of infection that any company can and should employ:

  1. Back up your files – It’s simple, it’s obvious, and it directly addresses the purpose of the scam in the first place: if you already have up-to-date copies of all your files, there’s no reason to pay the ransom to get them back.As I write this article, it is being automatically saved and uploaded to the cloud. While it would still be a pain to remove the infection and then re-sync files from the cloud to the local machine, doing so is infinitely easier than paying and further emboldening criminals.
  2. Keep your malware and detection software up-to-date – For Mac users, make sure to automatically update XProtect. For Windows machines, be sure to update your endpoint protection software, antivirus, and so on. There’s nothing worse than being infected by a known threat that could have been stopped. Being diligent with updates will stop you from potentially “kicking yourself” later.
  3. Use multiple security products – Ransomware authors test their code against antivirus products, email filters, and endpoint detection products to maximize the chance that they get through. While buying every detection solution isn’t likely practical, having multiple detection systems increases the chances of detection before the infection can happen.
  4. Make sure macros are disabled by default in your Microsoft Office settings – Macros are an advanced feature in Microsoft office that most people have no need to use or think about. But their ability to execute tasks within Word, Excel or PowerPoint documents that flow freely in and out of most inboxes – and are often opened without a second thought – make them a powerful tool for hackers. Microsoft has taken steps to minimize this threat by adding a new feature in Office 2016 to block macros from loading in certain scenarios. If your company has little or no use for macros, it’d be smart to take advantage of this feature.

Here’s what Microsoft had to say:

In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios.

Shutting Down Ransomware Post Infection 

While it is certainly best to avoid ransomware in the first place, all is not lost once a malicious file has been downloaded. Here’s what you can do to mitigate the damage when ransomware has infected a machine on your company’s network.

  1. Get an alert when any known ransomware file extensions are detected – The following post on spiceworks includes a list of known ransomware file extensions. While this doesn’t actually stop files from being encrypted and doesn’t stop the infection from spreading, you can at least get an alert when ransomware is starting to spread so you can quickly take steps to stop it.
  2. Automatically quarantine files with known ransomware infections – Some antivirus applications will allow you to write rules to automatically quarantine files matching a certain file extension. There’s no reason to not do this as a means for stopping known threats.
  3. Implement a security orchestration and automation solution – Security orchestration and automation tools that are able to investigate every cyber alert and remediate malicious activities can shut down ransomware before it is too late. A client of ours recently saw this in action first hand after their security team received a call that files on a shared drive were being encrypted. The ransomware was able to make it past their email filters and antivirus, and a user clicked a link in an email, downloading the malicious files.By running an investigation, they were able to identify the machines and users that were infected, were able to kill the processes, quarantine the files, and sever the connection to the adversary’s IPs, stopping the attack as it happened.

While recent incidents have proven that ransomware is a real and serious threat, there’s no need to waive the white flag just yet. By first ensuring that basic and practical steps are implemented, and then looking to more advanced techniques to sure up defenses, this is a fight that companies can win.

About Idan Levin
idanIdan Levin is Hexadite’s co-founder and chief technology officer. Prior to Hexadite, Idan spent four years at Elbit Systems Ltd. as a cyber-software engineer and development leader responsible for the product life cycle of the company’s intelligence systems. Prior to his work in the private sector, Idan served in an elite intelligence unit of the Israel Defense Forces (IDF), where he led the development of several cyber security products and managed various development teams.

In this article