Ransomware is a new kind of malware, in which instead of hacking or damaging the computer in traditional way, the goal of the attacker is to apply a high end encryption on each file of the computer mostly .docx and .pdf file which are of course business oriented files. And a clock is ticking on the screen , that shows the time left to pay the ransom and get the key to decrypt the encryption.
Also a less sophisticated Ransomware are ones in which it Locks the screen of the infected computer and renders it useless. However, incidences of file encryption are more common as compared to file encryption as the attacker wants their victims to use their computer in order to pay computer their encrypted data.
The encryption that is applied on each file is very sophisticated and is impossible to crack it. So what to do???
In case of a Ransomware you cannot do much, but pay the ransom and get the private key , that would decrypt the encryption. Ransom is paid to the attackers in form of virtual cyber currency called Bitcoins. The value of 1 Bitcoin is 39375.54 INR(as on August 13, 2016).
Since an infected machine cannot be restored but some preventions can be taken into consideration to minimize the chances of getting infected by the following steps:
- Never open/attend E-mails from unknown or unwanted sources.
- Never download attachments on your E-mails from unknown or unwanted sources.
- If an email seems to have been sent by someone you know and carries a sense of urgency, call up the sender and verify. Most phishing emails are made to sound important or urgent. The way they are written is mainly to trick you into taking an action like clicking on a link or downloading an attachment.
- Avoid using Torrent sites/files(most of them are infected by malwares.)
- Apply all recommended security updates for your Operating System, programs like Adobe, Java, Internet Browsers, etc. These updates fix security weaknesses/vulnerability in these programs and prevent malware from exploiting them.
- Take regular backup of your data (preferably offline like in external hard disk, flash disk etc.)
- Make sure your anti virus is updated on regular basis and enable anti – phishing websites.
- Establish a Sender Policy Framework (SPF),Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser
- Restrict execution of powershell /WSCRIPT in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
- Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations. Enforce application whitelisting on all endpoint workstations.
- Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
- Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Maintain updated Antivirus software on all systems
- Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
- Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
- Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements, (backdoors /malicious scripts.)
- Keep the operating system third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.
- Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
- Network segmentation and segregation into security zones – help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.
- Disable remote Desktop Connections, employ least-privileged accounts.
- Ensure integrity of the codes /scripts being used in database, authentication and sensitive systems, Check regularly for the integrity of the information stored in the databases.
- Restrict users’ abilities (permissions) to install and run unwanted software applications.
- Enable personal firewalls on workstations.
- Implement strict External Device (USB drive) usage policy
All above stated precautions can be useful, if implemented and kept in mind.