6 Simple Steps to Reduce Your Ransomware Risk
What is Ransomware?
It seems that hardly a day goes by that we don’t read about a new strain of ransomware or a new victim of a ransomware attack. Ransomware is malware that encrypts the user’s or organization’s files and demands payment for the decryption key. The ransomware business model is often one that provides friendly customer service and really does deliver the key in exchange for the requested amount of Bitcoin. However, there is no guarantee that they will, and they don’t always, so depending on the good will of criminals is not a long-term strategy for protecting your enterprise.
Of course, if you are struck by a ransomware attack, and you don’t have good offline backups of the data, we can’t tell you what to do. Whether or not you pay up is a decision based on the cost to your business of losing the data forever. But I think that we all agree that paying money to criminals is ultimately bad for all of us, and we’d all be better off if we could avoid having to make that choice.
This post will outline some relatively easy steps you can take to prevent some of the most common types of malware attacks. Nothing is foolproof, of course, but you can raise the bar for the attacker. Eventually they will up their game, and then we’ll have to as well.
How to Reduce Ransomware Threats
One prominent strain of ransomware (that hit several large hospitals) spreads by attacking unpatched web servers. However, much of the ransomware that’s out there is spread by socially engineered email (phishing or spear-phishing) with attachments that carry or download the ransomware, which is where we will focus our advice. Most user-side ransomware arrives as either a Microsoft Office document containing macros or a JavaScript file, often inside a Zip file. Here are some practical steps to help defang these threats:
- Run scheduled backups on all data, and keep offline copies. If you do get infected with ransomware, how you deal with the criminals depends on whether or not you need them to restore your data. Regular backups are your best defense against extortion. Be sure to keep offline copies, or the ransomware will be able to encrypt your backups as well.
- Have Windows Explorer display file extensions by default. JavaScript files have the extension .js, which is usually hidden by Explorer. So a file named invoice.doc.js will show up in Explorer as invoice.doc, although the icon will be wrong. Changing this setting and locking it with group policy will help keep your users from being taken in by the double-extension (.doc.js) trick.
- Change the default application for .js files from the Windows script engine to Notepad. Applications that legitimately need to run JavaScript files are written to launch them with the proper interpreter without depending on the Windows shell to do it for them. Changing this setting will ensure that double clicks on a JavaScript file will harmlessly display them in Notepad rather than launching them. Again, lock this setting with group policy.
- Set Office to require that all macros be signed. When an Office file contains macros, the user is presented with a button to choose whether or not to enable them. With this setting, that button ONLY appears if the macros are signed with a certificate that is trusted. Since malware writers do not sign their macros, this will stop them. To allow legacy unsigned macros in your organization to run, you can set up a trusted location from which documents with unsigned macros can be executed. Both of these settings are in the Group Policy section of Microsoft Trust Center.
- For Office 2016, use the new security setting to disable macros on mail from the Internet. A new security setting in Office 2016 will disable macros in any file from the Internet. If you set it in group policy, the user cannot override it.
- Patch all workstations and servers. This means patching both the OS and all applications. Malware often needs to exploit unpatched vulnerabilities to elevate its privileges or spread across your network. You can make their job harder by closing the holes as patches become available.
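The Explorer, file-association and Office macro settings above are all backed by registry values that group policy writes, so their state on a given workstation can be audited. The PowerShell script below is an added example, not code from the post or from Eden Technologies: it reads the values behind steps 2 through 5, reports pass/fail for each, lists every Office trusted location (because a trusted location bypasses the macro settings and deserves review), and reports the most recent hotfix as a rough indicator for step 6. The Office version string (16.0 for Office 2016), the application list, the 45-day patch window and the Notepad path check are assumptions; adjust them for your environment. The optional -Fix switch applies the two Explorer/file-association settings directly for machines that a GPO does not reach (the HKLM change needs an elevated shell, and Explorer must be restarted to pick up HideFileExt).

```powershell
# Added example (not from the original post): audit the per-user and per-machine
# settings behind the ransomware-hardening steps above. Run as the user whose
# settings you want to check; -Fix on the .js association requires an elevated shell.
[CmdletBinding()]
param(
    [string]$OfficeVersion = '16.0',                        # assumption: Office 2016
    [string[]]$OfficeApps  = @('Word', 'Excel', 'PowerPoint'),
    [int]$MaxPatchAgeDays  = 45,                            # assumption: patch window
    [switch]$Fix
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    return (Get-Item -Path $Path).GetValue($Name)           # $Name = '' reads (default)
}

$script:findings = @()
function Add-Finding {
    param([string]$Check, [string]$Value, $Pass)
    $script:findings += [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

# Step 2: Explorer must show extensions so invoice.doc.js is not displayed as invoice.doc.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = Get-RegValue $advKey 'HideFileExt'
Add-Finding 'Explorer shows file extensions (HideFileExt = 0)' "HideFileExt=$hide" ($hide -eq 0)
if ($Fix -and $hide -ne 0) { Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord }

# Step 3: a double-clicked .js file should open in Notepad, not in WScript/CScript.
$jsKey = 'HKLM:\SOFTWARE\Classes\JSFile\Shell\Open\Command'
$jsCmd = [string](Get-RegValue $jsKey '')
Add-Finding '.js default action opens Notepad' $jsCmd ($jsCmd -match 'notepad')
# A per-user "Open with" choice overrides the machine default, so report it as well.
$userChoice = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice' 'ProgId'
if ($userChoice) {
    Add-Finding '.js per-user override (UserChoice ProgId)' $userChoice ($userChoice -match 'notepad')
}
if ($Fix -and $jsCmd -notmatch 'notepad') {
    Set-ItemProperty -Path $jsKey -Name '(default)' -Value "$env:SystemRoot\System32\notepad.exe `"%1`""
}

# Steps 4 and 5: Office macro policy, per application. Policy keys win over user keys.
foreach ($app in $OfficeApps) {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $user   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed (the post's setting), 4 = disable all.
    $vba = Get-RegValue $policy 'VBAWarnings'; $src = 'policy'
    if ($null -eq $vba) { $vba = Get-RegValue $user 'VBAWarnings'; $src = 'user' }
    Add-Finding "$app macros require a trusted signature (VBAWarnings = 3)" "VBAWarnings=$vba ($src)" ($vba -in 3, 4)

    # Office 2016 policy: block macros in files that came from the Internet.
    $block = Get-RegValue $policy 'BlockContentExecutionFromInternet'
    Add-Finding "$app blocks macros in files from the Internet" "BlockContentExecutionFromInternet=$block" ($block -eq 1)

    # Trusted locations bypass both settings above; list each one for review.
    foreach ($root in "$policy\Trusted Locations", "$user\Trusted Locations") {
        if (Test-Path $root) {
            Get-ChildItem $root | ForEach-Object {
                $p = $_.GetValue('Path'); $sub = $_.GetValue('AllowSubfolders')
                Add-Finding "$app trusted location ($($_.PSChildName))" "$p (AllowSubfolders=$sub)" 'REVIEW'
            }
        }
    }
}

# Step 6: most recent Windows hotfix as a coarse patch-currency indicator.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
Add-Finding 'Most recent Windows hotfix' "$($lastFix.HotFixID) on $($lastFix.InstalledOn)" `
    ($lastFix.InstalledOn -gt (Get-Date).AddDays(-$MaxPatchAgeDays))

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { $_.Pass -eq $false }).Count
Write-Output "$failed check(s) failed."
```

Run it as `.\Audit-RansomwareSettings.ps1` for a report, or with `-OfficeApps Word,Excel` to narrow the Office checks. Trusted locations are reported as REVIEW rather than pass/fail because whether one is acceptable depends on who can write to that folder; a trusted location on a world-writable share defeats the signed-macro requirement entirely. The script only reads HKCU for Office settings, so run it in the context of an ordinary user rather than an administrator account to see what that user actually gets.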
These steps are not a panacea, but following them will reduce your risk of getting infected by ransomware, and make it possible for you to recover your data without paying the ransom.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.