
3 Simple Steps to Disrupt Ransomware

Originally posted on the Trend Micro blog.

I recently posted about why ransomware is such a money maker for criminals. Read it through and I think you’ll understand why this is an area of massive growth for criminals. Ransomware is one of the fastest-rising attacks currently out there, with no end to that growth in sight.

Criminals are making a lot of money from ransomware. What can you do to make sure that you’re not another statistic?

Here are the three main areas that you need to invest in to fight back:

  1. Backup, backup, backup
  2. Patch ASAP
  3. Key security controls

It might be the paranoid security professional in me speaking but I don’t like relying on one layer of defense. Multiple controls are key to protecting your data.

Stacking your defenses will provide strong protection for minimal investment.

#1 Backup, Backup, Backup

Ransomware is often compared to physical crime. It’s easier to understand the underlying concept that way. But there is a fundamental difference that you have to remember: digital data can be copied easily for little to no expense.

That changes the dynamics of the crime. In the physical world, if criminals steal an object to hold for ransom, you no longer have that object. If you pay up, they might return it or they might simply take the money and run.

In the digital world when criminals encrypt your data, they block your access to that data until you pay the ransom…maybe.

When ransomware first infects a system, it encrypts all of the data it can find. This effectively locks you out of your data, which is the leverage the criminal needs to get you to pay a ransom. But if you have another copy of the data that you control, the situation shifts in your favour.

A strong backup strategy is the first step to defending against ransomware. Your backups make the ransom demand meaningless. Now you simply have a malware infection that needs to be cleaned and a vulnerability that needs to be patched (the hole the criminal used to get in in the first place).

Hard drive prices have plummeted in recent years and cloud storage is pennies a gigabyte. There is no excuse not to have a local and remote backup of all of your critical data. At least one of those copies should be kept offline or otherwise unreachable from the systems it protects: ransomware will happily encrypt a mounted backup drive or a synced folder along with everything else. And yes, that goes for personal systems and large organizations.

Once you’ve got a regular backup—or two—you need to test them regularly. Backups are only useful if you can restore the data in the event of an issue, so the test is a restore, not a glance at the file size of last night’s archive.
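Here is what a minimal restore test looks like in practice. This is an added example for this page, not code from the original post or from Trend Micro: it backs up a directory with tar, records a SHA-256 manifest of every file, then proves the backup is good by unpacking it into a scratch directory and checking each file against the manifest. It assumes only `tar`, `mktemp` and either `sha256sum` or `shasum` are on the path; the directory names and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: back up a directory with tar,
# record a SHA-256 manifest, then prove the backup actually restores by
# extracting it into a scratch directory and checking every file against
# the manifest. All paths and sample files below are constructed for the demo.
set -eu

# Use GNU coreutils sha256sum where present, Perl's shasum otherwise.
if command -v sha256sum >/dev/null 2>&1; then
    SHA256="sha256sum"
else
    SHA256="shasum -a 256"
fi

# backup_dir SRC ARCHIVE MANIFEST
# Archives SRC into ARCHIVE and writes one "<sha256>  ./<path>" line per
# regular file into MANIFEST. Keep the manifest with the backup but outside
# the source tree, so a later restore can be checked independently.
backup_dir() {
    src="$1"; archive="$2"; manifest="$3"
    ( cd "$src" && find . -type f -exec $SHA256 {} + | LC_ALL=C sort -k2 ) > "$manifest"
    tar -C "$src" -cf "$archive" .
}

# verify_backup ARCHIVE MANIFEST
# Restores ARCHIVE into a fresh temporary directory and checks every
# manifest entry. Returns 0 only if the archive unpacks cleanly and every
# file hashes to what was recorded at backup time. MANIFEST must be an
# absolute path because the check runs from inside the scratch directory.
verify_backup() {
    archive="$1"; manifest="$2"
    scratch="$(mktemp -d)"
    rc=0
    if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
        rc=1                              # truncated or corrupted archive
    elif ! ( cd "$scratch" && $SHA256 -c "$manifest" >/dev/null 2>&1 ); then
        rc=1                              # a file is missing or changed
    fi
    rm -rf "$scratch"
    return "$rc"
}

# restore_dir ARCHIVE TARGET
# Recovers the backup into TARGET, which is what you do after wiping an
# infected machine: rebuild it, then put the data back.
restore_dir() {
    archive="$1"; target="$2"
    mkdir -p "$target"
    tar -C "$target" -xf "$archive"
}

# Stand-alone demo with constructed data.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/data/docs"
    printf 'quarterly numbers\n' > "$work/data/docs/q1.txt"
    printf 'family photos index\n' > "$work/data/photos.txt"

    backup_dir "$work/data" "$work/data.tar" "$work/data.sha256"
    verify_backup "$work/data.tar" "$work/data.sha256" && echo "backup verified"

    # Simulate ransomware: the live copy is overwritten with ciphertext.
    printf 'ENCRYPTED\n' > "$work/data/docs/q1.txt"
    # Recover from the backup and check the restored tree, not the live one.
    restore_dir "$work/data.tar" "$work/restored"
    ( cd "$work/restored" && $SHA256 -c "$work/data.sha256" >/dev/null ) && echo "restore verified"

    rm -rf "$work"
}
demo
```

Run `verify_backup` on a schedule against the copy you would actually reach for in an incident (the offline or remote one), not the copy sitting next to the live data; a manifest that was written at backup time is what tells you the archive itself has not been tampered with or silently truncated since.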

#2 Patch ASAP

Software is inherently complex. Mistakes will be made and updates will be released. Those updates often contain security fixes for the very vulnerabilities that criminals take advantage of.

Patching is a frustrating activity for most people and organizations but it’s an important piece of your defense.

How important? Year after year the Verizon DBIR states (PDF link, page 3) that most attacks take advantage of known vulnerabilities. These are vulnerabilities for which patches were already available. That means most attacks can be stopped by patching regularly!

Turn on automatic updates. Do it now. For software that doesn’t have an automatic update feature, make sure you’re checking regularly for updates and installing them ASAP. If you run a fleet, stage updates on a small test group first, but keep that window short. The benefits far outweigh the possibility that the update will break something.

#3 Key Security Controls

Even with a strong backup strategy and immediate patching, there is still a strong possibility that your systems remain partially exposed. This is where third-party security controls come into play.

To help combat against ransomware and other types of attacks, you’ll want to take a layered approach to your defense:

  1. Stop incoming attacks using an intrusion prevention system
  2. Try to stop infections from taking root by using anti-malware software
  3. Block outbound connections to attackers’ infrastructure using outbound filtering

These three controls provide coverage for traffic as it enters your network, is processed by your endpoints, and then again when it leaves. It’s a great combination of controls.

No More Ransomware

The question I get asked a lot is whether or not you should pay if you get infected by ransomware. Almost every organization, including Trend Micro and the FBI, has officially stated that you should not pay a ransom.

Money is the motivating factor for criminals. Paying them only increases their profits, with no guarantee of your data being returned.

I agree with that position but also understand the difficult nature of the position you might be in after an attack of this nature.

That’s why it’s critical that you make a small investment now to ensure that you have backups in place, patch regularly, and have basic security controls to help stop any attack before it locks up your data.

If you want to read more on ransomware, check out the No More Ransom Project.

Want to chat more about ransomware? Find me on Twitter where I’m @marknca or connect with me on LinkedIn.