Ransomware attacks are increasing rapidly and pose a major threat to both SMBs and larger companies. The enormous danger posed by ransomware attacks first became known to the general public in 2017, when an unknown group of hackers distributed malware known as WannaCry. The malware spread over the Internet to numerous computers by exploiting a vulnerability in the Windows operating system. In a matter of hours, WannaCry infected over 230,000 computers worldwide, bringing down numerous companies and institutions. The ransomware caused around four billion euros in damage. In Germany, Deutsche Bahn was among those affected: numerous display boards and ticket machines at several train stations showed the typical ransom demand.
Headlines about extortion incidents are now part of everyday life. During the peak of the coronavirus crisis in June 2020 in particular, the number of ransomware incidents rose significantly again, according to a study by Skybox Security.
25 Tips to Protect Against Ransomware
The protection of digital information, i.e., IT security, is more important than ever. It is considered to be one of the greatest challenges for the 21st century. Ransomware attacks can have devastating financial consequences for companies and cause enormous damage to a company’s reputation.
The following explains how companies, and private individuals as well, can protect themselves against ransomware:
Secure Use of Email
- Block executables in email: Most ransomware spreads through email attachments. These may be supposedly harmless Word files, for example. Occasionally, however, malicious programs are also sent as executable files, recognizable by file extensions such as .bat, .cab, .cmd, .exe, .js, and .vbs. Configure your mail server to block such attachments; there is no valid reason to send executables by email. In particular, files with double file extensions such as invoice.txt.VBS should be rejected. There is no legitimate case for receiving or using such files.
- Be careful with attachments and links: never click on links or attachments in emails unless, after thorough inspection, you are sure that they are safe. It is advisable to have work instructions requiring that links and email attachments are opened only after checking with the sender or after advance notice. It is not enough to know the sender: if the sender’s computer is infected with a malicious program, the mail could have been sent by the malware in the sender’s name, reusing a subject line from earlier correspondence.
- Do not leave your email address carelessly on any website. Be skeptical whenever an email address is requested.
- Use anti-spoofing technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) on your mail server.
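The attachment rule above (block executable extensions, reject double extensions such as invoice.txt.VBS) as a policy function a mail gateway could call per attachment. This is an added example, not code from the original article; the compound-suffix allowlist and the rejection of extension-less files are assumptions of this example.

```python
"""Attachment policy check implementing the rules in this section.

Added example, not part of the original article: a function a mail
gateway could call for each attachment. The blocked extension list is
taken from the article; the compound-suffix allowlist and the decision
to reject extension-less files are assumptions of this example.
"""
from __future__ import annotations

# Executable and script extensions the article says should never be mailed.
BLOCKED_EXTENSIONS = {".bat", ".cab", ".cmd", ".exe", ".js", ".vbs"}

# Assumption: legitimate multi-part suffixes that are not "double extensions"
# in the sense of invoice.txt.VBS.
BENIGN_COMPOUND_SUFFIXES = (".tar.gz", ".tar.bz2", ".tar.xz")


def check_attachment(filename: str) -> tuple[bool, str]:
    """Return (allowed, reason) for an attachment file name.

    Matching is case-insensitive so invoice.txt.VBS and invoice.txt.vbs
    are treated the same; any path the client prepended is ignored.
    """
    name = filename.strip().lower().replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        return False, "missing or hidden file name"
    if name.endswith(BENIGN_COMPOUND_SUFFIXES):
        return True, "known compound suffix"
    parts = name.split(".")
    if len(parts) < 2:
        return False, "no file extension"  # policy choice (assumption)
    last_ext = "." + parts[-1]
    if last_ext in BLOCKED_EXTENSIONS:
        return False, f"executable extension {last_ext}"
    # invoice.txt.VBS / foto.jpg.exe style: the part before the real
    # extension itself looks like an extension (2-4 letters).
    inner = parts[-2]
    if len(parts) > 2 and inner.isalpha() and 2 <= len(inner) <= 4:
        return False, f"double file extension .{inner}{last_ext}"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("Report.docx", "invoice.txt.VBS", "foto.jpg.exe",
                   "statement.pdf.docm", "backup.tar.gz"):
        print(sample, check_attachment(sample))
```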
General Protective Measures
- Regular backups should be made to protect the availability and integrity of important data. In the case of a ransomware infection, there is a high risk of data loss as there is a risk that the files encrypted by the Trojan cannot be recovered.
- If possible, disable macros in Office files. Macros are small sub-programs with which complete applications can be built in the large Office suites (e.g., automated warehouse management). The problem: macro programs have enough rights to smuggle in malware. Many well-known ransomware Trojans have already found their way into companies, schools, universities, hospitals, and other institutions this way.
- Update or patch your software regularly: Unpatched programs are often used by hackers for cyber attacks. WannaCry, one of the biggest waves of ransomware ever, spread through the vulnerability known as “EternalBlue” – a month after the vulnerability had been patched. Without such negligently slow patch management, the damage could have been reduced significantly. Trend Micro Research found in a recent study that it takes a company an average of almost 51 days to patch new vulnerabilities.
- Some attackers use .VBS (VBScript) files to install ransomware. Deactivate the COM-based runtime environment “Windows Script Host” if you do not need this feature.
- If you don’t use PowerShell, turn it off. Windows PowerShell is a task automation framework. It consists of a command-line interpreter and a scripting language. Criminals often use PowerShell to execute ransomware from memory to bypass detection by antivirus solutions.
- Deactivate unused wireless connections. Critical security flaws are discovered time and again, e.g., in Bluetooth applications.
- Disable the Windows Remote Desktop Protocol (RDP) to protect against RDP exploits. Ransomware variants such as CryptoLocker / Filecoder use RDP as a gateway.
- Display all file extensions in Windows Explorer. Any file that contains a duplicate file extension such as “foto.jpg.exe” should be considered suspicious.
- Use modern antivirus software.
- Do not work with administrator rights: once started with admin rights, malware can immediately take over control of the system.
- Use secure passwords: Whether it is access to the operating system, an application program, a web GUI, or the email client, a password is used for authentication everywhere. A good password:
  - Is at least 10 characters long. The longer the password, the better.
  - Contains uppercase and lowercase letters, numbers, and special characters.
  - Cannot be found in any dictionary.
  - Does not contain alphabetic character sequences or memorable keyboard paths.
  - Is not based on personal data.
  - Is unique for each account. The same applies to the user names/email addresses used. Using different user names/email addresses increases the security of the individual accounts significantly, because an attacker never knows exactly which username or email address was used for each login. Tip: Use “catch-all” email addresses. With a catch-all email account, all emails sent to your domain are forwarded to your mailbox – regardless of what is in front of the @ sign. This allows you to use any number of aliases dynamically.
- If possible, secure all your access with so-called two-factor authentication (2FA).
- You must store sensitive and confidential data in encrypted form.
- “AutoRun” is a Windows function that runs removable media such as USB sticks and CDs immediately when they are inserted. Malware authors can use this feature to spread ransomware. You should disable this feature on all workstations.
- Divide computer networks into smaller, separate subnetworks to limit the spread of ransomware. Above all, industrial plants and IoT devices should be subdivided or segmented into different areas.
- Firewalls are an important tool for defense against hackers. Even in smaller companies, a firewall is an indispensable standard for connecting to the Internet.
- Cybercriminals are increasingly using the Tor network for command and control (C&C) communication, which makes tracking down the C&C infrastructure much more difficult. Block the known IP addresses of Tor entry and exit nodes as well as Tor bridges. Also block applications that try to connect to .onion domains.
- Training: An important prerequisite for protecting the system and working with it is that users develop a general understanding of the security problems involved. They should not see security as a stumbling block but as part of their work that protects them and the components involved. Regular training courses on IT security help employees stay up to date.
- Authorization management: When it comes to secure access to computer systems, a good authorization management concept is the be-all and end-all. When an employee joins the company, they must be registered in all relevant systems and given appropriate rights. These rights can change and therefore require an ongoing management process. When an employee leaves, the corresponding accounts and rights must be blocked. Incorrect assignment of rights and delayed blocking increase the IT risk enormously. It is important to keep an eye on the entire authorization structure.
- IT emergency plans: Companies must plan how to deal with such situations before an IT emergency occurs (responsibilities, lists of measures …). This shortens downtimes and minimizes damage.
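The password rules listed above (at least 10 characters, mixed character classes, no dictionary words, no character sequences or keyboard paths, no personal data, unique per account) as a checker an account-provisioning tool could run before accepting a new password. This is an added example, not code from the article; the tiny word list and the US keyboard rows are constructed assumptions, and uniqueness across accounts is out of scope here.

```python
"""Password check for the rules under "Use secure passwords" above.

Added example, not the article's code. DICTIONARY is a constructed,
deliberately tiny word list standing in for a real one, and
KEYBOARD_ROWS assumes a US layout; both are assumptions.
"""
import string

DICTIONARY = ("company", "password", "secret", "summer", "welcome", "winter")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_sequence(s, n=3):
    """n adjacent letters/digits stepping through the alphabet or digit
    row in either direction, e.g. abc, cba, 123, 987."""
    for i in range(len(s) - n + 1):
        w = s[i:i + n]
        if w.isalnum() and all(abs(ord(w[j + 1]) - ord(w[j])) == 1
                               for j in range(n - 1)):
            return True
    return False


def _on_keyboard_path(s, n=4):
    """n adjacent characters running along a keyboard row, e.g. qwer, lkjh."""
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(s[i:i + n] in row for i in range(len(s) - n + 1) for row in rows)


def password_violations(password, personal=()):
    """Return the article's rules the password breaks; [] means it passes.
    personal: names, birth years etc. that must not appear in the password."""
    low = password.lower()
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        problems.append("missing upper/lower/digit/special mix")
    for word in DICTIONARY:
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    if _has_sequence(low) or _on_keyboard_path(low):
        problems.append("contains a character sequence or keyboard path")
    for item in personal:
        if item.lower() in low:
            problems.append(f"based on personal data '{item}'")
    return problems
```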
In practice, there are unfortunately more than enough companies and users who rely only on antivirus software and a firewall and believe that they are adequately protected. Some of the protective measures described in this article may seem annoying or unnecessary, but antivirus software and a firewall alone are not enough to protect against ransomware! The problem is that you may not be convinced otherwise until damage has already occurred.