Ransomware Protection: How to Stay One Step Ahead of Attackers (from Nakivo White Paper)

Overview
In today’s digitized world, having uninterrupted access to data is critical. This is why the
concept of ransomware occurred to criminals in the first place: locking electronic files is much
easier than seizing a warehouse or otherwise disrupting business activity offline.
The concept proved attractive and lucrative, resulting in a sharp increase of ransomware
attacks. Today, a company falls prey to attackers every 40 seconds, while the average ransom
demand has grown by several times.
The prospects are rather grim – experts predict that ransomware can get more sophisticated
year by year, finding new ways to infect and proliferate.
In such conditions, knowing what you are dealing with and protecting your infrastructure is
essential. Otherwise, your important files could be taken hostage at any moment.
What Is Ransomware?
Ransomware is a type of malware that limits the access of users to their files. The goal is
almost always monetary; access is returned to the user after a certain amount of money (the
ransom) is paid. This means that businesses are some of the primary targets, because they
can afford to pay more than not-for-profit organizations or individual users. Yet cases have
been recorded when public institutions, such as hospitals, fell victim to ransomware, which
resulted in endangering the lives of many patients.
The first attempts at using ransomware were recorded long before the actual term was
coined. In fact, the idea of taking files hostage and demanding ransom for releasing them
belonged to AIDS researcher Joseph Popp. As early as in 1989, he distributed floppy disks
among fellow health researchers all around the world, which supposedly contained a survey
to evaluate their risks of contracting HIV. The floppy disk did contain the survey – as well as
a virus that nested in users’ computers and, after a certain number of reboots, locked their
files, demanding a $189 ransom. Joseph Popp was subsequently arrested, but was ultimately
judged mentally unfit to be prosecuted. His promising idea, however, was soon picked up,
developed, and put into practice. By now, “ransomware” has become a buzzword.
Most Common Types of Ransomware
Over the years, ransomware has lived through numerous transformations, adapting to the
increasing levels of protection and the ever-higher awareness level of users. Hundreds of
strains exist today, each of them with different methods of system penetration and damage
White Paper
2
potential. At a high level, they can all be classified according to several criteria:

Lock,
limiting your access to files. In such cases,
you can only communicate with the attacker and
transfer the ransom.

Encrypt,
leaving you access but depriving you of
the ability to use the files. Modern ransomware
uses hybrid encryption, which makes decryption
near impossible without the permission of the
attacker.

Delete,
which can be done in two ways: the
attacker can threaten to delete all the files unless
the ransom is paid, OR they can delete encrypted
or locked files one by one while waiting for the
ransom.
Destroy
files unless the ransom is paid, setting a
time limit after which they start deleting the files
one by one. The amount of ransom might grow
with every hour.

What the attackers can threaten to do:
Leak
files, such as confidential client information
or internal documents.

Prosecute
the owner of the affected system for
having illegal content. In this case, the attacker
usually poses as a law enforcement agency,
stating that the victim has violated intellectual
property rights or other legislation and has to pay
an electronic fine. This type of ransomware is a
rather advanced one, with attackers determining
the location of their targets and posing as a law
enforcement agency of the relevant country.

White Paper
3

Unleash
more attacks in the future, prompting
the victim to buy software that can supposedly
protect them from future threats.
What devices can be attacked:

Computers,
including PCs and laptops.

Mobile devices,
especially Android-based ones,
because they allow the installation of applications
from third-party sources.
Ways of Contracting the Virus:
Many uneducated users believe that ransomware
viruses arrive only in suspicious email attachments,
and that all you have to do is impose strict control in
this area. However, modern strains of ransomware
are sophisticated enough to find multiple ways of
penetration in your environment, and are sometimes
even capable of turning such environment into a
distributor. Email is, however, the primary channel,
given the relative simplicity and the big number of
users that can be targeted at once.
Other channels include:

SMS text messages prompting users to click a
link.

Malicious websites, where users are tricked
to download infected content or are infected
automatically using an exploit kit. An exploit kit is a tool that finds and exploits
vulnerabilities in a user’s system, causing malware to be downloaded.

Legitimate websites that have been violated by having malware injected into their pages.
These can be websites of any nature, including social media, video platforms such as
YouTube, etc.

Malvertising – ads that contain malware, even though they are placed on trusted websites.
When clicking on an ad, the user is redirected to a server with an exploit kit.

Software applications, such as instant messaging apps, and their updates.

Infected external storage devices.

Computers running Remote Desktop or Terminal Services whose passwords are brute-
forced to gain malicious access to the system.
The biggest threat related to ransomware is that such online extortion is developing rapidly,
constantly finding new ways of damaging the files in your infrastructure.
Payment amount:
The average ransomware
demand was $1,077 in 2016
and went down to $544 in the
first half of 2017. Attackers
are settling for smaller
amounts to make sure that
victims can afford paying
the ransom. They also want
payment to seem the easiest
way out.
Payment methods used for ransomware:
Bitcoin
MoneyPak
cashU
Payment vouchers
Gift cards
White Paper
4
Lower Your Chances of Becoming a Victim
As with any major threat, your defense should start
before the first attack. Ransomware creators are
looking to exploit any security vulnerabilities in your
infrastructure; the earlier you identify and patch
them, the better protected your environment can be.
There is a list of tried and tested best practices that
can help you reduce your chances of falling prey to
attackers.
Education of Users
Email is the primary channel for infecting a system.
In most cases, such emails are crafted individually
to increase the chances of users opening them and
clicking on the link or attachment inside. Sending
mass emails that are designed to trick users into
clicking a link or an attachment contained therein
(i.e., users are tricked with bait en masse) is called
“phishing”. Sending highly targeted emails using
information gathered from other channels, including
social media (i.e., users are singled out and targeted
individually) is called “spear phishing”.
Different deception techniques are used to persuade
users of the legitimate nature of such emails. They
can be disguised as order confirmations, package
delivery notifications, or other seemingly harmless
messages. Educating your system’s users on the
dangers related to opening suspicious emails,
especially clicking on the links and attachments
inside, can be of great help in securing your
endpoints. Don’t forget to educate your network’s
users on the dangers of using social media from
a work computer; social media is one of the most
frequently used channels for spreading malware
through “social engineering” (that is, tricks).
White Paper
5
Email Hygiene
Implement thorough spam filtering and email scanning to block executable (e.g., .exe) files
in attachments, as they are the most dangerous. Unsubscribe users from unnecessary
corporate email lists to reduce the chances of mass distribution of malicious links.
Protection Software
Make sure you have reliable, up-to-date anti-virus, anti-malware, and intrusion-detection
software that scans the systems regularly, taking immediate action if a threat is identified.
Robust protection should cover all components of your infrastructure, including SaaS
applications. When configuring your firewall(s), block access to known malicious IP addresses.
Network Segmentation
Given the ability of ransomware to spread within a company’s infrastructure, the propagation
capabilities of the infection must be limited. You can achieve this through network
segmentation, i.e., dividing resources, applications, and assets into segments. Communication
between segments should be limited by logical and/or physical separation of such segments.
This way, if an infection does find a way into one, the effects of such infection can be isolated
there, leaving other segments unaffected.
Restricted Access
Even though users are sometimes given administrative accounts to reduce some of the IT
team’s workload, such practice puts the entire environment at greater risk. The more users
that have the freedom to install third-party software on their computers, the higher the
chances that at least one of them might get into trouble. Even a single infected computer
is enough to undermine the security of the entire company. That’s why users should be
given guest accounts with limited rights. Apply the “least privilege” rule in all systems and
applications: if possible, grant read-only access to files or folders. Generally, allow access only
for those users that can’t do without such access. Restrict mapped drives on a need-only
basis and consider disabling Remote Desktop Protocol or changing the default port. Switch off
unused Bluetooth and infrared ports. Impose controls on the use of external devices, such as
flash drives. Use application white-listing, i.e., allow access only to those applications that are
trustworthy.
Browser Hygiene
Because exploit kits work based on vulnerabilities in the system, all security settings in
browsers should be on to allow maximum protection. Update or delete outdated plugins
White Paper
6
and add-ons. Make sure syncing folders do not sync files non-stop. Install an ad blocker to
block malvertising.
File-level Measures
Disable macro scripts in Office files because they can be used as downloaders of ransomware
payloads. Enable showing file extensions and pay close attention to those that have
suspicious (e.g., .scr) or double (e.g., .pdf.exe) extensions.
Testing and Improvement
Run regular penetration tests to check the protection level of your infrastructure and
identify possible weak spots. Stay informed on the latest strains of ransomware and how the
infections find ways into systems.
Reliable Backup Practices as the Most Effective
Insurance
Despite often being listed among prevention measures, backup is more of a damage control
method. Having backups might not make your company a less attractive target for attackers
or patch your security holes. However, with properly executed backups, you should be able to
shrug off the threats and simply recover your files from the latest backup.
For virtualized and cloud environments, NAKIVO Backup & Replication can be used as a
reliable form of anti-ransomware protection. With the help of NAKIVO Backup & Replication,
you can:

Back up or replicate all your Hyper-V or VMware VMs and AWS EC2 instances in
accordance with the 3-2-1 rule (3 copies of data, on 2 different media, with one of them
offsite). For better protection, put your offsite copy in a cloud environment.

Store up to 1,000 recovery points for VM backups and as many as 30 recovery points for
VM replicas. Rotate them using the GFS (grandfather-father-son) approach to provide you
with multiple recovery options and a large recovery window, which can be useful if your
recent backup files turn out to be corrupted.

Increase the frequency of backups thanks to the forever-incremental approach, where
only those data blocks that have changed since the last backup job are transferred. With
smaller amounts of data needing to be backed up, the VM backup job takes less time and
can thus be run more frequently without straining the network. Performing frequent
backups means that you should have a recent recovery point available at any time.
White Paper
7

Save storage space thanks to deduplication and compression. This means that your
data can be protected against ransomware without overspending. If you choose to
use a network-attached storage (NAS) device, NAKIVO Backup & Replication can be
installed directly on such device and help achieve even bigger savings, along with higher
performance of your production environment.

Protect your data with encryption in flight and at rest as an additional layer of security.

Verify your VM backups and replicas to make sure they can be used for recovery. NAKIVO
Backup & Replication can perform screenshot verification for every VM after every backup
or replication job and report the results to you via email.
The entire scope of VM data protection measures is at your fingertips in the NAKIVO Backup
& Replication’s intuitive web interface, with convenient scheduling and simple automation.
Is Paying the Ransom the Right Solution?
Assume the worst – your infrastructure was hit by a successful ransomware attack. Should
you recommend that the business owners pay the ransom? There is no single answer to this
question. The “we don’t negotiate with terrorists” philosophy suggests you should not even
consider payment. However, following the resolute path is much harder in practice than in
theor y.
In each individual case, the decision should be made bearing the following things in mind:

Even if you do pay, there is no guarantee that the files get released. In fact, around a
quarter of all companies affected by ransomware who paid never received their files back.

In case of sloppily and hastily made ransomware, the ability to unlock or decrypt files
might not be even included in the initial design.

Paying up once can make your company a likely target in future, because you proved to be
vulnerable.
Yet again – if you have properly made backups that are stored separately from your physical
and/or virtual machines, the question of payment should not arise at all.
White Paper
8
Summary
Ransomware protection is a complex, multi-faceted approach to maintaining your entire
infrastructure and arranging the work processes within. Such approach should include multi-
layered protection of your data (backups as well as replication), educating users on safe work
practices, reducing risks by sealing the weak spots, keeping up with latest developments in
the ransomware protection field, and periodic testing of your environment for vulnerabilities.
Using NAKIVO Backup & Replication can become the first major step in your ransomware
protection plan.