{"id":1572,"date":"2018-05-01T17:01:18","date_gmt":"2018-05-01T17:01:18","guid":{"rendered":"https:\/\/beta.webuildsolutions.com\/?p=1572"},"modified":"2019-08-29T11:00:45","modified_gmt":"2019-08-29T16:00:45","slug":"ransomware-protection-how-to-stay-one-step-ahead-of-attackers-from-nakivo-white-paper","status":"publish","type":"post","link":"https:\/\/www.webuildsolutions.com\/index.php\/2018\/05\/01\/ransomware-protection-how-to-stay-one-step-ahead-of-attackers-from-nakivo-white-paper\/","title":{"rendered":"Ransomware Protection: How to Stay One Step Ahead of Attackers (from Nakivo White Paper)"},"content":{"rendered":"
\n
\"\"<\/span><\/strong><\/div>\n
Overview<\/span><\/strong><\/div>\n
In today\u2019s digitized world, having uninterrupted access to data is critical. This is why the<\/div>\n
concept of ransomware occurred to criminals in the first place: locking electronic files is much<\/div>\n
easier than seizing a warehouse or otherwise disrupting business activity offline.<\/div>\n
The concept proved attractive and lucrative, resulting in a sharp increase of ransomware<\/div>\n
attacks. Today, a company falls prey to attackers every 40 seconds, while the average ransom<\/div>\n
demand has grown by several times.<\/div>\n
The prospects are rather grim \u2013 experts predict that ransomware can get more sophisticated<\/div>\n
year by year, finding new ways to infect and proliferate.<\/div>\n
In such conditions, knowing what you are dealing with and protecting your infrastructure is<\/div>\n
essential. Otherwise, your important files could be taken hostage at any moment.<\/div>\n
What Is Ransomware?<\/div>\n
Ransomware is a type of malware that limits the access of users to their files. The goal is<\/div>\n
almost always monetary; access is returned to the user after a certain amount of money (the<\/div>\n
ransom) is paid. This means that businesses are some of the primary targets, because they<\/div>\n
can afford to pay more than not-for-profit organizations or individual users. Yet cases have<\/div>\n
been recorded when public institutions, such as hospitals, fell victim to ransomware, which<\/div>\n
resulted in endangering the lives of many patients.<\/div>\n
The first attempts at using ransomware were recorded long before the actual term was<\/div>\n
coined. In fact, the idea of taking files hostage and demanding ransom for releasing them<\/div>\n
belonged to AIDS researcher Joseph Popp. As early as in 1989, he distributed floppy disks<\/div>\n
among fellow health researchers all around the world, which supposedly contained a survey<\/div>\n
to evaluate their risks of contracting HIV. The floppy disk did contain the survey \u2013 as well as<\/div>\n
a virus that nested in users\u2019 computers and, after a certain number of reboots, locked their<\/div>\n
files, demanding a $189 ransom. Joseph Popp was subsequently arrested, but was ultimately<\/div>\n
judged mentally unfit to be prosecuted. His promising idea, however, was soon picked up,<\/div>\n
developed, and put into practice. By now, \u201cransomware\u201d has become a buzzword.<\/div>\n
Most Common Types of Ransomware<\/div>\n
Over the years, ransomware has lived through numerous transformations, adapting to the<\/div>\n
increasing levels of protection and the ever-higher awareness level of users. Hundreds of<\/div>\n
strains exist today, each of them with different methods of system penetration and damage<\/div>\n
White Paper<\/div>\n
2<\/div>\n
<\/div>\n
potential.<\/span><\/strong> At a high level, they can all be classified according to several criteria:<\/div>\n
\u0016<\/div>\n
Lock,<\/span><\/strong><\/div>\n
limiting your access to files. In such cases,<\/div>\n
you can only communicate with the attacker and<\/div>\n
transfer the ransom.<\/div>\n
\u0016<\/div>\n
Encrypt,<\/span><\/strong><\/div>\n
leaving you access but depriving you of<\/div>\n
the ability to use the files. Modern ransomware<\/div>\n
uses hybrid encryption, which makes decryption<\/div>\n
near impossible without the permission of the<\/div>\n
attacker.<\/div>\n
\u0016<\/div>\n
Delete,<\/strong><\/span><\/div>\n
which can be done in two ways: the<\/div>\n
attacker can threaten to delete all the files unless<\/div>\n
the ransom is paid, OR they can delete encrypted<\/div>\n
or locked files one by one while waiting for the<\/div>\n
ransom.<\/div>\n
Destroy<\/strong><\/span><\/div>\n
files unless the ransom is paid, setting a<\/div>\n
time limit after which they start deleting the files<\/div>\n
one by one. The amount of ransom might grow<\/div>\n
with every hour.<\/div>\n
\u0016<\/div>\n
What the attackers can threaten to do:<\/strong><\/span><\/div>\n
Leak<\/strong><\/span><\/div>\n
files, such as confidential client information<\/div>\n
or internal documents.<\/div>\n
\u0016<\/div>\n
Prosecute<\/strong><\/span><\/div>\n
the owner of the affected system for<\/div>\n
having illegal content. In this case, the attacker<\/div>\n
usually poses as a law enforcement agency,<\/div>\n
stating that the victim has violated intellectual<\/div>\n
property rights or other legislation and has to pay<\/div>\n
an electronic fine. This type of ransomware is a<\/div>\n
rather advanced one, with attackers determining<\/div>\n
the location of their targets and posing as a law<\/div>\n
enforcement agency of the relevant country.<\/div>\n
<\/div>\n
White Paper<\/div>\n
3<\/div>\n
<\/div>\n
\u0016<\/div>\n
Unleash<\/strong><\/span><\/div>\n
more attacks in the future, prompting<\/div>\n
the victim to buy software that can supposedly<\/div>\n
protect them from future threats.<\/div>\n<\/div>\n
\n
What devices can be attacked:<\/strong><\/div>\n
\u0016<\/strong><\/div>\n
Computers,<\/strong><\/span><\/div>\n
including PCs and laptops.<\/div>\n
\u0016<\/div>\n
Mobile devices,<\/strong><\/span><\/div>\n
especially Android-based ones,<\/div>\n
because they allow the installation of applications<\/div>\n
from third-party sources.<\/div>\n<\/div>\n
\n
<\/div>\n
Ways of Contracting the Virus:<\/strong><\/span><\/div>\n
Many uneducated users believe that ransomware<\/div>\n
viruses arrive only in suspicious email attachments,<\/div>\n
and that all you have to do is impose strict control in<\/div>\n
this area. However, modern strains of ransomware<\/div>\n
are sophisticated enough to find multiple ways of<\/div>\n
penetration in your environment, and are sometimes<\/div>\n
even capable of turning such environment into a<\/div>\n
distributor. Email is, however, the primary channel,<\/div>\n
given the relative simplicity and the big number of<\/div>\n
users that can be targeted at once.<\/div>\n
Other channels include:<\/div>\n
\u0016<\/div>\n
SMS text messages prompting users to click a<\/strong><\/span><\/div>\n
link.<\/strong><\/span><\/div>\n
\u0016<\/div>\n
Malicious websites<\/strong><\/span>, where users are tricked<\/div>\n
to download infected content or are infected<\/div>\n
automatically using an exploit kit. An exploit kit is a tool that finds and exploits<\/div>\n
vulnerabilities in a user\u2019s system, causing malware to be downloaded.<\/div>\n
\u0016<\/div>\n
Legitimate websites that have been violated<\/strong> <\/span>by having malware injected into their pages.<\/div>\n
These can be websites of any nature, including social media, video platforms such as<\/div>\n
YouTube, etc.<\/div>\n
\u0016<\/div>\n
Malvertising<\/strong><\/span> \u2013 ads that contain malware, even though they are placed on trusted websites.<\/div>\n
When clicking on an ad, the user is redirected to a server with an exploit kit.<\/div>\n
\u0016<\/div>\n
Software applications<\/strong><\/span>, such as instant messaging apps, and their updates.<\/div>\n
\u0016<\/div>\n
Infected external storage devices<\/strong><\/span>.<\/div>\n
\u0016<\/div>\n
Computers running Remote Desktop or Terminal Services<\/strong> <\/span>whose passwords are brute-<\/div>\n
forced to gain malicious access to the system.<\/div>\n
The biggest threat related to ransomware is that such online extortion is developing rapidly,<\/div>\n
constantly finding new ways of damaging the files in your infrastructure.<\/div>\n
<\/div>\n
Payment amount:<\/strong><\/span><\/div>\n
The average ransomware<\/div>\n
demand was $1,077 in 2016<\/div>\n
and went down to $544 in the<\/div>\n
first half of 2017. Attackers<\/div>\n
are settling for smaller<\/div>\n
amounts to make sure that<\/div>\n
victims can afford paying<\/div>\n
the ransom. They also want<\/div>\n
payment to seem the easiest<\/div>\n
way out.<\/div>\n
<\/div>\n
Payment methods used for ransomware:<\/strong><\/span><\/div>\n
Bitcoin<\/div>\n
MoneyPak<\/div>\n
cashU<\/div>\n
Payment vouchers<\/div>\n
Gift cards<\/div>\n
<\/div>\n
White Paper<\/div>\n
4<\/div>\n
<\/div>\n
Lower Your Chances of Becoming a Victim<\/strong><\/span><\/div>\n
As with any major threat, your defense should start<\/div>\n
before the first attack. Ransomware creators are<\/div>\n
looking to exploit any security vulnerabilities in your<\/div>\n
infrastructure; the earlier you identify and patch<\/div>\n
them, the better protected your environment can be.<\/div>\n
There is a list of tried and tested best practices that<\/div>\n
can help you reduce your chances of falling prey to<\/div>\n
attackers.<\/div>\n
<\/div>\n
Education of Users<\/strong><\/span><\/div>\n
Email is the primary channel for infecting a system.<\/div>\n
In most cases, such emails are crafted individually<\/div>\n
to increase the chances of users opening them and<\/div>\n
clicking on the link or attachment inside. Sending<\/div>\n
mass emails that are designed to trick users into<\/div>\n
clicking a link or an attachment contained therein<\/div>\n
(i.e., users are tricked with bait en masse) is called<\/div>\n
\u201cphishing\u201d. Sending highly targeted emails using<\/div>\n
information gathered from other channels, including<\/div>\n
social media (i.e., users are singled out and targeted<\/div>\n
individually) is called \u201cspear phishing\u201d.<\/div>\n
Different deception techniques are used to persuade<\/div>\n
users of the legitimate nature of such emails. They<\/div>\n
can be disguised as order confirmations, package<\/div>\n
delivery notifications, or other seemingly harmless<\/div>\n
messages. Educating your system\u2019s users on the<\/div>\n
dangers related to opening suspicious emails,<\/div>\n
especially clicking on the links and attachments<\/div>\n
inside, can be of great help in securing your<\/div>\n
endpoints. Don\u2019t forget to educate your network\u2019s<\/div>\n
users on the dangers of using social media from<\/div>\n
a work computer; social media is one of the most<\/div>\n
frequently used channels for spreading malware<\/div>\n
through \u201csocial engineering\u201d (that is, tricks).<\/div>\n
<\/div>\n
<\/div>\n
<\/div>\n
<\/div>\n
White Paper<\/div>\n
5<\/div>\n
<\/div>\n
Email Hygiene<\/strong><\/span><\/div>\n
Implement thorough spam filtering and email scanning to block executable (e.g., .exe) files<\/div>\n
in attachments, as they are the most dangerous. Unsubscribe users from unnecessary<\/div>\n
corporate email lists to reduce the chances of mass distribution of malicious links.<\/div>\n
Protection Software<\/strong><\/span><\/div>\n
Make sure you have reliable, up-to-date anti-virus, anti-malware, and intrusion-detection<\/div>\n
software that scans the systems regularly, taking immediate action if a threat is identified.<\/div>\n
Robust protection should cover all components of your infrastructure, including SaaS<\/div>\n
applications. When configuring your firewall(s), block access to known malicious IP addresses.<\/div>\n
Network Segmentation<\/strong><\/span><\/div>\n
Given the ability of ransomware to spread within a company\u2019s infrastructure, the propagation<\/div>\n
capabilities of the infection must be limited. You can achieve this through network<\/div>\n
segmentation, i.e., dividing resources, applications, and assets into segments. Communication<\/div>\n
between segments should be limited by logical and\/or physical separation of such segments.<\/div>\n
This way, if an infection does find a way into one, the effects of such infection can be isolated<\/div>\n
there, leaving other segments unaffected.<\/div>\n
Restricted Access<\/strong><\/span><\/div>\n
Even though users are sometimes given administrative accounts to reduce some of the IT<\/div>\n
team\u2019s workload, such practice puts the entire environment at greater risk. The more users<\/div>\n
that have the freedom to install third-party software on their computers, the higher the<\/div>\n
chances that at least one of them might get into trouble. Even a single infected computer<\/div>\n
is enough to undermine the security of the entire company. That\u2019s why users should be<\/div>\n
given guest accounts with limited rights. Apply the \u201cleast privilege\u201d rule in all systems and<\/div>\n
applications: if possible, grant read-only access to files or folders. Generally, allow access only<\/div>\n
for those users that can\u2019t do without such access. Restrict mapped drives on a need-only<\/div>\n
basis and consider disabling Remote Desktop Protocol or changing the default port. Switch off<\/div>\n
unused Bluetooth and infrared ports. Impose controls on the use of external devices, such as<\/div>\n
flash drives. Use application white-listing, i.e., allow access only to those applications that are<\/div>\n
trustworthy.<\/div>\n
Browser Hygiene<\/strong><\/span><\/div>\n
Because exploit kits work based on vulnerabilities in the system, all security settings in<\/div>\n
browsers should be on to allow maximum protection. Update or delete outdated plugins<\/div>\n
White Paper<\/div>\n
6<\/div>\n
<\/div>\n
and add-ons. Make sure syncing folders do not sync files non-stop. Install an ad blocker to<\/div>\n
block malvertising.<\/div>\n
<\/div>\n
File-level Measures<\/strong><\/span><\/div>\n
Disable macro scripts in Office files because they can be used as downloaders of ransomware<\/div>\n
payloads. Enable showing file extensions and pay close attention to those that have<\/div>\n
suspicious (e.g., .scr) or double (e.g., .pdf.exe) extensions.<\/div>\n
<\/div>\n
Testing and Improvement<\/strong><\/span><\/div>\n
Run regular penetration tests to check the protection level of your infrastructure and<\/div>\n
identify possible weak spots. Stay informed on the latest strains of ransomware and how the<\/div>\n
infections find ways into systems.<\/div>\n
Reliable Backup Practices as the Most Effective<\/div>\n
<\/div>\n
Insurance<\/strong><\/span><\/div>\n
Despite often being listed among prevention measures, backup is more of a damage control<\/div>\n
method. Having backups might not make your company a less attractive target for attackers<\/div>\n
or patch your security holes. However, with properly executed backups, you should be able to<\/div>\n
shrug off the threats and simply recover your files from the latest backup.<\/div>\n
For virtualized and cloud environments, NAKIVO Backup & Replication can be used as a<\/div>\n
reliable form of anti-ransomware protection. With the help of NAKIVO Backup & Replication,<\/div>\n
you can:<\/div>\n
\u0016<\/div>\n
Back up or replicate all your Hyper-V or VMware VMs and AWS EC2 instances in<\/div>\n
accordance with the 3-2-1 rule (3 copies of data, on 2 different media, with one of them<\/div>\n
offsite). For better protection, put your offsite copy in a cloud environment.<\/div>\n
\u0016<\/div>\n
Store up to 1,000 recovery points for VM backups and as many as 30 recovery points for<\/div>\n
VM replicas. Rotate them using the GFS (grandfather-father-son) approach to provide you<\/div>\n
with multiple recovery options and a large recovery window, which can be useful if your<\/div>\n
recent backup files turn out to be corrupted.<\/div>\n
\u0016<\/div>\n
Increase the frequency of backups thanks to the forever-incremental approach, where<\/div>\n
only those data blocks that have changed since the last backup job are transferred. With<\/div>\n
smaller amounts of data needing to be backed up, the VM backup job takes less time and<\/div>\n
can thus be run more frequently without straining the network. Performing frequent<\/div>\n
backups means that you should have a recent recovery point available at any time.<\/div>\n
White Paper<\/div>\n
7<\/div>\n
<\/div>\n
\u0016<\/div>\n
Save storage space thanks to deduplication and compression. This means that your<\/div>\n
data can be protected against ransomware without overspending. If you choose to<\/div>\n
use a network-attached storage (NAS) device, NAKIVO Backup & Replication can be<\/div>\n
installed directly on such device and help achieve even bigger savings, along with higher<\/div>\n
performance of your production environment.<\/div>\n
\u0016<\/div>\n
Protect your data with encryption in flight and at rest as an additional layer of security.<\/div>\n
\u0016<\/div>\n
Verify your VM backups and replicas to make sure they can be used for recovery. NAKIVO<\/div>\n
Backup & Replication can perform screenshot verification for every VM after every backup<\/div>\n
or replication job and report the results to you via email.<\/div>\n
The entire scope of VM data protection measures is at your fingertips in the NAKIVO Backup<\/div>\n
& Replication\u2019s intuitive web interface, with convenient scheduling and simple automation.<\/div>\n
Is Paying the Ransom the Right Solution?<\/div>\n
Assume the worst \u2013 your infrastructure was hit by a successful ransomware attack. Should<\/div>\n
you recommend that the business owners pay the ransom? There is no single answer to this<\/div>\n
question. The \u201cwe don\u2019t negotiate with terrorists\u201d philosophy suggests you should not even<\/div>\n
consider payment. However, following the resolute path is much harder in practice than in<\/div>\n
theor y.<\/div>\n
In each individual case, the decision should be made bearing the following things in mind:<\/div>\n
\u0016<\/div>\n
Even if you do pay, there is no guarantee that the files get released. In fact, around a<\/div>\n
quarter of all companies affected by ransomware who paid never received their files back.<\/div>\n
\u0016<\/div>\n
In case of sloppily and hastily made ransomware, the ability to unlock or decrypt files<\/div>\n
might not be even included in the initial design.<\/div>\n
\u0016<\/div>\n
Paying up once can make your company a likely target in future, because you proved to be<\/div>\n
vulnerable.<\/div>\n
Yet again \u2013 if you have properly made backups that are stored separately from your physical<\/div>\n
and\/or virtual machines, the question of payment should not arise at all.<\/div>\n
White Paper<\/div>\n
8<\/div>\n
<\/div>\n
Summary<\/strong><\/span><\/div>\n
Ransomware protection is a complex, multi-faceted approach to maintaining your entire<\/div>\n
infrastructure and arranging the work processes within. Such approach should include multi-<\/div>\n
layered protection of your data (backups as well as replication), educating users on safe work<\/div>\n
practices, reducing risks by sealing the weak spots, keeping up with latest developments in<\/div>\n
the ransomware protection field, and periodic testing of your environment for vulnerabilities.<\/div>\n
Using NAKIVO Backup & Replication can become the first major step in your ransomware<\/div>\n
protection plan.<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Overview In today\u2019s digitized world, having uninterrupted access to data is critical. This is why the concept of ransomware occurred to criminals in the first place: locking electronic files is much easier than seizing a warehouse or otherwise disrupting business activity offline. The concept proved attractive and lucrative, resulting in a sharp increase of ransomware<\/p>\n","protected":false},"author":1,"featured_media":1390,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rs_blank_template":"","rs_page_bg_color":"","slide_template_v7":"","footnotes":""},"categories":[16],"tags":[],"class_list":["post-1572","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it-security"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/posts\/1572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/comments?post=1572"}],"version-history":[{"count":0,"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/posts\/1572\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/media\/1390"}],"wp:attachment":[{"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/media?parent=1572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/categories?post=1572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webuildsolutions.com\/index.php\/wp-json\/wp\/v2\/tags?post=1572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}