Ransomware is a profitable market for criminals. And for victims, even the ones who don't pay the ransom, the consequences are expensive, with indirect costs such as downtime and system recovery, incident analysis and response, and auditing.
Ransomware is on the move, with crimeware authors evolving their toolkits beyond encrypting a user's documents: variants seen in the wild target specific e-commerce websites and encrypt entire disk drives rather than individual files. It's time to think about the ransomware prevention tools you need to employ now to avoid having your systems and data taken hostage.
Ransomware prevention explained
Ransomware is just another type of malware, so the usual advice on how to avoid malware applies: Use system management tools to keep your systems patched, particularly riskier applications such as Microsoft Office and Adobe Reader. Uninstall repeat security offenders, such as Flash and Java, unless a clear business need requires them. Protect user devices with an endpoint security tool and email with an email security gateway.
But offering the same old advice raises a question: If we're all already doing this, why is there still so much ransomware out there? The answer lies in the details. Many of these ransomware prevention tools were configured five or even ten years ago and haven't been revisited. Vendors have added features, and enterprises are not taking advantage of them.
To acquire or better deploy tools to fight ransomware, let's first look at system management tools, endpoint security and email security to see how they work, what's new and what's most important in avoiding ransomware.
How ransomware prevention works
System management tools help avoid ransomware first by enforcing patching. IT managers should be looking into patch failures and aggressively resolving them. Depending on a Group Policy setting for Windows Update isn't good enough; system management tools that automate endpoint patching are critical for good reporting on, and control over, installed software. With more than a dozen of these tools available at every price point, there's a product to fit almost every company's needs.
Endpoint security tools block ransomware from downloading or executing, but that's just the beginning. While all endpoint security products have firewall and antimalware tools, IT managers can use them to protect the desktop (or mobile device) in other ways. Because these products operate in the context of the desktop itself, they are better suited to identify malware and bad behavior than network devices, which have only a limited view of endpoint activities.
The most common way for ransomware to get onto employee desktops is email. That makes email security gateways an important part of stopping the phishing attacks that end up as ransomware attacks and of filtering malware attachments out of incoming email.
Features to look for
System management tools are not just about patching; they secure the desktop with ransomware prevention features -- such as a software census, which gives IT managers a window into what's installed on each desktop -- and the ability to remove unused or unneeded packages. Where obvious weak spots are present, such as the macro and scripting languages built into applications like Microsoft Office -- a favorite tool for attackers -- system management tools can harden must-have applications through additional configuration. A key feature is handling the inevitable exceptions cleanly: permitting an insecure configuration or an old version only for the users who have a clear business need, so that the attack surface it presents stays as small as possible.
Endpoint security suites have come a long way past firewall and antimalware tools. Application whitelisting is a great strategy for protecting legacy systems from ransomware, especially servers or locked-down workstations, because an executable that isn't on the list is simply never allowed to run. Many endpoint security suites include both whitelisting and blacklisting as basic features. URL filtering can be enabled at the desktop level to help block known malicious sites where ransomware may be hosted, and newer behavioral analysis features can stop ransomware on the strength of what it does before it does much harm. Desktop controls, such as disabling execution of downloaded applications, should be revisited by IT managers who may not be aware of new features added by their current endpoint security vendor.
Steps to reduce the ransomware risk
The best way to survive a ransomware attack is to be in a position where it barely matters whether you get hit. Here are some steps to get you there:
- Have a solid backup strategy in place: keep at least one copy offline or otherwise out of reach of a compromised desktop, since ransomware that can reach a mapped backup share will encrypt it too, and test restores regularly rather than assuming the backups are good.
- Keep staff from storing sensitive information on local hard drives so that if ransomware strikes, all that's required is a restoration from backups.
- Replace file shares with modern collaboration tools that keep version history, so that ransomware can't affect more than a handful of files and whatever it does touch can be rolled back.
- Give staff solid training; if employees feel they can depend on IT teams to support them when they have questions, phishing attacks and ransomware will have far less effect.
IT managers should also look at the endpoint security features built into Windows 10. Microsoft has been aggressively hardening the operating system with features -- such as code integrity checking, Device Guard and virtualization-based security -- that make it harder to get malware onto desktops and running. An upgrade to Windows 10 raises the bar for attackers on its own, though Device Guard and virtualization-based security need compatible hardware (UEFI with Secure Boot and CPU virtualization extensions) and have to be turned on deliberately; the upgrade does not enable them by itself.
What used to be "antispam" is now "email security," but it's more than a name change: Features for blocking malware are a big part of what's new. Simple malware scanning has been replaced by more sophisticated policy-based protections that include scanning deep inside of attachments for spyware and malware, blocking password-protected attachments, "zero-hour" detection based on reputation and file characteristics, and using sandboxing systems and services to detect malware when signature-based scanning fails.
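What "scanning deep inside of attachments" and "blocking password-protected attachments" look like in code, as an added example written for this page rather than taken from the article or from any gateway product. It parses a MIME message, walks the attachments and flags a PE executable by its MZ magic regardless of filename, a password-protected zip (via the encryption bit in the zip headers) and an OOXML document carrying a VBA project. The message and its attachments are constructed inline; BLOCK_ENCRYPTED_ARCHIVES, EXECUTABLE_SUFFIXES and the function names are this example's own, not a real product's API.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Policy knobs a gateway would expose (hypothetical names for this example).
BLOCK_ENCRYPTED_ARCHIVES = True
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".ps1")
MACRO_ENTRY = "vbaproject.bin"   # the VBA project inside any macro-enabled OOXML file


def zip_members(data: bytes):
    """Central-directory listing of a zip, or None when data is not a zip.
    Member names and per-entry flag bits are stored in the clear even when the
    archive is password-protected; only the member contents are encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to block this attachment (empty list = allow)."""
    reasons = []
    if data[:2] == b"MZ":
        # PE header magic: a renamed .exe is still an .exe
        reasons.append(f"PE executable by magic bytes, regardless of name {filename!r}")
    members = zip_members(data)
    if members is not None:
        if BLOCK_ENCRYPTED_ARCHIVES and any(m.flag_bits & 0x1 for m in members):
            reasons.append("password-protected archive cannot be scanned")
        names = [m.filename.lower() for m in members]
        if any(n.endswith(MACRO_ENTRY) for n in names):
            reasons.append("Office document carries a VBA macro project")
        if any(n.endswith(EXECUTABLE_SUFFIXES) for n in names):
            reasons.append("archive contains an executable or script")
    return reasons


def inspect_message(raw: bytes) -> dict:
    """Map every attachment's filename to its block reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        verdicts[name] = inspect_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts


def blocked_attachments(raw: bytes) -> list:
    return sorted(name for name, reasons in inspect_message(raw).items() if reasons)


# --- constructed sample input (not a real phishing message) ------------------

def _zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(raw: bytes) -> bytes:
    """Set bit 0 (encrypted) of the general-purpose flag in every local header
    (PK 03 04, flag at +6) and central header (PK 01 02, flag at +8), which is
    how a real archiver advertises password protection."""
    buf = bytearray(raw)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("The archive password is 1234.")
    # 1. encrypted zip hiding an executable: a classic way past signature scanning
    msg.add_attachment(_mark_encrypted(_zip([("invoice.exe", b"MZ" + b"\0" * 64)])),
                       maintype="application", subtype="zip", filename="invoice.zip")
    # 2. macro-enabled Word document (OOXML is a zip; the macro lives in word/vbaProject.bin)
    msg.add_attachment(_zip([("[Content_Types].xml", b"<Types/>"),
                             ("word/document.xml", b"<w:document/>"),
                             ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")]),
                       maintype="application", subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    # 3. executable renamed to look like a picture
    msg.add_attachment(b"MZ" + b"\0" * 64, maintype="image", subtype="jpeg", filename="photo.jpg")
    # 4. harmless text file that should pass
    msg.add_attachment("Minutes from Monday's meeting.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_message(build_sample_message()).items():
        print(("BLOCK " if reasons else "ALLOW ") + name, *reasons, sep="\n    ")
```

Two details worth knowing: zip member names are stored unencrypted even in a password-protected archive, so the listing-based checks still work, and a gateway that cannot open an attachment should treat "unscannable" as a verdict in itself rather than fall through to allow.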
Email security gateways and standalone supplementary email protection products also have been adding protections specifically for phishing attacks by validating incoming email from well-known domains and identifying forged email. Some protections are based on existing -- but seldom-used -- email protection protocols such as DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework); others are based on more sophisticated analysis of sender patterns.
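The alignment logic these protocols give a gateway, written out as an added example that is not from the article or from any vendor product. It evaluates the ip4/ip6/all mechanisms of an SPF record against the connecting IP (mechanisms that need DNS lookups, such as include and mx, are left out), then applies the From: domain's DMARC record with strict or relaxed alignment to decide whether the message passes and what the publishing domain asks receivers to do when it doesn't. The domains, IPs and TXT records in DNS are constructed stand-ins for real lookups, and organizational_domain uses a last-two-labels simplification in place of the Public Suffix List.

```python
import ipaddress

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DMARC_DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r"}   # RFC 7489 defaults


def spf_check(client_ip: str, spf_record: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF TXT record (RFC 7208)
    against the connecting IP. Mechanisms that need DNS (include, a, mx, ptr,
    exists) are outside this offline example and treated as non-matching."""
    if not spf_record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in spf_record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip in network        # False when address families differ
        elif mech == "all":
            matched = True
        else:
            matched = False                # DNS-based mechanism or a modifier
        if matched:
            return SPF_RESULTS[qualifier]
    return "neutral"                       # no mechanism matched


def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value; ...' list published at _dmarc.<domain>."""
    tags = dict(DMARC_DEFAULTS)
    for item in record.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification for this example: the last two labels. RFC 7489 requires
    the Public Suffix List, which this offline code does not ship."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def dmarc_evaluate(from_domain, dmarc_record, spf_result, spf_domain, dkim_result, dkim_domain) -> dict:
    """Combine SPF and DKIM outcomes with the From: domain's DMARC policy.
    spf_domain is the MAIL FROM (Return-Path) domain; dkim_domain is the d=
    tag of a signature that verified. Either identifier aligning is a pass."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"result": "none", "disposition": "none", "spf_aligned": False, "dkim_aligned": False}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {"result": "pass" if passed else "fail",
            "disposition": "none" if passed else tags["p"],
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# Constructed TXT records standing in for DNS lookups (not real domains' data).
DNS = {
    "example.com":        {"spf": "v=spf1 ip4:192.0.2.0/24 -all",
                           "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"},
    "bounce.example.com": {"spf": "v=spf1 ip4:192.0.2.0/24 -all"},
    "phish.example.net":  {"spf": "v=spf1 ip4:203.0.113.0/24 -all"},
}


def check_inbound(from_domain, client_ip, mail_from_domain, dkim_result, dkim_domain, dns=DNS) -> dict:
    """One inbound message end to end: SPF against the MAIL FROM domain's record,
    then DMARC against the From: header domain's record."""
    spf = spf_check(client_ip, dns.get(mail_from_domain, {}).get("spf", ""))
    return dmarc_evaluate(from_domain, dns.get(from_domain, {}).get("dmarc", ""),
                          spf, mail_from_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    print("legitimate:", check_inbound("example.com", "192.0.2.10", "bounce.example.com", "pass", "example.com"))
    print("forged:    ", check_inbound("example.com", "203.0.113.5", "phish.example.net", "none", None))
```

The forged case is the one that matters for phishing: the attacker's own domain passes SPF, but it does not align with the From: header the user sees, so DMARC fails and the publishing domain's p=reject applies. The gateway can only act on that, though, when the impersonated domain publishes a DMARC record at all, which is why the article calls these protocols seldom-used.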
The bottom line
McAfee proclaimed 2016 "The Year of Ransomware" and reported that a single ransomware author had extorted more than $121 million in Bitcoins from targets around the globe. IT managers who want to avoid the pain of ransomware need to have a start-to-finish strategy for protection that includes a full menu of ransomware prevention tools.
One key piece is technological assistance: reducing the attack surface, blocking malware on the desktop and keeping out phishing attacks. Three tools that can help here and are already in the security arsenal at most organizations include system management and patching tools, endpoint security suites and email security gateways.
IT managers should evaluate each of these three tools to be sure that they're getting maximum benefit out of the protections -- and, if necessary, change out a tool that hasn't kept up with today's needs. If patching isn't happening and excess software is installed, use system management tools to remediate. If malware is still getting onto end-user desktops, find out whether it's because your ransomware prevention tool needs replacing or because a configuration needs updating. And if phishing attacks and unwanted attachments are getting through the email security gateway, look at what can be done with the existing tool to increase protection and keep ransomware from making its way into the enterprise -- or find a better tool.