Introduction and Background
As the impact and severity of crypto ransomware threats and attacks have grown over the past 2½ years, Webroot has published many blogs and articles on how best to defend against these modern-day extortionists. Webroot does not believe that businesses or consumers should have to choose between extortion and losing precious, irreplaceable data.
This guide points out some practical approaches to protecting SMBs from crypto ransomware. Some of these recommendations may not be suitable for certain IT environments, and a few of them will cause certain programs not to install or function as expected, so weigh each one against the environment it is applied to.
On behalf of Webroot, we hope MSPs and other service providers will find this guide educational, useful, and valuable in protecting businesses from extortion.
Crypto Ransomware Mitigation Guide
This guide examines a number of mitigation strategies that help protect organizations’ data from crypto ransomware attacks.
The damage from becoming a victim of crypto ransomware and not having adequate safeguards and mitigation strategies in place is considerable – life-threatening in the case of a recent LA hospital breach. For smaller businesses, such an attack could put them out of business.
1. Use Reputable, Proven, Multi-Vector Endpoint Security
There are a huge number of options when it comes to endpoint security. While published detection tests can indicate whether a solution can stop crypto ransomware, most detection testing is flawed – with many programs achieving 100% detection results that can’t be reproduced in the wild.
Webroot has built a strong reputation for stopping crypto ransomware. The goal, first and foremost, is to be 100% effective. Webroot was the first antivirus and antimalware vendor to move completely away from the standard, signature-based file detection method. By harnessing the power of cloud computing, Webroot replaced traditional, reactive antivirus with proactive, real-time endpoint monitoring and threat intelligence, defending each endpoint individually, while gathering, analyzing, and propagating threat data collectively.
Regardless of the solution chosen, it is essential that it offers multi-dimensional protection and prevention against malware, so that it quickly recognizes external threats and any suspicious behaviors. A next-generation endpoint security solution with protection beyond file-based threats is essential.
2. Put Strong Backup Practices in Place
Even service providers and administrators running next-generation endpoint security can still fall victim to crypto ransomware infections. When infections do get through, organizations need a strong backup and business continuity plan to be able to restore data and minimize business downtime.
The recommended best practice is that data and systems are backed up in at least three different places:
- Main storage area (file server)
- Local disk backup
- Mirrors in a cloud business continuity service
In the event of a ransomware disaster, this setup will give administrators the ability to mitigate any takeover of data and almost immediately regain the full functionality of critical IT systems. With all of the disastrous outcomes of not having a mature business continuity and disaster recovery plan in place, it is wise for MSPs and business owners to take a deep look into their systems and invest in available solutions.
3. General Protection Tips
These tips help protect IT environments and thwart crypto ransomware threats and attacks.
3.1. Make sure that endpoint security is installed and set up correctly.
It is worth checking that the appropriate protection policies are active and applied to the correct user groups (or to whatever units policies are allocated to in the environment).
3.2. Check regularly that backups are working.
It is vital to verify that backups are completing, that the integrity of the backed-up data is maintained, and that the data can be easily restored to the host.
3.3. Ensure the latest Windows updates are applied.
A number of infections are instantly ruled out if Windows is up to date. Reduce workload by putting in place a patching routine. This is a security fundamental.
3.4. Keep all plugins up to date.
Keeping all third-party plug-ins updated to their latest build is an important counter to exploits. Make this part of the patch management regime.
3.5. Use a modern browser with an ad blocking plugin.
Modern browsers like Chrome and Firefox are constantly being updated to remove vulnerabilities. They also give the option to add BHOs or plugins that will make users more secure. At the most basic level, simply having a pop-up blocker installed and running can save a lot of users from getting infected.
3.6. Disable autorun.
Autorun is a useful feature, but malware uses it to propagate itself around a corporate environment. With the growth of USB sticks, malware increasingly uses autorun as a means of proliferation. Because it is commonly abused by Visual Basic Script (VBS) malware and worms, it is best to disable autorun through Policy.
3.7. Disable Windows Scripting Host.
VBS files are Microsoft scripts that malware authors use either to cause disruption in an environment or to run a process that downloads more advanced malware. Disable them completely by turning off the Windows Scripting Host engine that VBS files rely on to run.
3.8. Have users run as limited users and NOT admins.
This is highly desirable from a security perspective but not always possible for power users. The tip matters because some current ransomware threats are capable of browsing and encrypting data on any mapped drive the end user has access to. Restricting the user's permissions on the share, or on the underlying file system of a mapped drive, limits what the threat is able to encrypt.
3.9. Show hidden file extensions.
Ransomware such as CryptoLocker frequently arrives as a file whose name ends in “.PDF.EXE” or something similar. The malware writer counts on the default Windows behavior of hiding known file extensions. If full file extensions are visible, it is easier to spot suspicious files.
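Tips 3.6, 3.7 and 3.9 each map to a registry value that Windows reads for its policy, so an administrator can audit them from PowerShell and, keeping this guide's caveat about side effects in mind, enforce them. This is an added example and not code from the Webroot guide: the registry locations are the documented Windows settings, while the function name, the output fields and the -Remediate switch are this example's own.

```powershell
# Added example, not from the Webroot guide: audit the registry settings behind tips
# 3.6, 3.7 and 3.9 and optionally set them. Registry locations are the documented
# Windows policy values; the function name and output shape are this example's own.
# Run from an elevated PowerShell session (the HKLM writes require admin rights).
function Test-RansomwareHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Set the recommended value where a check fails instead of only reporting it.
        [switch]$Remediate
    )

    # Each entry: registry key, value name, and the value the guide's advice implies.
    $checks = @(
        [pscustomobject]@{
            Tip  = '3.6 Disable autorun on all drive types'
            Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
            Name = 'NoDriveTypeAutoRun'; Want = 0xFF },
        [pscustomobject]@{
            Tip  = '3.7 Disable Windows Script Host (machine-wide)'
            Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
            Name = 'Enabled'; Want = 0 },
        [pscustomobject]@{
            Tip  = '3.9 Show file extensions for the current user'
            Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
            Name = 'HideFileExt'; Want = 0 }
    )

    foreach ($c in $checks) {
        # A missing value means the Windows default applies, which fails all three checks.
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($null -ne $current) -and ($current -eq $c.Want)

        if (-not $ok -and $Remediate -and
            $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", "Set DWORD to $($c.Want)")) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
            $current = $c.Want; $ok = $true
        }

        [pscustomobject]@{ Tip = $c.Tip; Current = $current; Expected = $c.Want; Compliant = $ok }
    }
}

# Report only by default; add -Remediate (with -WhatIf to preview) to apply the values.
Test-RansomwareHardening | Format-Table -AutoSize
```

The HKCU check reflects only the user running the script; across a fleet the same values are normally pushed with Group Policy, which is also how the guide suggests disabling autorun.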
4. Creating Windows Policies to Defend Against Ransomware
When it comes to crypto ransomware, some Windows Policies need to be created to block certain paths and file extensions from running. Java is generally the most popular route for exploiting software, but these rules apply to nearly all commonly used plugins. Generally speaking, if users do not intend to use certain plugins, it is better not to have them installed.