5 ways to protect your enterprise network against ransomware


I think most of us will agree:

Ransomware is one of the largest security threats to your enterprise network.

Even with ransomware evolving, there are steps you can take to prevent it from encrypting files and spreading through your network.

In today’s article we will walk through 5 ways to combat ransomware:

Browser-Based Cryptocurrency Miners

This will probably be one of the biggest unreported attacks this year. It seems to be one of the most recent cyber security threats across all industries and personal security. It’s simple, really: have someone go to a website where JavaScript gets loaded in the browser to mine for Monero (XMR). The most ingenious part about it is that most people will NEVER know.

An article over at bleepingcomputer.com found that malware developers are installing the Coinhive JavaScript Monero miner on typo’ed domains. Coinhive, a JavaScript Monero miner, has been popping up in various AV and HIDS logs over the past few months. You can bet that Coinhive and browser-based mining clones will evolve as much as possible to stay ahead of the detection game.

Below we will predict and discuss the new threats you will encounter in 2018:

  • Perform Phishing Email Tests
  • Minimize Network Share Access
  • Install an IDS / IPS
  • Continuous Backups!
  • Segment Networks

Perform Phishing Email Tests

The best thing would be to stop ransomware at the time of infection or prevent it entirely. Unfortunately, users clicking on phishing emails and installing ransomware is still the largest source of infection. Simply telling employees to stop clicking on links from unknown senders doesn’t work, and many of the phishing emails appear to come from services such as Facebook or national banks.

A phishing email test will find out which emails are secure and which contain ransomware.

Make users part of the solution:

We have found that performing regular Phishing Email Tests against your own users is a great way to:

  • Make users feel like part of the solution

  • Find which users are most vulnerable to clicking on phishing emails

No one wants to be that person:

If people know you are testing, they’ll pay more attention. No one wants to be asked, “Why did you click on that link?” If you let your users know you are performing Phishing tests at any time, they will start paying attention before clicking.

Be positive and make it a game:

Part of this strategy can also involve recognition for the first person to catch a round of phishing emails. “You can’t get one over on Sharon… That’s the third phishing test she’s caught. Security has to get trickier!”

Minimize Network Share Access

When ransomware lands on a user’s workstation, most will scan the local hard drive and then look for connected or open network shares.

Network Shares Vulnerable to Attack

Authenticated and Connected: Network drive share that the current user has already authenticated and connected.

Open: Network Shares that simply have no authentication required or anonymous access.

Examples: Q:\ share which contains all of Accounting, or R:\ share which contains all of R&D without a password.

The simple fact is, if the user who gets infected with ransomware can access the network share, ransomware will attempt to encrypt the files and start deleting them.

Open network shares are vulnerable and can get infected with ransomware.

Therefore, if someone doesn’t need access to the share, don’t give it to them. Don’t leave the file share unprotected; make sure it requires a password. This would have saved one client over 25 hours in time that they spent restoring data from backup.
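The need-to-know rule above can be checked against an export of share permissions. The following is an added example, not part of the original article: the share names, groups, users and the set of principals treated as "open" are all constructed assumptions. It lists open shares and, for each user, the shares ransomware running under that account could write to.

```python
# Added example: every name below is constructed, not taken from a real file server.
# Principals treated as "open" for this audit (an assumption; adjust to your environment).
OPEN_PRINCIPALS = {"Everyone", "ANONYMOUS LOGON", "Guest"}
WRITE_RIGHTS = {"Change", "Full"}

# (share, principal, right) rows, in the shape a share-permission export might have.
SHARE_ACL = [
    ("Q-Accounting", "GRP-Accounting", "Change"),
    ("Q-Accounting", "GRP-AllStaff", "Read"),
    ("R-RnD", "Everyone", "Full"),        # open share: anyone can write
    ("Scans", "GRP-AllStaff", "Change"),
    ("HR", "GRP-HR", "Full"),
]

# Group membership per user (constructed).
GROUPS = {
    "alice": {"GRP-Accounting", "GRP-AllStaff"},
    "bob": {"GRP-AllStaff"},
    "carol": {"GRP-HR", "GRP-AllStaff"},
}

def open_shares(acl):
    """Shares writable by a principal that needs no specific authorization."""
    return sorted({s for s, p, r in acl if p in OPEN_PRINCIPALS and r in WRITE_RIGHTS})

def writable_shares(user, acl, groups):
    """Shares that malware running as `user` could modify: via a group or an open ACL."""
    principals = groups.get(user, set()) | OPEN_PRINCIPALS
    return sorted({s for s, p, r in acl if p in principals and r in WRITE_RIGHTS})

def excess_access(user, needed, acl, groups):
    """Writable shares for which the user has no stated business need."""
    return sorted(set(writable_shares(user, acl, groups)) - set(needed))

if __name__ == "__main__":
    print("open shares:", open_shares(SHARE_ACL))
    for user in sorted(GROUPS):
        print(user, "can write to", writable_shares(user, SHARE_ACL, GROUPS))
    print("alice excess:", excess_access("alice", ["Q-Accounting"], SHARE_ACL, GROUPS))
```

Read-only access is left out of the result because it does not let ransomware encrypt or delete files on the share.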

Install an IDS / IPS

An Intrusion Detection System or Intrusion Prevention System has a good chance of detecting or stopping the ransomware before it starts! IDS signatures that are updated daily often detect when ransomware calls home, and alert you to which machine was just infected!

What good is alerting after an infection?

Ransomware takes time. Time to encrypt and delete all of your files, time to find network shares, time to spread. Every second counts when files are being lost or ransomware is spreading to more machines.

Rapid alerting allows administrators time to turn off and separate the infected machine. Quick response is the difference between one machine becoming infected versus losing everything on your network!

Continuous Backups:

Yeah, I get it, you’re tired of hearing about backups. But, in every case of helping with ransomware, backups were the difference between paying hefty ransoms and getting back to business quickly.

Clients have been saved from ransomware because they used continuous backups on their servers and workstations. Depending on your industry, this option may or may not be for you. Continuous backups refer to backup systems which check and back up every 15 minutes on average. Services like CrashPlan and Jungle Disk are options people use to safeguard their data.

Segment Networks

You’ve probably heard this before. If not, you should probably get a Security Assessment of your network. What this means is that different areas of your network should have different access permissions. Specifically, do not give network-level access to resources that groups of workstations or groups of users do not need.

For example, the mail room probably doesn’t need remote desktop access to the accounting server, and general employee access to web servers can be limited to ports 80, 443, or other application ports.

What does this get you?

We have seen recent ransomware upgraded to use 0-day exploits to gain access to password-protected services and install itself on the new machine. Segmentation cuts off access for this method and limits infection once it takes hold on the user’s workstation.

Out of all of these suggestions, segmenting your network will most likely take the most effort, but it has long term benefits.
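The mail room and web server examples above can be written as an allow-list between segments and checked against recorded traffic. The following is an added example, not part of the original article: the subnets, segment names, policy entries and flow records are constructed assumptions.

```python
import ipaddress

# Constructed segments (assumed addressing for this example).
SEGMENTS = {
    "mailroom": ipaddress.ip_network("10.0.10.0/24"),
    "employees": ipaddress.ip_network("10.0.20.0/24"),
    "accounting": ipaddress.ip_network("10.0.30.0/24"),
    "web": ipaddress.ip_network("10.0.40.0/24"),
}

# Allow-list: (source segment, destination segment, allowed TCP ports).
# Anything not listed is denied by default.
POLICY = [
    ("employees", "web", {80, 443}),
    ("mailroom", "web", {80, 443}),
    ("accounting", "accounting", {445, 3389}),
]

def segment_of(ip):
    """Map an IP address to its segment name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src, dst, port):
    """True only if the policy explicitly allows this segment pair and port."""
    s, d = segment_of(src), segment_of(dst)
    return any(s == ps and d == pd and port in ports for ps, pd, ports in POLICY)

def violations(flow_lines):
    """Return (src, src_segment, dst_segment, port) for flows outside the allow-list."""
    found = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            found.append((src, segment_of(src), segment_of(dst), int(port)))
    return found

# Constructed flow records in the form "src dst tcp_dport".
FLOWS = [
    "10.0.20.15 10.0.40.5 443",
    "10.0.10.7 10.0.30.2 3389",   # mail room to accounting over RDP
    "10.0.20.15 10.0.40.5 22",    # employee to web server on a non-application port
    "10.0.20.15 10.0.30.2 445",   # workstation to accounting file service
]

if __name__ == "__main__":
    for v in violations(FLOWS):
        print("policy violation:", v)
```

Run against flow or firewall logs before enforcement, the same check shows which existing traffic a new segmentation policy would block.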

Wrapping Up:

Unfortunately, ransomware programmers are always adapting to trick users into installing the ransomware on their workstation. While I don’t want to say that part of the battle is lost, preparing for the eventuality of infection is necessary. The changes we have listed here have had great results in identifying and reducing the effects of ransomware infection.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.
