How to Prevent Ransomware in 2022
First Things First
Some of the most significant world events we saw in 2021 included high profile ransomware attacks that targeted public services, education & healthcare providers.
In a recent report, Emsisoft stated that in the US alone, 2,323 local governments, schools, and healthcare providers were hit by ransomware in 2021.
Some of the most notable attacks around the world were on:
- The Colonial Pipeline
- JBS Foods
It’s not a phenomenon limited to bigger countries either. Ireland’s entire public healthcare system (the HSE) was attacked, as was NUIG (the National University of Ireland, Galway).
The graphic below shows a few notable ransomware attacks that happened in Switzerland in Q4 2021. What is interesting is that several of the victims, including Montreux, Mellingen and St. Gallen, were municipal or cantonal (state) governments.
It sounds obvious, but the economic loss and the cost of remediating a ransomware attack are far more than the ransom demanded, and many times the cost of preventing it in the first place.
That does not even consider the human cost in lost activity, stress, and unpaid overtime that IT departments must endure to clean up the mess afterwards.
Why Ransomware Attacks Happen
Cyber Security is not exactly a new concept, so why are ransomware attacks increasing in frequency and severity?
- Have hackers got access to quantum computers?
- Did Morpheus give them the red pill?
- Or maybe they now have superpowers they didn’t have before?
The answer is that many organisations are simply ill prepared to prevent ransomware attacks. The people who should know better are underestimating the need to be thorough in securing their digital assets.
Effective Cyber Security has always needed three key elements: people, processes, and technology.
- People need to be properly qualified to do their job, trained frequently and learning content must be refreshed regularly.
- Security policies must be constantly improved, and documentation updated.
- And new technology like machine learning must be added to the Cyber Security toolkit quickly, to ensure that organisations are best protected against the latest Cyber Security threats.
But these three core elements are not enough by themselves.
What are the Core Issues?
In many cases an organisation's Cyber Security infrastructure, processes and policies could be improved, but IT leadership doesn’t have the budget or the political will to do so, fearing pushback from business stakeholders and users.
Many people are trained just enough to satisfy an auditor, but are never tested to ensure they have absorbed and understood the training content.
Many Cyber Security teams don’t have predefined incident response plans to follow, or don’t fully leverage the technology they have at their disposal to detect and prevent ransomware.
10 Steps to Prevent Ransomware Attacks
In this article, I suggest 10 improvements to your Cyber Security that will prevent ransomware attacks if you implement them along with the right Cyber Security Solutions.
Step #1: Use E-mail Protection
The root cause of many ransomware attacks in 2021 was found to be users clicking on malicious links in e-mail or executing attached scripts and programs containing malware.
Malware and ransomware payloads can be delivered disguised as other file types, and are often hidden inside large or password-protected .zip files that anti-virus software does not inspect, either because the archive exceeds the scanner’s size limit or because it cannot be opened.
Malware may also be delivered in the form of a script, embedded in a Word or Excel macro, or malicious code embedded in a PDF file.
Once a user executes the malware file or macro, many signature-based anti-virus scanners will not detect the infection, or the malware may first disable the signature-based scanning service. The malware is far more likely to be detected and blocked if an anti-virus solution with behavioural detection, such as Kaspersky, is installed.
Despite being trained annually and simulated phishing campaigns being used to test users, people will always make mistakes and it only takes one person to execute a malicious payload to spread ransomware into an entire organisation.
So, what is the answer?
First of all, in February 2022 Microsoft announced that it is now blocking, by default, the execution of VBA macros in Office files downloaded from the Internet (files carrying the Mark of the Web).
And in January 2022 Microsoft also announced that Excel 4.0 (XLM) macros are now disabled by default.
Unfortunately, in both cases a determined user can still override the block (for VBA by unblocking the file in its properties, for XLM by changing the Trust Center setting), so I guess we will still have to live with the “Are You Sure” button for a while.
So how can an organisation prevent malicious attachments being executed on mobile devices and workstations, or being delivered in the first place?
There are many options available including:
- Using MailScanner or a milter with Postfix as an SMTP relay, to strip or reject dangerous attachments before they reach the mailbox
- Using Exchange Online mail flow rules to strip or block attachments
- Implementing device management with Microsoft Intune
- Preventing macros from running using the Office ADMX-backed group policies (for example “Block macros from running in Office files from the Internet”)
- Implementing Mail Threat Protection on Outlook clients
- Ensuring that the organisation's anti-virus product has behaviour detection
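The attachment-stripping controls above all come down to the same inspection logic: open every attachment, look inside archives (including archives nested in archives), and refuse anything that is an executable, a script, or an Office document carrying a VBA project. The following Python is an added example of that logic, not code from the original article or from any of the products listed; the blocked-extension list and the size and nesting limits are assumptions to adjust to your own policy. It flags by content (the MZ header of a Windows executable, the vbaProject.bin part of a macro-enabled OOXML file) rather than trusting the file name, and it treats encrypted or oversized archives as reasons to block, not reasons to skip.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical policy: extensions that should never arrive by e-mail (trim or extend to taste)
BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".hta",
               ".ps1", ".bat", ".cmd", ".lnk", ".iso", ".img"}
# An OOXML document stores its VBA project at one of these paths inside the zip container
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MAX_ARCHIVE_BYTES = 20 * 1024 * 1024   # assumption: larger archives are blocked, not skipped
MAX_DEPTH = 3                          # assumption: archives nested deeper than this are blocked


def _ext(name):
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_blob(name, data, depth=0):
    """Return the list of reasons to block this attachment (empty list means clean)."""
    reasons = []
    if _ext(name) in BLOCKED_EXT:
        reasons.append(f"{name}: blocked extension")
    if data[:2] == b"MZ":                       # PE header, whatever the file is called
        reasons.append(f"{name}: Windows PE executable (MZ header)")
    if data[:4] == b"PK\x03\x04":               # zip container: .zip, .docm, .xlsm, .jar ...
        if len(data) > MAX_ARCHIVE_BYTES:
            return reasons + [f"{name}: archive too large to inspect"]
        if depth >= MAX_DEPTH:
            return reasons + [f"{name}: archive nested too deeply"]
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return reasons + [f"{name}: corrupt archive"]
        with zf:
            if set(zf.namelist()) & VBA_PARTS:
                reasons.append(f"{name}: Office document contains VBA project")
            for member in zf.infolist():
                if member.is_dir():
                    continue
                if member.flag_bits & 0x1:      # password-protected member: cannot be scanned
                    reasons.append(f"{name}/{member.filename}: encrypted archive member")
                    continue
                if member.file_size > MAX_ARCHIVE_BYTES:   # declared size, guards against zip bombs
                    reasons.append(f"{name}/{member.filename}: member too large")
                    continue
                inner = zf.read(member)
                reasons.extend(inspect_blob(f"{name}/{member.filename}", inner, depth + 1))
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reasons.extend(inspect_blob(name, part.get_payload(decode=True) or b""))
    return reasons


def build_sample():
    """Constructed sample mail: a zip hiding invoice.js in a nested zip plus a macro-enabled .docm."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.js", "new ActiveXObject('WScript.Shell').Run('calc');")
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba project")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("report.docm", docm.getvalue())
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="invoices.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample()):
        print("BLOCK", reason)
```

Wire `scan_message` into a milter or a MailScanner custom check and reject or quarantine the message whenever the list is non-empty; the point of returning reasons rather than a boolean is that the quarantine notice can tell the administrator exactly which nested file tripped the rule.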
None of these options are rocket science.
So, there is really no excuse for not preventing ransomware through email.
Whether you are an Apple, Linux or Microsoft fan, users can be prevented from downloading or executing malware and ransomware.
Step #2: Update Systems and Applications
Internet-facing systems can be exploited very quickly, either through zero-day attacks or because software patches are not applied in time. When a high-scoring vulnerability like Log4Shell (CVE-2021-44228 in Log4j) is announced, botnets quickly start scanning the entire public IPv4 address space to find vulnerable systems.
When an Internet-facing system with a high-scoring vulnerability is found, it is likely to be exploited within minutes, which often ultimately leads to a successful ransomware attack.
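Patching quickly presupposes that you can find every copy of the vulnerable component, and with Log4j the difficulty was that log4j-core is shipped inside application jars, nested inside wars and ears, with no package manager entry to query. The Python below is an added example of such an inventory check; it is not code from the original article or from the Log4j project. It walks a directory tree, opens every jar/war/ear (and jars nested inside them), reports any that contain the JndiLookup class that made CVE-2021-44228 exploitable, and reads the bundled Maven version to compare against a fixed-version threshold. The threshold 2.17.1 and the sample file tree are assumptions: 2.17.1 is the 2.x release that also closed the follow-up CVEs, but the 2.12.x and 2.3.x branches received their own backports, so map versions to the current advisories rather than to this single number.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 1)   # assumption: first 2.x release covering all four Log4Shell-era CVEs
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(props_text):
    """Pull a (major, minor, patch) tuple out of a Maven pom.properties file."""
    for line in props_text.splitlines():
        if line.startswith("version="):
            m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", line[len("version="):].strip())
            if m:
                return tuple(int(g or 0) for g in m.groups())
    return None


def inspect_jar(label, data, findings, depth=0):
    """Record (label, version, vulnerable) if this archive still carries JndiLookup; recurse into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            ver = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
            # Unknown version is treated as vulnerable so that it surfaces for manual review
            findings.append((label, ver, ver is None or ver < FIXED))
        if depth < 2:   # fat jars and wars: look one or two levels down
            for member in zf.namelist():
                if member.lower().endswith(NESTED):
                    inspect_jar(f"{label}!{member}", zf.read(member), findings, depth + 1)


def scan_tree(root):
    """Scan every Java archive under root; labels are paths relative to root, '!' marks nesting."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_jar(os.path.relpath(path, root).replace(os.sep, "/"), fh.read(), findings)
    return findings


def make_log4j_jar(version, include_jndi=True):
    """Constructed stand-in for log4j-core: only the member paths matter, the class bytes are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
    return buf.getvalue()


def make_sample_tree(root):
    """Constructed sample layout: two loose jars, one with JndiLookup removed, one jar nested in a war."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    for name, ver, jndi in [("log4j-core-2.14.1.jar", "2.14.1", True),
                            ("log4j-core-2.17.1.jar", "2.17.1", True),
                            ("log4j-core-2.14.1-stripped.jar", "2.14.1", False)]:
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(make_log4j_jar(ver, jndi))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", make_log4j_jar("2.15.0"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo():
    """Build the constructed tree in a temporary directory, scan it, and return sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return sorted(scan_tree(tmp))


if __name__ == "__main__":
    for label, ver, vulnerable in demo():
        print("VULNERABLE" if vulnerable else "patched   ", label, ver)
```

Note that the jar with JndiLookup.class removed is not reported at all: that deletion was the vendor-recommended mitigation for deployments that could not upgrade immediately, and the check honours it. The 2.15.0 copy inside the war is still flagged, because 2.15.0 was itself superseded within days.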
Once intruders have penetrated one internal system, they quickly spread malware or ransomware to other reachable systems using lateral movement techniques. The exploited system is effectively used as a jump host to discover and exploit more targets that are not isolated from the system that was initially compromised.
Because hackers now use automated scripts and tooling (typically downloaded during the attack with tools like curl or wget on Linux), once inside they can compromise multiple systems and infrastructure devices quickly.
Workstations and smartphones are also vulnerable, so it’s equally important to ensure that user endpoints are all updated and patched quickly and automatically.
But it’s not enough to just update operating systems alone.
All applications running on servers, workstations, security appliances, and mobile devices must be patched, since high CVE scoring vulnerabilities are regularly found in open-source applications, web browsers, Microsoft Office, and in smartphone apps.
Organisations must ensure that mobile devices are centrally monitored and managed by the organisation, to ensure that their systems are updated, and that the organisation’s data cannot be compromised from an unpatched mobile device.
Older operating systems and applications for which security patches are no longer available must be decommissioned immediately, or at the very least isolated from the rest of the network until they can be.
Step #3: Provide Relevant Training
Whether you are a single user working as a solopreneur, or a software developer in a large multinational organisation, you need Cyber Security training appropriate to your role.
In addition to basic annual security awareness training, developers need refresher training on secure coding principles, including topics like the OWASP Top 10 and best practices in code review.
Security teams may need security analyst training on incident response, forensics, chain of custody, threat hunting, vulnerability management and security standards like PCI-DSS.
A more effective option than slide-based annual training is an online learning management system (LMS) with built-in quizzes, exercises and gamification. For developers this can include practical exercises in a virtualised lab or in a cloud-based test environment.
There are many companies offering Cyber Security awareness training now and they often integrate automated phishing campaigns on their platform. For standard users automated phishing tests can be helpful, but they are only part of the overall solution.
In summary, organisations must ensure that those who are employed to prevent ransomware attacks are very well trained and that they have sufficient experience to do their job.
Unfortunately, this does not seem to happen, and when ransomware strikes, many organisations use their own developers or IT teams as scapegoats and then spend a small fortune on external consultants when it’s too late.
Step #4: Use Secure Access Control
Three of the most important concepts in identity and access management (IAM) are:
- Privileged Access Management
- Least Privilege Access
- Role Based Access Control
Privileged access management refers to the proper control of highly privileged accounts, for example Administrator accounts on Windows, root account on Linux, DBA account on databases and so on.
To help prevent ransomware attacks organisations must implement a comprehensive access management policy to ensure that the highest privileged access level to systems is not granted to users by default, but instead on a need-to-know basis and with strict logging and control in place, as well as regular reviews.
A good identity and access management system like SailPoint makes enforcing an access management policy much easier than managing Active Directory or LDAP group memberships by hand and relying on manual access reviews.
In addition, users must not log in to the Linux root account directly; they must use sudo, so that every privileged action is attributable to an individual.
Windows AD access must be managed using AD groups and roles, to ensure that users are not given excessive privileges to perform actions for which they have no legitimate business need.
How can a good access management policy help prevent ransomware?
Two of the weakest links in access management are bad password management and excessive user privileges on user workstations.
Many users reuse the same passwords on public SaaS services, and when forced to change a password they simply change one or two digits at the end. This makes credential-stuffing, brute-force and dictionary attacks on accounts much easier.
A good IAM system can enforce strict password controls that ensure compliance with access management policies, and this can be further enhanced using multi-factor authentication.
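The "change one digit at the end" habit is easy to catch at password-change time, when the change flow has both the old and the new password in hand. The Python below is an added example of that check, not code from the article or from any IAM product; the three-character threshold and the test passwords are assumptions. It strips trailing digits and symbols before comparing, computes an edit distance for near-identical rotations, and rejects a new password that merely wraps the old one. Run it only inside the change flow: the old password must never be kept in clear text for later comparison.

```python
import re


def _core(pw):
    """Lower-case the password and drop any trailing run of digits or symbols (Winter2021! -> winter)."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def levenshtein(a, b):
    """Classic edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def rotation_problem(old, new, min_distance=3):
    """Return a rejection reason if `new` is a trivial variant of `old`, otherwise None."""
    if new == old:
        return "identical to previous password"
    if _core(new) == _core(old):
        return "only the trailing digits or symbols changed"
    if levenshtein(new.lower(), old.lower()) < min_distance:
        return f"fewer than {min_distance} characters differ from the previous password"
    if old.lower() in new.lower() or new.lower() in old.lower():
        return "contains the previous password"
    return None


if __name__ == "__main__":
    # Constructed examples of the rotations a policy should refuse
    for old, new in [("Winter2021!", "Winter2022!"), ("Summer21", "Summer21x"),
                     ("Password1", "mypassword1!"), ("Winter2021!", "correct horse battery staple")]:
        print(repr(new), "->", rotation_problem(old, new) or "accepted")
```

Pair this with multi-factor authentication and a check against known-breached passwords: similarity checks stop the lazy rotation, but they do nothing about a password that was strong and unique until it leaked from a SaaS provider.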
Another issue is users being system administrators by default on their workstations. This is often facilitated through IT departments trying to reduce the number of support tickets from users wanting to install software.
If users must have administrator access to their workstations, then it is better to create a separate administrator account that has no email or network access, and to use a non-privileged standard account for everyday tasks on the workstation.
Most malware does not need administrator privileges to infect a system, and where it does it will often use a privilege-escalation exploit to get them. But running a malicious attachment as a standard user at least gives the anti-virus software more time and a better chance of detecting the infection quickly and limiting the damage. Being a standard user may also make it harder for the infection to spread further.
Step #5: Use Browser Protection
Email and USB storage devices are not the only way of getting malware into organisations. A web browser can also be exploited to deliver malware and ransomware.
Many browsers are not updated automatically, and an old browser may have many vulnerabilities that can be exploited by drive-by downloads. Unlike many other types of cyberattack, a drive-by does not need the user to take any action beyond visiting the page.
Malicious code in PDF files can also be used to exploit the PDF viewer embedded in a browser (Adobe Reader or the browser’s built-in viewer), so PDF files should be saved and only opened after they have been checked by a good anti-virus solution.
But there are many other ways a browser can be exploited by hackers to infect your system.
One of the best solutions in an organisation is to ensure that browser configurations are managed centrally.
Centrally managed browsers can:
- Enforce the use of a web filtering proxy like Blue Coat
- Block installation of insecure browser extensions
- Enforce secure DNS settings
- Enforce the use of browser protection
Browser protection works by checking the sites that you visit against lists of reported phishing, unwanted software, and malware sites.
Browser protection is often built into browsers but can also be implemented using browser extensions. For example, Microsoft Defender Browser Protection is available as a Google Chrome extension.
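The list check described above is less naive than a plain lookup: the browser canonicalises the URL and then tests a set of host-suffix and path-prefix combinations, so that a list entry for a domain also catches its subdomains and an entry for one directory on an otherwise legitimate host catches everything beneath it. The Python below is an added example of that matching scheme in its local-list form; it is not code from the article or from Google Safe Browsing, which additionally hashes the expressions and consults the list by hash prefix. The three blocklist entries and the test URLs are constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample blocklist in "host/path" form: a whole domain, one directory
# on an otherwise good CDN host, and a domain under a two-level public suffix.
BLOCKLIST = {
    "malware.example/",
    "cdn.example/payloads/",
    "evil.example.co.uk/",
}


def canonicalize(url):
    """Return (host, path, query) with case, trailing dots, percent-encoding and ../ resolved."""
    if "://" not in url:
        url = "http://" + url
    s = urlsplit(url)
    host = unquote(s.hostname or "").strip(".").lower()
    while ".." in host:
        host = host.replace("..", ".")
    path = unquote(s.path) or "/"
    while "//" in path:
        path = path.replace("//", "/")
    segs = []
    for seg in path.split("/"):
        if seg == "..":
            if len(segs) > 1:      # never climb above the root
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    path = "/".join(segs) or "/"
    if not path.startswith("/"):
        path = "/" + path
    return host, path, s.query


def lookup_expressions(url):
    """All host-suffix/path-prefix combinations a list entry could match for this URL."""
    host, path, query = canonicalize(url)
    labels = host.split(".")
    hosts = {host}
    for n in range(2, 6):          # suffixes of 2..5 labels, shorter than the full host
        if n < len(labels):
            hosts.add(".".join(labels[-n:]))
    paths = {path, "/"}
    if query:
        paths.add(path + "?" + query)
    dirs = [s for s in path.split("/") if s]
    if not path.endswith("/"):
        dirs = dirs[:-1]           # keep directory prefixes, drop the file name
    for i in range(1, min(len(dirs), 4) + 1):
        paths.add("/" + "/".join(dirs[:i]) + "/")
    return {h + p for h in hosts for p in paths}


def blocked_by(url):
    """Sorted list of blocklist entries that cover this URL (empty means allowed)."""
    return sorted(lookup_expressions(url) & BLOCKLIST)


if __name__ == "__main__":
    for u in ["http://www.malware.example/index.html",
              "https://cdn.example/payloads/x/inv.exe?id=1",
              "https://cdn.example/images/logo.png",
              "http://EVIL.example.co.uk./a/../b"]:
        print(u, "->", blocked_by(u) or "allowed")
```

The canonicalisation step is what defeats the cheap evasions (upper-case hosts, a trailing dot, `/./` and `/../` padding, percent-encoded characters) that would slip past a naive string comparison.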
Other examples of browser protection options include:
- Malwarebytes Browser Guard
- Firefox Phishing & Malware Protection
- Google Chrome Enhanced Safe Browsing Protection
- Kaspersky Protection extension
Which one should you choose?
It really does not matter which of these browser protection methods you use. The point is that if you don’t use any of them then you are wide open to many types of browser attack.
A final word about browser safety.
Modern browsers now warn users before they visit sites with known malware or with invalid certificates, and often block them outright. But this is not always the case, and educating users not to blindly click through browser warnings is important.
Step #6: Block USB Ports
Using USB storage devices in organisations is asking for trouble, and many security managers ban them for some very good reasons.
For example, did you know that a USB device can look like USB storage but act like a keyboard? A $49 USB Rubber Ducky can inject keystrokes at superhuman speed by posing as a keyboard. Mac, PC and Linux are all vulnerable to this kind of attack.
Imagine if one of your users finds one of these on the ground and plugs it into a USB port. It could then launch a script or executable and install ransomware in just a few seconds.
USB keys can also be used to carry out an Evil Maid attack on an unattended laptop, to capture the disk encryption password. This attack was first described in 2009 by Joanna Rutkowska of Invisible Things Lab as one way to defeat TrueCrypt or PGP disk encryption.
Let’s not forget that in his book Edward Snowden describes using micro SD cards to repeatedly smuggle top-secret data out of a US government datacentre. So banning USB storage is also one measure you can take for data loss prevention (DLP).
USB storage devices were also used to carry the Stuxnet malware onto the air-gapped computers controlling Iran’s uranium-enrichment centrifuges; Stuxnet is now widely referred to as the first cyber weapon.
So how can we prevent ransomware attacks with USB devices?
There are several solutions, but your users are not going to like any of them.
- Physically block USB ports with Lindy USB port blockers
- Use enterprise tools like Endpoint Protector to block USB storage devices
- Use the SysTools USB Blocker program
- Disable the USB mass-storage driver with a group policy (set the Start value of HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR to 4), or use the “Removable Storage Access” policies under Computer Configuration > Administrative Templates > System; note that neither stops a Rubber Ducky, which enumerates as a keyboard, not as storage
Step #7: Use the Best Anti-virus
One of the first rudimentary anti-virus programs was developed by John McAfee in 1987, but today’s anti-virus and anti-malware products bear hardly any resemblance to those early innovations.
Over the last 30 years anti-virus and anti-malware products have evolved in many ways, but all relied on signature-based detection. In practice, from the mid 1990s until the mid 2000s anti-virus vendors built large databases of virus signatures and hashes, which were compared against the files being scanned.
Then from 2005 until 2015 anti-virus vendors added innovative new features, such as detection of malware in macros, email scanning, detection of rootkits, and community and cloud-based anti-virus solutions.
From 2015 onwards vendors have been introducing next generation detection techniques which are broadly referred to as signature-less detection.
Methods used for signature-less detection include:
- Behavioural detection
- Artificial intelligence
- Machine learning
- Cloud-based sandboxing (file detonation)
It is beyond the scope of this article to examine all of these in detail, but just know that these methods have the advantage of being able to detect new zero-day attacks that could not be detected by signature-based approaches.
Unfortunately, despite these innovations, the effectiveness of many anti-virus and anti-malware solutions against ransomware has been declining while the frequency and cost of malware and ransomware attacks has been increasing.
This is often because vendors overstate the effectiveness of their products, or because some so-called independent reviews turn out to be not so independent.
Another problem is that many organisations simply rely on Microsoft’s built-in anti-virus with its default configuration, on the basis that nobody ever got fired for buying Microsoft.
But tests conducted by The PC Security Channel in February 2021 found that Microsoft Defender with default settings was only able to block around 80% of ransomware samples on Windows 10 20H2. In November 2021 it was found that Microsoft Defender in its standard configuration was still unable to detect some ransomware on Windows 11.
In December 2021 the same channel found Kaspersky to be the best anti-virus product when tested against the 10 most popular anti-virus products on the market, saying that “even when you disable most of Kaspersky’s protection features and signatures, it still manages to stop ransomware entirely”.
Step #8: Beware of Public Wi-fi
My first wireless networking projects were in the early 1990’s, using Lucent and Cisco Aironet bridges to connect buildings in London.
One of the most important things that I learned about Wi-fi at that time is that most Wi-fi networks are insecure.
Why is that?
Whether you are using the latest Wi-fi encryption or not, there is no guarantee of data privacy, integrity or security, because every Wi-fi security standard released so far has turned out to have serious weaknesses that were not known at release (WEP’s broken RC4 keying, WPA’s TKIP, the KRACK key-reinstallation attacks against WPA2, and Dragonblood against WPA3).
Wi-fi security can be implemented in personal (pre-shared key) mode or in authenticated (enterprise) mode, but many smaller hotels and public Wi-fi hotspots still use personal mode, which means that all users share the same Wi-fi password and are on a shared network.
Sharing a network with unrelated people, means your computer or smartphone is more vulnerable to attack.
Whether an attacker joins an open (unencrypted) Wi-fi network or manages to get onto an encrypted one, they can use many of the same techniques they would on a wired LAN: running scanners to find vulnerable hosts, sniffing credentials on unencrypted connections, or mounting man-in-the-middle attacks.
In an enterprise or more secure public Wi-fi scenario the IEEE 802.1X standard is used for port-based access control, so you can control who joins your LAN or WLAN by authentication.
If you or your employees use public Wi-fi, then their devices and data are at risk.
People are especially vulnerable when using hotel Wi-fi captive portals. For example, many senior executives in sensitive organisations were targeted in the DarkHotel espionage campaign, which used trusted hotel Wi-fi captive portals to push fake software updates to its victims.
Ideally employees will be prevented from using all non-corporate Wi-fi using system management policies. However, that has become impractical due to the number of remote workers and those working from home nowadays.
As a minimum, the use of a securely configured VPN with a kill switch (so that no traffic leaves the device if the tunnel drops) should be enforced while connected to any home or public Wi-fi network, and employees should be discouraged or prevented from installing software updates while on public Wi-fi.
A better alternative is to provide mobile employees with securely configured portable Wi-fi hotspots with a local SIM card and data plan, while still enforcing the use of a securely configured VPN client.
Step #9: Use Host Based Firewalls
If you do click on a malicious link in an email or run an attachment with malware, often the malware will attempt to make connections to a command-and-control system somewhere on the Internet, or the malware will begin sending your data out straight away.
If your computer is connected to the Internet, then these outbound connections are almost certain to succeed, and more malware will be downloaded or your data will be exfiltrated.
A data loss prevention (DLP) system, a modern, well-configured next-generation corporate firewall like those available from Palo Alto Networks, or a properly configured web and SOCKS proxy will block these connections.
For people who are not protected by corporate security infrastructure there are still solutions: they must use an advanced host-based firewall.
Although PCs and Macs usually come with a basic host-based firewall enabled by default, these are not easy to configure securely and are not sufficient by themselves to protect users from advanced threats.
The advantage of a good third-party host-based firewall is that it gives users an easy-to-understand interface showing actual and attempted connections, so that suspicious outbound connections are much easier to notice and block.
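What makes a command-and-control connection stand out in that list of outbound connections is not the destination (it is usually an unremarkable IP on port 443) but the rhythm: an implant checks in on a fixed timer, while a human browsing produces bursts and gaps. The Python below is an added example of that beaconing check run over constructed connection-log lines; it is not code from the article or from any firewall product, and the log format, the thresholds (at least six connections, inter-arrival jitter under 20% of the mean) and the addresses are assumptions. It groups connections by source, destination and port, computes the coefficient of variation of the gaps between them, and reports the periodic ones.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log format: one outbound connection per line, as a host firewall or proxy might export it
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
                  r"proto=\w+ bytes=(?P<bytes>\d+)$")

# Constructed sample: a 60-second beacon to 203.0.113.7, irregular browsing to 198.51.100.20,
# and three quick fetches from an update server that never reach the minimum count.
SAMPLE_LOG = """\
2022-02-10T09:00:00Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:00:05Z src=10.0.0.5 dst=192.0.2.9:80 proto=tcp bytes=9000
2022-02-10T09:00:06Z src=10.0.0.5 dst=192.0.2.9:80 proto=tcp bytes=9100
2022-02-10T09:00:07Z src=10.0.0.5 dst=192.0.2.9:80 proto=tcp bytes=8700
2022-02-10T09:00:10Z src=10.0.0.5 dst=198.51.100.20:443 proto=tcp bytes=1200
2022-02-10T09:00:12Z src=10.0.0.5 dst=198.51.100.20:443 proto=tcp bytes=880
2022-02-10T09:01:01Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:02:00Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:02:59Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:03:40Z src=10.0.0.5 dst=198.51.100.20:443 proto=tcp bytes=4100
2022-02-10T09:03:41Z src=10.0.0.5 dst=198.51.100.20:443 proto=tcp bytes=300
2022-02-10T09:04:02Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:05:00Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:06:01Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:07:00Z src=10.0.0.5 dst=203.0.113.7:443 proto=tcp bytes=512
2022-02-10T09:09:00Z src=10.0.0.5 dst=198.51.100.20:443 proto=tcp bytes=2200
2022-02-10T09:15:30Z src=10.0.0.5 dst=198.51.100.20:443 proto=tcp bytes=760
""".splitlines()


def parse(lines):
    """Group (timestamp, bytes) events by (src, dst, port); malformed lines are ignored."""
    by_flow = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_flow[(m["src"], m["dst"], int(m["port"]))].append((ts, int(m["bytes"])))
    return by_flow


def beacon_score(events, min_count=6):
    """Return (mean_gap_seconds, jitter) for a flow, or None if there are too few events to judge."""
    if len(events) < min_count:
        return None
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    # Coefficient of variation: 0 means perfectly periodic, human traffic is typically well above 0.5
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines, min_count=6, max_jitter=0.2):
    """List the flows whose inter-connection gaps are regular enough to look like a C2 check-in."""
    out = []
    for (src, dst, port), events in parse(lines).items():
        score = beacon_score(events, min_count)
        if score and score[1] <= max_jitter:
            out.append({"src": src, "dst": f"{dst}:{port}", "count": len(events),
                        "period_s": round(score[0]), "jitter": round(score[1], 3),
                        "bytes_out": sum(b for _, b in events)})
    return out


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

Implants that add random sleep jitter push the coefficient of variation up, so treat the 0.2 threshold as a starting point and look at the small, constant byte counts as a second signal; a flow that sends the same 512 bytes every minute for hours is worth a look even at higher jitter.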
Step #10: Use Trusted Software
It might be last on the list but installing only trusted software is a step to take to ensure that you can prevent ransomware in your organisation.
Trusted software is found on:
- Microsoft Store for Windows PCs
- Apple’s App Store for Apple products
- Official Linux repos for Linux hosts
- Google Play Store for Android
Why do we need to only use trusted sources for software downloads?
Installers from unofficial download sites are frequently bundled with adware, spyware or malware droppers, and they are not signed by the original vendor, so you have no way of knowing what has been changed.
And even if the software does not contain malware, freeware tools are sometimes no longer maintained and are susceptible to multiple unpatched vulnerabilities.
A trusted software policy can be enforced in a corporate environment using Microsoft group policies or other enterprise management tools.
I have already said in my Clarity Around Cyber Security post that there is no such thing as 100% secure, so you should always have a plan B.
But if you implement all 10 steps in this article, I am 110% sure that you will prevent ransomware in your organisation.
But just in case.
If you do have a ransomware incident, you really need three things to get through it.
You will need a thorough written incident response plan, a team that is able and ready to execute it, and offline, immutable or write-once-read-many (WORM) backups of your critical systems, applications, configurations and data, from which you have actually practised restoring.
Some possible solutions to the immutable backup challenge are:
- Acronis Cyber Protect
- Amazon S3 Object Lock
- Hardened Linux repositories (for example Veeam’s immutable hardened repository)
Just remember, you don’t need rocket science to prevent ransomware.
If you found something useful in this article or you’d like to be notified before anyone else when new articles are published, please go ahead, and join my newsletter mailing list.
And if you need help with preventing ransomware in your organisation, please don’t hesitate to reach out to me.