Preventing Ransomware Attacks: Best Practices Via Carnegie Mellon SEI CERT
In the wake of WannaCry infecting more than a quarter-million computers last month, a Carnegie Mellon University research scientist is offering tips and best practices for preventing and mitigating ransomware attacks.
The single most effective deterrent is to regularly back up and then verify your system, according to Alexander Volynkin, senior research scientist at the university’s Software Engineering Institute (SEI) CERT Division.
Backups should be stored on a separate system that cannot be accessed from a network, and they should be updated regularly to ensure the system can be effectively restored after an attack, he wrote in a blog post this week.
Though ransomware has been around in some form since the late 80s, more recent attacks have not only encrypted data files but also Windows system restore points and shadow copies that could be used to partially restore data.
Other effective prevention strategies include educating employees, given that ransomware often infects a system through email attachments, downloads and web browsing; restricting code execution; restricting administrative and system access; and maintaining and updating software, particularly security and anti-malware software.
System Level Prevention
While it’s impossible to completely block ransomware at its two most common points of entry — email and websites – steps can be taken at the system level t0 reduce the risk of ransomware attacks, according to Volynkin.
For email, he recommends the following practices:
- Robust filtering – Ensure that employees receive fewer emails that contain spam or potentially malicious attacks
- Blocking attachments – Prohibit certain kinds of attachments over email, including direct executables (e.g. .exe or .js), Microsoft Office files containing macros, and zip files that are executable or contain executable files
- Reviewing permission-related practices – Removing local administrative rights, restricting user write capabilities, preventing execution from user directories, whitelisting applications, and limiting access to network storage or shares
At the Network Level
Preventing and mitigating the spread of ransomware has proved more difficult at the network level, Volynkin said, but firewalls that implement whitelisting or robust blacklisting will lessen the likelihood of successful web-based malware downloads.
Firewalls should limit or completely block remote desktop protocol (RDP) and other remote management services, he said.
Once an internal host has been infected, preventing further spread can be even more difficult, he said. The single most effective method is to disconnect the system as soon as possible, including wired connections, Wi-Fi and Bluetooth. Automatic backups should also be disabled.
If An Attack Occurs
If you believe you’ve been the victim of a ransomware attack, Volynkin recommends taking the following steps:
- Take a snapshot of your system – If at all possible, capture a snapshot of the system memory before shutting it down, which will help later in locating the ransomware’s attack vector
- Identify the attack vector – Recall all emails suspected of carrying the attack to prevent further spread
- Block network access – Shut off access to any identified command-and-control servers used by the ransomware
- Notify authorities – Considering allowing law enforcement to help with the investigation, but know that doing so can increase the risk that data may never be recovered
The number of ransomware attacks is likely to grow, fueled by easier access and greater financial payoff, Volynkin predicts. Larger organizations in government, education and healthcare will be prime targets.
With the level of encryption in ransomware fast approaching the level of encryption in commercial security products, he said, employing these practices is the best way for organizations to shield themselves from the attacks.