In early February 2016, Hollywood Presbyterian Medical Center made national headlines after becoming infected with a specific type of malware called “ransomware.” Ransomware is designed to encrypt files on an individual workstation and any files on mounted network shared drives. Once the encryption is complete, a message is displayed indicating that the workstation has been infected and that, to get the password that unlocks your files, you must pay the attackers. Ransomware is typically introduced to workstations by someone downloading an infected file or opening an infected attachment in an email.
The best way to protect an organization from ransomware is to prevent it from entering the network in the first place and to quickly contain infected workstations once they are detected. Web site and email antivirus filters will protect against many of the known forms of ransomware, but not all. Additional actions should include:
- End user education – The first line of defense is end users. They should be taught not to open suspicious emails or click on suspicious web links.
- Block executables – Configure email and web filter systems to block files ending in .exe from entering.
- Disable files running from AppData folders – Most ransomware wants to run programs from these temporary locations. Only allow trusted programs to run from this location.
- Keep multiple backups – Ensure files are properly backed up with multiple generations available. Should your files become encrypted, performing a restore may prove to be the best course of action. But be careful: it may be necessary to restore from an older backup if the ransomware had been present in the environment for some period of time.
- Limit file shares – Ransomware can only encrypt files the infected computer can access. Limit users’ read/write access to as few folders as possible. Lock folders to read-only wherever possible and don’t share what is not needed.
- Monitor file shares – Install monitoring tools or scripts that continually evaluate file shares for changes. Consider creating a fake folder, or honeypot, that users may access, but does not contain files they need. If the files in that folder change unexpectedly, this could be an early warning system for a ransomware infection.
- Monitor your network – Implement and properly manage a robust Intrusion Detection System (IDS) that monitors network activity and creates an alert at the first sign of suspicious activity.
Unfortunately, the multilayered approach to detecting and stopping ransomware is not 100% effective. Even if all of these suggestions were implemented, ever-changing ransomware could still be introduced to the network. In that case, you must be prepared to act quickly.
At the first sign of ransomware in the network, IT leadership must act quickly to stop it from spreading further by employing the following actions:
- Stop – Shut down the infected workstation or at least disconnect it from the network.
- Restore and test – Restore the encrypted files to a safe place (like a USB drive) and test them on an isolated workstation. This will prevent any infected files from re-infecting the network.
- Rebuild the infected workstation – It is extremely difficult to remove ransomware completely from a workstation. It is best to format and reimage the workstation from a fresh, known good image.
- Educate – Learn what may have caused the infection and send out a brief email to all users explaining what ransomware is and specifically reminding them how to prevent it.
It is an unfortunate reality, but computer security is not easy and it is not a “once and done” situation. Staying secure requires constant vigilance and changing behaviors. Blocking and monitoring will help to keep the network safe, and reacting quickly will keep an infection from spreading.