Ransomware was the main computer threat in the first half of 2020, according to data from the security firm S21sec published by our security colleagues. It was an unusual period, marked by the COVID-19 pandemic and by the cybersecurity challenges created by the surge in remote work, remote study and home entertainment.
The truth is that these figures are not surprising. Ransomware remains the main cyber threat in most member states of the European Union, according to Interpol. These attacks are increasingly numerous, sophisticated, dangerous and massive. We saw a clear example in 2017 with WanaCryptor, a carefully planned and structured attack whose objective was a massive worldwide infection, which put large companies from dozens of countries on the ropes, including Spanish companies as important as Telefónica.
All reports point out that cybercriminals are focusing their activity on the business segment, as noted in the quarterly threat report from Malwarebytes, which found that detections of ransomware attacks against companies increased by 200%.
Furthermore, while ransomware until now had exclusively economic motivations, producing high profits for attackers, it has lately been broadening its objectives and serving as a preferred vehicle for introducing other malware, as we saw with the NotPetya ransomware.
Ten measures to combat Ransomware
A typical ransomware infects a personal computer or mobile device, blocks operation of and/or access to part or all of the system, seizes the files with strong encryption and demands a sum of money from the user as a “ransom” to release them.
Most infections occur because the user opens a malicious application or program that can come from any source, especially the usual ones such as a web browser (adware deployment, redirection to a malicious website …), email (where, instead of an attachment, there is a link to Mega, Google Drive or Dropbox that leads to the malware) or, in the case of increasingly widespread mobile attacks, messaging services.
It is also common to see it combined with phishing attacks, another great threat. The big problem with ransomware is that once a system is infected there is no solution unless a decryptor exists for that particular family, something that usually takes years to happen, and file recovery is complex. That said, the best (and only) measure to combat it is to get ahead of it. We remind you of some of the tips or measures to adopt to try to prevent it:
1.- Backup. Backing up important data as a regular maintenance task is the most effective measure to minimize damage should you become infected. The backup must be kept on an external medium separate from the computer, so that the files can be recovered from a “clean” location without having to pay the “ransom” demanded by these cybercriminals.
2.- System and application updates. Keeping the operating system and every application we have installed updated with the latest security patches is the best starting point. The aforementioned WanaCryptor took advantage of a vulnerability in Windows systems, and in the attacks against Spanish companies that concern us here, everything points to vulnerabilities that had already been patched, but whose updates had not been applied.
3.- Line of defense. An antimalware solution should be installed and maintained, including a properly configured firewall that allows access only to the necessary applications and services.
4.- Anti Ransom tool. This is a tool built specifically against this type of attack: it tries to block the encryption process of a ransomware by monitoring “honey files” (decoy files that legitimate users never touch), and dumps the memory of the malicious process at the moment it runs, in the hope of finding the symmetric encryption key it was using.
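The “honey file” idea above, as an added example written for this article (it is not the Anti Ransom tool's own code): decoy files with assumed names are planted, a baseline of their hashes is recorded, and a later check reports any decoy that was overwritten or disappeared (renamed, for instance with an extra extension), which is the signal a real tool would use to suspend the offending process.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed decoy names, chosen to sort first so a process walking the
# directory alphabetically touches them before the real documents.
CANARY_NAMES = ("!!_canary_do_not_touch.docx", "000_canary.xlsx", "AAA_canary.pdf")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(directory: Path) -> dict:
    """Create the decoy files and record a baseline digest for each one."""
    baseline = {}
    for name in CANARY_NAMES:
        p = directory / name
        # Random filler so the decoys do not all share one hash.
        p.write_bytes(b"canary:" + name.encode() + b"\n" + os.urandom(256))
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare the decoys against the baseline; one (kind, path) alert per anomaly.
    A real tool polls this often: encryption of a whole folder takes seconds."""
    alerts = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.exists():
            alerts.append(("missing", path_str))   # deleted or renamed (e.g. .locked)
        elif sha256_of(p) != digest:
            alerts.append(("modified", path_str))  # contents replaced by ciphertext
    return alerts


def demo() -> list:
    """Plant decoys in a temp dir, tamper with two of them (constructed test
    input, not ransomware behaviour) and return the alerts the check raises."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = plant_canaries(d)
        assert check_canaries(baseline) == []          # clean state: no alerts
        (d / CANARY_NAMES[0]).write_bytes(os.urandom(512))               # overwritten
        (d / CANARY_NAMES[1]).rename(d / (CANARY_NAMES[1] + ".locked"))  # renamed
        return check_canaries(baseline)


if __name__ == "__main__":
    print(demo())
```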
5.- Antispam filter. Many ransomware attacks are distributed through massive email campaigns. In addition to these filters, you should follow general advice such as not clicking on links or opening attachments from unknown senders.
7.- Security policies. Tools such as AppLocker, CryptoPrevent or the CryptoLocker Prevention Kit make it easy to establish policies that block execution from directories commonly used by ransomware, such as AppData, Local AppData, etc.
8.- Accounts with privileges. Do not use accounts with administrator privileges for everyday work. 86% of threats against Windows can be avoided by using a standard user account instead of an administrator. So it is important to use a standard user for common tasks and keep the administrator account only for the occasions when you are going to carry out tasks that involve changing the system.
9.- File extensions. Showing the extensions of known file types is a good practice for spotting executable files that try to pass themselves off as another type of file. It is not uncommon to see an .exe file with the icon of a Word document. If the extension is hidden, the user may be unable to tell whether it is a Word document or a malicious executable, although it is also worth remembering that a Microsoft Office document can itself contain malware.
10.- Virtual machines. Using virtual machines to isolate untrusted activity from the host is another effective technique. In a virtualized environment, the action of ransomware does not usually reach the host.
And don’t pay… If you have unfortunately been infected but followed the prevention and maintenance tasks, you will have backup copies, so once the storage units have been formatted you can recover your files. It takes time, but it is always better than paying these criminals, which only keeps the wheel turning and produces more attacks from this ransomware that has become the greatest threat to computer security.