A Guide to Ransomware: Prevention and Response
This article will provide guidelines aimed at helping readers understand how to detect and prevent ransomware and limit its effect.
It seems like every day there’s a new story about a ransomware attack. And while ransomware is certainly costly to the victim, the impact can trickle into society. One recent example is the ransomware attack against one of the largest gas pipelines in the United States, causing panic and raising the average gas price on the east coast. An increase in the scale of costly attacks led to the US government announcing they would treat ransomware attacks as a similar level of priority to terrorism.
As developers, you must do everything you can to protect yourselves and your products from ransomware attacks. To do so, let’s first look at what ransomware is, where it comes from, and how a typical attack may look. Then, we’ll explore some tactics for a strong recovery plan.
What is Ransomware?
A quick refresher: ransomware is a type of malware that infects the host system, locks down essential data and hardware, and then demands a ransom before the user can regain access to their data. A typical attack generally follows four steps; let’s break down each one.
Research
Attackers research the best platforms to attack and look for any accessible information on a potential target. These attackers use sites like social media and company websites to gather information on their prey. With this, they create a library of information they can use to look as legitimate as possible. The attackers do most of this work by hand to achieve the highest success rate they can.
Landing
A landing is how and where a ransomware attack finds its victims. The vast majority of ransomware attacks land through email, specifically phishing emails: attackers send a seemingly legitimate message to their targets, hoping they will click a link and give up crucial information.
These emails are getting smarter and more personalized. Long gone are the days when identifying phishing emails meant avoiding those that promised you 10 million dollars if you clicked the red button below. Now attackers harvest information when you enter it into very realistic-looking, targeted login forms or questionnaires. Once you fill something out on a link like this, the attackers have genuinely landed.
Exploring
A typical ransomware attack then, unbeknownst to you, explores your file system. These programs use various probing APIs to learn what is available on the victim's system. Probing can often be done by hand, because the attackers already acquired access in the previous step. This lets the program or attacker look for backups and copies of important files so that it can lock down any backups you may have, making it more likely that the victim will pay the ransom.
Locking
Locking is when the attack blocks access to files and hardware and demands some form of payment before releasing the data. The locking method encrypts any important data it finds, so the victim can’t access it without the decryption keys, which they don’t have. Often, paying the ransom doesn’t help, because the attackers keep the data after payment.
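The locking phase has a recognizable footprint on the endpoint: a single process rewrites many files in quick succession and renames them to an extension the system has never used. The detector below is an added example for this article, not Trend Micro code. The file-activity log lines are constructed, and the canary directory, the 60-second window and the threshold of five files are assumed values chosen for illustration; it also shows a honeyfile rule, since no legitimate program should touch a planted canary file.

```python
"""Flag ransomware-like mass encryption in file-activity events.

Added example for this article, not Trend Micro code. The log lines are
constructed, and the canary directory, window and threshold are assumed
values, not settings from any product. Each line has the form

    <ISO timestamp> <pid> <image> <op> <path> [<new path>]

where <op> is MODIFY or RENAME. The heuristic targets the locking phase:
one process that, within a short window, rewrites many files and renames
them to an extension this system has never used before.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

WINDOW = timedelta(seconds=60)            # assumed sliding window per process
THRESHOLD = 5                             # assumed: distinct files rewritten+renamed to flag
CANARY_DIR = "/home/alice/docs/.canary"   # assumed honeyfile directory

# Constructed sample: a user saving a document, then an unknown process
# rewriting and renaming everything it can reach.
SAMPLE_LOG = """\
2024-05-01T09:00:01 4120 libreoffice MODIFY /home/alice/docs/q1-report.docx
2024-05-01T09:00:40 4120 libreoffice RENAME /home/alice/docs/draft.tmp /home/alice/docs/q1-report.docx
2024-05-01T09:03:10 7788 update.bin MODIFY /home/alice/docs/q1-report.docx
2024-05-01T09:03:10 7788 update.bin RENAME /home/alice/docs/q1-report.docx /home/alice/docs/q1-report.docx.locked
2024-05-01T09:03:11 7788 update.bin MODIFY /home/alice/docs/budget.xlsx
2024-05-01T09:03:11 7788 update.bin RENAME /home/alice/docs/budget.xlsx /home/alice/docs/budget.xlsx.locked
2024-05-01T09:03:12 7788 update.bin MODIFY /home/alice/docs/notes.txt
2024-05-01T09:03:12 7788 update.bin RENAME /home/alice/docs/notes.txt /home/alice/docs/notes.txt.locked
2024-05-01T09:03:13 7788 update.bin MODIFY /home/alice/docs/.canary/DO-NOT-OPEN.pdf
2024-05-01T09:03:13 7788 update.bin RENAME /home/alice/docs/.canary/DO-NOT-OPEN.pdf /home/alice/docs/.canary/DO-NOT-OPEN.pdf.locked
2024-05-01T09:03:14 7788 update.bin MODIFY /home/alice/docs/photo.jpg
2024-05-01T09:03:14 7788 update.bin RENAME /home/alice/docs/photo.jpg /home/alice/docs/photo.jpg.locked
"""

Event = Tuple[datetime, str, str, str, str, str]


def parse_line(line: str) -> Event:
    """Split one log line into (timestamp, pid, image, op, path, new_path)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    pid, image, op, path = parts[1:5]
    new_path = parts[5] if len(parts) > 5 else ""
    return ts, pid, image, op, path, new_path


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(log_text: str) -> List[str]:
    """Return one alert string per (process, reason); empty list if nothing suspicious."""
    alerts: List[str] = []
    known_exts: Set[str] = set()                      # extensions seen on existing files
    modified: Dict[str, Set[str]] = defaultdict(set)  # process -> paths it rewrote
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    flagged: Set[Tuple[str, str]] = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, op, path, new_path = parse_line(line)
        proc = f"{image}[{pid}]"

        # Honeyfile rule: nothing legitimate should touch the canary directory.
        if (path.startswith(CANARY_DIR) or new_path.startswith(CANARY_DIR)) \
                and (proc, "canary") not in flagged:
            flagged.add((proc, "canary"))
            alerts.append(f"{ts.isoformat()} {proc} touched canary file {path}")

        if op == "MODIFY":
            modified[proc].add(path)
            known_exts.add(_ext(path))
        elif op == "RENAME":
            new_ext = _ext(new_path)
            # Suspicious only if this process rewrote the file AND gave it an
            # extension the system had not used before (e.g. ".locked").
            if path in modified[proc] and new_ext not in known_exts:
                window = [(t, p) for t, p in recent[proc] if ts - t <= WINDOW]
                window.append((ts, new_path))
                recent[proc] = window
                distinct = {p for _, p in window}
                if len(distinct) >= THRESHOLD and (proc, "mass") not in flagged:
                    flagged.add((proc, "mass"))
                    alerts.append(
                        f"{ts.isoformat()} {proc} rewrote and renamed "
                        f"{len(distinct)} files to '{new_ext}' within {WINDOW.seconds}s")
            known_exts.add(_ext(path))   # the source name was a real file

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the office application's save-and-rename at 09:00 produces nothing, because it renames a temporary file to an extension already in use; the unknown process trips the canary rule on its fourth file and the mass-rename rule on its fifth. The extension check is deliberately conservative: a bulk converter writing `.pdf` files on a system that already has PDFs will not fire, so in practice this rule sits beside other signals rather than standing alone.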
Attacks are so dangerous and effective because it’s extremely difficult to get rid of them once the virus takes hold of its host system. An attack may look as simple as logging on to your computer and giving system permission to an application that looks familiar. Next thing you know, you have a screen telling you to pay a fee to a Bitcoin wallet and a timer before you permanently lose your data and your computer. But let’s not fear! There are many ways to protect yourself from these attacks and ensure that critical data is safe.
How to Prevent an Attack
Several steps can be taken to prevent an attack, but there are two areas that you’ll want to pay close attention to: technical infrastructure maintenance and developing team diligence. Your technical infrastructure refers to technical steps you can take to make sure that your devices are secure. For example, ensure that you update your security products regularly and perform periodic scans. Similarly, be sure to implement application safelisting on your endpoints to block all unknown and unwanted applications.
As developers, you must guard against attacks as early and as often as possible. When working with the core systems of any project, you have a high level of access to essential data. Best practices for developers include:
- Updating container instances and applying the latest security practices constantly.
- Making sure your reference architecture is up-to-date.
- Using the principle of least privilege.
- Limiting access to IAM policies.
- Backing data up on physical hardware linked to entirely different accounts and servers.
- Developing a strong recovery plan.
Some of the most critical items on this list are the principle of least privilege and backups. The principle of least privilege is the idea that users should receive only the privileges necessary to complete a task at any one time. This means that someone shouldn’t receive administrative privileges to complete a low-level task.
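Least privilege and "limiting access to IAM policies" are easiest to enforce when over-broad grants are caught mechanically. The audit below is an added example for this article, not Trend Micro code and not an AWS tool. The two policy documents are constructed samples in the AWS IAM JSON format (the bucket name is a placeholder); the checks flag an Allow statement that uses a wildcard action, a whole-service wildcard, a wildcard resource, NotAction, or one of a short list of real IAM actions that let a principal widen its own permissions.

```python
"""Audit IAM policy documents for grants that violate least privilege.

Added example for this article, not Trend Micro code and not an AWS
tool. The two policy documents are constructed samples in the AWS IAM
JSON format; the checks flag an Allow statement that uses a wildcard
action, a whole-service wildcard, a wildcard resource, NotAction, or an
action that lets the principal change its own permissions.
"""
import json
from typing import Any, Dict, List

# Real IAM actions that can widen a principal's own access; an Allow on
# any of them deserves review even when the resource is scoped.
PRIVILEGE_CHANGING = {
    "iam:*", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
    "iam:CreatePolicyVersion", "iam:PassRole", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "sts:AssumeRole",
}

# Constructed: a "developer" policy as often written in a hurry.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DevAccess",
        "Effect": "Allow",
        "Action": ["s3:*", "iam:PassRole"],
        "Resource": "*",
    }],
}

# Constructed: the same need, narrowed to the actions and bucket actually used.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DevAccess",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-artifacts/*",   # placeholder bucket
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for every over-broad Allow statement."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue   # Deny statements narrow access; they are not the concern here
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        if "*" in actions:
            findings.append(f"{sid}: allows every action ('*')")
        else:
            service_wild = [a for a in actions if a.endswith(":*")]
            if service_wild:
                findings.append(f"{sid}: allows all actions of a service: {', '.join(service_wild)}")
        if "*" in resources:
            findings.append(f"{sid}: applies to every resource ('*')")
        escalating = sorted(PRIVILEGE_CHANGING.intersection(actions))
        if escalating:
            findings.append(f"{sid}: grants privilege-changing actions: {', '.join(escalating)}")
    return findings


def audit_policy_json(text: str) -> List[str]:
    """Convenience wrapper for a policy stored as a JSON string."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {audit_policy(policy) or ['no findings']}")
```

The over-broad policy yields three findings (service wildcard, wildcard resource, and `iam:PassRole`), while the scoped version, which grants the two S3 actions the task actually needs on one bucket, yields none. Running a check like this in the pipeline that deploys infrastructure code is a cheap way to keep the blast radius of a compromised developer credential small.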
Developing a Strong Recovery Plan
One essential malware safety aspect is to have a great recovery plan in place. Developing this plan requires an in-depth look at your crucial workflows and data sets. When creating a recovery plan, assume that the ransomware will fully compromise at least one of your most crucial data sets or workflows. Ransomware is rarely isolated to one machine or one attack. So, if you have not adequately identified and isolated the attack, an attempt at early recovery may make the situation worse.
Here are three steps to help you create a strong recovery plan:
- Ask yourself, “how long can we go without this aspect of our company?” to quickly identify your ideal system recovery time and data recovery situation. This knowledge helps accurately determine what you need and when.
- Assess how deeply this attack affected your essential workflows. Sometimes ransomware impacts a small piece of a business, and it’s easy to recover and get back to work. Other times, an attack shuts down crucial processes of team leaders and other important figures. In that case, you would start fixing those areas and then work down to less-important areas.
- Identify if you need outside help. You need to be sure you have isolated the attack and protected your data so the attack will not spread further than it already has, which may require outside help if you lack high-level security experts within your team.
Only once you have correctly identified and isolated the ransomware and created a hierarchy of needs should you use your backups to recover the necessary data. Although ransomware may be intimidating, you have little to fear when you have effective plans in place to fight it.
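Because the exploring phase deliberately hunts for backups, a recovery plan should include a way to prove that a backup copy is still what was written, before anything is restored from it. The script below is an added example for this article, not Trend Micro code. It assumes the backup job records a manifest of SHA-256 digests at backup time and authenticates it with an HMAC key held only on the separate backup account the article recommends, so a process on the compromised host cannot forge a matching manifest after encrypting the copies. The files, the key and the tampered copy are constructed in-memory stand-ins.

```python
"""Check a backup set against a keyed manifest before restoring from it.

Added example for this article, not Trend Micro code. It assumes the
backup job writes a manifest of SHA-256 digests when the backup is taken
and authenticates it with an HMAC key held only by the backup account,
so a process on the compromised host cannot forge a matching manifest
after encrypting the copies. Files here are constructed in-memory
stand-ins for real paths.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed: what the backup job captured before any incident.
ORIGINAL_FILES: Dict[str, bytes] = {
    "docs/q1-report.docx": b"Q1 report: revenue up 4%",
    "docs/budget.xlsx": b"budget,2024,approved",
    "docs/notes.txt": b"call supplier on monday",
}
# Constructed placeholder: the real key is generated on, and never leaves, the backup account.
MANIFEST_KEY = b"backup-account-only-key-placeholder"


def build_manifest(files: Dict[str, bytes], key: bytes) -> Dict[str, Any]:
    """Digest every file and MAC the digest table so it cannot be rewritten unnoticed."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(files: Dict[str, bytes], manifest: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Report whether the manifest is authentic and which files match it."""
    digests: Dict[str, str] = manifest["files"]
    body = json.dumps(digests, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, str(manifest["hmac"]))
    intact: List[str] = []
    damaged: List[str] = []
    missing: List[str] = []
    for name, digest in digests.items():
        if name not in files:
            missing.append(name)
        elif hashlib.sha256(files[name]).hexdigest() == digest:
            intact.append(name)
        else:
            damaged.append(name)
    # Files absent from the manifest, e.g. ransom notes dropped next to the data.
    unexpected = sorted(set(files) - set(digests))
    return {"authentic": authentic, "intact": intact, "damaged": damaged,
            "missing": missing, "unexpected": unexpected}


def restorable(report: Dict[str, Any]) -> List[str]:
    """Only an authentic manifest's intact files should be restored; a forged one yields nothing."""
    return list(report["intact"]) if report["authentic"] else []


def tampered_copy() -> Dict[str, bytes]:
    """Constructed: the backup copy after an attacker reached it during the exploring phase."""
    copy = dict(ORIGINAL_FILES)
    copy["docs/budget.xlsx"] = b"\x8f\x1a\x00\xd4\x7b\x21"   # stand-in for ciphertext
    del copy["docs/notes.txt"]
    copy["docs/README_TO_RECOVER.txt"] = b"your files are encrypted"
    return copy


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_FILES, MANIFEST_KEY)
    report = verify_backup(tampered_copy(), manifest, MANIFEST_KEY)
    print(json.dumps(report, indent=2))
    print("safe to restore:", restorable(report))
```

Against the tampered copy the report marks one file intact, one damaged, one missing and one unexpected, and `restorable` returns only the intact file. If the attacker rewrote the manifest to match the encrypted copies, the HMAC check fails and nothing is offered for restore; that property depends entirely on the key living on an account the compromised host cannot reach, which is the point of keeping backups under separate credentials.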
Conclusion
Ransomware attacks are pervasive, dangerous, and costly. Continuing attacks mean that we must do everything we can to stay protected and have solid plans for recovery in the event of an attack. Staying informed on what an attack looks like and following best practices to prevent one is an excellent start to keeping our data and hardware safe.
If you want to take your protection to the next level, check out Trend Micro Cloud One™. Our cybersecurity services platform continually analyzes and identifies new malware, ransomware, malicious URLs, command and control (C&C) locations, and domains that could be used in attacks. Thanks to the Trend Micro™ Zero Day Initiative™, the world’s largest bug bounty program, we can identify and disclose new vulnerabilities across a wide range of platforms. Test out Trend Micro Cloud One for free for 30 days.