Now that Safer Internet Day is here, it is perhaps a good time to recall some measures and recommendations that may be useful against one of the “technological pandemics” that has plagued us most in recent times: ransomware.
Nobody is unaware that the concept of ransomware has taken on a prominence never seen before. It is a kind of malware designed to deny access to a computer or its data until the victim is forced to pay the demanded ransom. It is a form of blackmail that for some years has been causing significant damage to individuals, companies and public bodies.
All4sec points to a set of recommendations aimed at implementing measures, tools and resources that can help mitigate the effect of this threat. They are not foolproof measures. However, they can help prevent an attack or reduce its impact.
Preparing for ransomware
The first and most important thing an organization must do to keep operating in the face of ransomware is to have an encrypted, offline backup of its most critical assets. This is a fundamental task whatever the threat. Backups must be “selective”, covering critical data as well as operating system and application settings.
It is also important to identify and keep backup hardware for system recovery, bearing in mind that the affected equipment may be temporarily unusable and that configurations may differ when identical equipment is not available.
We must also not forget to define, develop and test recovery plans that include communicating or reporting the incident to the appropriate bodies. And, above all, keep logs of the events that occur on the systems for later analysis and monitoring.
Analysis of configurations and vulnerabilities
An essential first step in combating a ransomware attack is to inventory all of the organization's assets, as well as the information flows between them.
We must periodically scan systems and networks, manually or automatically, for possible vulnerabilities. Likewise, we must regularly update applications and operating systems.
Devices must be configured with basic security options such as disabling ports and protocols that are not needed for their normal use. In particular, RDP and other remote access services require special attention. For example, they must be configured with the port disabled, with account lockout after a number of failed login attempts, or with two-factor authentication mechanisms. Whether the SMB protocol is enabled or disabled should also be reviewed to prevent the spread of malware.
Knowledge of attack vectors
Another fundamental recommendation lies in user awareness. Ransomware tends to spread through phishing. Therefore, it is essential that users are able to recognize and block the most common phishing techniques.
In many cases, ransomware attacks arrive through email, and it is key to be able to distinguish messages that may be malicious. That is why it is necessary to deploy mail filtering solutions and enable DMARC mechanisms on mail servers. Likewise, it is advisable to install solutions for blocking suspicious IP addresses through DNS and firewalls. And of course, and not least, disable macros when using Microsoft Office tools.
However, organizations also need tools that protect their infrastructures. They must have an IDS to detect the command-and-control (C&C) activity of possible malware, and antivirus and anti-malware platforms (preferably centrally managed) installed on workstations.
Lists of authorized applications (application allowlisting) and two-factor authentication mechanisms should be used wherever possible, mainly for webmail services, remote access and connections to critical applications. And in general, organizations must apply the principle of “least privilege”, which allows users to access only what they really need. A particular case is the use of tools such as PowerShell, which should only be enabled under very controlled conditions.
Ransomware is one of the most damaging threats facing organizations today. Being prepared to avoid it, and if necessary to combat it, is a fundamental task within any company. With a series of basic security measures we can certainly reduce its success rate. Resolving an incident after the fact, however, will be a “somewhat more complex” task.
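As an added example (not All4sec's code), the following read-only PowerShell audit checks several of the hardening points raised above: the SMBv1 and RDP settings, the account lockout threshold, Office macro policy and PowerShell script block logging. It assumes Windows 10 / Server 2016 or later with the SmbShare module, an elevated session, and an English-locale `net accounts`; the registry paths and value names are the standard Windows and Office policy locations.

```powershell
# Added example (not All4sec's code): read-only audit of the hardening points above.
# Assumes Windows 10 / Server 2016+, the SmbShare module, an elevated session and an
# English-locale "net accounts". Registry paths are the standard Windows/Office policy keys.

function Test-RegValue {
    param([string]$Check, [string]$Path, [string]$Name, [string]$Want, [scriptblock]$Ok)
    # A missing key or value is reported as '<not set>' instead of aborting the audit.
    $v = try { Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop } catch { $null }
    [PSCustomObject]@{ Check = $Check; Actual = $(if ($null -eq $v) { '<not set>' } else { $v })
                       Want = $Want; Pass = [bool](& $Ok $v) }
}

function Get-RansomwareHardeningAudit {
    $r  = [System.Collections.Generic.List[object]]::new()
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

    # SMBv1: legacy protocol abused for lateral spread; the server side should be off.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $r.Add([PSCustomObject]@{ Check = 'SMBv1 server'; Actual = $smb1; Want = 'False'; Pass = (-not $smb1) })

    # RDP: disabled outright (fDenyTSConnections = 1) or, where it must stay on, NLA required.
    $r.Add((Test-RegValue 'RDP disabled' $ts 'fDenyTSConnections' '1' { $args[0] -eq 1 }))
    $r.Add((Test-RegValue 'RDP requires NLA' "$ts\WinStations\RDP-Tcp" 'UserAuthentication' '1' { $args[0] -eq 1 }))

    # Account lockout: "net accounts" prints "Lockout threshold: Never" when it is 0.
    $line = @(net accounts | Where-Object { $_ -match 'Lockout threshold' })[0]
    $threshold = if ($line -match '(\d+)') { [int]$Matches[1] } else { 0 }
    $r.Add([PSCustomObject]@{ Check = 'Lockout threshold'; Actual = $threshold; Want = '1-10'
                              Pass = ($threshold -ge 1 -and $threshold -le 10) })

    # Office macros: VBAWarnings 3 = signed macros only, 4 = all macros disabled silently.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $r.Add((Test-RegValue "$app macros blocked" $key 'VBAWarnings' '3 or 4' { $args[0] -ge 3 }))
    }

    # PowerShell: script block logging provides the event trail recommended for later analysis.
    $r.Add((Test-RegValue 'PS script block logging' $ps 'EnableScriptBlockLogging' '1' { $args[0] -eq 1 }))
    return $r
}

Get-RansomwareHardeningAudit | Format-Table -AutoSize
```

Any row with `Pass` equal to `False` is a setting that diverges from the recommendations; the script only reads configuration and changes nothing.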