Published on 28 Dec 2020 | Updated on 03 Nov 2022
Prevention is key to avoid falling victim to ransomware
Ransomware is a form of malware designed to encrypt files on a device. Threat actors then demand a ransom, typically in cryptocurrency, from the victim to decrypt the files. Some ransomware variants will also try to spread to other machines on the network.
Ransomware is a perennial and constantly evolving global threat in the cyber security landscape, as cyber criminals’ tactics evolve in response to improvements made by businesses. To learn more about recent developments in ransomware, as well as other cyber security issues, please visit our monthly CyberSense publication.
How does Ransomware Spread?
Ransomware is commonly spread through the following means:
Once a machine has been infected by ransomware, some types of ransomware may propagate across the network by exploiting vulnerabilities in background services. For instance, in 2017, the WannaCry ransomware exploited the Server Message Block (SMB) protocol. The ransomware may also propagate through commonly exploited authentication techniques (e.g. Kerberoasting, Pass-The-Hash, Pass-The-Ticket) that leverage stolen Kerberos tickets and password hashes to gain access to adjacent systems, and deploy the ransomware payload.
Impact of Ransomware
Ransomware attacks are disruptive to business operations as employees are unable to access the infected files. It is difficult to recover infected files as each type of ransomware requires a unique decryptor, which may not be available for newer ransomware variants. Sensitive and proprietary information may be lost if the data was not backed-up.
Ransomware threat actors may also threaten to publish the data online to pressure victims to pay the ransom, such as what was done by the MAZE ransomware group which publicised the medical files of the Hammersmith Medicines Research to pressure them into paying the ransom, even though they were able to restore their systems.
Prevention is key to avoid falling victim to ransomware. Organisations need to take appropriate measures to secure their infrastructure and systems. It is also essential to formulate a backup and recovery plan for critical data, and to perform data backups regularly. To avoid falling victim to ransomware attacks, it is recommended that organisations also adopt the following cyber hygiene practices.
1. Secure Your Systems
Use Anti-Virus; Update your Systems, Software and Applications Promptly
Threat actors commonly exploit unpatched vulnerabilities to gain unauthorised access into systems and networks to carry out other malicious activities, such as ransomware attacks. Organisations should:
Enable Spam Email Filters, Use Digital Signature and Anti-Spoofing Controls
To reduce the risk to phishing emails reaching end users, organisations should enable strong spam filters, sign emails with a digital signature, and enable the following email authentication protocols to prevent email spoofing where possible:
Enable Microsoft Office macros only when required
One possible delivery mechanism of ransomware comes in the form of malicious Microsoft Office documents that trick victims into enabling macros in order to view its contents. Organisations should allow macros to be enabled only when required.
Implement Network Segmentation and Monitor Network Traffic
Review Settings on Exposed Services and Open Ports
Some ransomware variants may take advantage of exposed services and open ports such as the RDP port 3389 and SMB port 445 to spread across the network. Organisations should review if there is a need to leave these ports exposed and restrict connections to only trusted hosts.
Implement Application Control
Consider installing application control software that provides application and/or directory whitelisting. Whitelisting allows only approved programs to run, and can prevent unknown programs, such as malware, from running.
Limit Privileged Access to Authorised Personnel
User accounts with administrative privileges have the rights to execute a wide range of actions on the system, including installing software or accessing sensitive data.
To reduce the chances of a threat actor gaining administrative privileges, organisations should:
Use Strong Passwords and Enable Two-Factor Authentication (2FA)
Organisations should use strong passwords of at least 12 characters which includes upper case, lower case, numbers and/or special characters, and implement 2FA for all Internet-facing services, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
Conduct Regular Penetration Testing
Conduct regular penetration testing on both external and internal facing networks to identify any vulnerabilities that may be exploited during an attack. This will allow organisations to make timely patches to existing vulnerabilities in their networks or systems.
Awareness is key to preventing ransomware attacks. Organisations should conduct regular training for employees to raise their awareness and learn good cyber hygiene practices, such as identifying suspicious emails and not clicking on links or opening attachments found in emails from unknown or untrusted sources.
Monitor for Suspicious Activities
Be vigilant in monitoring for suspicious scanning activities and unauthorised login attempts. This will go a long way to prevent your organisation from falling victim to a ransomware attack.
2. Protect your Data
Encrypt Important or Sensitive Data
Organisations should encrypt important or sensitive data as this makes it more difficult for threat actors to access the data if it is stolen. Encryption may also prevent some ransomware variants from detecting the files, if they work by looking for commonly used file types such as images and documents.
Maintain an Updated Backup, and Keep it Offline
Performing regular data backups facilitates data restoration in the event of a ransomware attack. It is important that the backup data is stored offline and not connected to your network, as certain ransomware variants can propagate across the network.
Maintain regularly Updated “Golden Images” of Critical Systems
This entails maintaining image “templates” of virtual machines or servers. These images should include a preconfigured operating system (OS) and relevant software applications. If there is a need to rebuild the system, these images can be quickly deployed.
Limit Data and Properly Dispose Data That Is No Longer Needed
Organisations should limit the data by only storing information needed for business operations, and ensure that data is properly disposed of when no longer needed.
3. Prepare an Incident Response Plan
It is important to develop an incident response plan and conduct exercises to test the plan, before an incident happens. In the unlikely event that the organisation is affected by an attack, having a plan in place and exercising it will help the staff know what actions to take, and prioritise system recovery.
If your organisation has been infected with ransomware, these steps may help in response and recovery:
Should you pay the ransom?
SingCERT does not recommend paying the ransom. Doing so does not guarantee that the data will be decrypted or that your data will not be published by threat actors. It also encourages the threat actors to continue their criminal activities and target more victims. Threat actors may also see your organisation as a soft target and may strike again in the future.