Introduction to Ransomware
Ransomware is a type of malicious software that has caused extensive damage to systems around the world. It encrypts the files on a machine so that they are inaccessible and displays a message informing you of the encryption. The message then gives instructions on how to pay a ransom to get your files back, usually in bitcoin.
A ransomware infection can cost a business a great deal of time and money to recover from. Without adequate backups in place, a business's data could become entirely inaccessible, leaving payment of the ransom as the only way left to retrieve it.
How can ransomware infect a system?
#1 Email attachments
A common method of infection is a fake email about a bill payment or invoice. It asks the user to click a link that leads to a malicious website, or to open the attachment. These attachments are often Word documents with an embedded macro that downloads the ransomware from an external server.
#2 Downloads from a compromised website
A user can visit a compromised website and download the ransomware without their knowledge. An attacker exploits security weaknesses in a website to embed malicious code that redirects the victim to another website under the attacker's control. That site can then run an exploit kit against the user's machine, scanning for security weaknesses and executing code without the user's knowledge, before presenting a ransom message.
#3 Remote Desktop Protocol (RDP)
This is a protocol commonly used by IT administrators to access a machine remotely. It connects using port 3389; however, it was found in 2017 that 10 million machines were advertising themselves to the public internet as having this port open. This allows hackers to use search engines to find machines that have this port open and are vulnerable to attack. Once connected, the attacker can brute force the password using password cracking tools, log in as an administrator, and then run the encryption process.
Preventing a ransomware attack:
There are ways to work towards preventing a ransomware attack:
#1 Train End Users
Train end users to be aware of malicious emails they may receive and what to look out for. When they receive a malicious email, they will know simply to delete it instead of opening attachments or clicking links.
#2 Frequent Security Updates
Make sure all machines in the business are updated with the latest Windows security updates. Also, ensure that any antivirus programs installed are up to date with the latest definitions.
#3 Regular Backups
Having a secure backup system in place will allow you to restore any data and documents that have been encrypted by the ransomware.
#4 Intrusion Detection
This is a system that can alert you to the signs and symptoms of a ransomware attack before the encryption is executed. Intrusion detection systems can detect suspicious activity such as disabled firewalls, corrupted antivirus software or unusual policy updates. The alert goes to an IT administrator, who can quarantine the infected system as soon as possible, before the ransomware spreads.
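The precursor detection described above, as an added example that is not part of the original article: a small Python detector that scans log lines for the three signs named here (firewall disabled, antivirus service stopped, audit policy changed) and lists hosts that show more than one of them. The sample log lines are constructed, and the message wording matched by the rules is an assumption to be checked against your own log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry), one event per line:
# "<timestamp> <host> <event_id> <message>"
SAMPLE_LOG = """\
2024-05-01T09:12:03 WS-17 4950 A Windows Firewall setting has changed. Setting: Enable Windows Firewall, Value: No
2024-05-01T09:12:05 WS-17 7036 The Windows Defender Antivirus Service service entered the stopped state.
2024-05-01T09:12:09 WS-17 4719 System audit policy was changed. Subcategory: File System
2024-05-01T09:15:00 WS-22 7036 The Print Spooler service entered the running state.
2024-05-01T09:20:41 WS-17 4624 An account was successfully logged on. Logon Type: 10
"""
# Precursor rules: (event_id, message pattern, label). The IDs are Windows
# Security/System event IDs; the message wording is an assumption and must be
# checked against the log format in your own environment.
PRECURSOR_RULES = [
    ("4950", re.compile(r"Enable Windows Firewall.*Value: No"), "firewall_disabled"),
    ("7036", re.compile(r"(Defender|Antivirus).*entered the stopped state"), "antivirus_stopped"),
    ("4719", re.compile(r"System audit policy was changed"), "audit_policy_changed"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse_line(line):
    """Split a log line into (timestamp, host, event_id, message), or None."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def find_precursors(log_text):
    """Return {host: [(timestamp, label), ...]} for lines matching a rule."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, event_id, message = parsed
        for rule_id, pattern, label in PRECURSOR_RULES:
            if event_id == rule_id and pattern.search(message):
                findings[host].append((ts, label))
    return dict(findings)

def hosts_to_quarantine(findings, min_distinct=2):
    """Hosts showing at least `min_distinct` different precursor types."""
    return sorted(host for host, events in findings.items()
                  if len({label for _, label in events}) >= min_distinct)

if __name__ == "__main__":
    print(find_precursors(SAMPLE_LOG))
    print("quarantine:", hosts_to_quarantine(find_precursors(SAMPLE_LOG)))
```

Requiring two distinct precursor types per host keeps a single routine service restart from paging an administrator, while a host that disables its firewall and stops its antivirus within minutes is flagged for quarantine.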