What is Ransomware & how to avoid it?

60-Second Summary

Ransomware encrypts files and demands payment, often using strong encryption. It spreads through phishing, software vulnerabilities, weak RDP access, and drive-by downloads. Some variants also threaten to leak data or use supply chain attacks.

AMCO’s Top Security Tips

• Email security: Block phishing emails with advanced filters.
• Update software: Regularly patch vulnerabilities.
• Restrict RDP access: Enforce strong authentication for remote access.
• Endpoint security: Use NGAV and EDR for comprehensive protection.
• Backups: Keep secure, offline backups for data recovery.
• User training: Educate employees on cybersecurity awareness.

What is Ransomware?

Ransomware is a cyberattack that locks users out of their data or systems until a ransom is paid. It has evolved into multiple variants, including:

• Crypto Ransomware: Encrypts files using strong cryptography (e.g., AES, RSA).
• Locker Ransomware: Locks users out of their devices, preventing system access.
• Ransomware-as-a-Service (RaaS): Attackers rent or sell ransomware to affiliates.
• Double Extortion Ransomware: Exfiltrates data before encrypting files, threatening public release if the ransom is not paid.

Famous examples include WannaCry, REvil, Petya, and Clop.

How Does Ransomware Spread?

Ransomware spreads through various methods, with phishing and social engineering being among the most common and effective tactics used by attackers. Keep reading to learn about these tactics:

1. Phishing & Social Engineering

Ransomware often spreads through manipulation and deception, with attackers exploiting human trust to deliver malicious payloads. Common tactics include:

• Attackers send fake emails impersonating trusted sources (e.g., banks, IT departments).
• Emails contain malicious attachments (e.g., Word, Excel, ZIP files) or links leading to fake login pages.
• Enabling macros or clicking links downloads the ransomware payload.

2. Exploiting Software Vulnerabilities

• Attackers scan for unpatched software and exploit known vulnerabilities.
• Commonly exploited flaws include EternalBlue (WannaCry), PrintNightmare, and ProxyLogon (Exchange vulnerabilities).

3. RDP & Weak Credentials

• Cybercriminals brute-force weak or default RDP credentials (Port 3389).
• Once inside, they disable security software and deploy ransomware.

4. Drive-by Downloads & Malvertising

• Users visit compromised websites that automatically install ransomware.
• Fake software updates (e.g., Adobe Flash prompts) trick users into downloading malware.

5. Supply Chain Attacks

• Attackers inject ransomware into legitimate software updates.
• Users unknowingly install compromised updates, allowing attackers remote access.

How to Prevent Ransomware Attacks

1. Strengthen Network Security

• Implement Zero Trust Architecture (ZTA) to verify every access request.
• Microsegmentation: Isolate critical systems to prevent lateral movement.
• Use next-gen firewalls (NGFWs) and Intrusion Prevention Systems (IPS).
• Restrict RDP access using VPNs, MFA, and IP allowlisting.

2. Endpoint Security & Hardening

• Deploy Next-Gen Antivirus (NGAV) and Endpoint Detection & Response (EDR).
• Enforce application whitelisting to block unauthorized software execution.
• Disable macros, PowerShell scripts, and Windows Script Host (WSH).
• Block unauthorized USB device access to prevent infections.
• Keep systems patched and updated to eliminate vulnerabilities.

3. Backup & Disaster Recovery

• Implement immutable backups that cannot be altered by ransomware.
• Use air-gapped backups stored offline or in a separate network.
• Follow the 3-2-1 backup rule:
  • 3 copies of data.
  • 2 different storage media.
  • 1 copy stored offsite or in the cloud.
• Regularly test backup recovery to ensure data integrity.

4. Email Security & Phishing Protection

• Deploy email security gateways (SEG) to block phishing attempts.
• Enable SPF, DKIM, and DMARC to prevent domain spoofing.
• Use sandboxing to scan email attachments and links before delivery.
• Conduct phishing awareness training and simulation exercises.

5. Behaviour-Based Detection & Response

• Deploy honeypots and decoy files to detect unauthorized encryption attempts.
• Use File Integrity Monitoring (FIM) to track abnormal file modifications.
• Leverage AI-driven security solutions to detect suspicious activity in real time.

6. Incident Response & Containment

• Immediately isolate infected systems to prevent further spread.
• Terminate ransomware processes using Task Manager or EDR tools.
• Investigate logs for forensic analysis and identify the attack source.
• Disable compromised accounts and enforce password resets.

AMCO Recommendations

• Prevent Phishing Attacks: Deploy email security, train users, and block malicious attachments.
• Patch Software & Restrict RDP: Regularly update systems and enforce MFA for remote access.
• Harden Endpoints: Use NGAV, disable unnecessary scripting, and implement application whitelisting.
• Secure Backups: Maintain immutable, air-gapped backups and test recovery processes.
• Use Network Segmentation: Implement Zero Trust, firewalls, and microsegmentation to limit ransomware spread.
• Incident Readiness: Have an emergency response plan, conduct security drills, and continuously monitor for threats.

By implementing these strategies, organisations and individuals can significantly reduce their risk of falling victim to ransomware attacks.