Practical Ransomware Prevention Techniques & Practices That Won’t Break the Bank
*Note: This article was originally published by the author on June 6, 2021.

“All war presupposes human weakness and seeks to exploit it.” ― Carl von Clausewitz
We are in the preliminary stages of an undeclared cyberwar. If we’re honest with ourselves, it has been ramping up to this for the last three decades. We’re in the probing, testing-the-waters stage of cyberwarfare. The lines are fuzzy, not internationally agreed upon, and very much the Wild West. Nation-state Advanced Persistent Threat (APT) actors are testing the limits of what they can get away with in the name of cyber espionage and the furtherance of their strategic national agendas, pushing the envelope of what other governments will tolerate.
The Russians, more so than other nations, have become adept at it, playing the long game in cyberwarfare strategy as an instrument of national policy. The Chinese have as well, but their activity in this area has been likened more to a “smash and grab” jewelry heist, whereas Russian APTs have been quietly lurking within our networks, planting backdoors, exfiltrating data, and watching. The U.S. is no stranger to this game, either. All superpowers use cyber espionage; it’s simply a lot cheaper, and sometimes far more effective, than kinetic warfare, with less collateral damage to innocent civilians. The Duqu, Stuxnet, and Flame malware demonstrated that the U.S. possesses the capability to play dirty when it wants to, say, prevent an autocratic regime from developing weapons-grade Plutonium.
On the heels of the more sophisticated APT malware groups are less sophisticated but just as dangerous cybercriminal ransomware gangs such as DarkSide, REvil, and Maze. Ransomware has matured to the point where, let’s face it, just about every time we turn on the news or open social media there is a brand new story about the latest company hit by ransomware.
But ransomware is not a new cyber threat; it’s more like a cancer that has been left untreated and continues to metastasize.
Ransomware is an interesting problem, and when we study it objectively there are many different strategic approaches that can be taken to defend against it. One thing is certain, however: as long as there is money to be made by cybercriminals perpetrating ransomware and victims who are willing to pay these ransoms, it will not stop happening. Eventually, we may even see ransomware metastasize to the point where victim data is encrypted and ransomed, but the victim’s refusal to pay could result in the cybercriminals wiping or bricking the victim’s systems remotely.
Why Does It Keep Happening Though?
While I think the obvious answer to this question is the opportunity for financial gain, there are certainly many more factors at play that allow these attacks to occur in the first place. I could go on pontificating, but take a look at some of the tweets from former CISA Director Chris Krebs on why he thinks the ransomware problem has become so bad.
Basically, wherever there is an opportunity for financial gain, there is a motive for crimes of all types. Nobody is immune from ransomware. Think about it: if no one ever paid a single ransom, would cybercriminals continue investing so much effort, time, and resources into something that wasn’t profitable? Probably not. Governments enable this behavior by failing to pass stiff regulations against making ransomware payments and by giving safe harbor to cybercriminal gangs, as is commonly seen with Russia.
Methods of Compromise — The Usual Suspects
While this isn’t meant to be an exhaustive list of techniques used by cybercriminals to compromise systems, listed below are a few of the common technical and non-technical methods witnessed across the industry in recent years. As this article is intended for the layman reader, I won’t delve into the technical process of how ransomware encryption works; it’s also worth noting that several different encryption algorithms are used.
- Phishing emails - cleverly (sometimes not so cleverly) crafted emails, a form of social engineering, containing malicious links and/or malicious file attachments are a very common method of ransomware infection.
- Fake law enforcement notifications - sometimes ransomware criminals will encrypt an individual’s computer drive and demand payment, claiming it is a penalty for viewing CSAM. Less sophisticated cybercriminals might send emails randomly to different accounts claiming to have recorded webcam video of the victim while naked and try to extort Bitcoin payments from gullible victims who may not know better. It’s a lucrative enough scam for cybercriminals to continue perpetrating it.
- Drive-by downloading - users unknowingly visit a website, or accidentally type in the wrong Uniform Resource Locator (URL), and land on a site that is meant to look the same but is actually malicious and controlled by cybercriminals.
- Passwords - if system user passwords are somehow compromised, that can also lead to ransomware infection, as in the recent example of the Colonial Pipeline ransomware attack, which is reported to have been the result of a single compromised user password (Turton & Mehrotra, 2021).
- Remote Desktop Protocol (RDP) - TCP port 3389, when open or ‘exposed’ to the internet, can present a serious risk to any system. Increasingly, we’ve seen RDP abused by attackers of all types, including ransomware operators, to compromise computer systems with malware, install Remote Access Trojans (RATs), and more (Rashid, 2019).
- Software vulnerabilities - each day new software vulnerabilities are discovered by security researchers, and if they aren’t patched in a timely fashion, attackers can sometimes use them to easily exploit unpatched systems. A couple of notable examples were WannaCry and NotPetya, which infected systems that had failed to apply the patch for the Windows SMBv1 vulnerability (CVE-2017-0144, a.k.a. MS17-010 as named by Microsoft) targeted by the NSA “EternalBlue” exploit leaked by the Shadow Brokers. The vulnerability affected Windows XP SP2/SP3, XP Embedded SP3, Vista, 7, 8 RT, 8.1, 8.1 RT, and 10; Windows Server 2003 SP2, 2008, 2008 R2, 2012, 2012 R2, 2016; and Windows Server Core installations 2008, 2008 R2, 2012, 2012 R2, 2016 (UoM, 2017).
Ransomware Payments
To eventually defeat ransomware, it’s also important to understand how the ransomware payment process works, whereby victims pay the cybercriminals perpetrating the crime. Bitcoin is the predominant method of ransom payment. Despite being publicly transparent and traceable, it has allowed cybercriminals to launder their illicitly acquired funds into legitimate financial transactions through reputable retailers and/or banking institutions that deal in cryptocurrency trading and payments. There are many other cryptocurrencies, but Bitcoin is by far one of, if not the, biggest on the market.
“Pros” of cryptocurrency:
- Decentralized (i.e., unregulated by governments)
- Peer-to-Peer network
- Operates using the Blockchain digital ledger system (*storing the Bitcoin Blockchain currently requires 349 GB of disk space according to YCharts as of 4 June 2021, and it grows more every day)
- No taxes (*The IRS is rapidly becoming wise to cryptocurrency & is contracting exploits to de-anonymize users for taxation purposes)
- No electronic payment transaction fees
- No third-party seizure risk
- Cannot be stolen without access to the victim’s crypto coin wallet key

“Cons” of cryptocurrency:
- Valuation volatility due to market fluctuation
- Cryptocurrency is still not widely accepted as a form of payment by retailers, although it’s been growing in adoption
- Bitcoin’s not private, meaning “…anyone can see the balance and all transactions of any address” (Bitcoin.org, 2021)
- Private IP addresses can be logged unless anonymization techniques and tools are used
- Negative stigma due to cybercriminal use
That is not to say it’s all bad, but cryptocurrency’s role in ransomware is a major issue, depending on which side of the argument fence you’re sitting on. There’s no arguing that without Bitcoin, ransomware wouldn’t be as prolific as it has become today.
Affordable & Practical System Hardening Practices
Best practices in cybersecurity will go a long way in helping to prevent ransomware infection, but let’s not pretend that they are 100% effective. Where there is a will, there is a way. I am not going to reinvent the wheel when people much smarter than I am have already laid out the foundations for success in protecting against ransomware, namely the computer scientists who work at NIST. NIST’s advice, which I’ve elaborated on a bit, includes:
- Always use an antivirus (AV) software product on all of your devices. Ensure it’s set up to automatically update itself with new virus definitions, because vendors publish them multiple times daily, and also ensure it’s configured to automatically scan your emails and removable media (e.g., flash drives) for ransomware and other malware.
- Keep all computers fully patched with security updates. This sounds simple and easy to do, and yet so often it isn’t done, by individuals or by big corporations that have thousands of computers to maintain. This single action of updating your software will go a long way toward protecting your computers/devices from many types of malware, including ransomware.
- Use security products or services that block access to known ransomware sites on the internet. Your AV software should help with this; most well-known AV products come with internet website blacklists. Get in the habit of double-checking URLs before clicking “Go” or hitting “Enter,” and hover over links to see if they really are taking you where they say they are. If it’s a shortened URL or it looks funky, run it through VirusTotal or URLscan.io to see if it’s flagged as malicious.
- Configure operating systems, or use third-party software, to allow only authorized applications to run on computers, thus preventing ransomware from running. This is also known as the Principle of Least Functionality. Configuring computers for least privilege and least functionality is more advanced than the average user may be accustomed to, but it is an essential part of hardening your computer systems.
- Restrict or prohibit the use of personally owned devices on your organization’s networks and for telework or remote access unless you’re taking extra steps to assure security. Generally speaking, it’s best to keep your employer’s work data and equipment completely separate from your personal devices. Oftentimes employers or organizations will have specific IT security policies on personally owned devices.
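The “hover over links” check above can be automated for an HTML email body. This is an added example, not code from the article: it flags anchors whose visible text names one domain while the actual href goes somewhere else, and links that pass through a URL shortener. The sample message and the shortener list are constructed for the demo.

```python
# Added example (not from the article): flag links in an HTML email whose
# visible text names one domain while the href goes somewhere else, and links
# through URL shorteners. The sample message and shortener list are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}   # assumption: extend as needed
URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Constructed sample: one lookalike link, one honest link, one shortened link.
SAMPLE_EMAIL = """
<p>Your invoice is ready: <a href="https://secure-login.example.net/pay">
https://bank.example.com/invoices</a></p>
<p>Policy: <a href="https://bank.example.com/policy">https://bank.example.com/policy</a></p>
<p>Details: <a href="https://bit.ly/abc123">click here</a></p>
"""

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the demo, not a real public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (href, reason) findings; an empty list means nothing suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            findings.append((href, "url-shortener hides the real destination"))
        shown = URL_RE.search(text)        # does the anchor text itself look like a URL?
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable(shown_host) != registrable(host):
                findings.append((href, f"text shows {shown_host} but link goes to {host}"))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` reports the lookalike invoice link and the shortened link, and passes the honest policy link.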
NIST also advises users to follow these tips for their work computers:
- Use standard user accounts instead of accounts with administrative privileges whenever possible. This ensures the all-powerful Admin account isn’t used for lower-level actions that don’t require an administrator, which could otherwise lead to issues for regular users or even privilege escalation by attackers.
- Avoid using personal applications and websites, such as email, chat, and social media, on work computers. These types of websites are rife with malware and are often full of malicious links, suspicious users, and content that is generally not appropriate during work hours.
- Avoid opening files, clicking on links, etc. from unknown sources without first checking them for suspicious content. For example, you can run an antivirus scan on a file and inspect links carefully. However, if you don’t recognize the sender, or if at work you notice that the email isn’t digitally signed or looks suspicious in some way, report it as a possible phishing attempt. It’s better to be safe than sorry.
NIST recommends that organizations follow these steps to accelerate their recovery:
- Develop and implement an incident recovery plan with defined roles and strategies for decision-making. A good idea is to have playbooks for how your team and organization will respond to various types of security incidents, such as malware outbreaks, phishing, data theft, denial of service, unauthorized access, and malicious insiders. There is free info here.
- Carefully plan, implement, and test a data backup and restoration strategy. It’s important not only to have secure backups of all your important data but also to make sure that backups are kept isolated so ransomware can’t readily spread to them. It’s also important to understand that offline backups are not a panacea for ransomware; they are one very important component of a well-architected defense strategy.
- Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement. Know who to call. Who is your go-to security incident response consultant for digital forensics and/or ransomware? You don’t have one? You need to fix that.
Additionally, I also recommend the following:
- Turn off computers at night when not in use. *Double advantage: energy bill savings. Some will argue that this is merely security by obscurity, which doesn’t work, but I argue that you can’t infect or breach systems that you can’t connect to online. So, suit yourself. It’s a rudimentary form of online defense. If you need to run your systems 24/7, then disregard this advice but ensure they are locked down tight. Otherwise, why leave them on 24/7? It only invites risk. IT can plan system updates prior to core work hours or on a weekend; it all depends on your organization’s mission and risk tolerance level.
- Encourage users to use strong, unique passwords for each website they log into. Under no circumstances should their work account password be the same as that of any other online account.
- Use Multi-Factor Authentication (MFA) - this will help preclude successful user account takeovers when a password is compromised by attackers through whatever means. Use the strongest form of MFA your organization or website supports, such as authenticator apps or a Universal 2nd Factor (U2F) security key. SMS or text-based MFA has vulnerabilities, but it is still better than not using MFA at all.
- Implement SPF, DKIM, and DMARC on your organization’s email domain. This will help mitigate the phishing email threat by making it harder for cybercriminals to spoof your email domain. This isn’t hard to do; take a day and knock it out. It will save you a lot of headaches.
- If you’re a Windows shop, really look hard at the affordability and consider whether purchasing a subscription for Microsoft’s Azure cloud security services is in the realm of possibility. As depicted below, they offer some great services that can help a lot with detecting phishing emails and ransomware threats, and generally make the incredibly arduous job of cybersecurity a lot easier. That’s not to say there aren’t other great vendor products and services, like Cisco or Palo Alto; this is just a very useful product I can vouch for, as I’ve used it professionally.
- Last, but not least, look into implementing a Zero Trust Architecture (ZTA). This isn’t something you can do overnight; in fact, it could take years to fully implement, but it is highly effective at stopping network intrusions because re-authentication is required at every logical access point within the network architecture. Zero Trust Architecture assumes breach, meaning that your network security is locked down to the point where the entire network is set to “fail secure.” If an attacker is able to penetrate your defenses, they won’t make it far because they’ll be challenged every step of the way by your security architecture, the data will be encrypted at rest and in transit, and much more. ZTA is more of a long-term cybersecurity strategy that will cost your organization some money, but you can plan for it and implement it gradually as it becomes feasible. Obviously, the sooner the better.
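The SPF, DKIM and DMARC advice above is only as good as the records you publish: an SPF record ending in `+all`, a DMARC policy of `p=none`, or a missing DKIM key leaves your domain spoofable. As an added example (not code from the article), the script below audits the three TXT records for those weak settings; the records are constructed inline, and for a real domain you would fetch them via DNS and pass them in.

```python
# Added example (not from the article): audit SPF, DKIM and DMARC TXT records for
# weak settings. Records are constructed; fetch real ones via DNS and pass them in.
def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_spf(record):
    """Findings for the domain's SPF TXT record; None means none is published."""
    if record is None:
        return ["spf: no record; anyone can send as this domain"]
    mechs = record.split()
    last = mechs[-1].lower() if mechs else ""   # the terminal 'all' sets the default
    if last in ("+all", "all"):
        return ["spf: '+all' authorizes every sender"]
    if last == "?all":
        return ["spf: '?all' is neutral and offers no protection"]
    if last == "~all":
        return ["spf: '~all' softfail; prefer '-all' once all senders are listed"]
    if last != "-all":
        return ["spf: no terminal 'all' mechanism"]
    return []

def audit_dkim(record):
    """Findings for the key at <selector>._domainkey.<domain>."""
    if record is None:
        return ["dkim: no key published for this selector"]
    if not parse_tags(record).get("p"):
        return ["dkim: key revoked (empty p=)"]
    return []

def audit_dmarc(record):
    """Findings for the _dmarc.<domain> TXT record."""
    if record is None:
        return ["dmarc: no record; spoofed mail is neither rejected nor reported"]
    t = parse_tags(record)
    findings = []
    if t.get("p", "none") == "none":
        findings.append("dmarc: p=none only monitors; move to quarantine or reject")
    if "rua" not in t:
        findings.append("dmarc: no rua= address, so aggregate reports are lost")
    return findings

def audit_domain(spf, dkim, dmarc):
    return audit_spf(spf) + audit_dkim(dkim) + audit_dmarc(dmarc)

# Constructed records: a weak setup beside a hardened one (key value is a placeholder).
WEAK = ("v=spf1 include:_spf.example.net ~all", None, "v=DMARC1; p=none")
HARDENED = ("v=spf1 include:_spf.example.net -all",
            "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```

`audit_domain(*WEAK)` returns four findings (softfail SPF, missing DKIM key, monitor-only DMARC, no report address) while `audit_domain(*HARDENED)` returns none.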

As you can see, a lot of these defensive security controls are affordable and will work for large enterprises, Small Office/Home Office (SOHO) environments, and, to some extent, individuals. There are several affordable cybersecurity measures you can take to help prevent ransomware attacks and/or data breaches.
Remember also that once your system has been compromised, it should be treated as a data breach whether data was stolen, encrypted, leaked, or otherwise. Either way, all are bad, and you want to avoid data breaches and ransomware infections at all costs. It could mean the difference between staying in business and having to declare impromptu bankruptcy. Hopefully, I’ve given readers a few pointers on what ransomware is all about, how it works, and some measures you can take to avoid becoming a victim.
In addition to the resources listed below, I recommend checking out the CISA Protecting Against Ransomware webpage which lists a ton of good tips and information. Be careful and observant out there in cyberspace.
Never Trust. Always Verify. Think Like An Adversary.
References
Bitcoin.org. (2021). Understanding Bitcoin traceability. Retrieved from https://bitcoin.org/en/
National Institute of Standards and Technology. (2021, May 13). NIST Releases Tips and Tactics for Dealing With Ransomware. Retrieved from https://www.nist.gov/news-events/news/2021/05/nist-releases-tips-and-tactics-dealing-ransomware
Rashid, F. Y. (2019, September 26). Attackers combine attacks against RDP with ransomware. Retrieved from https://duo.com/decipher/attackers-combine-attacks-against-rdp-with-ransomware
Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Retrieved from https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
University of Michigan. (2017, June 28). Advisory: New Petya ransomware exploits same vulnerability as WannaCry. Retrieved from https://safecomputing.umich.edu/security-alerts/new-petya-ransomware-exploits-same-vulnerability-wannacry
YCharts. (2021, June 4). Bitcoin Blockchain Size. Retrieved from https://ycharts.com/indicators/bitcoin_blockchain_size