Ransomware has been around for a long while and, like other types of attacks, it has morphed, combining more than one attack. Some are automated and some have a human behind the placement. Just because it is ransomware doesn't mean someone specifically targeted you for the attack. You just fell into their trap. This means it doesn't just attack those large targets. Those, most of the time, can block the traps because they have invested heavily in tech to block it and have procedures in place to lessen the effects it might have on the network. That is when a human usually gets involved and pushes through, trying to uncover where and when to release the attack.
Here is a timeline (a little old, from 2017) that shows just how many are out there and how they are variants of one another.
https://p.widencdn.net/0ruah2/Infographic_Ransomware_timeline

Defending against ransomware is about the same as against any virus. You want to:
- Have multiple layers of protection
- Have a plan in place in case it does happen
- Educate your people
- Keep current
1) Layers must be on all levels. A good firewall with multi-level protection is needed. We are a Watchguard reseller, and with their product they have not only the ability to block a port or filter a port but also to proxy a port. This means they look at the content as it is being transmitted to make sure that it is formed correctly and no one is hiding anything within the normal content that could harm the system. It can scan the emails as well as the traffic. It also has what they call a TDR host sensor, which monitors machines in your network for signs of security threats. They combine this with access points that push the protection to Bring Your Own Device (BYOD) users, and with a VPN to help secure any connection coming into the network from remote users. But even with all that, you want to have a good antivirus on each machine that specifically blocks these types of threats. We happen to use Trend Micro. While Trend and the Watchguard can both scan the emails, we also use Trend's Hosted Email scanner to help block it from coming in through email. Another layer we have is with our backups. We use Acronis, and they have a ransomware component that monitors whether the machine is encrypting data and can stop it before it gets anywhere. Then you have your normal process of updates and configuring the system to limit who has admin accounts that can get anywhere: changing of passwords, not using the same one everywhere, using 2FA, etc. Don't rely on backups to always save you. A lot of the ransomware attacks are going after backups now, as well as trying to inject into SQL.
2) Just because you have these layers of protection doesn't mean you can set it and forget it. You have to have plans in place as to what to do if you do get it and what it is attacking, so it can't spread. Plan out how to make sure you are staying current, and plan how to keep the equipment updated.
3) Educate the users about phishing attacks and links on websites, but also about social hacks
https://www.intego.com/mac-security-blog/social-hacking/
where they get a call or email that seems weird but innocent enough that they respond to it, giving little bits of info at a time without noticing it. There was a study at a college where someone put out 100 USB sticks all around, and once a stick was put in a computer it would report back to the central computer. Of the 100, there were 30 that checked in, and the researcher figures there were another 10 or 20 that might have been used but just were not on the internet, or something blocked the report from going out. For those who send emails out to marketing lists, that is a BIG return. Here is an example:
https://www.theverge.com/2019/8/15/20807854/apple-mac-lightning-cable-hack-mike-grover-mg-omg-cables-defcon-cybersecurity
People are usually the weakest point in anyone's protection against threats.
4) Like I said in the layers, you have to keep all the equipment and software current. Most of these threats are able to get around due to known issues that have fixes for them. I remember back in 1995 looking at a friend's system that had an application that custom-built viruses with an easy-to-use GUI: you clicked on which viruses you wanted to add and how you wanted to distribute it, and clicked a button to create it. Within seconds you had your own custom variant of any of 100 different viruses. He was a white hat, thank goodness, but I still didn't let him on my computer. But something tells me that wouldn't have stopped him if he really wanted in.
------------------------------
Todd Martin - President
MBA Business Software (https://www.mbabsi.com)
------------------------------
Original Message:
Sent: 01-23-2020 21:57
From: Wayne Schulz
Subject: Best Practice Recommendations for Avoiding Ransomware
Same customer requires two-factor Microsoft Authenticator to log in and a password change about every 20 days.
---------------------------------
Wayne Schulz - Schulz Consulting - 860-516-8990
---------------------------------
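The backup-side "ransomware component" Todd mentions works on a behavioural heuristic: a process that rewrites many existing files in a short window with content that looks like ciphertext. The script below is an added example that shows that core heuristic in about sixty lines; it is not Acronis, Trend Micro or Watchguard code, and the thresholds, file names and simulated activity are all assumptions made for illustration. It takes two snapshots of a folder, computes each file's Shannon entropy, and raises an alert only when a burst of files flips from readable (low entropy) to encrypted-looking (high entropy), usually with a new extension. A single new high-entropy file (a zip or a photo) is deliberately not flagged, because that is normal activity and the point of the check is the transition, not the entropy alone.

```python
"""Toy behavioural ransomware detector (added example, not a vendor product).

Compares two snapshots of a folder and flags a burst of files whose content
jumped from low to high Shannon entropy. Thresholds and sample data are
assumed for illustration only.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.2   # bits per byte; encrypted or compressed data sits near 8.0
BURST_THRESHOLD = 5  # distinct files flipping to high entropy between two scans


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Map each file to (suffix chain, entropy), keyed by directory + base name
    with every extension stripped, so doc.txt and doc.txt.locked share a key."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            stem, _, suffix = p.name.partition(".")
            key = str(p.relative_to(root).parent / stem)
            snap[key] = (suffix, shannon_entropy(p.read_bytes()))
    return snap


def encryption_events(before: dict, after: dict) -> list:
    """Files that were readable before the scan and look encrypted after it."""
    events = []
    for key, (old_suffix, old_h) in before.items():
        if key not in after:
            continue  # deleted outright; a real monitor would count this too
        new_suffix, new_h = after[key]
        if old_h < HIGH_ENTROPY <= new_h:
            events.append({"file": key, "from": old_suffix, "to": new_suffix,
                           "entropy_before": round(old_h, 2),
                           "entropy_after": round(new_h, 2),
                           "renamed": old_suffix != new_suffix})
    return events


def assess(before: dict, after: dict) -> dict:
    """Alert only on a burst: one high-entropy write on its own is normal."""
    events = encryption_events(before, after)
    return {"alert": len(events) >= BURST_THRESHOLD,
            "suspicious_count": len(events),
            "events": events}


def _populate(root: Path, count: int = 8) -> None:
    """Constructed sample data: plain-text documents with low entropy."""
    for i in range(count):
        (root / f"doc{i}.txt").write_text(f"Quarterly report {i}\n" * 200)


def simulate_attack() -> dict:
    """Ransomware-style behaviour: rewrite most files with random bytes and rename."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _populate(root)
        before = snapshot(root)
        for i in range(6):
            src = root / f"doc{i}.txt"
            src.write_bytes(os.urandom(8192))  # stands in for ciphertext
            src.rename(root / f"doc{i}.txt.locked")
        return assess(before, snapshot(root))


def simulate_benign_edit() -> dict:
    """Normal activity: one document edited, one archive added, nothing flagged."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _populate(root)
        before = snapshot(root)
        (root / "doc0.txt").write_text("Quarterly report 0, revised\n" * 200)
        (root / "photos.zip").write_bytes(os.urandom(8192))  # new high-entropy file is fine
        return assess(before, snapshot(root))


if __name__ == "__main__":
    for name, result in (("attack", simulate_attack()), ("benign", simulate_benign_edit())):
        print(f"{name}: alert={result['alert']} suspicious={result['suspicious_count']}")
```

Real products add a rate component (how many files per second, by which process) and act on it by suspending the process and restoring the touched files from a protected copy; the snapshot comparison here is the part that decides something is worth acting on. The same logic also explains why attackers now go after the backups first, as the post warns: a guard that restores from backup is only as good as a backup the attacker could not reach.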