How To Prevent Ransomware: A Simple Guide For Protection

By: Kris Lahiri, Chief Security Officer

Share this Page

Within this guide, you'll learn how to prevent ransomware with simple, in-depth tactics to protect yourself from cybercriminals. If you're entirely unfamiliar with this type of malware, you can start with this What is Ransomware guide to learn the basics.

Based on the 2019 Verizon Data Breach Report, ransomware trails only command & control (C2) attacks amongst all malware attacks; therefore, it's a great idea to learn how to prevent it from happening to you and your business. In fact, 60% of CIOs are concerned about external attacks like hacking, ransomware, and viruses according to Egnyte’s 2020 Data Governance Trends report.

How Ransomware Works

Ransomware depends not on the complexity of its code, but the vulnerabilities of its targets. At its core, ransomware is just a worm looking for a hole. Preparation for a near-inevitable ransomware attack prevents it from becoming a breach repelling it before it enters and closing holes.

How To Prevent Ransomware By Minimizing Entry Points

Many organizations have porous security perimeters, especially with the spike in remote workers. However, ransomware usually takes an easier approach. It enters from a download delivered via email, because this point of entry requires the least effort on the part of the attacker. The ransomware appears as a link or attachment, often from a known source, with an enticement to click it. The attachment or link is an executable file that unleashes the ransomware.

Inadvertent downloads of malware from an infected website—sometimes executed by clicking, others by simply landing on the site—are also popular attack points for ransomware. (This includes chat and social media messaging.)

This stealthy ransomware enters systems through vulnerabilities in various browser plugins, with the delivery mechanism being merely visiting a website. This ransomware, known as drive-by ransomware, is delivered in the background, often without the user being aware of it. Other entry points include good, old-fashioned social engineering and malware carried on USB drives.

More sophisticated ransomware attacks take advantage of systems’ and networks’ backdoors or vulnerabilities. Attackers probe targets to find weaknesses in security systems, such as lapsed patches and updates, gaps in the configuration of security tools, and insecure remote users.

How To Prevent Ransomware That Attacks Profiles

Attacks do not necessarily begin at the time of entry. Often ransomware works quietly without users noticing. It lurks in the background while it prepares for its attack on the point-of-entry system or spreads across the network to other systems before activating and making its presence known.

Sometimes the ransomware lies dormant after download or downloads in segments to avoid detection. Regardless of its download timeline, once file lockdown begins, the ransomware acts quickly—taking between 18 seconds and 16 minutes to encrypt 1,000 files.

Ransomware software has two approaches to encryption. The simpler versions use the encryption functions that exist on Windows and Unix, including macOS and Linux. More sophisticated ransomware uses custom encryption implementations to bypass security software. “Off-the-shelf,” open-source projects offer packaged ransomware. No matter what type of ransomware attack, once files are encrypted, no one can decrypt them without the attacker’s decryption key.

After files are locked down, the ransomware presents a message (i.e., a ransom note) that tells users:

  • What has happened
  • How much to pay to undo it
  • Where to send the payment
  • What happens if the payment is not received

Ransom notes usually reveal the type of ransomware used for the attack. See examples of ransomware and related notes later in this guide.

The Ransom and Related Threats

The two main threats from ransomware attacks are that files will remain encrypted and that files will be made public. Sometimes these threats are used in tandem—pay the ransom or files will be shared—to encourage the organization to pay the ransom even if they have a backup of the encrypted files.

This tactic is particularly effective when customers fear losing private data or intellectual property. Ransomware often has a built-in timer to trigger notices that the ransom has increased or delete encrypted files.

Security experts and law enforcement agencies do not support paying ransom in response to a ransomware attack. According to the FBI, “It does not guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

However, as Stephane Nappo said, “It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” In addition to reputation damage, loss of productivity, and the ensuing business disruption, often motivates organizations to pay the ransom. Increasingly companies are adding ransomware insurance to their coverage portfolio. Whether paid for out-of-pocket or by insurance, payments are delivered with digital currency sent to an anonymous wallet.

Current Ransomware Threats

See below for a list of current ransomware threats. For more details on how a particular strain of ransomware works, download the Ultimate Guide to Ransomware.

  1. 1. Petya Ransomware

    • Discovered in March 2016
    • Morphed into NotPetya, which was released in June 2017
  2. 2. Ryuk Ransomware

    • Discovered in August 2018
  3. 3. MegaCortex Ransomware

    • Discovered in January 2019
  4. 4. Clop Ransomware

    • Discovered in February 2019
  5. 5. REvil Ransomware (a.k.a. Sodin and Sodinokibi)

    • Discovered in April 2019
  6. 6. DoppelPaymer Ransomware

    • Discovered in April 2019
  7. 7. Maze (previously known as ChaCha) Ransomware

    • Discovered in May 2019
  8. 8. TFlower Ransomware

    • Discovered in July 2019
  9. 9. Nemty Ransomware

    • Discovered in August 2019
  10. 10. NetWalker (a.k.a. Mailto) Ransomware

    • Discovered in September 2019
  11. 11. Zeppelin (previously Vega or VegaLocker) Ransomware

    • Discovered in November 2019
  12. 12. Ragnor Locker Ransomware

    • Discovered in December 2019
  13. 13. Tycoon Ransomware

    • Discovered in December 2019
  14. 14. Thanos Ransomware

    • Discovered in January 2020
  15. 15. Ekans Ransomware

    • Discovered in January 2020
  16. 16. Nephilim Ransomware

    • Discovered in March 2020
  17. 17. ProLock Ransomware

    • Discovered in March 2020
  18. 18. PonyFinal Ransomware

    • Discovered in May 2020

Considerations for How To Prevent Ransomware

Benjamin Franklin’s cautionary words still ring true, “An ounce of prevention is worth a pound of cure.”

When considering how to prevent ransomware, protection should focus on the essential asset in all organizations—content. Prevention must go beyond infrastructure protection. It needs to protect content wherever it resides, including PCs, desktops, mobile devices, file storage, and cloud applications.

Like all effective security, ransomware prevention must take a holistic approach and incorporate multiple tools and tactics to protect potential targets. Ransomware protection strategies should include:

  • Content protection
  • Identity management policies
  • Early threat detection
  • Compute layer security
  • Cybersecurity awareness and training
  • Continuity planning
  • Ransomware insurance

How to Prevent Ransomware by Protecting Your Content

Backup is at the core of any content protection plan. Systems should be backed up locally and using cloud storage. The cloud backups provide redundancy and add an extra layer of protection. While backups remain a crucial part of content protection, more must be done. The following best practices ensure that content survives a ransomware attack intact.

  1. 1. Backup Policies

    • Have multiple backups in case the last backup gets overwritten with encrypted ransomware files
    • Keep a backup of sensitive data offsite in data centers with strictly limited access
    • Separate backups from production systems—not connected to the computers and networks they are backing up
    • Backup frequently and provide granular rollback capabilities
  2. 2. Data Access Policies—for Internal and Remote Users

    • Limit access to areas where valuable data and content are stored
    • Enable or deny permissions by:
    • Account
    • User
    • Specific elements, such as date, time, IP address, or whether requests are sent with SSL/TLS
    • Use the principle of least privilege—only give users access to the accounts, systems, and data they require
  3. 3. How To Prevent Ransomware with Network Segmentation

    • Limit data access
    • Prevent lateral movement
    • Defend Active Directory
    • Segregate networks into distinct zones and require different credentials for each
    • Implement Dynamic Access Control in Windows
  4. 4. How To Prevent Ransomware with Encryption

    • Encrypt metadata to make it more difficult to identify types of data stored in different applications
    • Establish policies to encrypt data in transit and at rest
  5. 5. How To Prevent Ransomware with Logging and Versioning

    • Use versioning to enable preservation, retrieval, and restoration of data
    • Maintain access logs to provide an audit trail
    • Create restore and recovery points
  6. 6. Rights Management To Help Prevent Against Ransomware

    • Give users the lowest system permissions needed
    • Turn off admin rights for users who do not require them
    • Restrict write permissions on file servers
    • Set up roles that do not allow certain users to delete any data and enforce no-delete rules by requiring a code to delete any version of data

Preventing Ransomware with Identity Management Policies

Impersonation persists as the most common entry point for cybercriminals. Pretending to be a legitimate user makes it easier for cybercriminals to perpetrate malicious activities and harder to detect them. The following policies help reduce the risk of impersonation.

  1. 1. How To Prevent Ransomware with Strong Passwords

    • Establish policies that require complex passwords—the National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines suggests no fewer than eight characters, and passwords should use mixed case letters, numbers, and special characters (e.g., P@ssw0rd$) Mandate that passwords are changed regularly—as frequently as every month Implement a password management strategy
  2. 2. How To Prevent Ransomware with Multi-Factor Authentication (MFA)—Require It EVERYWHERE

    • Use this second validation or authentication method to provides another layer of protection
    • Enhance logins with a credential from a physical token, a personal smartphone, or a unique biometric signature
    • Ensure that even if an attacker gets their hands on a weak or stolen employee password, they cannot log in
  3. 3. How To Prevent Ransomware by Actively Managing Users’ Accounts and Applications

    • Eliminate accounts when an employee leaves, including access to:
      • Databases
      • Applications
      • Other repositories
    • Ensure that all keys are rendered unusable
    • Remove outdated or unnecessary programs from user devices
    • Ensure that all software and firmware on all devices are updated and patched automatically
  4. 4. How To Prevent Ransomware with Early Threat and Infection Detection

    Monitor and analyze systems to detect suspicious activity. This allows for preemptive threat neutralization. Stop threats before they become attacks with these solutions.

    • Utilize machine learning algorithms, bot detection solutions, and proxy analysis to detect and alert for unusual behavior—continuously
    • Identify abnormal file sharing
    • Monitor for anomalies, such as inconsistent file types
    • Flag file extensions that have changed or contain known ransomware signatures
    • Look for rapid, successive encryption of files
    • Detect known ransomware using a “signature-based” approach
    • Alert admins about irregularities
  5. 5. How To Prevent Ransomware with Entry-Point Protection

    • Prevent unauthorized access using perimeter controls, such as firewalls, secure email and web gateways, and intrusion prevention/detection systems (IPS, IDS)
    • Filter web content and block sites that may introduce malware
    • Block unknown email addresses and attachments on the mail server
    • Reject addresses of known spammers and malware
    • Deploy anti-virus, anti-malware, anti-phishing tools at the end-user and email-server level—and keep them up to date

How To Prevent Ransomware with Compute Layer Security

A secure compute layer ensures the availability of systems and data as well as keeps cybercriminals from using compute power to spread the ransomware further. Consider the following to reexamine and harden the compute layer, including mobile devices, and reduce attack surfaces.

  • Assess and secure remote entry points with endpoint security software installed on external devices, such as laptops and mobile devices
  • Apply software and OS patches as soon as they are available and keep service packs and patches up to date
  • Delete stale DNS to protect against DNS protocol attacks, such as DNS spoofing, DNS ID hacking, and DNS cache poisoning
  • Adjust hypervisor firewall rules to manage both ingress and egress traffic
  • Enable secure login to keep assets protected when users move across unsecured networks by issuing SSH keys
  • Deploy a VPN to protect connections between devices and the Internet
  • Implement SIEM solutions to monitor and log network activity, then analyze log and memory data identify unusual activity on the system to pinpoint an attack
  • Use a jump host (also known as a jump server) as an intermediary host or SSH gateway to a remote network when connecting to another host in a dissimilar security zone that is outside the firewall or in a demilitarized zone (DMZ)
  • Set up viewable file extensions to identify executables, such as a .exe, vbs, or .scr
  • Use Group Policy (in Windows) to block the execution of files from local folders
  • Scheduled frequent security scans
  • Uninstall PowerShell or, if it is required, track every single script that is running and monitor PowerShell closely with endpoint detection and response systems
  • Block vulnerable plugins, such as WordPress related ones
  • Limit Internet connectivity for highly-sensitive, critical data—in some cases, it may make sense to disconnect completely

How To Prevent Ransomware with Cybersecurity Awareness and Training Programs

Create a cyber-resilient organization with security awareness training to help employees learn to avoid ransomware and malware traps as well as recognize signs of an attack or potential attack. Invest in educational programs and regular training that teach employees about common ransomware delivery techniques and red flags. Consider the following recommendations for areas to focus on cybersecurity education and training.

  • Provide easily accessible channels for reporting and getting help with suspicious activity
  • Make it clear that anyone reporting suspicious activity does not have to be positive that a problem exists—better a false positive, since waiting until an attack is happening can mean responding too late
  • Remind users that ransomware preys on their inattentiveness and that no technology can protect a system like human vigilance
  • Teach users to recognize the signs of a phishing attack
  • Warn employees about clicking links or attachments that come within unsolicited emails
  • Stress the importance of examining links and attachments to make sure they are from a reliable source
  • Ensure that users know not to click on executable files or unknown links
  • Incorporate regular practical tests that entice users into clicking on would-be malicious links or downloads
  • Keep users apprised of the latest malware and ransomware attacks
  • Warn staff about the dangers of giving out company or personal information in response to an email, text, or phone call
  • Institute a policy never to use public WiFi

How To Prevent Ransomware with Red, Blue, and Purple Teams to Test Security

Simulated attacks help detect security weaknesses before cybercriminals do. Issues uncovered are often related to misconfigurations and coverage gaps in existing security products. When run with internal teams, the “attacks” also can enhance understanding and cooperation among the IT and security teams.

Red Teams

Red teams play offense. They are comprised of internal security professionals or consultants who are experts in attacking systems and bypassing defenses. They use real attack techniques to identify vulnerabilities across infrastructure, systems, and applications by performing vulnerability scanning and penetration testing. Red teams also ferret out weaknesses in processes and users’ behavior.

Blue Teams

Blue teams take defense. They are usually the analysts and engineers responsible for maintaining the organization’s security systems. Blue teams use a combination of threat prevention, detection, and response to thwart attacks by red teams. Blue teams receive no warnings about attacks and must react without preparation to demonstrate their defensive capabilities.

The Rise of Purple Teams

Red team assessments can help an organization identify its vulnerability to cybercriminals’ latest tools and tactics. These assessments help to improve threat hunting, monitoring, and incident response.

Unfortunately, red and blue teams often do not work together, since blue teams are mostly internal and red teams are consultants. In these cases, the blue team does not get continuous feedback or an opportunity to engage with the red team. This is a lost opportunity to improve overall operations rather than uncover issues.

Companies form purple teams that bring red and blue together to share insights and develop a feedback loop and knowledge transfer to resolve this. Purple has red and blue teams work for a common cause rather than as adversaries.

All organizations should consider red, blue, and purple teams a must-have regardless of size, industry, or resources.

How To Prevent Ransomware With Insurance

Another defensive move that companies are making to minimize the risk of ransomware is cyber liability insurance. Ransomware insurance is a cyber liability specialty insurance that offers damage protection should an attack occur. It protects businesses and related individuals.

Ransomware insurance is meant to reduce the financial burden of recovery after a ransomware attack—restoring data and dealing with stolen or leaked data. Also, while paying a ransom is frowned upon by security experts and law enforcement, ransomware insurance can cover that cost.

Ransomware Remediation

Remember the “five Ps”—Prior Planning Prevents Poor Performance. Have a plan in case a ransomware attack occurs. With ransomware, prior planning and the plan’s efficacy can determine an attack’s impact. Expedite neutralization and reduce the lifecycle of an attack by considering the following as part of remediation planning.

Remediation | Continuity Planning

A continuity plan plays a critical role in ransomware remediation. It should explain, in detail, what steps to take to resume operations as quickly as possible. The plan should include different responses based on threat levels. And, the plan should be tested regularly to incorporate updates and ensure preparedness.

High Threat Level Ransomware has been successfully deployed and poses a direct threat or suspicious activity points to an immediate threat.
Medium Threat Level Ransomware has been detected on an endpoint, but does not pose an immediate threat, or suspicious activity has been flagged for review to determine if it is a threat.
Low Threat Level Unwanted software, such as adware, has been detected. It can cause issues, including changing browser settings, redirecting search results, and displaying ads. The problem should be addressed, but it does not warrant an accelerated response.

For each threat category, develop an incident response team that will follow remediation guidelines based on the kind of ransomware attack and its severity.

First responses should include:

  • Block all affected user accounts to contain ransomware before it spreads
  • Identify every encrypted file
  • Trace the ransomware infection back to its source
  • Analyze the extent of the damage
  • Consider remediation options

Common Post-Ransomware Attack Mistakes

Review these common mistakes in handling a ransomware incident to help avoid them.

  1. 1. Restarting Infected Devices

    A restart could result in retaliation. Often, ransomware detects attempts to reboot and penalizes victims. These penalties include corrupting the device’s Windows installation so that the system will never boot up again and deleting encrypted files at random. Also, rebooting clears the machine’s memory, eliminating information that could be useful for future analysis. It is best to put the system into hibernation, so all data saved in memory.

  2. 2. Connecting to External Backup Systems and Storage Devices

    This gives the ransomware access to even more content. Only connect to backup systems and storage devices after neutralizing the ransomware.

  3. 3. Communicating on a Network Impacted by Ransomware

    Depending on the strain of ransomware, attackers could intercept communications sent or received on a compromised network. Until remediation is complete, use alternate networks or communication channels.

  4. 4. Never Delete Files During a Ransomware Attack

    Some ransomware includes decryption keys in the infected files. If the file is deleted, the key is too, and the file cannot be decrypted. Also, files can contain information that is helpful for attack analysis.

What to Do after Ransomware Detection

  1. 1. Isolate Systems Impacted by the Ransomware

    Prevent the ransomware from spreading by disconnecting all infected devices from each other, shared storage, and the network—both wired and WiFi. This disconnection must be automated. When an infection is identified, infected files isolated should be automatically isolated, and any suspicious executables removed.

    Also, remember the ransomware may have entered through multiple systems, and some of the ransomware may remain dormant. In the case that ransomware is detected, all connected and networked computers should be scanned.

  2. 2. Identify the Ransomware Strain

    Generally, ransomware can be identified by the message that it presents. Understanding the type of ransomware used in the attack reveals propagation methods and targeted files. Knowing the strain of ransomware can also help select the best options for remediation.

    It is also essential to determine if the ransomware includes persistence mechanisms. In this case, after the ransomware process is stopped, it will reactivate after a period of time or after a reboot. Knowing if the ransomware utilizes persistence mechanisms is critical. Without this knowledge, remediation is undermined.

  3. 3. Trace the Ransomware Attack

    Identifying the entry point of ransomware helps track its spread and, potentially, stop it. The attack can be traced from the last modified user account with information found in audit logs. Work backward, being sure to include remote users and partners to find the point of origin.

  4. 4. Report the Ransomware Attack to the Authorities

    Many compliance regulations require disclosure in the event of a breach. A ransomware attack is considered a breach that must be reported to regulatory and law enforcement agencies. The FBI’s Internet Crime Complaint Center should be alerted immediately, followed by local law enforcement. Disclosures to law enforcement help them track down the individual or group behind the ransomware attack and prevent future attacks.

  5. 5. Assess the Impact of the Ransomware Attack

    Before launching into defensive and corrective action, stop to assess the damage and understand the situation in its entirety. Then, armed with information, make decisions about remediation.

3 Ransomware Recovery Options

Ransomware recovery options come down to three choices.

  1. 1. Pay the ransom

    As noted earlier, this is not recommended by security experts or law enforcement agencies. However, in some circumstances, it is the best of bad options.

  2. 2. Attempt to remove the ransomware

    Some ransomware can be neutralized with a decryptor that has been created using information from prior attacks. For newer ransomware, the likelihood that a decryptor is available diminishes. Even with a decryptor, security experts question if it is even possible to delete the ransomware.

  3. 3. Reinstall from the last clean point

    Starting from a clean point is generally accepted as the best solution to remedy a ransomware attack. However, according to a Forrester survey of IT infrastructure and operations decision makers, 54% responded that their backups are fragmented. Even when backups are pristine, the disruption caused by an organization-wide rollback increases exponentially with users’ numbers. A surgical rollback approach should be taken to reduce the impact and cost of the ransomware attack. Infected machines only should be rolled back to the last point in time before the attack.

Notify Affected Customers After Ransomware Attack

Regardless of how unpleasant it is, sometimes, legal and compliance regulations require that customers be notified about a ransomware attack. If notification is needed, promptly explain the situation and the remediation plans. Expediency and transparency are always the best approaches and give customers confidence that the organization has the matter under control.

How to Prevent Ransomware Recurrence

When the ransomware has been neutralized, and business operations are back to normal, the next round of work begins. A full assessment must be completed to understand how the ransomware entered, was activated, and what it did. This will help prevent future attacks. Red, blue, and purple teams are great resources to help with the ransomware attack analysis.

How To Prevent Ransomware with Monitoring and Maintenance

The prevention best practices outlined previously should drive monitoring and maintenance. These include:

  • Content protection
  • Identity management policies
  • Early threat detection
  • Compute layer security
  • Cybersecurity awareness and training
  • Continuity planning
  • Ransomware insurance

Monitoring and maintenance should encompass both systems and content. Regular monitoring is mandatory, since ransomware does not adhere to a schedule. Smart, continuous backup is also a must and should provide the capability for nuanced rollbacks—by the user and by a specific time—to minimize data and productivity losses.

How To Prevent Ransomware By Being Proactive

A proactive approach to ransomware prevention can significantly reduce the risk of infection. However, in the event of a ransomware attack, planning is the best front-line defense. Effective response procedures expedite containment of the incident, prevent data loss, and streamline the recovery process.

When assessing security as it relates to ransomware, remember content protection and governance. Machines can be replaced. Critical content cannot. Securing content and proving granular access if a rollback is required ensures business continuity after a ransomware attack. The Egnyte platform provides proven content security and data governance solutions to help organizations beat ransomware.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Get started with Egnyte.

Request Demo

Last Updated: 16th November, 2020

Share this Page
Additional Resources
Poor Data Governance Cost Capital One $80M
Poor Data Governance Cost Capital One $80M
Learn from Capital One’s example about why data governance is so important.
Learn More
Anatomy of a Ransomware Attack
Anatomy of a Ransomware Attack
How do ransomware attacks work? Read more in this post.
Read Now
Fundamental Steps to Prevent Ransomware
Fundamental Steps to Prevent Ransomware
Discover how you can protect your business from ransomware attacks.
Learn More
Contents
  1. How Ransomware Works
  2. How To Prevent Ransomware By Minimizing Entry Points
  3. How To Prevent Ransomware That Attacks Profiles
  4. Current Ransomware Threats
  5. Considerations for How To Prevent Ransomware
  6. How to Prevent Ransomware by Protecting Your Content
  7. Preventing Ransomware with Identity Management Policies
  8. How To Prevent Ransomware with Compute Layer Security
  9. How To Prevent Ransomware with Cybersecurity Awareness and Training Programs
  10. How To Prevent Ransomware with Red, Blue, and Purple Teams to Test Security
  11. How To Prevent Ransomware With Insurance
  12. Ransomware Remediation
  13. Common Post-Ransomware Attack Mistakes
  14. What to Do after Ransomware Detection
  15. 3 Ransomware Recovery Options
  16. How To Prevent Ransomware By Being Proactive