Yes, you can protect yourself against ransomware (e.g. CryptoLocker and others), but you have to prepare ahead of time.
To protect yourself from ransomware, you need to do these four things well:
- Protect your systems, guest systems and networks so the ransomware never gets into your environment.
- Detect the presence of it.
- Respond/recover in the event it still gets in.
- Remove all copies of the malware.
Often we hear from people who have implemented and deployed "fill in the blank" next generation firewall and believe they are protected. Well, that's a yes and no. You can be protected, but only if you adhere to best-practice security principles, enable all the protective capabilities of the next generation firewall, and make sure that no traffic bypasses the firewall (including mobile users, USB sticks, etc.). Installing a next generation firewall in and of itself will NOT protect you from ransomware.
Let's first understand a little about how ransomware works:
- You have to get the malware onto a computer or server.
- It has to run on a computer.
- It then encrypts files it has access to with your credentials/access rights (including network shares!). It may also lock the computer.
- It then notifies you of the financial demands and you have limited time to respond.
- If you don't respond and have no recovery copies, the files are effectively gone: still on disk, but encrypted and unreadable.
So, you need to:
- Keep it from getting on your computer.
- You need to notice its demands (this can be challenging if someone is out on vacation while the clock is ticking).
- You then either need to pay or restore your files from some point before they were encrypted.
The best defense is strict protection that prevents the ransomware from getting into your environment in the first place. The easiest ways for it to get in are Email and/or web downloads. USB sticks and existing botnets can also be used.
Strong protection means:
- Email has multiple layers of AV protection in place.
- Email has zero-day protection methods in place including very frequent updates and some kind of sandbox solutions to test attachments and links for bad behavior.
- Network firewalls have strong UTM including AV, IPS and zero day protections along with enabling frequent dynamic updates.
- NOTE: Firewalls can only inspect what they see; encrypted traffic is a great way to blind normal firewalls, and on average over 30% of traffic is encrypted.
- Because of this, you need to seriously consider decryption on devices that are capable of doing it.
- Allowing personal Email access is a great and common way to circumvent strong corporate Email protection.
- Strong/current endpoint protection with central management is essential (however, any endpoint without protection can still harm network shares for everyone).
- Reviewing access control and folder share permissions on network shares (whatever you can see, ransomware running with your credentials can potentially see too!).
- Keeping firewalls, email servers, IPS solutions and endpoints all up to date with patches and updates.
- You must control all devices that join your wired/wireless networks (NAC is a great way to address this).
- Making sure that USB and other removable devices are strongly controlled.
- Making sure that there are no botnets already present that can be used to install ransomware.
NOTE: Keep in mind that most firewalls are, at best, inspecting 60% of the traffic, assuming you implemented policies correctly. Firewall policy review by professionals is mandatory to make sure that all policies have active protection set, that decryption is in place where desired/needed, and that strong policies restrict network access for applications that can circumvent corporate protections (e.g. Skype).
Time is of the essence with detection. Granted, the goal is to extort a payment, so in most cases someone will be notified. However, I've heard of cases of people being on vacation or otherwise unable or unwilling (scared) to report the problem.
Bottom line: it's not inconceivable that it will go undetected past the payment date. There are solutions that can sweep through desktops, servers and/or network shares to look for the remnants of ransomware after it has done the encryption. Given the possibility of not detecting it soon enough, and the business cost of lost file access and recovery points, detection, while not a deterrent, is good to have. Since ransomware usually communicates outbound to get a unique private key, it can be possible to detect that outbound request. However, detection in the case of ransomware has limited use beyond making sure somebody notices and rallying the recovery team quicker.
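The after-the-fact sweep for remnants described above, as an added Python example that is not part of the original post: it walks a share tree and flags directories that hold a ransom-note-like filename or a mostly high-entropy set of files with unexpected extensions (the usual trace of an encrypted tree). The extension list, the note-name fragments and the sample folder it builds are constructed assumptions for the demo, not real indicators.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions normally present on this share (assumed for the example).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv"}
# Ransom-note name fragments; constructed for the example, not real indicators.
NOTE_HINTS = ("decrypt", "ransom", "recover_files", "restore_your")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(path, sample=4096, threshold=7.5) -> bool:
    # Only the first `sample` bytes are read so a large share scans quickly.
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample)) >= threshold

def scan_share(root, min_files=4, ratio=0.5) -> list:
    """Flag directories holding a ransom note or a mostly-encrypted file set.
    Only files with an unexpected extension are entropy-tested: .docx/.jpg are
    compressed and score high on their own, so they would cause false alarms."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        note, encrypted = None, 0
        for name in filenames:
            path = Path(dirpath) / name
            if any(h in name.lower() for h in NOTE_HINTS):
                note = name
            elif path.suffix.lower() not in KNOWN_EXTENSIONS and looks_encrypted(path):
                encrypted += 1
        total = len(filenames)
        if note or (total >= min_files and encrypted / total >= ratio):
            findings.append({"dir": dirpath, "note": note,
                             "encrypted": encrypted, "total": total})
    return findings

def build_sample_share() -> str:
    """Constructed test data: one untouched folder and one 'encrypted' folder."""
    root = tempfile.mkdtemp(prefix="share_")
    clean, hit = Path(root, "finance"), Path(root, "hr")
    clean.mkdir(); hit.mkdir()
    for i in range(4):
        (clean / f"report{i}.txt").write_bytes(b"quarterly figures, plain text\n" * 50)
        (hit / f"contract{i}.docx.locked").write_bytes(os.urandom(4096))
    (hit / "HOW_TO_DECRYPT_FILES.txt").write_text("constructed ransom note")
    return root
```

Run `scan_share("/path/to/mounted/share")` from a clean host against a read-only mount; tune `KNOWN_EXTENSIONS` and the thresholds to the share's real content before trusting the ratio test.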
Two Choices after the fact
Once ransomware has encrypted the files, you have only two realistic choices:
- Recover files from before the event occurred and files were encrypted
- Pay the ransom
There is no third option: for all the serious ransomware out there, you will not reverse engineer the encryption key in time.
Regardless, it's good practice to have multiple backups. NOTE: You need to keep those backups, or at least additional copies, off network shares and off shares mounted with the same credentials. Even cloud backups that sit on mounted drives are susceptible. You need backups that are secure, and you need them frequent enough to keep the loss of changes minimal.
If ransomware appeared, you still have to scan for it and remove it from all systems and file servers. Removal is a necessary step of recovery and prevents additional incidents from the same infection.
The best strategy for ransomware and malware of any kind is to protect as much as you can. Even if it isn't ransomware, malware can silently exfiltrate your most sensitive or valuable data. Detection without strong protection means the loss or theft still happens. Protection is of utmost importance. I also believe that ransomware will mutate and become more persistent; it's not hard to imagine that we could see multiple demands from the same infection, extorting money once a day. It's just a matter of mutating into sleeper zombies. That's just too time consuming and disruptive for time-sensitive files; enhanced protection is necessary.