Ransomware is a particular form of endpoint malware that suddenly or surreptitiously encrypts some or all of the data on a victim's computer and demands payment for restoration or keys to decrypt it.
Ransomware is most often targeted against endpoint computer systems, such as Windows or Mac OS laptop or desktop systems. Most ransomware aims to capture high-value data, encrypt it in place, and remove the original data, thus opening an opportunity for a ransom demand in order for a user to get their data back. While it is possible for ransomware to encrypt data on shared file systems or server platforms, the most common pattern of ransomware is to operate on a single endpoint system. It is very rare for the infection to be on a server system itself.
The most common way that endpoints become infected by ransomware is through their end users. End users are often tricked into running ransomware on their local computer after opening an attachment or link that they received via email. These emails and their links and attachments look legitimate and are often difficult to detect until the recipient has taken action and activated the ransomware. These emails may appear to have been sent by a known or trusted third party who would not normally raise suspicion. The attachments within the email may appear as normal Word documents, spreadsheets, PDFs, or any other standard file type that would be expected via email.
Because ransomware can become harmful before it has the chance to be detected, Alert Logic® strongly encourages all customers to implement security protection in a layered approach. This will help prevent or mitigate the impact of malware such as ransomware. Customers can take these following steps to help keep their systems safe from ransomware attacks.
All endpoints should have some form of endpoint security designed to protect against ransomware. These include anti-malware or antivirus software. Most antivirus solutions today have signatures for preventing many ransomware variants and frequently release signature updates to keep current with the latest threats. Further, behavior-based HIPS (Host Intrusion Prevention System) software can be deployed on endpoints for even greater security protection against emerging threats for which antivirus signatures have not been created.
Application whitelisting software is another viable option for protecting endpoints in tightly controlled environments. If your employees are already using closely managed systems for other reasons, such as compliance or loss reduction, these same controls that prevent unauthorized modification or installation of unapproved software can be effective in blocking ransomware.
As ransomware is commonly distributed via email, email security processes or filtering may help to prevent users from receiving emails with suspicious links or attachments. Email security protocols can also notify users of potentially malicious content and block attached files containing malicious payloads.
Windows domain Group Policy has become a popular method of ransomware prevention. Group policies can be configured to prevent executables from launching from many of your directories.
Ransomware often takes the form of malicious Microsoft Office documents housing embedded malware. Typically, these kinds of malicious documents will have macros that execute their harmful code. By default, Microsoft Office does not let the macros run automatically, but the system does give users the option to enable macros in order to see the content in the document. Disabling macros in Microsoft Office is a viable way to keep end users from innocently opening malicious ransomware. Macros in Microsoft Office can be disabled in various ways: completely, from non-signed or non-trusted sources within the Microsoft Office applications, or throughout the enterprise using group policy.
NOTE: Disabling macros within Microsoft Office will only help to prevent ransomware that comes in the form of Microsoft Office documents. There are several other file types and forms that ransomware can take.
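As an added example (not part of the original article or Alert Logic's tooling), the following PowerShell audits and applies the Office macro policy described above through the registry values that the corresponding Group Policy settings write. It assumes Office 2016/2019/Microsoft 365 (policy path `16.0`); older Office versions use a different version number in the path.

```powershell
# Audit or apply the Office macro policy via the local policy registry keys.
# Assumption: Office 2016/2019/Microsoft 365 policy path ("16.0").
$Apps = 'Word', 'Excel', 'PowerPoint'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default
# when no policy is set), 3 = disable except digitally signed,
# 4 = disable all without notification.
$VbaMeaning = @{ 1 = 'Enable all macros (unsafe)'; 2 = 'Disable with notification';
                 3 = 'Disable except digitally signed'; 4 = 'Disable all, no notification' }

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $web = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        $vbaText = if ($null -eq $vba) { 'not set (user may enable macros)' } else { $VbaMeaning[[int]$vba] }
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $vbaText
            BlockInternetMacros = ($web -eq 1)
            # Compliant here means: only signed macros or none at all, and
            # macros in files downloaded from the internet are blocked.
            Compliant           = ($vba -in @(3, 4)) -and ($web -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    # 3 = signed macros only (default here), 4 = block all macros silently.
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Report the current state; run Set-OfficeMacroPolicy to enforce signed-only macros.
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Writing under `HKCU:\Software\Policies` sets the policy for the current user only; enterprise-wide enforcement is done with the equivalent Group Policy setting, which writes the same values.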
Most ransomware today is distributed through either email spam delivered to untrained users, or as personally crafted messages to specific users. This distribution technique works so well because it exploits the natural curiosity of end users rather than a computer system. One of the strongest lines of defense against ransomware infection is user education and awareness. Training your employees to treat emails with links and attachments as suspicious is key to ransomware prevention.
While endpoint security should be your primary protection against ransomware, a network intrusion detection system (IDS) is helpful where endpoint protection has failed. Network detection can identify an infection quickly, before all files are encrypted, and can help block the spread of the ransomware to other clients or shared data repositories. Detection and fast response to mitigate the effects of an infection are not the same as prevention, however. Detecting suspicious traffic generated by a ransomware infection means that an infection is already in progress.
For Windows systems, Alert Logic recommends ingesting PowerShell logs. Alert Logic has various security content that can help detect indicators of ransomware within your environment.
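As an added example (not Alert Logic's own content), the following PowerShell turns on script block logging through the registry value that the corresponding Group Policy setting writes, then pulls the resulting events (ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and flags entries carrying common loader indicators. The indicator list is an assumption of this example, not a vendor signature set.

```powershell
# Enable script block logging (requires an elevated session) so that every
# script block PowerShell executes is written to the Operational log as event 4104.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
}

# Illustrative indicators (assumption of this example): encoded or downloaded
# payloads and shadow-copy deletion are frequent in ransomware staging.
$Indicators = 'FromBase64String', '-EncodedCommand', '-enc ', 'DownloadString',
              'Invoke-Expression', 'vssadmin', 'wbadmin', 'Delete Shadows'

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'
                 Id        = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        $hits = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Indicators    = ($hits -join ', ')
                Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Enable-ScriptBlockLogging
Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Forward the same Operational log to your log collector so the 4104 events are available for correlation beyond the endpoint.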
In order to mitigate the harm caused by ransomware, you are encouraged to maintain endpoint and network intrusion detection such as Alert Logic ActiveWatch™. It is also important to maintain backups of all data and to follow best practices for periodically testing recovery processes and services.
While Alert Logic does not recommend paying ransom demands, paying is a response option that some victims have taken in order to recover their data. Financially engaging with criminal actors is extremely unpredictable. In some cases, payment results in restoration of all or some data. In many other cases, however, data is lost despite payment.
Rather than pay a ransom, it is highly recommended that customers contact Alert Logic. Our Security Operations Center can guide you through a response plan and help you take action to contain any active ransomware activity. If you find yourself affected by ransomware, remediation activities may include identifying the command-and-control (C2) communications through Alert Logic detection and analysis services, blocking communications to and from the affected systems, restoring affected systems from backup, and quarantining the ransomware automation using endpoint protection software.
Recovering data after ransomware has infected an endpoint will be much easier if you back up your data. Ensure that backups are made to systems that are only available through the backup process, or that long-term backups are protected by being offline during normal business. Good backups can enable almost complete recovery of data assets, even in the worst case.
It may also be possible to recover data using decryption tools for the specific ransomware automation, if available.
What to Do When You're Infected by Ransomware
While Alert Logic does not provide primary detection and committed coverage for ransomware attacks, our products will detect ransomware incidents under some conditions. We provide coverage for the most aggressive ransomware variants that have a discernible pattern of network activity. Alert Logic partners can provide assistance with mitigation, response, and recovery actions.
Alert Logic ActiveWatch and Alert Logic ActiveWatch Premier™ customers can contact our Security Operations Center at 877.484.8383 (Option 2) if they feel that their data has been compromised by ransomware so that quick action can be taken to mitigate any harmful effects.
If you receive an incident for ransomware from Alert Logic, it is likely that the infection is already active in your environment. Quick action can help to contain propagation to other endpoints. Review your endpoint protection logs and have them available to you as you engage with the Security Operations Center to contain the outbreak. It is extremely important that you take immediate steps to isolate the affected endpoints from accessing the rest of the network.
ActiveWatch and ActiveWatch Premier customers victimized by ransomware that did not receive an alert or escalation from Alert Logic should contact the Security Operations Center immediately. ActiveWatch and ActiveWatch Premier services may provide a basis for beginning an investigation. While the ransomware may not be covered directly by our detection capabilities, we can still provide you with guidance regarding containment and remediation.
How Alert Logic Can Help
Alert Logic provides network and data center focused security services, as well as endpoint protection, which is typically the first line of defense against ransomware.
Alert Logic services can identify the presence of, reduce the risk of, and mitigate the spread of ransomware. The Alert Logic network IDS with ActiveWatch™ may identify outbound C2 communications of ransomware software or related network activity, but only after it has become active. This includes general types of ransomware communications, for those ransomware types that communicate on the network prior to doing damage (not all do), and the propagation of malware within an organization in a large-scale incident. Quick action can help to contain the damage.
Alert Logic log management may expose long-term activity after a successful attack and may help to document the breadth and depth of an incident. This may be useful in investigating, remediating, or preventing reinfection.
Cloud Defender is a protection suite focused on computing infrastructure and includes multiple technologies that allow customers visibility into their network, system, and application layers from multiple vantage points. The suite delivers a platform for monitoring log, packet, and application data for suspicious activity that may lead to the discovery of ransomware attacks against an organization. Further, the Security Operations Center notifies customers within the shortest time frame possible to assist with remediation. Alert Logic has specific detection capabilities for specific types of ransomware, based on observable behaviors.