Much of the ransomware rhetoric these days comes from the action movie school of cyber security thinking. Let’s fight back against attackers, let’s trace them through cyberspace and steal back the ransom, let’s (gasp) levee political sanctions. While these responses make good stories, they don’t do much to stop any ransomware attack or even to greatly discourage attackers. There are two flaws with these dramatic approaches: they are responses, not proactive protections; and they miss the forest for the trees, concerned with specific attack parameters rather than general indicators.
Successful approaches to prevent ransomware are sadly less dramatic and make for boring tales. They sidestep the spy-vs-spy approaches of identifying bad guys and isolating specific tactics and attack vectors. They are based on the essential features of malware attacks and basic system security practices. They are about as exciting as brushing your teeth, and similarly effective.
There are two essential features to a successful ransomware attack: 1) The bad guy gets in. 2) The bad guy encrypts your data. So, let’s think about things that prevent any bad guy from getting in and from encrypting your data.
Most bad guys get in by stealing credentials, generally through phishing. Stolen credentials are largely useless if a system has implemented multi-factor authentication. The credential is only one required factor, the attacker would need access to another (often the user’s cell phone) to gain access using that credential. This ups the difficulty of attack significantly, requiring close access to the compromised user, and relying on the theft of the phone going unnoticed for sufficient time to mount the attack. This is the stuff of a good spy movie, but not the game of an attacker-for-profit. Multi-factor authentication products are easy to find and relatively cheap. Anyone concerned about ransomware can reduce the odds of being attacked by taking this baby step toward securing their systems.
To encrypt your data, bad guys need to execute an unauthorized command on your system, a command that is not generally expected to be called. Any end point protection system that is not signature-based would prevent any command of that type from executing, regardless of the attacker’s particular tactics. So, the second step to reduce the odds of being a victim of ransomware is to install a behavior-based end point protection system. There are several on the market, and though slightly more complicated to implement than multi-factor authentication, they are well within the reach of most consumers.
Data protection, in particular data backup and self-healing data distribution mechanisms is the third thing to consider when protecting yourself from ransomware. These protections enable an enterprise to continue operation even if part of the data is compromised by a data attack. However, they are more complex than the two protections discussed above and can impact daily operations. They certainly should be seriously considered by high-risk enterprises with critical requirements for uninterrupted operation but may not make sense for many enterprises.
Once we start thinking about protecting against ransomware as a good system management problem and not as the plot of an action movie, it becomes clear that there are some simple protections to employ to greatly reduce your risk of being a victim of ransomware. They are not guarantees, but they do make the attacker’s job harder. And unless you are a very special target worth the attention of a very persistent adversary, the attacker will move on to easier prey.