Of all the malicious threats in circulation, ransomware is the one capable of driving any PC user to the depths of despair. Initially targeting individual PC users, ransomware is now hitting much bigger targets, often bringing government agencies, hospitals, and businesses to their knees. If organizations want to avoid a ransomware infection, they have to make sure no malicious code reaches their networks. However, knowing how to reduce the damage as much as the situation allows when disaster strikes is just as crucial. How should businesses react to an already ongoing ransomware infection, though?
Where to Look
To spread malware, cybercriminals examine targeted PCs searching for weak spots to exploit. Ransomware attacks usually deploy three infection vectors – malicious email or malvertising, drive-by downloads, or remote access. Therefore, if your organization has just fallen victim to such an attack, the chances are that it has come from one of those three routes and each of them should undergo a thorough examination.
Note! Regardless of the route a ransomware attack has used to sneak into your organization's network, you should always trace where it started: was it one networked PC or several, and has it already made any lateral movement? If so, the cryptovirus may already have spread over a significant portion of the network. You must:
- Detach any infected computer(s) from the network and turn off all network adapters.
- Replace the infected hard drives with new ones to ensure clean OS installation.
- Perform a thorough network checkup to fix potential weaknesses.
- Apply the necessary OS and software patches and adopt a multi-pronged security policy to provide greater protection against future attacks.
The Spam Effect
The distribution of ransomware by embedding its code in email attachments is as widely used a method now as it has always been. So, unless your organization has set up a robust filtering system capable of blocking suspicious attachments, it may be highly susceptible to a ransomware infection. The same goes for web browsing as the lack of a proper filter may lead employees to potentially dangerous, malware-ridden sites. To reduce the risk of triggering an infection this way, set up a system of mail filters and proxy blockers.
To initiate a drive-by attack, the malware actors inject malicious code directly into a website. All a successful attack needs is an untrained employee using an out-of-date web browser. The latter is very likely to contain an unpatched security hole, and the malware will undoubtedly take advantage of that circumstance. That's why patching the browser on a regular basis is key to maintaining safe browsing.
Cases of ransomware attacking PCs running Microsoft's Remote Desktop Protocol (RDP) service have become increasingly common recently. The notorious CMB Dharma ransomware plagued PC users with an open 3389 port for months by exploiting this weakness alone. Unlike spam-based distribution, RDP-based infections are much more straightforward to carry out: they rely on a brute-force attack against the server's login credentials. If it succeeds, the attacker gains administrator rights, including the ability to disable endpoint protection before smuggling the ransomware in through the RDP hole. The number of PCs running Microsoft's RDP ranges between 2 and 3 million every day, and all of them are potential targets of a ransomware attack unless adequately protected. Such protection requires employees to use a Virtual Private Network (VPN) and apply Two-Factor Authentication (2FA) every time they need remote access to the organization's computer network.
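As an added example (not code from the original article), here is defender-side detection logic for the RDP brute-force pattern described above: it scans constructed failed-logon records shaped like Windows Security event 4625 with logon type 10 (RemoteInteractive) and flags any source address that fails repeatedly within a short sliding window. The record layout, field order and thresholds are assumptions of this example, not a fixed Windows schema.

```python
"""Flag RDP brute-force sources from failed-logon records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, user, source_ip).
# Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
# One source hammers several accounts within seconds; one user simply mistypes.
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-03-01T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2024-03-01T02:00:04", 4625, 10, "backup", "203.0.113.7"),
    ("2024-03-01T02:00:06", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-03-01T02:00:08", 4625, 10, "sqlsvc", "203.0.113.7"),
    ("2024-03-01T02:00:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-03-01T09:15:00", 4625, 10, "jsmith", "198.51.100.20"),
    ("2024-03-01T09:15:20", 4624, 10, "jsmith", "198.51.100.20"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: (failed_count, distinct_users)} for every source
    that produced at least `threshold` failed RDP logons inside any `window`.
    Only event 4625 with logon type 10 is considered; everything else is noise
    for this purpose. Events are processed in timestamp order."""
    hits = {}
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, user)
    for ts_str, event_id, logon_type, user, src in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue  # keep only failed RemoteInteractive (RDP) logons
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            # Password spraying shows up as many distinct users per source.
            hits[src] = (len(q), {u for _, u in q})
    return hits


if __name__ == "__main__":
    for src, (count, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {count} failed RDP logons, accounts tried: {sorted(users)}")
```

A single mistyped password (198.51.100.20) never reaches the threshold, while the spraying source (203.0.113.7) is reported with the accounts it tried; in practice the same logic is fed from an exported Security log or a SIEM query rather than an inline list.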