Ransomware is a malicious program that is installed on a workstation or server which then encrypts the files until a sum of money (“ransom”) is paid to the malicious actor who installed the program. At Coalition, we want to help prevent these types of attacks which occur so frequently in our Cyber world today.
Gaining popularity in 2018, many ransomware infections are also installing a “banking trojan” onto the system prior to the ransomware payload. A banking trojan is a type of malicious computer program that grants the malicious actor with access to information on a system. The typical capabilities of banking trojan’s can include harvesting all network passwords from a system, capturing passwords stored by web browsers, intercepting network traffic, stealing banking credentials entered by an end user, capturing credentials and data from email clients, and spreading through a client environment similar to a worm. Many of these trojans are polymorphic in nature, which means constantly changing and very hard to detect and eradicate via typical antivirus methods. Prevention is the best method when dealing with these trojans.
Timeline of ransomware attack
Ransomware - Preventative Measures
- Do not expose Remote Desktop Protocol (RDP) or File Sharing Ports (SMB) to the Internet.
- User training. It is extremely important to train the end user in order to prevent clicking of links and attachments in phishing emails.
- Adding 2-factor authentication (or disabling) any external connection into the environment (RDP, ScreenConnect, LogMeIn, etc.)
- Disable SMBv1 and use SMBv2 if needed
- Disable Windows PowerShell on any endpoint where it is not utilized
- If possible, block foreign IP address traffic on the firewall (inbound and outbound)
- Disable stale accounts in Active Directory
- Do not reuse passwords between user accounts
- Ensure all software is tested before pushing to workstations
- Ensure systems are upgraded as soon as support reaches end of life
- Create and test offsite/cloud backups (create login credentials to the backups utilizing a difficult and hard to guess username and password. Often we find clients using “Admin” with a default password which is extremely easy to guess for a malicious actor).
- Follow the principle of least privilege. Limit the access rights of users to ensure users are not administrators on the systems if not necessary.
As always, Coalition is here to help you on your way. Please reach out to us for additional information!