Ransomware is a class of malware that is divided into many families. It operates, as the name suggests, by removing access to your computer, either by locking your workstation or by encrypting your files, and only offers to return the system to your control if you pay the ransom.
There are two main ways in which ransomware works – the most common contemporary method is to encrypt your important files (either on your hard disk or network drive) making them unreadable to normal programs; less commonly, the malware will lock your workstation so that you can’t even log in.
There are a number of ways that you can be infected. Chiefly, it is by running an authentic-looking executable attached to an email, most commonly themed as a shipping notice from a delivery company. Slightly less common (but no less of a real threat) is a link to an apparently genuine website – known as a ‘drive-by download’ – that is either a fake version of a real website, or a real website that has been compromised, where a pop-up asks you to install some software. Thirdly, a compromised website (or HTML email) may silently install the malware on your computer using a vulnerability in your operating system that has not been closed because vendor-recommended security patches have not been installed. A fourth route may be via bundled software – for example, downloading ‘Chrome.exe’ from somewhere other than Google might install malware.
Ransomware effectively relies on fear – a warning message that your computer has been infected (and that you may have been indulging in illegal activities) may prompt a panicked action to pay the ransom or run another executable, leading your system to become further infected with other viruses.
A security appliance (such as a WatchGuard device), if configured correctly, will help prevent a malware infection by blocking the software from connecting to its control server – the software requires this connection to store the decryption key on the criminal’s server. In addition, the appliance will prevent connections to websites based on categorisation or reputation.
AV software will attempt to protect your system from ransomware (and other viruses) by recognising malicious files on your system before they are run.
As mentioned earlier, some malware can install itself by using known vulnerabilities in your computer’s operating system. The software providers will likely know about these vulnerabilities and will have released a security patch to prevent attempted exploitation. Ensuring that your systems are up to date with the latest vendor releases is a key method of reducing ransomware incidents.
Ensure that users do not have rights to install software. This is easily controlled within an enterprise environment, but can be done at home as well: if a user does not have rights to install software, the chances of the ransomware installing successfully are reduced. Additionally, prevent macros from running within Microsoft products by default, only allowing them to run if the source is trusted.
Control Removable Media Access
Whilst this is not as common a route for infection, consider preventing removable media devices from being used where possible. Detailed information can be found on the UK Government’s National Cyber Security Centre website.
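The two controls just described (macros off by default unless the source is trusted, and removable media blocked) are both applied on Windows through registry-backed policies, together with a check of who holds local administrator rights. The script below is an added example written for this page, not code from the original article or from any vendor. It assumes Office 2016 or later (policy hive "16.0"), a single workstation, and that it is run from an elevated PowerShell session; in a domain the same settings should be delivered through Group Policy so that they are enforced centrally rather than set per machine.

```powershell
# Added example, not from the original article. Applies the controls discussed
# above on one Windows workstation using the registry keys that Group Policy
# would otherwise set. Assumptions: Office 2016/2019/365 ("16.0" policy hive),
# run as an administrator, Windows 10 / Server 2016 or later for
# Get-LocalGroupMember.

$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Macros: VBAWarnings = 3 means "disable all macros except digitally signed",
#    i.e. only a trusted (signed) source may run. blockcontentexecutionfrominternet
#    additionally blocks macros in files that arrived from the internet or as
#    email attachments (files carrying the Mark-of-the-Web), regardless of signing.
#    These keys are per user (HKCU), so apply them for each user profile or via GPO.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $security = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue -Path $security -Name 'VBAWarnings' -Value 3
    Set-PolicyValue -Path $security -Name 'blockcontentexecutionfrominternet' -Value 1
}

# 2. Removable media: the policy "All Removable Storage classes: Deny all access".
Set-PolicyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                -Name 'Deny_All' -Value 1

# 3. Installation rights: a user who is a local administrator can install
#    anything, so list the group members and remove ordinary users from it.
Write-Output 'Members of the local Administrators group (review and trim):'
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize
```

After running it, open a document with an unsigned macro from an email attachment to confirm the macro is blocked, and plug in a USB stick to confirm it is not mounted; the policy values can be inspected afterwards with Get-ItemProperty on the same paths.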
Important files should be backed up regularly, preferably using the 3-2-1 rule. That is, 3 copies of the files on 2 different devices and at least 1 copy offsite. Additionally, periodically check that backups have worked and that a restore process will complete successfully. Backup files should not be routinely accessible by the machines which are at risk (for example, users’ desktops). Should the systems be affected by the ransomware, once the operating system has been reinstalled, the unencrypted data can be restored.
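Checking that "backups have worked" and that "a restore process will complete" is easy to say and routinely skipped. The script below is an added example written for this page, not code from the original article or from any backup product. It checks a backup set against the 3-2-1 rule as far as a single machine can see, verifies every copy file by file with SHA-256, and then performs a trial restore from the offsite copy into a scratch folder. All paths and device labels are placeholders; the machine running it needs read access to every copy, so it should be a dedicated backup host rather than a user desktop, in line with the advice above.

```powershell
# Added example, not from the original article. Verifies a backup set against
# the 3-2-1 rule, compares copies with the live data by SHA-256, and trial-
# restores the offsite copy. Assumptions: placeholder paths below; the host
# running this can read all three copies; run from an elevated session.

$ErrorActionPreference = 'Stop'

$Source = 'C:\Data\Important'                      # live data (placeholder)
$Copies = @(                                       # placeholder copy locations
    @{ Path = 'D:\Backup\Important';                           Device = 'internal-disk-2';  Offsite = $false },
    @{ Path = 'E:\Backup\Important';                           Device = 'usb-backup-drive'; Offsite = $false },
    @{ Path = '\\offsite-nas.example.invalid\Backup\Important'; Device = 'offsite-nas';      Offsite = $true  }
)

function Get-RelativePath([string]$Root, [string]$Full) {
    return $Full.Substring($Root.TrimEnd('\').Length).TrimStart('\')
}

function Test-BackupSet {
    param([string]$SourceRoot, [array]$CopySet)
    $problems = [System.Collections.Generic.List[string]]::new()

    # 3-2-1 shape: the live data counts as one copy on one device.
    $copies  = $CopySet.Count + 1
    $devices = @($CopySet | ForEach-Object { $_.Device } | Sort-Object -Unique).Count + 1
    $offsite = @($CopySet | Where-Object { $_.Offsite }).Count
    if ($copies  -lt 3) { $problems.Add("only $copies copies (rule needs 3)") }
    if ($devices -lt 2) { $problems.Add("copies on $devices device(s) (rule needs 2)") }
    if ($offsite -lt 1) { $problems.Add('no offsite copy') }

    # Content check: every source file must exist in every copy with the same hash.
    # A mismatch means the backup is stale or the live file changed since the last
    # run (a file encrypted by ransomware shows up here); investigate before the
    # next backup run overwrites a good copy with a bad one.
    foreach ($file in Get-ChildItem -Path $SourceRoot -File -Recurse) {
        $rel  = Get-RelativePath $SourceRoot $file.FullName
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        foreach ($copy in $CopySet) {
            $copyPath = Join-Path $copy.Path $rel
            if (-not (Test-Path -LiteralPath $copyPath)) {
                $problems.Add("$($copy.Device): missing $rel"); continue
            }
            if ((Get-FileHash -LiteralPath $copyPath -Algorithm SHA256).Hash -ne $hash) {
                $problems.Add("$($copy.Device): hash mismatch $rel")
            }
        }
    }
    return $problems
}

function Test-Restore {
    # Restore one copy into a scratch folder and confirm the restored files match
    # the copy; this exercises the restore path, not just the backup job.
    param([hashtable]$Copy, [string]$Scratch)
    if (Test-Path -LiteralPath $Scratch) { Remove-Item -LiteralPath $Scratch -Recurse -Force }
    New-Item -ItemType Directory -Path $Scratch | Out-Null
    Copy-Item -Path (Join-Path $Copy.Path '*') -Destination $Scratch -Recurse
    $total = 0; $bad = 0
    foreach ($file in Get-ChildItem -Path $Copy.Path -File -Recurse) {
        $total++
        $restored = Join-Path $Scratch (Get-RelativePath $Copy.Path $file.FullName)
        if (-not (Test-Path -LiteralPath $restored) -or
            (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash -ne
            (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash) { $bad++ }
    }
    return "restored $($total - $bad) of $total files correctly from $($Copy.Device)"
}

$issues = Test-BackupSet -SourceRoot $Source -CopySet $Copies
if ($issues.Count -eq 0) { 'backup set OK' } else { $issues | ForEach-Object { "PROBLEM: $_" } }
$offsiteCopy = $Copies | Where-Object { $_.Offsite } | Select-Object -First 1
Test-Restore -Copy $offsiteCopy -Scratch (Join-Path $env:TEMP 'restore-test')
```

Run it on a schedule and treat any PROBLEM line or a restore count below the total as an incident to investigate: a hash mismatch on the live side can be the first visible sign that files are being encrypted, and the backup copy is then the version you want to keep.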
This may go hand in hand with controlling code execution and takes it further – ensure that all rights to network shares are reviewed and that the principle that if access is not required it is not granted is maintained.
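Reviewing share rights on a file server starts with finding the shares where a broad group can write, because those are the shares a single infected desktop can encrypt. The script below is an added example written for this page, not code from the original article; it runs on a Windows file server (Server 2012 or later, which provides the SmbShare module) and reports every non-administrative share where Everyone, Authenticated Users, Users or Domain Users has more than read access at either the share level or the NTFS level. The group names in $BroadPrincipals are assumptions; add any wide groups used in your own environment.

```powershell
# Added example, not from the original article. Lists shares on this server
# where a broad group can write, at the share level or the NTFS level.
# Assumptions: Windows Server 2012+ (SmbShare module), run locally on the file
# server with rights to read share and folder permissions; $BroadPrincipals is
# an illustrative list, extend it for your environment.

$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

function Test-BroadPrincipal([string]$Account) {
    foreach ($p in $BroadPrincipals) {
        if ($Account -eq $p -or $Account -like "*\$p") { return $true }
    }
    return $false
}

function Get-OverBroadShareAccess {
    # Administrative shares (C$, ADMIN$, IPC$) are skipped; they are governed separately.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {

        # Share-level permissions: anything beyond Read for a broad principal.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and
                (Test-BroadPrincipal $ace.AccountName)) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Level = 'Share'
                                   Principal = $ace.AccountName; Right = $ace.AccessRight }
            }
        }

        # NTFS permissions on the shared folder. Effective access is the more
        # restrictive of share and NTFS, so a share that is Read-only at the share
        # level is safe even if NTFS allows Modify; both are reported so the
        # reviewer can see the whole picture.
        if (-not $share.Path) { continue }
        $write = [System.Security.AccessControl.FileSystemRights]::Write
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and (($ace.FileSystemRights -band $write) -ne 0) -and
                (Test-BroadPrincipal $id)) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Level = 'NTFS'
                                   Principal = $id; Right = $ace.FileSystemRights }
            }
        }
    }
}

Get-OverBroadShareAccess | Format-Table -AutoSize
```

Each row is a candidate for tightening: replace the broad group with a specific group of the users who actually need to write, and re-run the script until it returns nothing that is not explicitly justified.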