Question: Recently, my team has been seeing a new wave of attempts to load ransomware into our system. What can we do to stop them or at least limit the systems it can reach?
Akamai: There are a couple of different ways to go about doing this.
Most ransomware that we've seen is usually deployed via some sort of phishing attack. The victim gets an email, they click on an attachment or a link, the ransomware gets loaded, and from there it starts spreading through the network, encrypting as it goes along. Practicing good email hygiene and training users on what to do when they get emails with attachments is a decent first step. But we all know that human beings are fallible, and it's likely something might slip through.
As we get more complicated and into more technical controls, most ransomware needs to communicate out to some sort of command-and-control server. That's where it's going to register that it infected a system and get further instructions regarding the keys for decryption and other parts of the attack. You can intercept that by blocking it at a DNS level, or you can sometimes block it by doing some sort of outbound detection for a communication reaching out to a very strange domain name. Almost all of the common ransomware families use domain name generation algorithms, so domains that look like random strings are a good clue that there's something going on.
Once ransomware has gotten a foothold and is spreading through the network, things get a little bit trickier. You can try implementing some sort of firewall setup, what's sometimes referred to as microsegmentation. However, this can mean a lot of administrative overhead for your IT staff to constantly update firewalls and make sure only necessary ports are in place.
Another approach is rolling out something like a zero-trust model, in which rather than endpoints connecting to a network and from there reaching out to other assets, databases, or Web apps, what we're actually communicating with is an application proxy. As a result, ransomware – really any malware – that's going to try to spread isn't going to be able to go anywhere because all of those commands are being intercepted by the proxy, and only the commands that need to be sent to the application are sent through.
Regardless of what kind of preventative strategy you take, the other thing every organization should do is have a really good backup strategy. Knowing that you can restore data and get back up and running after a ransomware attack can be a lifesaver.
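As an added illustration of the "random-looking domain" clue in the answer above (this is not code from Akamai or the original article), the following scores the registrable label of each queried name on entropy, vowel ratio, consonant runs and length, and runs it over a constructed DNS query log. The log format, the thresholds and the naive second-to-last-label extraction are assumptions; a real deployment would add a public-suffix list and an allowlist to cut false positives.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (assumed format: "<timestamp> <client-ip> <qname>").
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.15 www.example.com
2024-01-01T10:00:02 10.0.0.15 mail.google.com
2024-01-01T10:00:03 10.0.0.22 xk3qwz9trpvbnmcd.com
2024-01-01T10:00:04 10.0.0.22 hzgqwrtxplkvbnfj.net
2024-01-01T10:00:05 10.0.0.31 cdn.cloudflare.net
"""

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

def shannon_entropy(s):
    """Bits of entropy per character; DGA labels tend to sit near log2(alphabet)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(qname):
    """Naive second-to-last label (assumption: no public-suffix handling)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname):
    """0..4: one point per heuristic that looks like a generated label."""
    label = registrable_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    score = 0
    score += shannon_entropy(label) > 3.5   # near-uniform character use
    score += vowel_ratio < 0.2              # human words have vowels
    score += longest_run >= 5               # unpronounceable consonant runs
    score += len(label) >= 12               # long labels are rare for real brands
    return int(score)

def flag_suspicious(log_text, threshold=3):
    """Return (client, qname) pairs whose label scores at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname = fields
        if dga_score(qname) >= threshold:
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    for client, qname in flag_suspicious(SAMPLE_DNS_LOG):
        print(f"suspicious lookup from {client}: {qname}")
```

Tune the thresholds against your own resolver logs before alerting on them; CDN and cloud hostnames are the usual source of false positives.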
Do you have questions you'd like answered? Send them to [email protected].