
Edge Ask The Experts

7/29/2019
10:00 AM
Akamai Staff

How Can We Stop Ransomware From Spreading?

Here's how to stop it, or at least limit the systems it can reach.

Question: Recently, my team has been seeing a new wave of attempts to load ransomware into our system. What can we do to stop them or at least limit the systems it can reach?

Akamai: There are a couple of different ways to go about doing this.

Most ransomware that we've seen is usually deployed via some sort of phishing attack. The victim gets an email, they click on an attachment or a link, the ransomware gets loaded, and from there it starts spreading through the network, encrypting as it goes along. Practicing good email hygiene and training users on what to do when they get emails with attachments is a decent first step. But we all know that human beings are fallible, and it's likely something might slip through.

Moving on to more technical controls, most ransomware needs to communicate out to some sort of command-and-control server. That's where it's going to register that it infected a system and get further instructions regarding the keys for encryption and other parts of the attack. You can intercept that by blocking it at the DNS level, or you can sometimes block it by doing some sort of outbound detection for a connection reaching out to a very strange domain name. Almost all of the common ransomware families use domain generation algorithms (DGAs), so domains that look like random strings are a good clue that there's something going on.
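As an added illustration that is not part of the Akamai answer, the following Python script scores the registrable label of each queried name in a constructed DNS log by entropy, digit ratio and vowel ratio, flags the queries that look algorithmically generated, and counts hits per client so the noisiest host can be isolated first. The log lines, the weights and the threshold are hand-picked assumptions for this sample, not values from the article.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real traffic): "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2019-07-29T10:00:01Z 10.0.0.12 www.example.com
2019-07-29T10:00:02Z 10.0.0.12 www.darkreading.com
2019-07-29T10:00:03Z 10.0.0.45 xk3jq9vz7lpw2tqf.com
2019-07-29T10:00:04Z 10.0.0.45 q8wzr1ktp5vhn0xd.net
2019-07-29T10:00:05Z 10.0.0.45 zvpl2mxq7nk9wtrs.org
2019-07-29T10:00:06Z 10.0.0.12 mail.example.com
"""
SCORE_THRESHOLD = 3.0  # hand-picked for this sample; calibrate against your own DNS baseline

def shannon_entropy(s: str) -> float:
    """Bits per character; a label of all-distinct characters scores log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registrable_label(qname: str) -> str:
    """Second-level label (naive: ignores multi-part public suffixes such as co.uk)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(label: str) -> float:
    """High entropy, many digits and few vowels all point toward a generated name."""
    n = len(label)
    if n == 0:
        return 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    return shannon_entropy(label) + 3.0 * digit_ratio - 4.0 * vowel_ratio

def flag_dga_queries(log_text: str, threshold: float = SCORE_THRESHOLD) -> list:
    """Return (client_ip, qname, score) for each query whose label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # tolerate malformed lines instead of crashing the detector
        _ts, client, qname = fields
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            flagged.append((client, qname, round(score, 3)))
    return flagged

def clients_by_hit_count(flagged: list) -> dict:
    """Hits per client: a host resolving many such names is the one to isolate first."""
    return dict(Counter(client for client, _qname, _score in flagged))
```

Wordlist-based DGAs and legitimate CDN or cloud hostnames make a character-statistics heuristic noisy, so treat its output as enrichment for analysts rather than a standalone blocking rule.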

Once ransomware has gained a foothold and is spreading through the network, things get a little bit trickier. You can try implementing some sort of internal firewall setup, sometimes referred to as microsegmentation. However, this can mean a lot of administrative overhead for your IT staff, who must constantly update the firewall rules and make sure only the necessary ports are open.

Another approach is rolling out something like a zero-trust model, in which rather than endpoints connecting to a network and from there reaching out to other assets, databases, or Web apps, what we're actually communicating with is an application proxy. As a result, ransomware – really any malware – that's going to try to spread isn't going to be able to go anywhere because all of those commands are being intercepted by the proxy, and only the commands that need to be sent to the application are sent through.

Regardless of what kind of preventative strategy you take, the other thing every organization should do is have a really good backup strategy. Knowing that you can restore data and get back up and running after a ransomware attack can be a lifesaver.
