Defending Against Ransomware
Table of Contents
Introduction
How Ransomware Is Delivered to a User’s Computer
E-mail attachments containing malware or malicious macros
Drive-by Downloads, Redirects and Exploits
Infected media and malvertising
Stages of Ransomware Infection
1. Break-in
2. Execution
3. Encryption key generation
4. Data encryption
5. Extortion
Measures to Apply Immediately
How Netwrix Can Limit the Damage from Ransomware
Identify and close your security gaps.
Prevent or limit the reach of ransomware.
Spot ransomware attacks in their early stages.
Stop ransomware in its tracks and minimize the damage.
Minimize business downtime.
Minimize Your Risk of Ransomware Attacks with the Netwrix Solution
About Netwrix
Next Steps
Introduction
Ransomware is one of the fastest growing classes of malicious software. In recent years, ransomware has evolved from a simple lock screen with a ransom demand into far more dangerous variants. One is crypto-ransomware, which stealthily encrypts all of the documents, spreadsheets, pictures, videos and other files it can reach, including not only those on endpoint devices but also those on servers and cloud-based file-sharing systems. Then it demands a ransom to unlock the encrypted files, usually in hard-to-trace digital currencies. The ransom amount varies, from $150–$500 for an individual to many thousands of dollars for an organization. But the ransom itself is dwarfed by the other costs: In 2022, the average cost of a ransomware attack, excluding any ransom payment, was $4.54 million. That includes expenses such as forensic investigations, notifying affected customers and providing them with credit monitoring services, regulatory fines, and revenue losses due to downtime and reputation damage.
While ransomware has been around for years, advances in encryption and other technologies have enabled attacks to become more common and more damaging each year. In addition, ransomware as a service (RaaS) is on the rise, making it simpler for malefactors to operate.
How Ransomware Is Delivered to a User’s Computer
There are several common ways that ransomware is delivered to a user’s computer, including:
Malicious e-mail attachments
Drive-by downloads, redirects and exploits
Infected media and malvertising
E-mail attachments containing malware or malicious macros
Malware can be delivered to users through e-mail attachments, often disguised as legitimate documents or files. When the user opens the attachment, the malware is installed on their computer.
The e-mail often purports to be from a known entity, such as a bank or colleague, and has an attention-grabbing subject line, such as “Dear Valued Customer”, “Undelivered Mail Returned to Sender” or “Invitation to connect on LinkedIn.”
[Figure 1. Methods of ransomware delivery via e-mail: a targeted e-mail message carries either an e-mail attachment (a ZIP containing a malicious MS Word document with a VBA macro) or a link to a page (a captcha enables download of the page); either path leads to download and execution, and then to infection.]
The names of the attachments are chosen to disguise their true nature. In particular, the name often includes a common extension such as “.doc” or “.xls”, so if display of file extensions is disabled in the system settings, the user will think the file is a Word or Excel document. For example, the full file name might be “Paper.doc.exe” but the user will see only “Paper.doc” and be misled into thinking the file is harmless.
Or the attachment might actually be a .doc file but include malicious macros. If a user opens such a document and macros are enabled in Microsoft Office (which they are by default), malware installation begins automatically. If macros have been disabled, the user will see blocks of garbled text and a note such as, “Enable macro if the data encoding is incorrect.” If the user enables macros, the malware will then infect the system.
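A filename triage check for the disguises described above (an executable hidden behind a document extension, and Office files that can carry macros). This is an added example written for this page, not code from the paper or from Netwrix; the extension sets follow the paper's own list of common malware extensions, and the verdict labels are an assumption.

```python
import os

# Extensions the paper lists as common malware carriers.
EXECUTABLE_EXTS = {".exe", ".com", ".js", ".vbs", ".hta", ".bat", ".cmd"}
# Document types that attackers pair with a hidden executable extension ("Paper.doc.exe").
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
# Office formats that are explicitly macro-enabled, and legacy formats that may embed VBA.
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
LEGACY_OFFICE_EXTS = {".doc", ".xls"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def extensions(name):
    """Every dotted suffix in order, lower-cased: 'Paper.doc.exe' -> ['.doc', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def displayed_name(name):
    """What a user sees when the OS hides known extensions: the last suffix is dropped."""
    base, _ = os.path.splitext(name)
    return base


def triage_attachment(name):
    """Classify an attachment by name alone; returns (verdict, reason).

    Verdicts (assumed labels): 'block', 'quarantine', 'scan', 'allow'.
    Name-based triage is a first filter only; content scanning still applies.
    """
    exts = extensions(name)
    if not exts:
        return "scan", "no extension; type cannot be inferred from the name"
    last, earlier = exts[-1], exts[:-1]
    if last in EXECUTABLE_EXTS:
        if any(e in DOCUMENT_EXTS for e in earlier):
            return "block", f"executable disguised as document; user would see '{displayed_name(name)}'"
        return "block", "executable attachment type"
    if last in MACRO_EXTS:
        return "quarantine", "macro-enabled Office document"
    if last in ARCHIVE_EXTS:
        return "scan", "archive; inspect contents before release"
    if last in LEGACY_OFFICE_EXTS:
        return "scan", "legacy Office format that can embed VBA macros"
    return "allow", "no filename-based indicator"
```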
Drive-by Downloads, Redirects and Exploits
Users can also inadvertently become victims simply by visiting a compromised web page — for example, by downloading malicious code via banner ads in Adobe Flash after multiple malicious redirects, as illustrated in Figure 2.
These “drive-by downloads” usually exploit a security flaw or other vulnerability in the browser, app or operating system, often because the software has not been kept up to date with patches. For example, CryptoWall uses the Angler, Neutrino and Nuclear exploit kits to load. It can exploit vulnerabilities in web browsers, Java and PDFs, but the most common vulnerabilities are in Flash.
[Figure 2. Drive-by download via a malicious ad, a compromised website and the Angler exploit kit: (1) A user visits a legitimate website. (2) A malicious ad redirects the user to a compromised website. (3) Another redirect leads the user to an Angler-hosting webpage. (4) Angler scans the user’s browser for security holes (outdated Flash, Java). (5) Angler exploits the vulnerability and drops malware on the system.]
Infected media and malvertising
Ransomware can also be delivered through infected disks or USB drives or via malvertising, which is the use of online advertising to spread malware. When the user inserts the infected media or clicks a link in an online ad, the malware is installed on their computer. However, some ransomware, such as WannaCry, uses exploits to move aggressively within the network without the involvement of the end user on the target system.
Stages of Ransomware Infection
Ransomware infection typically consists of the following steps:
1. Break-in
A user unintentionally opens malicious code propagated by one of the methods described above, thereby releasing a ransomware client.
2. Execution
The malware copies itself into various locations in the system, such as the appdata, startup, rootdrive
or WINDOWS folders, usually with a random name like “mrxpcvh.exe”. Then it edits the registry so it will
start automatically after every system reboot. The malware may also try to evade detection and prevent
removal by disabling security software or modifying system settings. It will also try to propagate itself to
other devices on the same network.
3. Encryption key generation
The ransomware client builds an SSL connection with a command and control (C&C) server and generates a public-private key pair to encrypt its victim’s files. The client might use the Tor network to anonymize the traffic and make tracing the crime more difficult. Some ransomware can generate a key pair locally on the infected machine; in that case, the user’s machine does not need to be connected to the internet for the malware to encrypt the files.
4. Data encryption
Using the victim’s access rights, the ransomware scans all available physical and cloud-based drives for files and encrypts them with the key. Ransomware uses strong encryption such as RSA-2048, which virtually eliminates the possibility of the user discovering the key to decrypt the files.
5. Extortion
The malware displays a ransom note with instructions for how the victim can pay a ransom to unlock
the encrypted data. If the victim agrees to pay the ransom, they will be instructed on how to make the
payment. However, there is no guarantee that the attackers will actually provide the victim with the
decryption key. In some cases, victims have paid the ransom but never received the decryption key.
Measures to Apply Immediately
Analysis of reported ransomware attacks reveals several reasons why the attacks were successful:
- Systems were weakly protected or their protection was poorly configured.
- Employees had little or no cybersecurity education, so they would click on almost anything.
- The organizations were using outdated software and equipment that left numerous security holes to be exploited.
Decrypting files encrypted by ransomware can take months or even years, if it is possible at all. Therefore, it is critical to take steps to prevent infection and be prepared to restore from backup if prevention fails.
Vital best practices include the following:
- Back up your systems regularly and keep a recent backup off site. If you suffer a ransomware attack, you can restore your files from the backup. To protect your backups, encrypt them and store them outside your network (for example, on cloud storage).
- Limit access to shared folders. If you use a shared network folder, create a separate network share for each user. Since malware spreads using its victim’s access rights, track use of network shares to make sure that access is restricted to the fewest users and systems possible. Otherwise, the infection of one computer can lead to the encryption of all documents in all folders on the network.
- Restrict user permissions to “Read” whenever possible. Without full control rights, ransomware cannot access and encrypt files.
- Install the latest patches and updates. Updating your operating systems and applications helps protect against drive-by download attacks that exploit software vulnerabilities. Pay particular attention to Adobe Flash, Microsoft Silverlight and web browsers.
- Configure Group Policy properly:
  - Block macros from running in Office files from the internet.
  - Block executable extensions. Use the Software Restriction Policy to block script execution and launch attempts by files that have been extracted from compressed formats.
  - Block AutoPlay to disable software execution from removable media.
  - Blacklist all applications from running on workstations and granularly whitelist only trusted ones using the Application Control Group Policy.
- Blacklist Tor IP addresses. Some malware uses the Tor network for command-and-control purposes. By blocking Tor IP addresses, you can prevent some ransomware from fully installing.
- Properly configure your web filter, firewall and antivirus software to block access to malicious websites and to scan all files that are downloaded.
- Educate all your employees, including executives, about how to spot phishing emails. Help them enable display of file extensions and teach them to be wary of the common malware extensions, including .exe, .com, .js, .vbs, .hta, .bat and .cmd.
- Set .JS files to open with Notepad by default. This protects against JavaScript-borne malware.
How Netwrix Can Limit the Damage from Ransomware
Identify and close your security gaps
Ransomware has become a very common and harmful cyber threat, and it is constantly improving in sophistication. It is now easy for even non-technical cybercriminals to launch attacks using “ransomware-as-a-service” offered on the dark web. While it is not possible to completely prevent users from accidentally clicking on malicious links or opening malicious attachments, it is possible to reduce the risks and potential harm by identifying and addressing vulnerabilities in your security systems with the appropriate tools.
Identify and mitigate your IT risks.
Identify vulnerabilities in your IT environment, such as excessive user permissions, potentially malicious files, and files and folders that are accessible to everyone. By mitigating these critical security weaknesses, you reduce the risk of ransomware exploiting them.
Know where your critical data is located and how secure it is.
Know exactly what sensitive, regulated and business-critical data you have, and make sure it’s stored
only in secure locations and that only the right users have access to it. Determine which files can be
safely deleted or archived to reduce your attack surface area in case of a ransomware attack.
Establish and maintain secure system configurations.
Avoid being a soft target by making sure that your systems always remain in a secure and compliant
state. Regularly check for deviations from your known-good baselines, such as outdated or vulnerable
software and accounts with weak passwords (especially RDP accounts), and correct them promptly.
Prevent or limit the reach of ransomware.
One way to reduce the risk of ransomware infiltrating your network is to strengthen your defenses, such
as protecting privileged accounts and enforcing least privilege. It is also important to secure your Group
Policy to further protect against ransomware.
Prevent users from running ransomware executables and malicious scripts.
Keep business users from running non-sanctioned applications — including ransomware executables
— without impacting their productivity. Enforce least privilege by removing Local Administrator rights
and granting users only the permissions they need on their machines, and implement allow and deny
lists to prevent them from executing unknown files or malicious code.
Replace standing privileged accounts with just-in-time elevated access.
Ransomware attacks launched from a privileged account can cause significant damage in a short amount
of time, so work toward a zero standing privilege (ZSP) approach: Replace standing privileged accounts
with temporary accounts that provide admins with just enough access to perform the task at hand and
remove them immediately when the task is complete.
Maintain least privilege.
Allowing users to keep privileges that they never use gives attackers unnecessary opportunities to exploit. Continuously watch for excessive access rights and promptly remove them to limit the damage a ransomware infection could do.
Spot ransomware attacks in their early stages.
IT security professionals advise adopting an “assume breach” approach, which means being prepared if ransomware is able to bypass your defenses. In the event of a successful attack, it is essential to quickly detect the incident and minimize the impact to avoid disruption to your business. The right security solutions can help you detect and prevent ransomware attacks and protect your organization’s reputation.
Get alerted to suspicious activity.
The earlier you can figure out that something anomalous is happening in your environment, the better
you can block or contain the damage. Implement an early warning system that can detect a ransomware
attack in progress and provide the details you need to investigate it quickly.
Spot attackers trying to gain more access to your data.
Ransomware often attempts to gain access to more data before beginning the encryption process.
Thwart attempts at privilege escalation with detailed information about all changes to file, folder and
share permissions; delegation of access rights; and changes to security group membership.
Stop ransomware in its tracks and minimize the damage.
Rapid response is key to minimizing the damage caused by ransomware attacks, which can be catastrophic
for a business. By reducing the time to respond to attacks, minimizing business downtime, and facilitating
the quick recovery of important data, you can play a heroic role in protecting your organization.
Respond to ransomware faster than humanly possible.
Once ransomware has been unleashed, every second counts. It’s vital to have a solution that can respond automatically to the threat: disable the compromised account, close the SMB session, end the RDP session or execute your own custom script. By blocking malicious activity instantly, you can help ensure business continuity, reduce reputational damage and limit financial losses.
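An early-warning check of the kind described under “Get alerted to suspicious activity”, paired with the containment steps listed just above. This is an added example written for this page, not Netwrix code: it runs a per-account sliding window over a constructed file-server audit log (the log format, the share name and the thresholds are assumptions) and flags an account that rewrites many files within seconds or drops a ransom-note-like file, which is the pattern of the encryption and extortion stages.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed audit log (not real product output), one event per line:
# "ISO-timestamp|user|action|path". "alice" makes three ordinary edits over ten
# minutes; "bob" renames 25 files to a new extension within 25 seconds, then drops a note.
BASE = datetime(2024, 1, 15, 9, 0, 0)
SHARE = r"\\fs01\finance"          # placeholder share name


def event(offset, user, action, name):
    return f"{(BASE + offset).isoformat()}|{user}|{action}|{SHARE}\\{name}"


SAMPLE_LOG = [event(timedelta(minutes=3 * i), "alice", "modify", f"q{i}.xlsx") for i in range(3)]
SAMPLE_LOG += [event(timedelta(seconds=i), "bob", "rename",
                     f"report{i}.docx -> report{i}.docx.locked") for i in range(25)]
SAMPLE_LOG.append(event(timedelta(seconds=26), "bob", "create", "README_DECRYPT.txt"))

RANSOM_NOTE_HINTS = ("decrypt", "readme", "how_to_recover", "restore_files")
WRITE_ACTIONS = {"modify", "rename", "delete"}


def parse(line):
    ts, user, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect(lines, window_s=60, threshold=20):
    """Alert per account once `threshold` writes/renames/deletes land within `window_s`
    seconds, or once a ransom-note-like file is created. Returns {user: alert}."""
    recent, alerts = {}, {}
    for ts, user, action, path in sorted(parse(l) for l in lines):
        if action == "create" and any(h in path.lower() for h in RANSOM_NOTE_HINTS):
            alerts.setdefault(user, {"user": user, "count": 0, "paths": []})["ransom_note"] = path
            continue
        if action not in WRITE_ACTIONS:
            continue
        q = recent.setdefault(user, deque())
        q.append((ts, path))
        while ts - q[0][0] > timedelta(seconds=window_s):   # evict events outside the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:       # first crossing raises the alert
            alerts[user] = {"user": user, "first_seen": q[0][0], "count": len(q),
                            "paths": [p for _, p in q]}
    return alerts


def plan_response(alert):
    """Containment actions in the order the paper lists them (hostnames are placeholders)."""
    user = alert["user"]
    return [f"disable account {user}",
            f"close SMB sessions of {user} on FILESERVER_PLACEHOLDER",
            f"end RDP sessions of {user}",
            f"run custom script: snapshot and restore {len(alert['paths'])} affected paths"]
```

The burst threshold and window are tuning knobs: set them from a baseline of normal per-user write rates on each share so that bulk but legitimate jobs (migrations, builds) are excluded or allow-listed rather than silently contained.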
Make more informed decisions in less time.
In cases where automated response is not a viable option, you need to quickly get to the bottom of a ransomware incident so you can formulate the best response as fast as possible. The right tool will help you understand exactly where the attack started, how it unfolded and what was affected.
Block ransomware attacks that leverage trusted applications.
Attackers can try to slip ransomware into your network by altering trusted software products. Leverage
a trustworthy repository of verified files to ensure your users don’t activate malware by executing an
altered application.
Minimize business downtime.
Improve your ability to recover from ransomware attacks by having detailed information about the attack.
By returning to a secure state and incorporating lessons learned into your data security plan, you can
minimize the time it takes to recover from a ransomware incident.
Understand the value and sensitivity of the affected data to plan your recovery process.
Formulate an effective ransomware recovery plan that prioritizes the restoration of your most business-critical data using a clear inventory of what files were affected and how.
Revert improper AD changes to get back to a secure state.
Revert your IT environment to a secure state faster and more easily with the ability to roll back unwanted changes to your Active Directory, including new objects and backdoors that might have been created during a ransomware attack.
Minimize Your Risk of Ransomware Attacks with the Netwrix Solution
- Identify and remediate vulnerabilities before they are exploited
- Protect privileged accounts and enforce least privilege to limit the spread of ransomware
- Detect ransomware activity in its early stages
- Take immediate action to stop ransomware and minimize the damage
- Minimize business downtime with an informed recovery strategy
About Netwrix
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.
For more information, visit www.netwrix.com.
Next Steps
See Netwrix products — Check out the full portfolio of Netwrix products: netwrix.com/products
Get a live demo — Take a personalized product tour with a Netwrix expert: netwrix.com/livedemo
Request a quote — Receive pricing information: netwrix.com/buy
Corporate Headquarters: 6160 Warren Parkway, Suite 100, Frisco, TX, US 75034
Phone: 1-949-407-5125  Toll-free: 888-638-9749  EMEA: +44 (0) 203-588-3023
Social: netwrix.com/social