That is sadly not the case anymore, because as the virus has grown more successful and more profitable to the writers, most of the ransomware variants can now traverse network drives and UNC paths, encrypting anything that they can actually touch and access with the level of permissions granted to the user account under which the malware is executing. The results, as you can tell from recent news reports about ransomware, can wreak havoc.
Strategies for dealing with ransomware
There are two basic solutions to the ransomware problem, one simple and one that will probably tear your team apart during the implementation. (Technically, there are three, but I don’t count actually paying the ransom as a solution because there are no blanket immunities offered in paying the ransom and surely the price will continue to increase as attacks and infestations become more successful.)
Regular and consistent backups along with tested and verified restores. The only way not to feel held hostage because of a ransomware attack is to have the next best viable alternative – to not pay it, because you have full and recent backups of all of your data that have also been tested through consistent, regular restore procedures to make sure that the backups actually worked.
Then, along with vigilant monitoring (many technologists report success with using file monitoring screening to detect large numbers of files being changed in sequence, especially if those files have not been touched otherwise in a while) and ensuring you have appropriate file and folder permissions set, you can simply detect an outbreak quickly and then restore any encrypted data from your backups. This way, you do not have to pay the ransom and the only data at risk of potential irreversible encryption is the data from initial infection to
Application whitelisting. Essentially the only way to definitively protect against a ransomware attack and invasion – or any other malware infestation for that matter – from even taking hold is to implement application whitelisting. Whitelisting involves computing checksums and other “digital fingerprints” for applications that you deem permitted to run on your systems, and then basically cutting everything else out and disallowing the code from executing at all.
Sounds great, right? No exploits can run if they are not already whitelisted, so not only does this approach protect you from current threats, but it also acts as a prophylactic for future malware as well – even though you would still do well to have edge and endpoint security, having a known good list of applications and then black-holing everything else would be a significant step up in security.
Aye, but therein lies the rub: If you took the superset of all of the regularly used applications you have by all of your users as well as their varying versions and patch levels, you might very well have thousands of programs – and to use the built-in software whitelisting functions within Windows, you would need to create a signature for all of them. Every single one of them. There are various automated solutions available, but they all have a cost as well for the licensing as well as the administration time.
Sign up for CIO Asia eNewsletters.