{"id":44001,"date":"2021-11-18T00:00:00","date_gmt":"2021-11-18T00:00:00","guid":{"rendered":"urn:uuid:e81e939e-3677-dc02-91e2-d844bf209821"},"modified":"2021-11-18T00:00:00","modified_gmt":"2021-11-18T00:00:00","slug":"a-guide-to-ransomware-prevention-and-response","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/a-guide-to-ransomware-prevention-and-response\/","title":{"rendered":"A Guide to Ransomware: Prevention and Response"},"content":{"rendered":"

<\/p>\n

<\/div>\n

It seems like every day there\u2019s a new story about a ransomware attack. And while ransomware is certainly costly to the victim, the impact can trickle into society. One recent example is the ransomware attack against one of the largest gas pipelines in the United States<\/a>, causing panic and raising the average gas price on the east coast. An increase in the scale of costly attacks led to the US government announcing they would treat ransomware attacks as a similar level of priority to terrorism.<\/a><\/p>\n

As developers, you must do everything you can to protect yourselves and your products from ransomware attacks. To do so, let\u2019s first look at what ransomware is, where it comes from, and how a typical attack may look. Then, we\u2019ll explore some tactics for a strong recovery plan.<\/p>\n

What is Ransomware?<\/span><\/b><\/p>\n

A quick refresh: ransomware is a type of malware that infects the host system, locks down essential data and hardware, and then requires a ransom before a user can re-access their data. A regular attack will generally follow four steps. Let\u2019s break down the different steps that a typical ransomware attack executes.<\/p>\n

Research<\/span><\/p>\n

Attackers research the best platforms to attack and look for any accessible information on a potential target. These attackers use sites like social media and company websites to gather information on their prey. With this, they create a library of information they can use to look as legitimate as possible. The attackers do most of this work by hand to achieve the highest success rate they can.<\/p>\n

Landing<\/span><\/p>\n

A landing is how and where a ransomware attack finds its victims. A vast majority of ransomware attacks land through email, specifically through phishing emails. Phishing emails are when attackers send a seemingly legitimate email to their targets, hoping they will click a link and give up crucial information.<\/p>\n

These emails are getting smarter and more personalized. Long gone are the days when identifying phishing emails meant avoiding those that were promising you 10 million dollars if you click on the red button below. Now they can gain information when you input information into very realistic-looking and targeted login forms or questionnaires. Once you fill something out on a link like this, that\u2019s when the attackers have genuinely landed.<\/p>\n

Exploring<\/span><\/p>\n

A typical ransomware attack then, unbeknownst to you, explores your file system. These programs use various probing APIs to gain information on what is available in their victim’s system. Probing can often be done by hand because the attackers have already acquired access through the previous step. This allows the program or attacker to look for backups and copies of important files to ensure that it locks down any backups you may have, therefore making it more likely the victim will pay the ransom.<\/p>\n

Locking<\/span><\/p>\n

Locking is when the attack locks down and blocks access to files and hardware, requiring some form of payment before releasing the data. This locking method encrypts any important data found. This is done so the victim can\u2019t access it without complicated keys to which they don\u2019t have access. Often, paying the ransom doesn\u2019t help, because the attackers will keep the data after the payment.<\/p>\n

Attacks are extremely dangerous and effective because it\u2019s extremely difficult to get rid of them once the virus takes hold of its host system. An attack may look as simple as logging on to your computer and giving system permission to an application that looks familiar. Next thing you know, you have a screen telling you to pay a fee to a Bitcoin wallet and a timer before you permanently lose your data and your computer. But let\u2019s not fear! There are many ways to protect yourselves from these attacks and ensure that critical data is safe.<\/p>\n

How to Prevent an Attack<\/span><\/p>\n

Several steps can be taken to prevent an attack, but there are two areas that you\u2019ll want to pay close attention to: technical infrastructure maintenance and developing team diligence. Your technical infrastructure refers to technical steps you can take to make sure that your devices are secure. For example, ensure that you update your security products regularly and perform periodic scans. Similarly, be sure to implement application safelisting on your endpoints to block all unknown and unwanted applications.<\/p>\n

As developers, you must avoid attacks as early and often as possible. When working with the core systems of any project, you have a high level of access to essential data. Best practices for developers include:<\/p>\n