Whitepaper - Ransomware Protection PDF

The document discusses ransomware attacks and how businesses can protect themselves. It describes how ransomware works, common infection methods like phishing emails and exploited websites, and differences between indiscriminate and targeted ransomware attacks. It then provides nine security recommendations to help prevent ransomware infections.

Businesses large and small are under threat from increasingly aggressive and brutal
ransomware attacks. Loss of access to critical files, followed by a demand for payment, can
cause massive disruption to an organization’s productivity.

But what does a typical attack look like? And what security solutions should be in place to
give the best possible defense?

This paper examines commonly used techniques to deliver ransomware, looks at why attacks
are succeeding, and gives nine security recommendations to help you stay secure. It also
highlights the critical security technologies that every IT setup should include.

A Sophos Whitepaper October 2019


How to Stay Protected Against Ransomware

Ransomware – a brief introduction


Ransomware is still one of the most widespread and damaging threats that internet users
face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of highly
targeted file-encrypting ransomware variants delivered through spam messages and exploit
kits, extorting money from home users and businesses alike.

The current wave of ransomware families can have their roots traced back to the early
days of Fake AV, through “Locker” variants and finally to the file-encrypting variants that are
prevalent today. Each distinct category of malware has shared a common goal – to extort
money from victims through social engineering and outright intimidation. The demands for
money have grown more forceful and audacious with each iteration, with some hackers now
demanding millions.

Despite rumors of the demise of ransomware, it is still very much alive and kicking. A
Sophos survey of 3,100 organizations found that 30% of cyberattack victims had been hit by
ransomware. Additionally, and of concern, nine in 10 respondents said their organization was
running up-to-date cybersecurity protection at the time of the attack.

Why are ransomware attacks so successful?


Most organizations have at least some form of IT security in place. So why are ransomware
attacks slipping through the net?

1. Hacking is becoming easier while attackers are becoming more sophisticated in
their approach

- 'Exploit as a Service' (EaaS) programs that take advantage of vulnerabilities in existing
software products are increasingly accessible. These kits make it simple for less
tech-savvy criminals to initiate, complete, and benefit from a ransomware attack.


- Criminals use skillful social engineering to prompt users to run the ransomware’s
installation routine. They try to trick users into activating the ransomware with
emails that encourage the recipient to click on a link or open a file, for example: “My
organization’s requirements are in the attached file. Please provide me with a quote.”

- Producers of ransomware operate in a highly organized fashion. This includes providing
a working decryption tool after the ransom has been paid, although this is by no means
guaranteed.

2. Security problems at affected companies

- Systems are often unpatched, leaving them unnecessarily vulnerable to threats

- Inadequate backup strategy and lack of disaster recovery practice/plan (backups not
offline/off-site)

- Updates/patches for operating system and applications are not implemented swiftly
enough or at all

- Dangerous user permissions (users work as administrators and/or have more file rights
on network drives than necessary for their tasks)

- Lack of user security training (“Which documents may I open and from whom?”, “What is
the procedure if a document looks malicious?”, “How do I recognize a phishing email?”)

- Lack of a layered security strategy, so attackers often only need to overcome a single
hurdle

- Inconsistent or incomplete security policies that leave gaps through which attackers
can enter

- Conflicting priorities (“We know that this method is not secure, but our people have to
work…”)

- Poorly configured IT security (badly regulated external access, e.g. Remote Desktop
Protocol exposed)


How does a ransomware attack happen?


There are multiple ways that a ransomware attack starts. Common techniques include:

- Malicious emails

- Poisoned websites redirecting you to exploit kits

- Remote Desktop Protocol (RDP) and other remote access holes

Malicious emails
Today’s criminals are crafting emails that are indistinguishable from genuine ones. They are
grammatically correct with no spelling mistakes, and often written in a way that is relevant
to you and your business.

In this example, the zip file appears to contain an ordinary .txt file.


However, when the file is executed, the ransomware is downloaded and installed onto your
computer. In this example the Trojan horse is actually a JavaScript file disguised as a .txt
file, but there are many other variations on the malicious email approach, such as a Word
document with macros, and shortcut (.lnk) files.

Poisoned websites redirecting you to exploit kits


Another common way to get infected is by visiting a legitimate website that has been
infected with an exploit kit. Even popular websites can be temporarily compromised. Exploit
kits are black market tools that criminals use to exploit known or unknown vulnerabilities
(such as zero-day exploits).

You browse to the hacked website and click on an innocent-looking link, hover over an ad,
or in many cases just look at the page. And that’s enough to download the ransomware file
onto your computer and run it, often with no visible sign until after the damage is done.

RDP
RDP is what allows people to control Windows computers via a full graphical user interface,
over the internet. The millions of internet-connected computers running RDP include
everything from cloud-hosted servers to Windows desktops used by remote workers, and
each one is a potential gateway into an organization's internal network.

While RDP is an immensely useful tool for organizations, RDP servers are protected by no
more than a username and password, and many of those passwords are bad enough to be
guessed, with a little (sometimes very little) persistence.

[Figure: 5.2 million exposed RDP ports, found utilizing a simple and free search engine]

For more information on securing your RDP servers, read our white paper RDP Exposed – The
Threat That's Already at Your Door.


How do ransomware attacks unfold?


After initial exposure, attacks typically fall into two different categories:

‘Fire and forget’


These types of automated attacks target multiple organizations with the hope of securing
a high quantity of smaller ransoms. Think back to WannaCry. Thousands and thousands of
organizations were hit by WannaCry at the same time. These hackers use automated, ‘fire
and forget’ techniques, where the attack is launched and spread to as many computers
as possible. Due to the automation and number of attacks, the attacker is oblivious to the
stages of the attack.

A typical attack of this nature looks like this:

1. Gain entry via
   a. Opened attachments/links from mass phishing emails
   b. Visiting compromised/poisoned websites (while being secretly redirected to another
      IP hosting an exploit kit)
2. This then triggers a download of the ransomware, which executes and encrypts files
3. A ransom note is generated demanding payment for files to be unencrypted
4. Wait for the victim to contact them via email or a dark web website

Should the chain break at any stage, the attack automatically ends.

Targeted ransomware
Targeted ransomware is a very manual attack that typically focuses on one victim at a time
and often demands much higher ransom fees. The attackers gain access to the network
and move laterally, identifying high-value systems in the process. Strains of this type of
ransomware overcome challenges as they arise, making them particularly deadly.

A typical targeted ransomware attack looks like this:

1. Gain entry via
   a. Remote file sharing / management features such as RDP
   b. Malware such as Emotet and Trickbot

2. Escalate privileges until they are an administrator
   Attackers exploit system vulnerabilities to gain privilege levels that let them bypass
   security software.

3. Attempt to disable / bypass security software using highly tailored files
   Failing this, they will attempt to breach the security management console and disable
   security systems.

4. Spread ransomware that encrypts the victim’s files
   Hackers use network and host vulnerabilities or basic file sharing protocols to
   compromise other systems on the network. They also utilize tools that companies already
   use in their networks, such as PsExec and PowerShell.

5. Leave a ransom note demanding payment for files to be unencrypted

6. Wait for the victim to contact them via email or a dark web website

To learn more about current news on ransomware attacks across the globe, please visit
Naked Security, Sophos’s award-winning threat news room.


10 best security practices to apply now


Staying secure against ransomware isn’t just about having the latest security solutions.
Good IT security practices, including regular training for employees, are essential
components of every single security setup. Make sure you’re following these 10 best
practices:

1. Patch early, patch often


Malware that doesn’t come in via a document often relies on security bugs in popular
applications, including Microsoft Office, your browser, Flash, and more. The sooner you patch,
the fewer holes there are to be exploited.

2. Backup regularly and keep a recent backup copy off-line and off-site
There are dozens of ways other than ransomware that files can suddenly vanish, such as
fire, flood, theft, a dropped laptop, or even an accidental delete. Encrypt your backup and you
won’t have to worry about the backup device falling into the wrong hands. Furthermore, have a
disaster recovery plan that covers the restoration of data and whole systems.

3. Enable file extensions


The default Windows setting is to have file extensions disabled, meaning you have to rely on
the file thumbnail to identify it. Enabling extensions makes it much easier to spot file types
that wouldn’t commonly be sent to you and your users, such as JavaScript.

4. Open JavaScript (.JS) files in Notepad


Opening a JavaScript file in Notepad blocks it from running any malicious scripts and allows
you to examine the file contents.

5. Don’t enable macros in document attachments received via email


Microsoft deliberately turned off auto-execution of macros by default many years ago as a
security measure. A lot of infections rely on persuading you to turn macros back on, so don’t
do it!

6. Be cautious about unsolicited attachments


The crooks are relying on the dilemma you face knowing that you shouldn’t open a
document until you are sure it’s one you want, but you can’t tell if it’s one you want until you
open it. If in doubt leave it out.

7. Monitor administrator rights


Constantly review admin and domain admin rights. Know who has them and remove those
who do not need them. Don’t stay logged in as an administrator any longer than is strictly
necessary and avoid browsing, opening documents, or other regular work activities while you
have administrator rights.
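Reviewing admin rights is easier to keep up when it is scripted. The following is an added example, not from the Sophos paper: it compares the local Administrators group against an approved baseline and flags anything unexpected. The baseline names and the sample member list are constructed for this example; Get-LocalGroupMember assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the Sophos paper): audit local Administrators membership against
# an approved list. For Domain Admins, pass the names from Get-ADGroupMember (RSAT) through
# Compare-AdminMembers in the same way.

# Accounts allowed to hold admin rights (constructed baseline for this example).
$ApprovedAdmins = @('CORP\IT-Admins', 'CORP\BreakGlass', 'WS01\Administrator')

function Compare-AdminMembers {
    param([string[]]$Current, [string[]]$Approved)
    $unexpected = $Current  | Where-Object { $_ -notin $Approved }
    $missing    = $Approved | Where-Object { $_ -notin $Current }
    [pscustomobject]@{
        Unexpected = @($unexpected)   # members that should be removed or justified
        Missing    = @($missing)      # approved accounts that are no longer present
    }
}

function Get-LocalAdminReport {
    param([string[]]$Approved = $ApprovedAdmins, [switch]$Remove)
    # Get-LocalGroupMember returns names in 'DOMAIN\user' or 'COMPUTER\user' form.
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $result  = Compare-AdminMembers -Current $members -Approved $Approved
    foreach ($m in $result.Unexpected) {
        Write-Warning "$env:COMPUTERNAME : unexpected administrator '$m'"
        if ($Remove) { Remove-LocalGroupMember -Group 'Administrators' -Member $m -WhatIf }
    }
    $result
}

# Dry run on constructed data; 'CORP\jsmith' is the account the audit should surface.
$sampleMembers = @('WS01\Administrator', 'CORP\IT-Admins', 'CORP\jsmith')
(Compare-AdminMembers -Current $sampleMembers -Approved $ApprovedAdmins).Unexpected
```

Drop the -WhatIf once the report has been reviewed and the removals are agreed; run Get-LocalAdminReport on a schedule so drift is caught rather than discovered during an incident.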

8. Stay up to date with new security features in your business applications


For example, Office 2016 now includes a control called “Block macros from running in Office
files from the internet,” which helps protect against external malicious content without
stopping you from using macros internally.
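Recommendations 3, 4 and 8 above all come down to a handful of per-user registry settings. The following is an added example, not Sophos's own code: it applies those settings and reads them back. It assumes Office 2016/365 (registry version 16.0), that the Office policy keys are honoured, and that the user has not set an explicit "Open with" choice for .js files, which would otherwise take precedence over the handler below.

```powershell
# Added example (not from the Sophos paper): enforce recommendations 3, 4 and 8 for the
# current user via the registry. Sign out and in again for Explorer to pick up the change.

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 3. Show file extensions in Explorer, so "Quote.txt.js" is no longer shown as "Quote.txt".
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-RegistryDword -Path $explorer -Name 'HideFileExt' -Value 0

# 4. Make double-clicking a .js file open it in Notepad instead of the Windows Script Host.
#    A JSFile handler under HKCU:\Software\Classes overrides the machine-wide one for this
#    user (assumption: no per-user "Open with" choice has been recorded for .js).
$jsOpen = 'HKCU:\Software\Classes\JSFile\Shell\Open\Command'
if (-not (Test-Path $jsOpen)) { New-Item -Path $jsOpen -Force | Out-Null }
Set-ItemProperty -Path $jsOpen -Name '(Default)' `
    -Value "`"$env:SystemRoot\system32\notepad.exe`" `"%1`""

# 8. Office 2016 "Block macros from running in Office files from the internet"
#    (policy value blockcontentexecutionfrominternet = 1, set per application).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-RegistryDword -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
                      -Name 'blockcontentexecutionfrominternet' -Value 1
}

# Read the settings back so the result can be checked here or audited on other machines.
function Get-HardeningStatus {
    $word = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    [pscustomobject]@{
        ExtensionsVisible   = (Get-ItemProperty $explorer).HideFileExt -eq 0
        JsOpensInNotepad    = (Get-ItemProperty $jsOpen).'(Default)' -like '*notepad.exe*'
        WordBlocksWebMacros = (Get-ItemProperty $word).blockcontentexecutionfrominternet -eq 1
    }
}
Get-HardeningStatus
```

In a domain these are better delivered as Group Policy preferences; the script is useful for stand-alone machines and for verifying that the policy actually landed.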


9. Regulate external network access


Don’t leave ports exposed to the world. Lock down your organization’s RDP access and other
management protocols. Furthermore, use two-factor authentication and ensure remote
users authenticate against a VPN.
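To see how exposed a host's RDP service is, and to confine it to the VPN range the text recommends, the following added example (not Sophos's own code) reads the relevant Terminal Server settings and Windows Firewall rules, then tightens them. It assumes Windows 8/Server 2012 or later (NetSecurity module) and an elevated session; the management subnet 10.10.0.0/24 is a constructed placeholder.

```powershell
# Added example (not from the Sophos paper): check and restrict RDP exposure on a host.
# The management subnet below is a constructed placeholder; use your VPN client range.
$ManagementSubnet = '10.10.0.0/24'
$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsRoot\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts  = Get-ItemProperty $TsRoot
    $tcp = Get-ItemProperty $RdpTcp
    # Enabled inbound rules in the built-in "Remote Desktop" group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    # A rule whose remote address scope is 'Any' accepts connections from the whole internet
    # if the host is reachable; that is the exposure the paper warns about.
    $openToAny = $rules | Where-Object {
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }
    [pscustomobject]@{
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($tcp.UserAuthentication -eq 1)   # Network Level Authentication
        ListeningPort     = $tcp.PortNumber
        FirewallOpenToAny = [bool]$openToAny
    }
}

function Limit-RdpAccess {
    param([string]$Subnet = $ManagementSubnet)
    # Require NLA so credentials are validated before a desktop session is created.
    Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
    # Scope the inbound RDP rules to the management/VPN subnet instead of 'Any'.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $Subnet
}

Get-RdpExposure          # before
Limit-RdpAccess
Get-RdpExposure          # after: FirewallOpenToAny should now be False, NlaRequired True
```

Two-factor authentication for the VPN itself is configured on the VPN gateway, not on the host, so this script covers only the host-side part of recommendation 9.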

10. Use strong passwords


It sounds trivial, but it really isn’t. A weak and predictable password can give hackers access
to your entire network in a matter of seconds. We recommend making them impersonal,
at least 12 characters long, using a mix of upper and lower case and adding a sprinkle of
random punctuation Ju5t.LiKETh1s!

How Sophos helps keep you secure


To stop ransomware, you need to have effective and advanced protection in place at every
stage of an attack.

Stopping attacks from getting into your network

Sophos XG Firewall is packed with technology to help protect your organization from ever-
evolving ransomware attacks. In particular, XG Firewall includes one of the best performing
and most effective IPS engines on the market, and provides a simple and elegant solution to
lock down your RDP servers.

XG Firewall offers flexible and easy segmentation tools like zones and VLANs to secure your
LAN and reduce the risk of lateral movement, reducing surface area of attack and minimizing
the risk and potential scope of propagation.

Securing your endpoints and protecting your servers


Should hackers somehow access your network, Intercept X uses multiple layers of defense
to stop ransomware in its tracks. Anti-exploit technology stops the delivery of ransomware,
deep learning blocks ransomware before it can run, and CryptoGuard prevents the malicious
encryption of files, rolling them back to their safe state. The endpoint detection and response
(EDR) functionality within Intercept X additionally detects advanced ransomware attacks
that may have gone unnoticed and searches for indicators of compromise across your
network.

Furthermore, Sophos Managed Threat Response (MTR) enables 24/7 threat response
actions to be identified and executed utilizing a fusion of machine and human intelligence.

Educating on phishing techniques


Sophos Phish Threat sends simulated phishing attacks to your organization, testing
preparedness against real world attacks. Emails can be customized to your organization and
industry and have been carefully localized for multiple languages. Detailed feedback lets you
see how many users failed, overall susceptibility to attacks, and more.


Try Sophos XG Firewall for free at sophos.com/xg-firewall
Try Sophos Intercept X for free at sophos.com/intercept-x

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is
committed to providing complete security solutions that are simple to deploy, manage, and use that deliver the industry's lowest total
cost of ownership. Sophos offers award winning encryption, endpoint security, web, email, mobile, server and network security backed by
SophosLabs – a global network of threat intelligence centers. Read more at www.sophos.com/products.

United Kingdom and Worldwide Sales: Tel: +44 (0)8447 671131, Email: [email protected]
North America Sales: Toll Free: 1-866-866-2802, Email: [email protected]
Australia and New Zealand Sales: Tel: +61 2 9409 9100, Email: [email protected]
Asia Sales: Tel: +65 62244168, Email: [email protected]

Copyright 2019 Sophos Ltd. All rights reserved.


Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

2019-10-01 WP-NA (GH)
