We have compiled a list of security measures that either prevent ransomware or limit the damage it causes. An organization need not implement all of them; they are strategies to choose from depending on the company. A measure such as application whitelisting will prevent most malicious software on its own. Overall, most of these are best practices and should be implemented as part of a larger security framework such as the SANS Critical Controls.
- Endpoint Protection – Application whitelisting and antivirus. If application whitelisting is fully implemented, it will stop most malicious software on the computer; it is a much stronger security measure than antivirus.
- File Backups – Regularly store backups of important files. Test the restore process to confirm backups are viable.
- Block Suspicious Email Attachments – .exe, .jar, .scr, .bat, .aru, .cmd, .vbs, .7z, .ex, .ex_, .ex1, .pif, .application, .gadget, .com, .hta, .cpl, .msc, .vb, .vbe, .js, .jse, .ws, .wsf, .wsc, .wsh, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .scf, .lnk, .inf, .reg, .docm, .dotm, .xlsm, .xltm, .xlam, .pptm, .potm, .ppam, .ppsm, .sldm, .msi, .msp, .mst
- Remove Unneeded Software – Remove Flash and Java if they are not needed
- Computer Patches – Operating system, Flash, Java
- Web Filtering
a. HTTP and HTTPS traffic need to be filtered through a proxy
b. Block website categories that are not needed (including uncategorized) or deploy website whitelisting.
c. Block unneeded plugins such as Java and Flash – only permit them on websites that need them
d. Block countries on the OFAC sanctions list. This is a good start, but it is not inclusive of all locations that malware may originate from; it all depends on your business. https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx
- User Profile Protection - Block/Whitelist execution of programs in the user profile folders.
- Block/Whitelist Office Macros - Only allow signed macros by authorized sources.
- Egress Filtering on Firewall – Only permit needed traffic outbound
- Network Share Permissions – Restrict access to network shares on a need-to-know basis.
- Intrusion Prevention System (IPS)
- Network Segmentation
- Vaccines – Ransomware will not encrypt the same machine with multiple encryption keys; to keep track of this, it stores the keys in the registry and checks for them before encrypting. Several programs create these registry markers ahead of time as "vaccines", so the ransomware believes the machine is already encrypted.
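The attachment-blocking rule above is a deny-list of extensions; the check below, an added example that is not part of the original checklist, applies that exact list to attachment names and also catches the common evasions a mail gateway must handle: mixed case, double extensions such as `Invoice.pdf.exe`, and trailing dots or spaces. The sample attachment names are constructed for the example.

```python
"""Attachment filter implementing the extension deny-list from the checklist above."""
from typing import NamedTuple

# The deny-list exactly as given in the checklist, normalised to lower case.
# Extend it to match your own policy; this is the page's list, not a complete one.
BLOCKED_EXTENSIONS = frozenset({
    ".exe", ".jar", ".scr", ".bat", ".aru", ".cmd", ".vbs", ".7z", ".ex", ".ex_",
    ".ex1", ".pif", ".application", ".gadget", ".com", ".hta", ".cpl", ".msc",
    ".vb", ".vbe", ".js", ".jse", ".ws", ".wsf", ".wsc", ".wsh", ".ps1",
    ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2", ".scf", ".lnk", ".inf",
    ".reg", ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm",
    ".ppam", ".ppsm", ".sldm", ".msi", ".msp", ".mst",
})


class Verdict(NamedTuple):
    blocked: bool
    reason: str


def _extensions(filename: str) -> list[str]:
    """Return every dotted suffix component of a name, lower-cased.

    'Invoice.PDF.exe' -> ['.pdf', '.exe'], so a double extension is checked
    component by component. Trailing dots and spaces are stripped first,
    because Windows drops them when the file is saved.
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    return ["." + p for p in parts[1:] if p]


def attachment_verdict(filename: str) -> Verdict:
    """Block the attachment if any extension component is on the deny-list."""
    for ext in _extensions(filename):
        if ext in BLOCKED_EXTENSIONS:
            return Verdict(True, f"extension {ext!r} is on the deny-list")
    return Verdict(False, "allowed")


def blocked_attachments(names: list[str]) -> list[str]:
    """Return the subset of attachment names the policy would block."""
    return [n for n in names if attachment_verdict(n).blocked]


# Constructed sample attachment names for a single inbound message.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.xlsx", "Invoice_4471.pdf.exe", "Budget.XLSM",
    "notes.txt", "archive.7z", "shortcut.lnk", "README",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:24} {attachment_verdict(name)}")
```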