士欣 News
McAfee's updated defense settings against file-encrypting malware - VSE and HIPS
Date: 2016-06-01
: Engineering Department

 Safe practices to protect against ransomware

By tightly monitoring intelligence feeds, McAfee Labs stays ahead of most ransomware campaigns. Staying ahead allows us to detect and stop most ransomware before it can execute. It also means that no Bitcoins will flow into criminals’ pockets.

Good policies and procedures include the following:

  • Back up data. Although this seems obvious, far too often there is no backup available or the backup process was never tested and didn’t work. Removable storage is widely available, inexpensive, and simple to use. Home users should create a backup, disconnect the device, and store it in a safe place. For cloud-based backup services, be aware of the chance that the victim’s endpoint could have copied encrypted files to the cloud, too. Some cloud-based backup services offer to restore the most recent versions of files.
  • Perform ongoing user-awareness education. Because most ransomware attacks begin with phishing emails, user awareness is critically important and necessary. For every ten emails sent by attackers, statistics have shown that at least one will be successful. Don’t open emails or attachments from unverified or unknown senders.
  • Employ antispam. Most ransomware campaigns start with a phishing email that contains a link or a certain type of attachment. In phishing campaigns that pack the ransomware in a .scr file or some other uncommon file format, it is easy to set up a spam rule to block these attachments using McAfee Email Gateway. If .zip files are allowed to pass, scan at least two levels into the .zip file for possible malicious content.
  • Protect against polymorphic ransomware. The worst ransomware variants, including CryptoLocker, are polymorphic. This makes it incredibly difficult for traditional antimalware technology to stop them. However, McAfee Threat Intelligence Exchange is specifically designed to stop threats like these by using the newness of files as threat indicators. Recognizing files as new to the environment and combining that with other behavioral detection techniques, McAfee Threat Intelligence Exchange can stop polymorphic ransomware.
  • Protect endpoints. Use McAfee VirusScan Enterprise endpoint protection and its advanced features. In many cases, the client is installed with just default features enabled. By implementing some advanced features—for example, “block executable from being run from Temp folder”—more malware can be detected and blocked. Additionally, stay up to date with daily antimalware definition files (DATs). McAfee Labs works around the clock to identify and fight ransomware, but the value of that work is realized only if the latest DATs are deployed.
  • Block unwanted or unneeded programs and traffic. Blocking Tor, often used by ransomware to communicate anonymously, is simple with McAfee network security products such as McAfee Network Security Platform and McAfee Next Generation Firewall. Blocking Tor will often block ransomware from getting the public RSA key from the control server, thereby stopping the ransomware encryption process. For customers without McAfee network security products, our Endpoint Intelligence Agent is a good alternative. It runs on the endpoint and identifies malicious outbound traffic and its associated application.
  • Keep system patches up to date. Many vulnerabilities commonly abused by ransomware can be patched. Keep up to date with patches to operating systems, Java, Adobe Reader, Flash, and applications. Have a patching procedure in place and verify whether the patches were applied successfully. McAfee Vulnerability Manager can spot vulnerabilities within your trusted network.

Attached files:

  • McAfee_Labs_Threat_Advisory-Ransomware-Locky.pdf
  • Ransomware_Update_RevI.pdf
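
The antispam item above says to block uncommon attachment types such as .scr and to scan at least two levels into .zip files. The following Python sketch of that check is an added example, not McAfee Email Gateway's logic or configuration; the extensions beyond .scr, the size cap, and the block/quarantine/pass verdicts are assumptions.

```python
import io
import zipfile

BLOCKED_EXTENSIONS = {".scr", ".exe", ".js", ".vbs"}  # assumed list; the page names only .scr
MAX_DEPTH = 2                  # the page's "at least two levels into the .zip file"
MAX_MEMBER_BYTES = 20 * 2**20  # assumed cap so a zip bomb is never expanded in memory


def make_zip(members):  # builds constructed sample archives from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def _is_zip(archive, info):
    with archive.open(info) as member:  # sniff the magic bytes: catches renamed archives
        return member.read(4) == b"PK\x03\x04"


def scan_zip(data, depth=1, prefix=""):
    """Return (blocked, unscanned) member paths; '!' separates nesting levels."""
    blocked, unscanned = [], []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return blocked, [prefix.rstrip("!") or "<attachment>"]
    with archive:
        for info in (i for i in archive.infolist() if not i.is_dir()):
            path = prefix + info.filename
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in BLOCKED_EXTENSIONS:
                blocked.append(path)
            elif info.flag_bits & 0x1:
                unscanned.append(path)      # encrypted member: content cannot be inspected
            elif ext == ".zip" or _is_zip(archive, info):
                if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    unscanned.append(path)  # deeper or larger than the policy inspects
                else:
                    b, u = scan_zip(archive.read(info), depth + 1, path + "!")
                    blocked, unscanned = blocked + b, unscanned + u
    return blocked, unscanned


def verdict(data):
    blocked, unscanned = scan_zip(data)
    return "block" if blocked else "quarantine" if unscanned else "pass"
```

Anything the scan could not open (encrypted members, archives nested past the second level, malformed zips) is quarantined rather than passed, so nesting depth cannot be used to slip past the rule.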