Do not repeat the mistakes made by the Benešov hospital or OKD

What actually is ransomware?

Ransomware is one type of malicious software. The name suggests its aim is to get money from the victim by extortion (ransom). Recently, the destructive power of this system was demonstrated in a particularly unpleasant way to the staff of the Benešov hospital… The most familiar behaviour of ransomware is based on gaining control over a computer by encrypting the files located on it, prompting the owner to pay, following which the blackmailer will proceed to decrypt the files to their original state. Protecting yourself against this kind of attack is no trivial matter. However, there are more ways in which ransomware can spread, and therefore protection against ransomware must be performed on multiple levels according to the way it is distributed. First, let us mention the three most frequent ways in which ransomware is spread:
  • human carelessness,
  • known and untreated IT system issues,
  • currently less well-known IT system issues,
  • using outdated methods known to be unsafe.
Let us examine each category in more detail:

The most frequent causes of ransomware spreading

Human carelessness

Downloading software for personal use

Who amongst us has never downloaded some kind of software from the internet that they absolutely had to get, for example to play a film or for another purpose? When it is free, people do not really care all that much about the credibility of the source. Especially if the name of the program seems very credible.

Fraudulent email

Who amongst us checks carefully who sent the email with an attached file and seemingly accurate instructions claiming it is a form that needs to be completed as soon as possible and sent back to the Human Resources department? With the usual corporate graphic design, who will notice the fact the sender’s address does not have the usual suffix… And what if the attacker also spoofs the sender’s email address? The times of funny-looking emails in broken English are long gone. Today’s attacks are targeted and can confuse even experienced users.

Fraudulent phone calls

Who amongst us knows all the staff in the IT department and will be able to resist the apparent importance of a call from the “IT department”? “Allow me to introduce myself; I am new here…; …and since this is urgent, please go to website XY, download the file called fix_xy.exe and install it”.

Known and untreated IT system issues

Working on something when Windows insists on restarting your PC because of some updates? Do you postpone it, possibly even for a week? That is very bad. Once there is a fix for a security issue, it means the issue is so well known the number of potential attacks taking advantage of the issue can be increasing.

Currently less well-known IT system issues

These are issues that are not well known in general, but some people know about them. Especially a potential attacker. What is important is that there is no current fix (patch) for these issues, and nor are there any recommended solutions for how to eliminate them. These issues are quite dangerous because no effective protection against them is available.

Using outdated systems known to be unsafe

The world keeps moving forward, but people can be conservative. A new security method is developed. Weaknesses are found over time, as well as means of breaking through the security system. And so another security method is developed, and in time, that one is defeated as well. Over the course of several years, a wide range of security methods exists, and for compatibility reasons, even the oldest, least secure ones are still supported. The least secure methods should logically be removed, but it is not as simple as that – applications are often left to live on. And this might be the source of an issue. In the IT environment, there are systems that are relatively easy to break through and gain means to infiltrate some of the more modern systems.

How are you to protect yourself effectively?

Staff education

Staff training and practice, done regularly. The longer people go without an incident, the less cautious they are! There are tools to test people’s attention by sending them an email in a format you can customize. The tool then evaluates how many people have opened the mail and how many have read it. It will also offer training in the form of video courses. For example, the SOPHOS family of comprehensive IT protection programs can offer you such options.

Group protection

By group protection, we mean securing an internal, trusted environment in which (only) the relevant users are connected.

Network protection

Network resources protection is provided by next-generation firewalls. Unlike simple firewalls, which are still used in many organizations, these devices provide more complex methods of control, based on a number of solutions. The highest level of checking can be ensured by using what is called a sand box – meaning checking the behaviour of the file in an isolated environment. So if a file passes through a new-generation firewall with a sand box check, it is executed in the firewall manufacturer’s lab, with its behaviour being analysed there. Only then is it either allowed to be downloaded by the user, or downloading it is denied. Once again, the UTM (Universal Threat Management) SOPHOS is a good example.

Mail protection

The protection of mail servers is constantly evolving. Simple systems can check, for example, whether an infected file is included in an email. Modern systems can provide checks on a higher level. In addition to checking the sender’s trustworthiness, modern systems can, for example, check if the email address of a sender can originate from the server that sent the message. In other words, if an email with the sender address could have originated on a server that has nothing to do with the domain.

Individual protection

Individual protection is provided on the end device. The end device means a computer running various operating systems or a portable device, such as a mobile phone or a tablet. As already mentioned, ransomware is not a single type of software with behaviour that is exactly defined, and it can spread in various ways. Therefore, protection against it must be approached more broadly than a simple antivirus protection. The classic antivirus solution is based on scanning files and searching for signs (signatures) that distinguish known viruses. By its nature, it means the signature has to be described first for the program to be able to find the virus. But what about currently unknown and undocumented viruses with their signature missing on the end device? This is where a different method comes in, working in a slightly different way – it evaluates the behaviour of individual programs and software components and it is able to detect non-standard behaviour, prevent it and, ideally, also repair any damage. One of the products providing this level of protection is SOPHOS Intercept X, which is added as additional protection on top of standard antivirus solutions (either from SOPHOS or from other manufacturers).

In conclusion

The topic in question is more complex than what we have described here. The aim of the article was to familiarize you with some of the possible ways of introducing ransomware to your environment and to outline possible preventive measures. If you are interested in SOPHOS solutions, which are capable of providing full protection for your environment against ransomware and other malicious code, we are able not only to deliver and deploy the system for you, but also to manage it expertly. Feel free to contact us; we will be happy to advise you and show you our products in practice.