Ransomware protection — what you may be missing

Jul 25, 2016


Unless you have been living on a remote island with no internet access, you are no doubt familiar with ransomware.

It is a simple but frightening concept: encrypt all of a victim's files so they are unusable, then demand payment for the key to get them back. Ransomware is definitely a growth industry, with a 30% increase in cases in Q1 of 2016 alone, according to Security Intelligence.

We should not be surprised at all by this trend, as it seems to be the nearly perfect crime. It is an easy business to start, with most of the needed tools available inexpensively on the dark web. The criminals' customer base, the victims whose files are being held hostage, is highly motivated, since those files are unusable until the ransom is paid. And since payment is typically made in Bitcoin, the transactions are difficult to trace back to a person.

While ransomware has hit individuals and industries indiscriminately, it can cause the most trouble in industries like healthcare, where the impact of an infected system can reach far beyond inconvenience. In recent months, the information security world has seen an increase in targeted attacks, focusing on businesses and organizations over individuals. According to Security Week, this is not surprising, given that corporations can afford to pay more, and can ill afford to have their operation shut down by an infection.

In the past few months, I have lost track of the number of articles I have read on the topic of ransomware protection. Sadly, most of the ones I read are remarkably similar, with the same top 10 or so approaches to prevention, including having a good anti-virus package, good backups, and well trained users.

These are all good and appropriate approaches, but if you follow this area as closely as I do, you have seen them over and over, to the point where your eyes glaze over. As the saying goes, sometimes you can't see the forest for the trees. We are so used to seeing the top 10 prevention techniques that we sometimes miss the less discussed approaches. These are important, because the purveyors of ransomware read the same articles with the common approaches, and can use them as a road map to improve their techniques.

One of my customers is a large healthcare institution, and one of my major focuses with them has been to take a deep look at approaches to ransomware prevention and recovery. In the process, I have found many things that organizations can do that are not often discussed in the trade press. Since we in the business world need all the help we can get at this point, these can be very important. Consider a few of these:

Test your backups

A good backup can be your ticket to recovery from a ransomware attack without having to write a big check. The problem, however, is that an untested backup may turn out to be useless when it is really needed. It is possible to go for months without realizing that your backup process is failing, whether because a job silently stops, a target volume fills up, or the files being copied are already corrupt.

The only way to make sure backups are ready when you need them is to test them. This means restoring a sample of files from backup on a schedule, and confirming that the restored files are complete, readable and identical to what was backed up, not merely that the backup job reported success. While testing is a critical aspect of the backup process, it is often overlooked, even by large companies. One further caveat: ransomware encrypts any backup it can reach, including mapped network shares, so at least one copy of the backup must be offline or otherwise not writable from the workstations it protects.
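The restore test described above, as an added example that is not from the original article. It records a SHA-256 manifest when the backup is taken, later restores a random sample of files into a scratch directory and checks each one against that manifest, and reports any file that is missing or altered. The directory layout, file names and the two kinds of damage in `demo()` are constructed for illustration.

```python
"""Periodic restore test: pull a random sample of files back out of a backup
and prove they are byte-for-byte what was backed up (added example)."""
import hashlib
import json
import os
import random
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed name; written alongside the backup


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source, backup):
    """Copy the source tree to the backup location and record a hash for every
    file. The manifest is written at backup time, so a later restore is checked
    against what the data looked like when it was saved, not against live data
    that may since have been encrypted."""
    source, backup = Path(source), Path(backup)
    manifest = {}
    for p in source.rglob("*"):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_of(p)
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_test(backup, fraction=0.25, seed=None):
    """Restore a random sample of files into a scratch directory and verify each
    against the manifest. Returns a report; a non-empty 'failed' list means the
    backup cannot be trusted and someone needs to look at the backup job."""
    backup = Path(backup)
    manifest = json.loads((backup / MANIFEST).read_text())
    names = sorted(manifest)
    k = max(1, round(len(names) * fraction))
    sample = random.Random(seed).sample(names, k)
    report = {"sampled": k, "total": len(names), "ok": [], "failed": []}
    with tempfile.TemporaryDirectory() as scratch:
        for rel in sample:
            dst = Path(scratch) / rel
            try:
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(backup / rel, dst)  # the actual "restore" step
                actual = sha256_of(dst)
            except OSError as e:  # missing file, unreadable media, etc.
                report["failed"].append((rel, f"restore error: {e}"))
                continue
            if actual == manifest[rel]:
                report["ok"].append(rel)
            else:
                report["failed"].append((rel, "hash mismatch"))
    return report


def demo():
    """Constructed scenario: back up a small tree, damage the backup the way a
    silently failing job would (one file never copied, one truncated), and run
    the restore test over every file so the result is deterministic."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "data", Path(tmp) / "backup"
        files = {
            "notes.txt": b"patient scheduling notes\n",
            "reports/q1.csv": b"id,amt\n1,10\n",
            "reports/q2.csv": b"id,amt\n2,20\n",
            "img/scan1.bin": os.urandom(4096),
            "img/scan2.bin": os.urandom(4096),
            "config.ini": b"[db]\nhost=db1\n",
            "a.doc": b"x" * 100,
            "b.doc": b"y" * 100,
        }
        for rel, data in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        take_backup(src, bak)
        (bak / "notes.txt").unlink()                        # never made it to the backup
        (bak / "reports/q2.csv").write_bytes(b"id,amt\n")   # truncated copy
        return restore_test(bak, fraction=1.0, seed=1)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production the `fraction` would be small and the job scheduled, with the report going to whoever owns the backup, and the scratch restore should come from the offline copy rather than the online one so the test exercises the media you would actually depend on.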

Use intrusion prevention

Intrusion Prevention Systems (IPS), which monitor network traffic looking for attempts to exploit vulnerabilities, can be a valuable weapon in the fight against ransomware. It often takes weeks or months for a vendor to release a patch once a new vulnerability is discovered. Even more time can elapse before the patch gets applied to all systems within an organization.

An IPS, which normally sits at the network perimeter (and increasingly, on the internal network as well), can offset some of the danger of unpatched workstations by detecting and filtering out attempts to exploit such vulnerabilities. It is a complement to patching rather than a replacement for it: an IPS cannot inspect encrypted traffic it does not terminate, and it does nothing about a payload a user launches from an email attachment, which is still how most ransomware arrives.

IPS technology can be part of a firewall, such as with the Dell Sonicwall products, or as a standalone device, like Trend Micro TippingPoint. IPS is quickly becoming a must-have technology for any business or organization.

Block attachments

Despite the improvements in ransomware technology, in most cases, these programs still depend on a user opening an attachment to an email they receive. As such, user training occupies a key spot on most ransomware prevention checklists, and one I strongly support.

The problem, however, is that even the best trained users can slip up. Companies that use phishing testing/training products such as PhishMe typically find some percentage of users who fail the test, meaning that some will likely fall for a real phishing message as well. One surprisingly overlooked approach to ransomware is to block all but essential attachment types at the email server, so that the message never reaches the user who would have opened it.

A good example of the need for attachment blocking is the recently discovered RAA ransomware variant, which is implemented entirely in JavaScript. It is usually spread as a .JS attachment to an email, disguised as a Microsoft Office document; on a Windows workstation, double-clicking a .JS file runs it through the Windows Script Host, so no exploit is needed. Very few companies really have a need to send or receive .JS attachments, but few attempt to block them, or the other script and executable types commonly used as attack vectors (.JSE, .VBS, .WSF, .HTA, .EXE, .SCR and the like). A blocklist should also look at double extensions such as "Invoice.docx.js" and at the contents of archives, since attackers wrap the script in a .zip to get it past a filter that only looks at the outer filename.
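A mail-gateway style attachment check, as an added example that is not from the original article or any product it mentions. It parses a message, flags attachments whose name carries a blocked extension anywhere in its suffix chain (so "Invoice.docx.js" is caught), and looks one level inside .zip attachments for the same types. The extension list, addresses and sample messages in `demo()` are constructed for illustration; a real deployment would tune the list to what the business actually needs to receive.

```python
"""Attachment-type filter for an inbound mail gateway (added example).
Rejects script and executable attachments, including disguised double
extensions and scripts shipped inside a zip."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed blocklist: types that a typical office has no business receiving by mail.
BLOCKED_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr", "pif",
    "com", "bat", "cmd", "ps1", "jar", "lnk",
}
ARCHIVE_EXTENSIONS = {"zip"}


def blocked_reason(filename):
    """Return why a filename should be blocked, or None. Every suffix after
    the first dot is checked, so 'Invoice.docx.js' fails as well as 'x.js'."""
    for suffix in filename.lower().split(".")[1:]:
        if suffix in BLOCKED_EXTENSIONS:
            return f"blocked type .{suffix}"
    return None


def scan_zip(data):
    """Look one level into a zip archive for blocked member names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reason = blocked_reason(member)
                if reason:
                    return f"{reason} inside archive ({member})"
    except zipfile.BadZipFile:
        return "corrupt or non-zip archive"  # fail closed on unreadable archives
    return None


def check_message(raw):
    """Return a list of (filename, reason) for attachments that should be
    rejected. An empty list means the message may be delivered."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = blocked_reason(name)
        if reason is None and name.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTENSIONS:
            reason = scan_zip(part.get_payload(decode=True))
        if reason:
            findings.append((name, reason))
    return findings


def build_message(attachments):
    """Constructed test message; attachments are (filename, bytes, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "ap@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def demo():
    """Three constructed messages: a .js hiding behind an Office-looking name,
    the same script inside a zip, and a legitimate PDF."""
    js_body = b"var sh = new ActiveXObject('WScript.Shell');"  # placeholder, not a real sample
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Invoice_2016.doc.js", js_body)
    disguised = build_message([("Invoice_2016.docx.js", js_body, "application", "octet-stream")])
    zipped = build_message([("Invoice_2016.zip", zbuf.getvalue(), "application", "zip")])
    clean = build_message([("Invoice_2016.pdf", b"%PDF-1.4 placeholder", "application", "pdf")])
    return {
        "disguised": check_message(disguised),
        "zipped": check_message(zipped),
        "clean": check_message(clean),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "deliver")
```

Note that the suffix-chain rule is deliberately aggressive: "notes.js.txt" is also rejected. That is the right default for a filter whose purpose is to stop executable content, and the rare legitimate case is better handled by an exception for a named sender than by loosening the rule.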

Use behavioral analysis

Most anti-virus programs are signature-based and can only block malware that has been seen before. The challenge is that hundreds of thousands of new malware variants are seen every day, according to AV-TEST. An alternative approach is to monitor activity on the workstation itself, looking for the patterns most malware programs share. Certain behaviors are common to nearly all ransomware, such as one process rapidly rewriting large numbers of user files with encrypted (high-entropy) content and renaming them to a new extension, so the variant can often be spotted and stopped even though it has never been seen before. While this approach is still in its infancy, it is growing rapidly, with products such as the Barkly agent. The trade-off is false positives: backup, compression and encryption tools produce the same kind of writes, so thresholds and exclusions need tuning before the agent is allowed to kill processes.
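A minimal behavioral heuristic of the kind just described, as an added example that is not from the original article or from any vendor's product. It watches a stream of file-activity events per process, scores writes by Shannon entropy of the written bytes and renames by whether the extension changed, and raises one alert when a single process crosses either threshold inside a sliding window. The event format, process names, thresholds and the event stream in `demo()` are all constructed; a real agent would get these events from a filesystem filter driver or audit subsystem.

```python
"""Behavioral ransomware heuristic over a constructed file-activity stream
(added example). Flags a process that, within a short window, rewrites many
files with high-entropy content or renames many files to a new extension."""
import math
import random
from collections import defaultdict


def shannon_entropy(data):
    """Bits per byte. Encrypted or compressed data sits near 8.0; plain text
    and typical office documents are well below 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class RansomwareHeuristic:
    """Per-process sliding-window counters. Thresholds are assumed values."""

    def __init__(self, window_s=10.0, min_writes=5, min_renames=5, entropy_threshold=7.0):
        self.window_s = window_s
        self.min_writes = min_writes
        self.min_renames = min_renames
        self.entropy_threshold = entropy_threshold
        self.history = defaultdict(list)  # pid -> [(t, kind)]
        self.alerted = set()               # alert once per pid

    def observe(self, ev):
        """ev: dict with t, pid, process, op ('write' or 'rename'), path, and
        either data (bytes) for writes or new_path for renames.
        Returns an alert dict when a threshold is crossed, else None."""
        kind = None
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= self.entropy_threshold:
            kind = "high_entropy_write"
        elif ev["op"] == "rename" and extension(ev["path"]) != extension(ev["new_path"]):
            kind = "extension_change"
        if kind is None or ev["pid"] in self.alerted:
            return None
        hist = self.history[ev["pid"]]
        hist.append((ev["t"], kind))
        cutoff = ev["t"] - self.window_s
        hist[:] = [(t, k) for t, k in hist if t >= cutoff]  # drop events outside the window
        writes = sum(1 for _, k in hist if k == "high_entropy_write")
        renames = sum(1 for _, k in hist if k == "extension_change")
        if writes >= self.min_writes or renames >= self.min_renames:
            self.alerted.add(ev["pid"])
            return {"t": ev["t"], "pid": ev["pid"], "process": ev["process"],
                    "high_entropy_writes": writes, "extension_changes": renames}
        return None


def run(events, detector=None):
    detector = detector or RansomwareHeuristic()
    return [a for a in (detector.observe(e) for e in events) if a]


def demo():
    """Constructed stream: Word saving a document, an archiver writing one
    high-entropy file (legitimate, stays under threshold), then a script host
    encrypting and renaming six documents in three seconds."""
    rng = random.Random(7)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))  # stands in for ciphertext
    events = [
        dict(t=0.0, pid=100, process="winword.exe", op="write",
             path=r"C:\Users\jo\Docs\report.docx", data=b"Quarterly report text. " * 100),
        dict(t=1.0, pid=200, process="7z.exe", op="write",
             path=r"C:\Users\jo\Docs\archive.7z", data=noise(4096)),
    ]
    for i in range(6):
        p = rf"C:\Users\jo\Docs\file{i}.docx"
        events.append(dict(t=2.0 + i * 0.5, pid=666, process="wscript.exe",
                           op="write", path=p, data=noise(2048)))
        events.append(dict(t=2.1 + i * 0.5, pid=666, process="wscript.exe",
                           op="rename", path=p, new_path=p + ".locked"))
    return run(events)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The single archive write from `7z.exe` is the false-positive case the section warns about: it scores as high entropy but never reaches the per-window count, which is why the heuristic counts events per process over time rather than reacting to any one write.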

Bottom line — we need all the help we can get in the war against ransomware. We all need to look beyond the trees, the common tips and recommendations we read about daily, and to the forest of new ideas and techniques that can put us ahead of the bad actors for a change.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
