The Locky malware is ransomware that was distributed through large spam campaigns. The malicious attachments download and execute code that encrypts a wide range of critical file types on both local and networked file stores. Recommended steps for ransomware prevention are listed below.
Locky encrypts files by renaming them with a unique decimal filename and assigns them the “.locky” extension. Each directory containing encrypted files also receives instructions on how to use Bitcoin to pay a ransom for file recovery, and the system’s desktop background is changed to show the same payment instructions. Because the encryption is strong and well implemented, recovery of encrypted files is impossible without a data backup or the private key. While paying the ransom may result in receipt of the valid private key, enabling decryption of the targeted files, the FBI does not recommend the victim pay the ransom.
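The symptoms described above (a run of digits with the ".locky" extension, a recovery note in every affected directory) are what a defender can sweep a file share for. The following is an added example, not part of the original advisory: it walks a directory tree, counts renamed files per directory, records where notes were dropped, and raises an alert once a threshold is crossed. The note filename is not given above, so matching on its wording is an assumption to adjust to the sample in hand; the pattern also accepts hex digits so a narrow reading of "decimal" does not cause misses. The sample tree is constructed in a temporary directory so the sweep runs offline.

```python
import os
import re
import tempfile
from collections import defaultdict

# Symptoms from the description above: files renamed to a run of digits with the
# ".locky" extension. Hex digits are accepted as well as decimal ones.
LOCKY_FILE = re.compile(r"^[0-9a-f]+\.locky$", re.IGNORECASE)
# Assumption: the note's filename is not given above, so match on the wording a
# recovery note carries rather than on one fixed name.
NOTE_NAME = re.compile(r"recover.*instructions", re.IGNORECASE)


def sweep(root, alert_threshold=10):
    """Walk a share or volume under `root` and report encrypted files per
    directory (relative to root), directories holding a ransom note, and an
    alert flag once the total crosses `alert_threshold` (tune per share)."""
    per_dir = defaultdict(int)
    note_dirs = set()
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if LOCKY_FILE.match(name):
                per_dir[rel] += 1
            elif NOTE_NAME.search(name):
                note_dirs.add(rel)
    total = sum(per_dir.values())
    return {
        "encrypted_total": total,
        "per_dir": dict(per_dir),
        "note_dirs": sorted(note_dirs),
        "alert": total >= alert_threshold,
    }


def build_sample_tree():
    """Constructed share layout for a dry run: one untouched folder and two that
    show the renaming plus a dropped note. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "finance": ["budget.xlsx", "Q3_report.docx"],
        "hr": ["0123456789ABCDEF.locky", "FEDCBA9876543210.locky",
               "recover_instructions.txt"],
        os.path.join("hr", "archive"): ["1111222233334444.locky", "notes.txt",
                                        "recover_instructions.bmp"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    result = sweep(build_sample_tree(), alert_threshold=3)
    for directory, count in sorted(result["per_dir"].items()):
        print(f"{count:4d} encrypted file(s) in {directory}")
    print("ransom notes in:", ", ".join(result["note_dirs"]))
    print("ALERT" if result["alert"] else "below threshold")
```

Run it on a scheduled basis against each share root; the per-directory counts also tell you which user's working folders were hit first, which is the starting point for identifying the infected workstation.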
Recommended Steps for Ransomware Prevention
- Implement an employee awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.
- Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate inbound e-mail using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats, and filter executable files so they never reach end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with the least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files sent via e-mail instead of full Office suite applications.
- Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as the temporary folders used by popular Internet browsers and compression/decompression programs, and the AppData/LocalAppData folders.
- Implement application whitelisting and only allow systems to execute programs known and permitted by the security policy.
- Categorize data based on organizational value and implement physical/logical separation of networks and data for different organizational units.
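Three of the steps above (authenticating inbound mail with SPF/DMARC, filtering executable attachments, and keeping macro-bearing Office files away from users) come together at the mail gateway. The following is an added example, not code from the original advisory or from any product it mentions: it evaluates a sender domain's SPF and DMARC records, then classifies each attachment by content rather than by the name it wears. The DNS answers are replaced by a constructed record table and the message is built inline, so it runs offline; the domain names, record values and attachment names are all constructed.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed TXT records standing in for the DNS answers a gateway would fetch
# (assumption: a real deployment resolves these; nothing here touches the network).
SAMPLE_TXT = {
    "good.example": ["v=spf1 mx -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".hta"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
OFFICE_EXT = MACRO_EXT | {".docx", ".xlsx", ".pptx", ".doc", ".xls"}


def spf_policy(domain, txt=SAMPLE_TXT):
    """Final 'all' qualifier of the SPF record ('-all' rejects unauthorised
    senders, '~all' only soft-fails them) or 'missing'."""
    recs = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not recs:
        return "missing"
    last = recs[0].split()[-1]
    return last if last.endswith("all") else "missing"


def dmarc_policy(domain, txt=SAMPLE_TXT):
    """DMARC p= tag ('reject', 'quarantine' or 'none') or 'missing'."""
    recs = [r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not recs:
        return "missing"
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    return tags.get("p", "none").lower()


def check_sender_domain(domain, txt=SAMPLE_TXT):
    """Spoofed mail is only stopped when DMARC asks receivers to quarantine or
    reject; an SPF record alone is advisory."""
    spf, dmarc = spf_policy(domain, txt), dmarc_policy(domain, txt)
    return {"spf": spf, "dmarc": dmarc, "enforcing": dmarc in ("reject", "quarantine")}


def has_vba_project(data):
    """Open XML Office files are zip archives; a vbaProject.bin part means the
    document carries VBA macros whatever its extension claims."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return 'block:executable', 'block:disguised', 'block:macro' or 'allow'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data[:2] == b"MZ":  # PE header: an executable regardless of its name
        return "block:executable" if ext in EXECUTABLE_EXT else "block:disguised"
    if ext in EXECUTABLE_EXT:
        return "block:executable"
    if ext in OFFICE_EXT and (ext in MACRO_EXT or has_vba_project(data)):
        return "block:macro"
    return "allow"


def scan_message(raw, txt=SAMPLE_TXT):
    """Parse one RFC 5322 message and return the gateway's findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()
    findings = {"sender": check_sender_domain(domain, txt), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings["attachments"][name] = classify_attachment(name, part.get_payload(decode=True))
    return findings


def build_sample_message():
    """Constructed lure: a .docx hiding a VBA project, an executable renamed to
    .pdf and a harmless text file, sent from the weakly protected domain."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf constructed macro stub")
    msg = EmailMessage()
    msg["From"] = "Payroll <invoice@weak.example>"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice J-98223"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="scan.pdf")
    msg.add_attachment("Plain notes, nothing to see.", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

The two sender checks are deliberately reported separately: a domain can publish a strict SPF record and still be freely spoofable if its DMARC policy is p=none, which is why the list above names all three technologies rather than any one of them. Inspecting the zip contents for vbaProject.bin catches macro documents whose extension has been changed, and the MZ header check catches executables renamed to look like documents.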
If you would like more information about protecting your systems from ransomware, please send us an email.