What is ransomware, how to deal with it and how to protect yourself?
News | 07.12.2021
In this article, we explain what ransomware is, how to detect ransomware programs, and how and by what means to protect against it.
Ransomware attacks are on the rise. Ransomware attacks nearly doubled in the first half of 2021, according to a recent study, with Eastern European countries being the most targeted countries, accounting for approximately 55% of infections.
What is ransomware?
Ransomware is a type of malware that, once launched, encrypts the victim's files, databases or applications and holds them for ransom. Once infected, the victim will be presented with a message informing them that they can decrypt their files on the condition that they pay a ransom - usually in cryptocurrency.
The latest versions of the ransomware use a "triple extortion" technique, which involves obtaining a copy of the victim's data before starting the encryption process. The attackers will then threaten to release the data if the victim refuses to pay the ransom. Thus, attackers create "digital hostages" for themselves.
In this article, you can learn about another popular way for cyber fraudsters to "make money": cryptojacking, the hidden mining of cryptocurrency using your computing power. Details at the link.
Why is it so hard to detect ransomware?
First, as with most types of malware, ransomware attacks usually begin with some form of social engineering, and in most cases organizations only become aware of an attack after all the data has been encrypted.
The problem with detecting social engineering attacks is that the actions involved look harmless to the user (click, download, run), and the attacks target all users, regardless of their role in the company.
Secondly, once a target is infected, the ransomware script will try to spread to as many different systems as possible, making it difficult to contain.
As if that were not enough, over the past five years we have seen the spread of strains known as "fileless ransomware", which are even harder to detect because they do not write any files to the victim's device. Fileless ransomware attacks typically use Microsoft Windows PowerShell, which gives attackers access to virtually everything in a Windows environment.
What are the most common ransomware infections?
As mentioned, most ransomware attacks use some form of social engineering such as phishing. An attacker usually masquerades as a trusted entity in order to trick the victim into downloading a malicious application.
However, there are many other ways to get infected. For example, in some cases, the victim will be redirected to a malicious website that prompts them to install ransomware. Alternatively, the website could present a fake login screen that an attacker would use to collect credentials and then use those credentials to launch an attack from within the target organization.
Some forms of ransomware are built into the applications and plugins that victims install. Although less common, there are cases where the ransomware is stored on a removable drive that is automatically launched when the victim plugs the drive into their device.
Finally, we are starting to see an increase in ransomware attacks that use the Remote Desktop Protocol (RDP) to execute a script.
Best practices for detecting ransomware
Most companies already use security software solutions such as anti-virus software, spam filters and sandboxes. However, many types of ransomware are capable of bypassing such solutions these days. While there may not be a magic bullet when it comes to detecting and preventing ransomware attacks, there are some best practices that organizations should follow, including:
1. Cybersecurity training for employees
Since employees are the weakest link in this scenario, the obvious first step is to make sure that all employees can recognize potentially malicious emails, which means checking for the following:
- Emails containing suspicious file attachments or links to external sites.
- Emails sent from public email domains like Gmail, Hotmail, Yahoo, and so on.
- Emails sent from addresses that appear legitimate at first glance, but upon closer inspection, are actually fake. A simple example would be something like support@googgle.com.
- Emails with poor spelling and grammar.
- Emails that create a sense of urgency.
All employees should also be vigilant when visiting suspicious websites, downloading untrusted applications, or using portable drives that they do not own.
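The email checks listed above can be turned into a simple triage routine that flags a message for human review. The following is an added example written for this article, not code from the original page or from any product it mentions; the trusted-domain list, the public-domain list and the two sample messages are constructed for the demonstration. It implements four of the five checks (suspicious attachments and external links, public sender domains, lookalike sender domains and urgency wording); the spelling-and-grammar check is left to a human reader.

```python
"""Heuristic triage of an inbound email against the phishing checks above.

Added example: the domain lists and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Public webmail domains a business partner would not normally write from.
PUBLIC_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
# Domains the organisation expects mail and links from (assumed for the example).
TRUSTED_DOMAINS = {"google.com", "example-corp.com"}
# Attachment types that can execute code when opened.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "urgent", "final notice")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates: close in spelling but not equal."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def triage(mail):
    """Return a list of human-readable findings; an empty list means no flag raised."""
    findings = []
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain in PUBLIC_DOMAINS:
        findings.append(f"sender uses public mail domain {domain}")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} looks like {imitated}")
    for name in mail.attachments:
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    for url in mail.links:
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host not in TRUSTED_DOMAINS:
            findings.append(f"link to external site {host}")
    text = (mail.subject + " " + mail.body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency phrase '{phrase}'")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample resembling the support@googgle.com case in the text.
    sample = Email(sender="support@googgle.com",
                   subject="Urgent: verify your account",
                   body="Your account will be suspended unless you verify immediately.",
                   attachments=["invoice.exe"],
                   links=["http://login-verify.example.net/auth"])
    for finding in triage(sample):
        print("FLAG:", finding)
```

A message that raises no findings is not proven safe; the routine is a first filter that decides which mail deserves a closer look, in the same spirit as the checklist employees are trained on.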
By the way, even a letter from the tax office can be forged. The Softprom team conducted a study of how well our tax authorities are protected. Spoiler: very badly. Details at the link.
2. Threshold Alerting
A well-known method for preventing the spread of ransomware is threshold alerting. It involves detecting and responding to events that meet a predetermined threshold condition. For example, if X files were encrypted within a given period of time, a custom script could be run that would:
- Disable the user account;
- Stop a specific process;
- Change firewall settings;
- Back up data from critical systems;
- Shut down or isolate a specific endpoint or server.
Some sophisticated real-time auditing solutions provide script templates that run automatically once the threshold conditions are met.
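The threshold logic described above can be prototyped with a sliding window over file-server audit events. The following is an added example written for this article, not code from the original page or from LepideAuditor; the event format, the policy values (20 modifying operations per account within 60 seconds) and the sample events are constructed. The response actions are returned as a plan attached to the alert rather than executed, so the policy can be reviewed and tested before anything is wired to account disabling or host isolation.

```python
"""Sliding-window threshold alert over file-server audit events.

Added example: events, policy values and the response plan are constructed.
"""
from collections import defaultdict, deque

# Policy (assumed): more than MAX_EVENTS modifying operations by one account
# within WINDOW seconds is treated as a possible encryption burst.
MAX_EVENTS = 20
WINDOW = 60
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}
# Ordered response plan mirroring the actions listed in the text.
RESPONSE_PLAN = [
    "disable user account",
    "stop offending process on source endpoint",
    "block source endpoint at firewall",
    "trigger backup of critical systems",
    "isolate source endpoint",
]


class ThresholdDetector:
    def __init__(self, max_events=MAX_EVENTS, window=WINDOW):
        self.max_events = max_events
        self.window = window
        self._recent = defaultdict(deque)   # user -> timestamps of recent modifying ops
        self.alerts = []

    def ingest(self, event):
        """event: dict with ts (seconds), user, op, path, host. Returns an alert or None."""
        if event["op"] not in MODIFYING_OPS:
            return None
        q = self._recent[event["user"]]
        q.append(event["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and event["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_events:
            alert = {"user": event["user"], "host": event["host"], "count": len(q),
                     "ts": event["ts"], "actions": list(RESPONSE_PLAN)}
            self.alerts.append(alert)
            q.clear()   # one burst produces one alert, not one per extra event
            return alert
        return None


def make_sample_events():
    """Constructed audit log: one normal user and one account renaming files in bulk."""
    events = []
    for i in range(5):   # alice edits five documents over a minute
        events.append({"ts": 10 + i * 10, "user": "alice", "op": "WRITE",
                       "path": f"/share/doc{i}.docx", "host": "ws-01"})
    for i in range(30):  # bob renames thirty files in fifteen seconds
        events.append({"ts": 100 + i * 0.5, "user": "bob", "op": "RENAME",
                       "path": f"/share/report{i}.xlsx.locked", "host": "ws-07"})
    return sorted(events, key=lambda e: e["ts"])


def run(events, **policy):
    """Feed events through a detector and return the alerts it raised."""
    detector = ThresholdDetector(**policy)
    for event in events:
        detector.ingest(event)
    return detector.alerts


if __name__ == "__main__":
    for alert in run(make_sample_events()):
        print(f"ALERT user={alert['user']} host={alert['host']} "
              f"ops={alert['count']} -> {alert['actions'][0]}")
```

The window size and count are the tuning knobs: set them from a baseline of normal activity on the share, since a too-low threshold will disable accounts of users who legitimately save many files (a bulk export, for instance), while a too-high one lets an encryption run finish before the alert fires.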
3. Monitor suspicious network traffic as one of the ways to fight ransomware
Most ransomware strains use Command and Control (C&C) servers to communicate with infected systems, which can include sending commands, storing keys, retrieving data, monitoring the organization's response, and more. We recommend using an Intrusion Prevention System (IPS) to find suspicious network traffic and block such communication in real time.
4. Use traps (honeypots)
Traps are another effective way to detect ransomware attacks. Basically, the trap acts as a decoy, posing as legitimate file storage. No employee has access to the data stored in the trap, so any activity on the files in the trap should be considered malicious.
You can learn how honeypot traps work by clicking on the link. If you would rather not read, there is a colorful video at the end of the article: a cartoon about the storming of a fortress that explains the basic principles.
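A file-level trap can be as simple as a few decoy documents whose fingerprints are recorded and re-checked. The following is an added example written for this article, not code from the original page or from any honeypot product; the decoy names and contents are constructed and harmless, and the tampering routine only stands in for what an encryption run would do to the decoys (rewrite one, rename another) so that the check can be exercised offline.

```python
"""Decoy-file ("honeypot") integrity check.

Added example: plants decoy documents in a directory nobody should use,
records a baseline of hashes, and reports any decoy that was modified,
renamed or removed. Decoy names and contents are constructed.
"""
import hashlib
import os
import tempfile

DECOY_NAMES = ["Q3_payroll.xlsx", "passwords_backup.txt", "board_minutes.docx"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_decoys(directory):
    """Create decoy files with harmless filler content; return name -> sha256 baseline."""
    os.makedirs(directory, exist_ok=True)
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(f"decoy {name} - constructed content\n".encode().ljust(4096, b"\0"))
        baseline[name] = sha256_file(path)
    return baseline


def check_decoys(directory, baseline):
    """Compare the trap directory with the baseline. Any difference is suspicious."""
    findings = []
    present = set(os.listdir(directory))
    for name, digest in baseline.items():
        if name not in present:
            findings.append(("missing", name))
        elif sha256_file(os.path.join(directory, name)) != digest:
            findings.append(("modified", name))
    for name in present - baseline.keys():
        findings.append(("unexpected", name))
    return findings


def simulate_tampering(directory):
    """Stand-in for an encryption run: overwrite one decoy, rename another."""
    with open(os.path.join(directory, "Q3_payroll.xlsx"), "wb") as f:
        f.write(os.urandom(4096))
    os.rename(os.path.join(directory, "board_minutes.docx"),
              os.path.join(directory, "board_minutes.docx.locked"))


def demo():
    """Plant decoys, verify a clean check, tamper, and return both results."""
    with tempfile.TemporaryDirectory() as trap:
        baseline = plant_decoys(trap)
        clean = check_decoys(trap, baseline)
        simulate_tampering(trap)
        return clean, sorted(check_decoys(trap, baseline))


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    for kind, name in after:
        print(f"ALERT decoy {kind}: {name}")
```

In production the check runs on a schedule or from a file-system watcher, and a single finding is enough to raise an alert, because by construction no legitimate process touches the trap. Placing the decoys so they sort early in directory listings is a common refinement, since ransomware typically walks the file tree in order.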
This concludes our detailed overview of how to protect against ransomware. As usual, at the end we offer a way to protect against many of the threats described above: LepideAuditor, a powerful tool for detecting and neutralizing all insider threats.
You can use LepideAuditor for instant auditing of configuration changes to Active Directory, Group Policy, Exchange Server, Windows file systems, and NetApp Filer. The solution enables you to detect the spread of ransomware attacks on your network with real-time alerts and thresholds.
At this link you can find more details about LepideAuditor and how the solution can help you harden your infrastructure.