Chances are you know someone, or some organization, who has suffered a ransomware attack – it could be your local police department, a small business, a big hospital, or someone in your family.
If you haven’t been hit by ransomware personally, you’re either very lucky, or you’ve taken some proactive steps to protect your computers and files.
If you do get infected with ransomware, unless you’ve got backups, or the crooks made some kind of cryptographic mistake, you’re left with either paying or losing your locked-up files forever.
Prevention is far better than a cure. So here are 8 tips to protect yourself against ransomware.
1. Back up your files regularly and keep a recent backup off-site.
The only backup you’ll ever regret is one you left for “another day.” Backups can protect your data against more than just ransomware: theft, fire, flood or accidental deletion all have the same effect. Make sure you encrypt the backed up data so only you can restore it.
2. Don’t enable macros.
A lot of ransomware is distributed in Office documents that trick users into enabling macros. Microsoft has just released a new feature in Office 2016 that limits what macros can do: administrators can set a policy that blocks macros outright in documents downloaded from the internet, so users can’t be tricked into enabling them.
3. Consider using Microsoft Office viewers.
They allow you to see what a Word or Excel document looks like without macros. The viewers don’t support macros so you can’t enable them by mistake, either.
4. Be very careful about opening unsolicited attachments.
Most Windows ransomware in recent months has been embedded in documents distributed as email attachments.
5. Don’t give yourself more login power than necessary.
Don’t stay logged in as an administrator any longer than necessary. Avoid browsing, opening documents or other regular work activities while logged in as administrator.
6. Patch, patch, patch.
Malware that doesn’t come in via document macros often relies on bugs in software and applications. When you apply security patches, you give the cybercriminals fewer options for infecting you with ransomware.
7. Train and retrain employees in your business.
Your users can be your weakest link if you don’t train them how to avoid booby-trapped documents and malicious emails.
8. Segment the company network.
Separate functional areas with a firewall, e.g., the client and server networks, so that systems and services can be reached only where genuinely necessary. Ransomware that lands on one workstation can then scramble only what that workstation is allowed to write to, not everything on the network.
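Tip 2 refers to a policy setting rather than a product. The following PowerShell is an added example, not code from the original article or from Microsoft: it applies the Office 2016 policy “Block macros from running in Office files from the Internet” for Word, Excel and PowerPoint in the current user’s registry hive and then reads the values back so you can confirm the change. It assumes Office 2016 (registry version key 16.0); the value name `blockcontentexecutionfrominternet` is the one Microsoft documents for this policy, and in a domain you would normally push the same value with Group Policy instead of running this by hand.

```powershell
# Added example (not from the original article): enable and verify the Office 2016
# "Block macros from running in Office files from the Internet" policy.
# Assumption: Office 2016, whose policy keys live under the 16.0 version key.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

function Set-BlockInternetMacros {
    param(
        [string[]]$Applications,
        [string]$Version
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # DWORD 1 = block macros in files that carry the Mark-of-the-Web
        # (downloaded from the internet zone); the user cannot click "Enable Content".
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-BlockInternetMacros {
    param(
        [string[]]$Applications,
        [string]$Version
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\$Version\$app\Security"
        $item = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = ($null -ne $item -and $item.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-BlockInternetMacros -Applications $apps -Version $officeVersion
Get-BlockInternetMacros -Applications $apps -Version $officeVersion | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The policy only bites on files that still carry the Mark-of-the-Web (the Zone.Identifier stream Windows attaches to downloads), so a document that arrives by a route that strips that marker, such as being extracted from some archive tools or copied from a USB stick, is not covered by it; tips 3 and 4 still apply. And a policy stored only in HKCU protects one user profile, which is why a Group Policy Object is the right delivery mechanism on a domain.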
Further reading
Experts from Sophos have put together a comprehensive, free guide on how to stay protected against ransomware, including practical advice you can follow to secure yourself and your business in both the short term and down the road.
Image of businessman with umbrella courtesy of Shutterstock.com.
cindelicato
Establish a bitcoin wallet – just in case you ever need one.
Paul Ducklin
I like your thinking, and it’s good advice…but it doesn’t quite belong under the headline “tips for *preventing* ransomware”.
Mind you, neither does backup, but backup is still important as part of your overall resilience. So I’m accepting this as an honorary tip :-)
Anonymous
Don’t forget to back up your wallet as well though. The Locky ransomware encrypts wallet.dat.
https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
Kyle Saia
Paul, I don’t normally disagree with you, but in this case I do. Backups are a critical part of all things computing. Plus, if you can roll your system back to before the attack, as far as I’m concerned, you have prevented the attack.
This is why any tech worth a fast-food salary will go on and on about backups (as you do).
Robert Gray
Kyle, Paul’s remarks were directed toward bitcoin as being off-topic, not toward the backup process per se.
DennyBoBenny
I don’t like your thinking, and it’s horrible advice. If you have good backups you don’t need a bitcoin wallet to pay off these low life crooks. Bitcoin should be shut down…the only thing it’s good for is enabling crooks to rob people, companies, and organizations, and get away scot-free by covering their tracks.
mike@cloudmike.net
The FBI recommends that you don’t ever deal with criminals directly, and paying a ransom doesn’t guarantee that you will get your data back. The best thing you can do is keep your system up to date and backed up, and leverage cloud solution providers like Dropbox and Google Drive. Refrain from opening unsolicited emails with attachments or clicking on links within emails, as they can redirect you to websites that can exploit outdated software on your computer.
Paul Ducklin
Actually, the FBI is realistic enough to remind people that they may have no choice but to pay…comments that have led to people accusing them of recommending people to pay up (which they never did). In a rather twisted irony, if you pay up you probably *will* get your data back, and it’s that, ahhh, “reliability” that has helped the ransomware, errr, “industry” get where it is. As you say, though, it’s better not to pay, and a good backup is a much more reliable and broadly-useful recovery technique :-)
gadget37
Are you sure an offsite backup is helpful against ransomware? Isn’t it just as good to keep a disconnected backup?
Robert Gray
Simply disconnecting your backup doesn’t protect you from fire and theft. On the other hand, the probability that both your computer location and an external site will burn or be burglarized at the same time is quite small.
anon@anon.com
Don’t forget, though, that theft isn’t the only risk. What about the drive not spinning back up when you plug it in? If you are just using a single mechanical hard drive then you have to consider the operation of it as well.
sigfuss1
I ask the same question. On the cheap… Why not use a large external HD and backup to that every day or whatever and have the power supply of the HD on a timer? Shoot holes in that theory please.
Laurence Marks
> 3. Consider installing Microsoft Office viewers.
>They allow you to see what a Word or Excel document looks like without macros. The viewers don’t support macros so you can’t enable them by mistake, either.
Not sufficient to simply install them. You need to make them the default application for the MS Office filetypes to cover for that important-looking late-night email you’re going to check before toddling off to bed.
Paul Ducklin
I changed it to “using”, which keeps the tip nice and short but avoids the suggestion that just doing the install is enough.
James Mac
9. Keep in with the tech community, because there are ways to defeat ransomware. A few small registry hacks may be sufficient to fool the ransomware into not installing.
This, for example, is one way of stopping Locky.
Paul Ducklin
True. “Immunisations” like this can work well…but they can also give a false sense of security because they only work against one particular variant. Also, immunisations can be mutually exclusive, so that immunising against malware X unavoidably un-immunises you against malware Y. (This was very common in the early days of viruses, when lots of malware used a “magic marker” at the end of a file to avoid infecting it twice…and you could only have one marker at the end of the file at a time…)
Tom sheaiker
Great tips!
If you have an Active Directory domain, you can set up Group Policy (GPOs) to prevent ransomware:
http://www.sysadmit.com/2015/04/windows-gpo-para-prevenir-cryptolocker.html
Lizzz Russell
The answer is so OBVIOUSLY SIMPLE. Do not surf, read email, or download on work computers. Use a separate computer with a live CD and memory stick for those tasks and live happily ever after.
Paul Ducklin
The problem is that most businesses these days rely on email as a necessary communications tool to deal with customers, suppliers, prospects, the council, the tax office, colleagues and the world in general. The idea of “not reading email on work computers” is as good as impossible.
And anyway, in the “live CD plus memory stick” scenario, you’re still at risk. OK, so you get hit and your files get scrambled on the memory stick… your live CD means you can quickly reboot without the malware present, but your files are still scrambled.
Stavian
@Lizzz Russell, that’s really not the answer at all. It’s more around user education than what the endpoint provides.
Michael Theroux
And the number one tip not listed here? Stop using Microsoft. Simple.
Paul Ducklin
That doesn’t *prevent* ransomware. It merely makes it less likely, largely on market share grounds. There’s no magic smoke in non-Windows OSes that makes them untouchable by this sort of attack.
Indeed, ransomware exists and has been seen in the wild for at least OS X, Android, Linux desktops and Linux servers as well as Windows. For example:
https://nakedsecurity.sophos.com/ransomware-meets-linux
https://nakedsecurity.sophos.com/php-ransomware-attacks
https://nakedsecurity.sophos.com/ransomware-arrives-on-the-mac
https://nakedsecurity.sophos.com/android-police-warning-ransomware
So your tip will sort-of work… just don’t trick yourself into thinking it’s because of any extrafantastic superduper anti-ransomware resilience that the main non-Windows operating systems have, or because Linus is cleverer than the OS guys at Microsoft, or because Tim Cook is a hoopy frood :-)
Lizzz Russell
Dear Paul,
I understand what you are saying, but please consider that there are many, many businesses that could, in fact, separate email and browsing from work data by using a second computer on a segmented network.
I have repaired well over 20,000 computers over the years. Most of the data disasters I have seen are all the result of opening email, downloads, and browsing, in that order.
redwolfe_98
one of the “tips” was to use a limited-user account, with limited privileges.. would that stop ransomware from encrypting files? (or is that just generic advice which really wouldn’t help, in any way, when it comes to stopping ransomware?)
Paul Ducklin
The problem is that most ransomware encrypts any file it can find to which it has write access. Depending on the ransomware, this may include files on attached removable drives, mapped network drives, and even on network shares that aren’t yet explicitly mapped but are nevertheless visible and writable. In other words, the more powerful the account you use for day-to-day work, the more powerful the access rights you hand over to any ransomware that is launched under your account, and the more widespread the damage will be. If you’re logged in as a regular local user you will probably trash your own data. If you are logged in as a domain admin you may end up trashing everything on the network.
I added a sentence to clarify this…thanks for asking the question.
Steve
I might be being a bit naive here, but do all crypto/ransomware/malware need a connection to the dark web before they encrypt files? If so, could you set up a rule in your router/firewall to block all onion traffic? Maybe stopping the malware “ringing home and generating keys”?
Paul Ducklin
Not all. Some samples call home for a key and then encrypt. Other samples send the key home when they can, but don’t rely on the call-home to get started. This puts you on the horns of a dilemma…
Blocking call-homes will prevent some malware from encrypting up front. Blocking call-homes will prevent other malware from decrypting afterwards.
Tough call :-(
Steven
Half of these tips though just aren’t practical in the working world.
What about encrypting your file server?
Paul Ducklin
Which four of them are impractical? One of them merely says, “Be careful with this,” so it can’t be that. Another says, “Patch,” which some people don’t *like* doing but it’s certainly practicable these days (indeed, it can even be automated) unless you go out of your way to make it difficult, so it can’t be that one. A third simply says, “Consider doing that,” which is hardly impractical – it’s merely a suggestion. That leaves five items, of which you say four are impractical…
threedo
I think he means to the non-tech or organizational user, these tips may not offer the value they intended.
For example… people in organizations who rely on desktop departments to keep their systems up to date or backed up may or may not have something in place. Simply reading the tip does them no good, as it’s something they either don’t manage or may not be familiar with.
Paul Ducklin
I think the author of the article was hoping that the desktop department folks might be the ones reading the tips :-)
threedo
Encryption is practical?
Steven
2, 3, 7 and 8. I’m not saying they wouldn’t be nice, and all would be implemented in an ideal world. Just saying that, generally, in my experience the practicality of implementing these items is difficult.
And you didn’t address encrypting the file server?
Richard
Off-topic, but I’m looking at the picture at the top of this article, showing a lethal health and safety risk.
If I’m out and about during a thunderstorm, I am not going to be holding a lightning conductor in my hand.