6 Ransomware Protection Strategies You Must Know

How Does a Ransomware Attack Work?

Image source: Wikimedia Commons

A ransomware infection usually occurs in two phases:

1. Ransomware encrypts files or locks the device—encryption involves scrambling files or a file structure until the data is no longer usable. Most ransomware programs use data encryption methods that victims cannot reverse without using a unique decryption key. This method enables attackers to demand ransom in exchange for a key.
2. A ransom note appears on the screen—once the ransomware encrypts the files. A note appears to specify a ransom demand, explaining the sum, mode of transfer, and deadline. Usually, attackers threaten that if victims do not meet the deadline, they will either increase the ransom, delete the files, or prevent any future attempt to decrypt them.

As long as the device is infected with ransomware, attempts to open the encrypted files might result in an error message informing you that the files are invalid, corrupt, or cannot be located.

Dedicated Ransomware Protection Solutions

Dedicated Ransomware Protection Solutions

A dedicated security tool can provide holistic protection against ransomware, both at the network, file system, and application layer. One such solution is Cynet All-in-One, an advanced threat detection and response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.

Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:

• Pre-download—applies multiple mechanisms against exploits and fileless malware, which typically serves as a delivery method for the ransomware payload, preventing it from getting to the endpoint in the first place.
• Pre-execution prevention—applies machine-learning-based static analysis to identify ransomware patterns in binary files before they are executed.
• In runtime—employs behavioral analysis to identify ransomware-like behavior, and kills a process if it exhibits such behavior.
• Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known ransomware.
• Fuzzy detection—employs a fuzzy hashing detection mechanism to detect automated variants of known ransomware.
• Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of ransomware-like behavior.
• Decoy files—plants decoy data files on the hosts and applies a mechanism to ensure these are the first to be encrypted in the case of ransomware. Once Cynet detects that these files are going through encryption, it kills the ransomware process.
• Propagation blocking—identifies the networking activity signature generated by hosts when ransomware is auto-propagating, and isolates the hosts from the network.

Cynet All-in-One provides all these anti-ransomware capabilities and more. 

Learn how Cynet can protect your organization against ransomware and other advanced threats

Windows 10 Ransomware Protection

The Windows operating system now has built-in ransomware protection as part of Windows Security. This was introduced by Microsoft in Windows 10.

Windows 10 ransomware protection works by only allowing approved applications to make changes to the file system. This can prevent ransomware from encrypting files, but can also interfere with the operation of legitimate applications.

This is why ransomware protection is not enabled by default. To use it, you’ll need to enable it and configure it properly so that existing applications can continue functioning.

To enable Windows 10 ransomware protection:

1. Search for Windows Security in the Windows Start menu.
2. In the Windows Security sidebar, select Virus & threat protection and click Manage ransomware protection.
3. Switch the option Controlled folder access to On. This ensures only applications in the Windows Security allowlist can make changes to files on the operating system.

Decryptors

If a computing system is already infected by ransomware, files have been encrypted, and there are no backups, a last resort is to use decryptors.

There are a range of free decryption tools that are able to reverse the encryption by some types of ransomware. Be sure to use a legitimate descriptor from a source like the No More Ransom Project.

If there is a working decryptor for your ransomware, run it, obtain the key, and use it to decrypt the files. Note that depending on the type of ransomware and available system resources, this can take several hours.

A few important notes about using decryptors:

• Identify ransomware type – before using a decryptor, identify the type of ransomware using Crypto Sheriff. You will need to provide the email address, Bitcoin account or web address shown in the ransomware message.
• Many ransomware types have no decryptor – in many cases there will be no working decryptor for the ransomware strain. In this case, consult with a security professional to see if there are additional ways to restore the files.
• Decryptors do not remove the ransomware – note that decryptors are not enough to clean a ransomware attack from your systems. Ransomware can activate secondary malware or delete your data. Make sure your system is clean from ransomware and all malware before using the decryptor.

What Should You Look for in a Ransomware Protection Solution?

An effective ransomware protection solution can detect, contain, and respond to ransomware threats in real time. Here’s what to look for:

• • Behavior-Based Detection – Signature-based detection cannot deal with zero-days or identify threats based on pre-attack indicators. A strong solution should use AI/ML to spot suspicious behaviors (like mass encryption or privilege escalation) before the payload detonates.
  • Endpoint Detection & Response – EDR or XDR capabilities will provide visibility across endpoints, the network, the cloud, etc. This will allow you to track how ransomware entered, what it touched, and how to isolate the threat.

• Real-Time Prevention & Isolation – The tool should be able to prevent execution of malicious code in real time and isolate infected devices from the network to stop lateral movement. The sooner the incident is contained, the less operational impact it will have.

• Ransomware Rollback or File Recovery – Good solutions offer rollback features that can restore files to pre-attack versions. This allows you to eradicate the ransomware completely or gain access to your important data so you don’t have to pay the ransom. Just be sure to mitigate the exploit the ransomware came through, otherwise you might get attacked again!

• Threat Intelligence Integration – Up-to-date threat intel helps you stay protected against new ransomware variants. It also enables better detection and faster response by correlating indicators of compromise (IOCs) with real-world threats.

• Anti-Phishing and Email Protection – Many ransomware attacks begin with phishing. Choose a solution that integrates email security or partners with your email platform to scan attachments, links, and sender behavior.

• Zero Trust and Access Controls – Built-in zero trust enforcement, based on the principle of least privilege and Just-in-Time (JIT) access, minimizes what ransomware can access if it gets in.

• Incident Response – Clear alerts, automated playbooks, and fast SLAs make a big difference during an attack. The faster your team can respond, the less damage ransomware can do.
• MDR – If you don’t have a large internal team, consider solutions with MDR services that can monitor and act on alerts 24/7. This will help contain the attack quickly.

How Big Is the Ransomware Threat?

Ransomware is a global menace, threatening organizations of all sizes and growing in scope and severity. Here are a few statistics that show the magnitude of the threat:

• How many are affected – according to a recent IDC report, 37% of organizations worldwide were the victim of a ransomware attack.
• Critical sectors targeted – The US Cybersecurity and Infrastructure Security Agency (CISA) reported there were ransomware attacks against 14 of 16 critical infrastructure sectors in the US
• Financial losses – according to Cybersecurity Ventures, ransomware-related costs are expected to reach $57 billion in 2025, and this figure is expected to soar to $275 billion annually by 2031.
• Government involvement – Gartner predicts that by 2025, 30% of governments worldwide will have rules or regulations governing ransomware payments.

What are the Most Dangerous Types of Ransomware?

Ryuk

Ryuk ransomware targets large, public-entity Windows systems. It works by encrypting data on an infected system and demanding ransom in Bitcoin. This ransomware appeared in 2018, initially believed to be of North Korean origin, but it is now suspected to be used by Russian criminal groups targeting organizations.

Learn more in our detailed guide to kaseya supply chain attack.

Sodinokibi

REvil/Sodinokibi ransomware encrypts files upon deployment and deletes the ransom request message after infection. The message demands bitcoin, notifying the victim that the demand will double if they do not pay the ransom on time.

REvil is delivered as Ransomware as a Service (RaaS), a model in which code authors develop the ransomware and affiliates spread it to collect the ransom. It was discovered in 2019 and has since become the 4th most distributed ransomware globally, targeting mostly European and American companies.

Netwalker

Netwalker ransomware holds its victim’s data hostage and leaks a sample of the stolen data online, threatening to release all the data to the dark web if the victim does not pay the ransom on time. It was created in 2019 by Circus Spider, a cybercrime group, and later shifted to a RaaS model to operate on a larger scale. It often spreads through phishing emails.

Learn more in our detailed guide to netwalker.

Maze

Maze is a Windows ransomware developed as a variant of ChaCha ransomware. It targets organizations worldwide, demanding a cryptocurrency payment in exchange for the encrypted data, threatening to leak the victim’s confidential data if they refuse to pay.

Maze was discovered in 2019. It is usually distributed through:

• Spam emails, typically through malicious links or attachments like Word or Excel files.
• RDP brute force attacks.
• An exploit kit.
• Through the victim’s client or partner who has already fallen victim to the attack.

Learn more in our detailed guide to maze ransomware.

CryptoWall

CryptoWall ransomware encrypts files and their names and demands a ransom for a decryption key. It typically spreads by phishing and spam emails, hacked websites, malicious ads, or other malware. Cryptowall uses a Trojan horse to deliver malicious payloads. By encrypting file names, CryptoWall increases the pressure on victims, who consequently pay the ransom to get their data back.

Learn more in our detailed guide to wastedlocker.

Locky

Locky ransomware encrypts important files on an infected computer, holding them hostage, delivering a ransom note that demands payment in exchange for the encrypted files. It typically arrived as an email including a Word doc attachment containing the code. Locky was discovered in 2016 and became a significant threat. While Locky is currently out of commission, other variants have emerged.

Learn more in our detailed guide to ragnar locker.

Cerber

Cerber is delivered as RaaS providing attacker licenses that split the ransom between the developer and affiliates. Cerber affiliates can deliver Cerber ransomware to various targets in return for providing the author with 40% of the ransom. The author creates the ransomware in this exchange, and affiliates find targets to distribute it.

Learn more in our detailed guide to lockbit ransomware analysis.

10 Ransomware Protection and Prevention Tips

Here are several ways you can prevent ransomware from striking your organization.

1. Actively manage access – restrict access to known users and known legitimate traffic to safeguard your data and applications from encryption. Strong passwords and multi-factor authentication provide added security to prevent bad actors from accessing your systems.
2. Centralized management – to deal with the complete range of ransomware threats, organizations must use centralized management procedures and systems. Sensitive information should be categorized, assessed, and properly secured wherever it resides.
3. Use anti-malware solutions – block suspicious executable files, and leverage email security solutions to monitor email traffic for malicious messages and block phishing attacks. To address unknown and zero-day malware, including zero-day ransomware, use advanced security technology such as signatureless behavioral analysis.
4. Implement centralized patch management – patch all endpoints when vulnerabilities are identified, including operating systems, mobile devices, applications, cloud resources, software, and IoT.
5. Protect backup repositories – implement the 3-2-1 rule by keeping three copies of your information, storing it on two distinct media types, and keeping one of these media off-site. It is also important to periodically test backups to ensure they are functional and maintain data integrity.
6. Regularly change network credentials for routers, switches, Wi-Fi access points, and critical systems. This helps prevent exploitation due to poor password hygiene.
7. Educate users – Help your end users by providing them with the practice and education they need to protect against ransomware attacks. Consistent communication and awareness training will let everyone in your organization know the threat of ransomware and gain familiarity with security approaches. Ensure that your employees know how to report suspicious behavior and understand the importance of timely reporting.
8. Establish a disaster recovery plan – to ensure they can completely recover data and applications in case of disaster, organizations must create, test, and uphold practices, tools, and procedures for business continuity and disaster recovery (BCDR).
9. Conduct a risk assessment – categorize types of ransomware disasters and create priorities for business continuity and recovery.
10. Create an incident response plan – the plan should clarify what to do in the case of a ransomware attack, including determining data sensitivity and disconnecting affected systems from the network to contain the attack.

Related content: Read our guide to linux ransomware.

Learn More About Ransomware Protection

Ransomware Removal: Recovering Your Files and Cleaning Up Infected Systems

Ransomware Prevention: 4-Step Plan to Stop Ransomware Attacks in their Tracks

FTCode Ransomware: Distribution, Anatomy and Protection

Ransomware Detection: Common Signs and 3 Detection Techniques

See Additional Guides on Key Data Security Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of data security.

EDR Tools

Authored by Cynet

• [Guide] EDR Security: Protecting the Network From Endpoint Threats
• [Guide] 10 Reasons Your Business Needs Endpoint Protection Software
• [Announcement] Cynet MITRE ATT&CK Results 
• [Product] Cynet All-In-One Cybersecurity Platform 

Endpoint Security

Authored by Cynet

• [Guide] Endpoint Security
• [Guide] What Is Endpoint Management? MDM, EMM, and UEM
• [Ebook] 2024 Cybersecurity Planning Checklist 
• [Product] Cynet All-In-One Cybersecurity Platform 

Endpoint protection

Authored by Cynet

• [Guide] Top 6 Endpoint Protection Platforms and How to Choose
• [Guide] Endpoint Protection: The Basics and 4 Key Technologies
• [Product] Cynet All-In-One Cybersecurity Platform