What Is Ransomware?
Where much malware aims to steal data quietly, ransomware holds your files hostage: it encrypts them and offers the decryption key only once a ransom has been paid (and sometimes not even then). Infection usually starts when someone opens an email attachment that carries malicious code.
The malware then silently encrypts everything on the local PC and on any network drives mapped to it. More sophisticated ransomware also looks for ways to move deeper into the network, such as open RDP ports or unsecured network shares.
The spread of ransomware has grown significantly since the early 2000s. These attacks keep getting more expensive and more complex. Some of the most dangerous strains evade popular antivirus products and detect when they are being studied in a sandbox, staying dormant until they reach a real victim.
A ransomware attack can cost the victim anywhere from a few hundred to tens of thousands of dollars for a small target, and far more for a large organization, to obtain the decryption key from the attacker. Payment is usually demanded in a cryptocurrency such as Bitcoin or Monero.
In most cases, recovering encrypted files without the decryption key is infeasible, and paying does not guarantee a working decryptor. That is why it is far easier to position your network so it does not get infected in the first place.
How To Prevent Ransomware Infection
Network security is best implemented in layers, and preventing ransomware is no different. The more of these practices you have in place, the more you reduce your risk of a ransomware infection.
Patch And Update Your Devices
It is easy to fall behind on patches and updates, but that lapse can prove disastrous if it is not corrected. Ensure your servers, PCs, and network storage devices are patched and up to date at least once a month.
Watch for recently disclosed zero-days or out-of-band security patches that need to be installed ahead of schedule. A strict patching schedule is an easy way to win half the battle against ransomware. Larger organizations benefit from automated patch deployment through patch management tools.
Secure Your Ports And Services From Ransomware
One of the most common attack vectors for ransomware has been exposed or vulnerable Remote Desktop services. If devices on your network accept Remote Desktop Protocol (RDP) connections from outside, make sure you follow current best practice.
Only allow remote desktop over a Virtual Private Network (VPN). In the past it was considered enough to run RDP on a nonstandard port with a strong password. Today that is not enough: attackers use fast internet-wide port scanners to find services on non-standard ports and then run brute-force and credential-stuffing attacks against them.
Critical vulnerabilities such as BlueKeep (CVE-2019-0708, a pre-authentication flaw in RDP) continue to be discovered, leaving exposed hosts open to wormable attacks. If you must use remote desktop, make it reachable only from inside a VPN or from an allowlist of IP addresses, and require multi-factor authentication on the VPN itself.
Consider using nonstandard ports for specific services. This is not a security control on its own, since scanners will still find the service, but it does cut down on the volume of bots that only probe default ports.
Stopping Ransomware In Your Email
Email is the number one vector for ransomware infections. Attackers use well-crafted emails that disguise their malware as an invoice, a Word document, or an “encrypted” message.
The victim opens the Word document, which prompts them to enable content (macros) or to follow a link to “see the rest of the document”. The macro or the linked page then downloads and launches the ransomware.
There are dozens of ways attackers trick victims into downloading and executing ransomware. Email filtering is critical for weeding out the low-hanging fruit.
A common way for ransomware to arrive is through malicious macros embedded in Word documents. Most secure email gateways and next-generation firewalls now ship with macro filtering that scans a document and flags it if it contains macros.
Denying all documents that contain macros, and allowlisting only the specific sender domains that legitimately need them, is a simple way to cut off an entire avenue of attack. Products such as Vipre Email Security can detect and rewrite or remove malicious links before a user has a chance to click them.
Other best practices, such as running inbound mail through a sender reputation (blacklist) service and blocking attachment extensions such as .exe, .bat, .jar, and script types such as .js, .vbs, and .ps1, also help against ransomware and other malware.
Another major part of email security is training your team on best practices and on recognizing dangerous emails.
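To make the attachment rules above concrete, here is an added Python example (not part of the original article and not any vendor's code) that implements the gate a mail filter applies: block a list of executable extensions, and reject Office Open XML documents that contain a vbaProject.bin part, which is where VBA macros are stored. The sample message, its attachments and the extension list are constructed inline. Legacy binary .doc/.xls files are OLE2 containers rather than zips and would need an OLE parser such as olefile, which this example does not cover.

```python
"""Inbound-mail attachment gate: blocks executable extensions and Office
documents that carry VBA macros. Added example; sample message is constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Extensions the article lists, plus other common script carriers (assumption: tune per site).
BLOCKED_EXTENSIONS = {".exe", ".bat", ".jar", ".js", ".vbs", ".ps1", ".scr", ".cmd", ".hta"}
# Office Open XML containers. Plain .docx is checked too, because a macro-enabled
# file can simply be renamed; the macro part inside the zip is what matters.
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def has_vba_macro(payload: bytes) -> bool:
    """True if an OOXML zip contains a vbaProject.bin part, where VBA macros live."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def evaluate_attachment(filename: str, payload: bytes) -> Optional[str]:
    """Return a block reason, or None if the attachment passes the gate."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""   # last extension wins: viewer.pdf.exe -> .exe
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    if ext in OOXML_EXTENSIONS and has_vba_macro(payload):
        return "Office document contains VBA macros"
    return None


def scan_message(raw: bytes) -> list:
    """Return [(filename, reason)] for every attachment the gate would block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = evaluate_attachment(filename, payload)
        if reason:
            findings.append((filename, reason))
    return findings


def build_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container, optionally carrying a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro storage")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed 'invoice' lure with four attachments; two of them should be blocked."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_docm(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    msg.add_attachment(build_docm(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="terms.docx")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="viewer.pdf.exe")   # double extension trick
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

Running it blocks Invoice_4471.docm (macro part present) and viewer.pdf.exe (blocked extension) while terms.docx and receipt.pdf pass. In production the same check sits behind the sender-domain allowlist described above, so that the few partners who genuinely send macro documents are exempted rather than the rule being switched off.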
Restricting Access To Prevent Ransomware
If ransomware does land on someone’s computer, a few restrictions can help contain it and stop it from executing or spreading to the rest of the network.
Ensure users do not have administrator privileges. When users have unrestricted access to their PCs, ransomware running as that user has free rein to infect the local PC and then probe outward to other shares on the network.
Most ransomware takes specific preparatory actions before it starts encrypting, such as deleting Volume Shadow Copies so the victim cannot roll back. Restricting a user’s ability to delete shadow copies, install software, and bypass a moderately strict UAC configuration can be enough to stop the full execution of most ransomware.
Segmenting your network by security groups and subnets also limits the scope of the damage if ransomware does manage to execute on a PC in your network.
Much commodity ransomware relies on the user already holding elevated rights rather than carrying its own privilege-escalation exploit. Thorough local and domain restrictions can keep a single infected workstation from becoming a domain-wide compromise.
An often overlooked control is restricting what can run from the AppData and Temp folders, which a large share of ransomware droppers use as their staging location. Through Group Policy (Software Restriction Policies or AppLocker path rules) you can, and should, restrict which file types may execute from these folders.
Blocking .exe, .bat, .js and similar executable types from running inside these folders stops many droppers outright, even when they get past the mail filter and the local antivirus.
Restricting AppData is a powerful move against ransomware, but it comes with inconveniences. You will often find yourself allowlisting legitimate applications such as LogMeIn or GoToMeeting, since a host of real programs install into the AppData folder.
All of these security policies can be pushed out via a login script, or group policy.
Prevent Ransomware Downtime With Backups
Even with the best network and device security in place, there will come a time when a threat slips through the cracks, and you may need to recover files and programs from a recent backup. Incremental backups should already be a core part of any business network to avoid downtime.
While solid backups won’t necessarily prevent the spread of ransomware, they will certainly give you peace of mind and act as an insurance policy if anything does go wrong. Just make sure you’re following best practices when it comes to backing up critical data on your network.
Make sure your backups are kept off-site or in cloud storage. In the event of a disaster, whether that be ransomware, an earthquake, or break-in, you’ll want copies of your files to be kept off-premises.
Having an off-premise backup solution gives you the flexibility to initiate a restore even if the entire office is down, or needs to be relocated. Off-site backups might take time to recover from depending on your internet speed, and the amount of data you have.
Off-site backups are an excellent solution especially when paired with a more readily available recovery method that is located on-site.
Keep incremental backups on hand for quick deployment. When you’re recovering from a disaster or ransomware attack you’re not just protecting your data, you’re saving the company from potential downtime.
Depending on the size of your organization, an hour of downtime could cost tens of thousands of dollars. Ransomware has crippled entire local governments that did not have a proper backup policy in place. Security software like StorageCraft’s ShadowProtect can take ‘snapshots’ of your network and recover to any point in time that you specify. Having the power to restore your network from an hour before a disaster, pays for itself on day one.
Keep your backups secured. There is no point investing time and money in a backup solution if it gets compromised along with everything else during a ransomware attack. An external drive left plugged into a server will be encrypted just as fast as anything else on the network.
Backups should ideally be taken from a separate machine, isolated from the rest of the environment, that can read the data it protects while nothing on the network can write to the backup store. This protects your backups but still gives you quick access to mount virtual drives on the fly.
The second component is ensuring your backups are encrypted and write-locked (immutable, or held offline). This not only prevents accidental changes to backed-up data but also stops ransomware from encrypting the backups even if the backup host itself is somehow compromised. Test restores regularly: a backup you have never restored from is an assumption, not a backup.
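One way to make “write-locked” verifiable rather than assumed is a sealed manifest: hash every file in the backup set, seal the listing with an HMAC whose key is kept off the backup host, and verify the set before you trust a restore. The Python below is an added example, not any backup product’s code. The file names, contents and key are constructed, and the simulated attack overwrites one file in place, renames another with a new extension and drops a ransom note; the last check shows that an intruder who can rewrite the manifest but lacks the key cannot re-seal it.

```python
"""Tamper-evident backup manifest: SHA-256 per file, sealed with an HMAC key
that is kept off the backup host. Added example; files and key are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _seal(files: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding of the file listing."""
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    files = hash_tree(root)
    return {"files": files, "mac": _seal(files, key)}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest seal, then compare every recorded file with what is on disk."""
    present = hash_tree(root)
    recorded = manifest["files"]
    return {
        "manifest_ok": hmac.compare_digest(_seal(recorded, key), manifest["mac"]),
        "modified": sorted(p for p in recorded if p in present and present[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in present),
        "unexpected": sorted(p for p in present if p not in recorded),
    }


def run_demo() -> dict:
    key = b"manifest-key-kept-off-the-backup-host"   # constructed; keep the real one in a vault
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q1.xlsx").write_bytes(b"quarterly figures")
        (root / "finance" / "q2.xlsx").write_bytes(b"more figures")
        (root / "readme.txt").write_bytes(b"backup set 2024-03-04")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulate ransomware reaching the backup store: encrypt one file in place,
        # rename another with a new extension, and drop a ransom note.
        (root / "finance" / "q1.xlsx").write_bytes(os.urandom(64))
        (root / "finance" / "q2.xlsx").rename(root / "finance" / "q2.xlsx.locked")
        (root / "README_TO_DECRYPT.txt").write_bytes(b"pay us")
        attacked = verify_backup(root, manifest, key)

        # An attacker who can rewrite the listing but lacks the key cannot re-seal it.
        forged = verify_backup(root, {"files": hash_tree(root), "mac": manifest["mac"]}, key)
    return {"clean": clean, "attacked": attacked, "forged": forged}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The seal does not stop an attacker with write access from destroying files; immutability or offline media does that. What it gives you is a cheap, independent check that the copy you are about to restore from is the copy you took, and an alarm if something reached the backup host.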
The Best Ransomware Protection Software
With all of these security policies and recovery measures in place, you’ll still want to rely on proactive real-time security software that can monitor your network and stop ransomware in its tracks. Here’s a quick summary of our top picks for ransomware protection.
Our methodology for selecting a ransomware protection tool
We reviewed the market for ransomware protection systems and analyzed tools based on the following criteria:
- Constant system security monitoring
- File protection
- Alerts that spot unusual activity surrounding file encryption
- A system that implements automated remediation to shut down encryption activity
- Protection for vital system files
- A free trial or a demo that provides an opportunity for a cost-free assessment
- Value for money from a package that provides security monitoring at a reasonable price
With these selection criteria in mind, we identified some useful systems that you should consider in order to protect your system against ransomware.
- SolarWinds Security Event Manager EDITOR’S CHOICE The best holistic ransomware prevention software for businesses. Features reporting, auditing, and customizable alert templates. It comes with a 30-day free trial.
- SpinOne (FREE TRIAL) A cloud-based service that integrates into the most popular SaaS platform to provide data loss prevention and ransomware protection systems. Access a 15-day free trial.
- ThreatLocker (GET DEMO) This security platform blocks all software from running unless it is specifically whitelisted, so ransomware that reaches an endpoint never executes. It complements, rather than replaces, a backup strategy. Register for the free demo.
- ManageEngine Vulnerability Manager Plus (FREE TRIAL) Spot the exploits that ransomware uses to infect your system and fix them before any malware hits your system with this package of security tools. Runs on Windows Server.
- CrowdStrike Falcon Prevent This device-based next-generation anti-virus protects from a range of malware types, including ransomware. Available for Windows, macOS, and Linux.
- Malwarebytes Endpoint antivirus protection with built-in ransomware protection.
- Kaspersky Anti-Ransomware Tool Free standalone installer. Available for both home and business protection.
1. SolarWinds Security Event Manager (FREE TRIAL)
SolarWinds Security Event Manager (SEM) is one of the best overall security tools for preventing ransomware in medium to large environments. Security Event Manager delivers enterprise-level network security at small-business prices. Pricing starts at $2,525 (£2,019), and a fully functional 30-day free trial is available to make sure it is the right fit for you.
The dashboard of Security Event Manager monitors and alerts you to a number of security-related events on your network and works proactively to keep devices on the network secure and up to date. While this program has dozens of features that make it a powerful security tool, we’ll focus primarily on its anti-ransomware properties for this article.
Key Features
- File integrity monitoring
- System security monitoring through log analysis
- Threat detection
- Automated response
- Compliance reporting
Community-backed intelligence and threat-based detection. Security Event Manager (SEM) leverages a number of sources to always have the latest information on evolving threats and the latest evolutions of ransomware. The SEM platform is constantly updated with real-time analytics, attack vectors, and malicious command and control servers to ensure nothing slips through the cracks.
Deep dive and perform forensic analysis with detailed logging. Easily sift and sort through your network logs to customize and improve ransomware threat-based detection. Compile logs from servers, applications, and other network storage devices with customizable search functions and visualization features.
Automatically detect and stop ransomware behavior. When an account is compromised, it can be hard to identify that account and disable its access quickly. With SEM’s activity monitor you can set predefined thresholds that either alert you or take a specific action against the account automatically. That lets you identify and stop an account that is behaving maliciously, for example renaming files to new extensions en masse or attempting privilege escalation inside your network.
SEM operates in a Windows environment and can be installed on Windows Server 2012 and later. SolarWinds offers a 30-day free trial for SEM.
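The threshold-based behaviour detection described above, together with the recovery-point destruction that the access-restriction section notes ransomware performs before encrypting, can be illustrated with a small detector. The Python below is an added example, not SEM’s rules or code: the event-line format, the rename threshold, the window and the list of “known” extensions are assumptions, and the event lines are constructed. It raises one alert when a user renames more than a threshold of files to unrecognised extensions inside a sliding window, and another when a process command line matches a known shadow-copy or recovery-disabling command.

```python
"""Behavioural ransomware detector over constructed endpoint event lines.
Added example; the event format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 20   # renames to unknown extensions per user within the window
WINDOW_SECONDS = 60
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "tmp", "bak"}

# Commands ransomware commonly runs before encrypting, to destroy recovery points.
RECOVERY_KILLERS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Constructed line format: <iso-timestamp> <RENAME|PROCESS> user=<name> <fields>
LINE_RE = re.compile(r"^(\S+) (RENAME|PROCESS) user=(\S+) (.*)$")


def extension_of(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines) -> list:
    """Return [(user, reason)] alerts; at most one rename-burst alert per user."""
    alerts = []
    windows = defaultdict(deque)   # user -> timestamps of renames to unknown extensions
    burst_alerted = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        kind, user, fields = m.group(2), m.group(3), m.group(4)
        if kind == "PROCESS":
            cmd = fields.partition("cmd=")[2].strip('"')
            if any(rx.search(cmd) for rx in RECOVERY_KILLERS):
                alerts.append((user, f"recovery-point destruction: {cmd}"))
        elif kind == "RENAME":
            dst = fields.partition("dst=")[2]
            if not dst or extension_of(dst) in KNOWN_EXTENSIONS:
                continue
            q = windows[user]
            q.append(ts)
            while (ts - q[0]).total_seconds() > WINDOW_SECONDS:   # slide the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append((user, f"{len(q)} renames to unknown extensions within {WINDOW_SECONDS}s"))
    return alerts


def build_sample_events() -> list:
    """Constructed events: jsmith deletes shadow copies then mass-renames; alice works normally."""
    base = datetime(2024, 3, 4, 10, 15, 0)
    events = [f'{base.isoformat()} PROCESS user=jsmith cmd="vssadmin.exe delete shadows /all /quiet"']
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        events.append(f"{t} RENAME user=jsmith src=C:\\share\\report{i}.docx dst=C:\\share\\report{i}.docx.locked")
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        events.append(f"{t} RENAME user=alice src=C:\\home\\notes{i}.txt dst=C:\\home\\notes{i}.bak")
    events.append(f'{base.isoformat()} PROCESS user=alice cmd="notepad.exe C:\\home\\todo.txt"')
    return events


if __name__ == "__main__":
    for user, reason in detect(build_sample_events()):
        print(f"ALERT {user}: {reason}")
```

On the constructed events this raises two alerts for jsmith (the vssadmin command, then the 20th rename within the window) and none for alice. A real deployment would feed it file-system audit events and process-creation logs (Sysmon event ID 1 or Windows Security event 4688 with command-line logging enabled) and tie the alert to an automated response such as disabling the account or isolating the host, which is the action SEM’s thresholds are meant to trigger.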
Pros:
- Is easy to deploy – features numerous done-for-you templates, dashboards, and monitors
- Provides automated ransomware protection with artificial intelligence
- Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
- Threat response rules are easy to build and use intelligent reporting to reduce false positives
- Built-in reporting and dashboard features help you track issues and document performance over time
Cons:
- Feature dense – requires time to fully explore all features
EDITOR’S CHOICE
SolarWinds Security Event Manager has hundreds of out-of-the-box correlation rules that can alert you to suspicious behaviors in real time. You can also set up new rules thanks to the normalization of log data. The dashboard gives you a command center for identifying potential network vulnerabilities.
Start 30-day Free Trial: solarwinds.com/security-event-manager
OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure
2. SpinOne Ransomware Protection (FREE TRIAL)
Spin.ai SpinOne specializes in data protection for SaaS platforms. It integrates with Google Workspace (formerly G Suite), Microsoft 365, and Salesforce. The tool watches activity in data storage systems, scanning API connections for malware activity and tracking user behavior for signs of malicious human activity. The service also provides a backup and recovery function, so you will never be tempted to pay a ransom.
The SpinOne backup system automatically creates a repository for your files and hosts them on AWS, GCP, or Azure. You can also choose to get a second copy stored on a local device in your offices. The tool takes full and incremental file-level backups. However, it scans all files constantly and blocks the movement of an updated file to backup if ransomware activity is detected.
Key Features:
- Ransomware scanning
- Backup and recovery
- Support from technicians and cybersecurity analysts
- Recovery guarantee
Cloud file stores do not execute uploaded code, so ransomware cannot run inside the SaaS file service itself. The files are damaged instead when an infected endpoint’s sync client, or a compromised application integration connected through the platform’s APIs, uploads encrypted versions over the originals. On identifying a damaged file, SpinOne immediately disconnects all API access and isolates the damaged files.
After notifying you of a ransomware attack, the system investigates the source of the ransomware by tracking through its file access logs. After providing a full report on the attack, the SpinOne service deletes the damaged files and replaces them with clean copies taken from the backup repository.
The SpinOne service is available in three editions: SpinOne for Microsoft 365, SpinOne for G Suite, and SpinOne for Salesforce. The Salesforce edition has fewer facilities, with just a backup and recovery system. The other two offer user behavior tracking, compliance auditing, risk assessments, and data loss prevention as well as ransomware and malware scanning. You can access any of these plans with a 15-day free trial.
Pros:
- Ransomware and malware scanning
- File monitoring for sensitive data protection
- A 2-hour disaster recovery promise
- Data backup and recovery
Cons:
- Only protects specific cloud platforms, not all
3. ThreatLocker (ACCESS FREE DEMO)
ThreatLocker simplifies the strategy needed to deal with ransomware: it blocks all software from running. No matter what programs get onto your endpoints, they cannot run. The platform lets you set up an “allow list,” which is ThreatLocker’s name for a whitelist. Software on that list is allowed to execute, so as long as you do not whitelist ransomware, it never runs on your endpoints. This stops the encryption from starting; it does not remove the need for backups, which still cover hardware failure, data loss, and anything an allowlist misses.
Thanks to the block on execution, system managers do not have to worry about users installing their own preferred software, and every type of malware is disabled by the strategy. Malware may still sneak onto your endpoints disguised as another, legitimate program: a piece of ransomware can be shipped in a file named word.exe. A proper allowlist identifies executables by properties such as their cryptographic hash and signing certificate rather than by file name, which is how ThreatLocker tells the real program from the fake.
Key Features:
- Blocks all software by default
- Allows named software to run
- Controls resource access by permitted software
Endpoint software producers charge a fee for every installation, so license management matters. If you bought five licenses for a piece of software, you need to make sure that only five copies are installed on your site. With the Allowlisting feature of ThreatLocker, you can see how many endpoints have each piece of software. You install it yourself and approve it on a per-device basis, so users on endpoints where you did not install that package cannot have it. If they try to install it themselves, it will not run, and if a piece of ransomware masquerades as that legitimate software, it will not run either.
The ThreatLocker platform has a range of components that let you focus security on protecting access to applications rather than to devices. This matters because many of the applications businesses use are SaaS packages hosted on cloud servers, so for businesses that run entirely on SaaS applications, securing only the local devices is insufficient. With the ThreatLocker system, you can secure access to any application anywhere.
The ThreatLocker approach to ransomware and to managing distributed teams takes some getting used to. The best way to learn the ThreatLocker concepts is to access a demo of the system.
Pros:
- Suitable for hybrid networks
- Implements a Zero Trust Architecture (ZTA)
- Creates a virtual network
Cons:
- Doesn’t include a full access rights manager
4. ManageEngine Vulnerability Manager Plus (FREE TRIAL)
Head off disasters by closing the exploitable weaknesses ManageEngine Vulnerability Manager Plus finds before ransomware operators reach them. This is a vulnerability scanner with a bundled patch manager, and it can flag publicly disclosed zero-day vulnerabilities and apply the mitigations that are available for them.
You cannot predict what system weakness the next wave of ransomware will use to get into your system, so harden everything against any possible attack with this software package. The Vulnerability Manager Plus package runs on Windows Server but it reaches across your network to scan all of your devices running Windows, macOS, and Linux. The scanning cycle occurs every 90 minutes and it looks through the software inventory of each device, looking for unauthorized packages and software that has been flagged as end-of-life.
Key Features:
- Vulnerability scanning
- Patch management
- System hardening
- Web server risk assessment
All current and authorized software and operating systems are scanned for risk. This involves checking their patch status and reviewing their configurations. If patches are available, Vulnerability Manager Plus triggers the patch manager that is part of the bundle. Software and hardware misconfigurations are highlighted for action, and the system can even generate scripts to realign device and software settings to remove entry points for malware and intruders.
Web assets are particularly exposed to potential attacks and so the vulnerability risk assessment service in this ManageEngine system pays close attention to current assets, looking for the opportunities that hackers could use to infect websites or attack your services.
ManageEngine provides a Free edition of Vulnerability Manager Plus, which is limited to protecting 25 devices. The paid versions are offered for a 30-day free trial.
Pros:
- Can spot security weaknesses even before they are publicized
- Includes systems to detect and close down exploits
- Provides an automated patch manager in the suite
- Logs all discoveries and actions for compliance reporting
Cons:
- Doesn’t extend to cloud platforms
5. CrowdStrike Falcon Prevent
CrowdStrike Falcon Prevent is a next-generation anti-virus system that installs on endpoints. The package is available for Windows, macOS, and Linux. The Falcon brand is a family of cybersecurity products that work in combination with Falcon Prevent. The Falcon Prevent system is the base product in the range and it acts as an endpoint agent for other Falcon systems, which are all cloud-based.
The Falcon Prevent system is able to detect a range of malware, including ransomware. The detection system in the tool is anomaly based. This means that the package establishes a baseline of normal activity per user on the device and then looks for activity that doesn’t fit into that pattern. This anomalous behavior is then flagged for further investigation.
Key Features:
- Can spot fileless and malware-free attacks
- Looks for unusual activities
- Updated by the Falcon platform
- Continues working if the device is offline
Ransomware detection. The system gets Indicators of Attack (IoAs) from the Falcon platform and this guides threat detection. The tool will establish a baseline of normal activity and then look for different activity. Those unusual events are compared to IoAs.
Ransomware blocking. Unexpected downloads are blocked by isolating the file and drawing the user’s attention to it. Quarantined files can be released manually.
Ransomware response. If suspicious activity is identified, Prevent will kill its processes.
Ransomware remediation. The Prevent system cleans up after a confirmed attack by removing all files related to the blocked malware.
You can start with a 15-day free trial.
Pros:
- Fast response, thanks to threat intelligence
- Flexible approach with anomaly detection that can block zero-day attacks
- Also identifies intruder activity
- Can link together suites of malware for detection and remediation
Cons:
- Only acts once ransomware is already installed and triggered
6. Malwarebytes Anti Ransomware Software
Malwarebytes (MBAM) first found its way to market by providing quality consumer-grade malware protection for individual workstations. Fast forward a few years and Malwarebytes is now bringing that same level of quality ransomware protection to the business environment with its business-grade anti-malware program. While Malwarebytes offers an umbrella of network protection services, we’ll just focus on its ransomware defense capabilities.
In its early days, Malwarebytes offered ransomware prevention as a standalone beta product. That technology is now a core feature built directly into Malwarebytes Premium, which is available on Windows, macOS, iOS, and Android. Malwarebytes Premium starts at $39.99 (£31.99) a year per device for consumers and $119.97 (£95.96) a year for 3 devices for small businesses. You can get a full breakdown of their business pricing here. Overall it is an excellent internet security package.
Key Features:
- Protects Windows, macOS, iOS, and Android
- Constant endpoint security monitoring
- AI-based threat detection
- Creates restore points for system rollback
Real-time ransomware prevention. MBAM monitors each endpoint live to detect ransomware activity. This includes recognizing remote code execution, malicious changes to the registry, and rogue encryption on the machine.
Ransomware detection and machine learning. Threat profiles built from machine learning help to proactively identify and stop ransomware before it can spread. This keeps you ahead of ransomware variants that evade traditional signature-based fingerprinting.
Ransomware recovery options. Malwarebytes uses its Ransomware Rollback Technology to keep a protected local cache of system and data files, which can be restored if ransomware does get through.
7. Kaspersky Anti Ransomware Tool
Kaspersky’s Anti-Ransomware Tool (KART) has been revamped and is free to anyone who would like to try it; it is compatible with Windows environments. Kaspersky’s paid suites, for home and business users, add automatic patch management, software support, and 20+ other threat detection technologies, and are priced at $39.00 (£31.99) for 3 home devices and $53.99 (£43.19) for 3 devices in a business environment.
Key Features:
- Offered in free and paid versions
- Runs on Windows
- Blocks unauthorized encryption
Blocking encryption at the source. Like the other security tools covered here, KART can detect and block both local and remote execution of ransomware. It detects when file encryption is being attempted and stops the process before it finishes.
Works in conjunction with other tools. KART can run alongside other antivirus software. Where most antivirus products fight each other and cause problems, KART is designed to coexist with an existing endpoint security product.
Detects more than just ransomware. In addition to ransomware, KART can detect illicit crypto-mining, adware infections, and riskware objects on endpoint PCs.
Kaspersky offers a free download for home use.
Pros:
- Provides high-level insights into threats and asset health from devices across the network
- Identifies both malicious processes and behavior
- Offers botnet protection as well as protection from browser-based threats
- Completely free version; simple installation with little configuration needed
- Great for small businesses and home users
Cons:
- Would like to see a longer trial of the full product for testing
- Not the best option for enterprise networks
See also: The Best Ransomware Protection Tools
Conclusion
It is clear that the ransomware threat is here to stay and is only getting more advanced as time goes on. The good news is that there are now more software tools and device security measures you can deploy right now to help keep your network safe.
All of the tools mentioned above are available as free trials or free editions, so try out a few and see which ransomware protection is right for you.
Have you experienced a ransomware attack before? Were you able to recover? Leave a comment about your experience in the comment section below.