Protecting your network from ransomware

Are you set up to block ransomware from jumping from one machine to your network?

Ransomware is moving away from targeting consumers and toward targeting businesses. The reasoning is quite simple: Consumers only have so much money. Businesses, on the other hand, have much deeper pockets — not to mention business-critical systems and files. Losing access to those files isn’t merely annoying — it can destroy a business.

Compared with consumers, businesses also have a larger attack surface and more potential entry points into the system. The larger an organization is, the more opportunity an attacker has to get into the system. All it takes is one person to open a malicious file and infect a company’s entire fileshare with ransomware.

This presents a big challenge for the internal security teams of companies. As the old adage goes, you can lead a horse to water, but you cannot make it drink. This holds true for IT security teams trying to educate their coworkers and make sure that they follow traditional IT best practices. 

Outside of the human risk, there is the task of defending the wall. IT security is the last line of defense in protecting the corporate network. Once ransomware has entered a device, it can spider across and encrypt any drive attached to that device, whether by USB or through the cloud, an external drive or a mapped network server. If you think about it, it could be a CEO or a janitor who compromises a hospital, allowing all of its patient files to be encrypted and held hostage.

So you can see how the stakes are high for both the good guys and the bad guys. What can you do? Often you will find that the endpoint protection solutions you have already implemented offer some level of protection against ransomware in a business environment.

Kaspersky Endpoint Security uses a module called System Watcher to monitor all changes that occur on an endpoint. In the case of ransomware, it can detect the process of file encryption by a foreign service, stop the process, and roll back any damage. This is a powerful proactive detection capability that enables us not only to protect but also to quickly remediate against numerous variants of ransomware. Kaspersky Endpoint Security also employs Automatic Exploit Prevention, which helps protect the endpoint from exploits targeting both known and unknown vulnerabilities on a machine. This is critical to stopping ransomware from entering the system in the first place.

To protect fileshares, Kaspersky Security for Windows Servers utilizes new technology to complement the technologies in Kaspersky Endpoint Security. Anti-Cryptor is similar to System Watcher; it monitors fileshare access, looking for encryption processes from remote clients. If it detects encryption activity, it can remediate immediately. Additionally, Anti-Cryptor engages Host Blocker to stop all connections from the ransomware-infected endpoint.

At Kaspersky Lab, we help ease the burden for our sysadmin friends. Our approach protects both workstations and the file server itself, but we leave the rights to the people who manage the network — we’re just here to make their jobs easier.
