Ransomware Alert! Follow these steps to secure your system against an ongoing ransomware attack

Credit to Author: Rajiv Singha | Date: Wed, 25 Apr 2018 05:42:11 +0000

Estimated reading time: 4 minutes

Quick Heal has detected an ongoing ransomware attack. This post outlines the important steps you must take to protect your computer(s) against this threat.

What to do to stay safe from the attack?

Most of the steps mentioned below are technical in nature. If you need any assistance, please call us on 1800 121 7377.

- Ensure all protection levels in your Quick Heal product are ON.
- Disable Remote Desktop Protocol (RDP) if it is not used. Instructions on how to do this are given at the end of this post.
- Change the RDP port to a non-standard port.
- Configure your firewall in the following ways:
  - Deny access from public IPs to important ports (in this case the RDP port, 3389).
  - Allow access only from IPs that are under your control.
- Use a VPN to access the network instead of exposing RDP to the Internet.
- If possible, implement two-factor authentication (2FA).
- Set an account lockout policy that hinders guessing of credentials.
- Create a separate network folder for each user when managing access to shared network folders.
- Don’t keep shared software in an executable form.
- Don’t assign administrator privileges to users. Most importantly, don’t stay logged in as an administrator unless it is strictly necessary. Also, avoid browsing, opening documents or other regular work activities while logged in as an administrator.

About the ransomware attack

Quick Heal has detected a recent ransomware outbreak which uses a Remote Desktop Protocol (RDP) brute force attack. However, we suspect that this attack could also be using other means to spread. These could be:

- Spam and phishing emails
- Exploit kits
- SMB vulnerabilities (EternalBlue, etc.)
- Drive-by downloads
- Dropped by other malware

What is Remote Desktop Protocol (RDP)?

The Remote Desktop Protocol is used to connect to another computer remotely over a network. It is generally used to carry out remote device management. The protocol runs over TCP/UDP port 3389.
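The RDP hardening steps listed above (restrict port 3389 to controlled IPs, deny it from public networks, set a lockout policy, disable RDP when unused) together with a check for the failed-logon pattern a brute force attack leaves behind, written up as an added PowerShell example. This is not code from the Quick Heal post or product; the management subnet, lockout thresholds and rule names are assumptions to adapt before use.

```powershell
# Added example, not from the Quick Heal post. Applies the RDP hardening steps
# listed above and reports failed-logon volume. Run from an elevated PowerShell
# prompt. Values marked ASSUMPTION are placeholders to adapt to your environment.
param(
    [switch]$Apply,                                # without -Apply: report only
    [string]$AllowedSubnet = '192.168.10.0/24',    # ASSUMPTION: your management range
    [int]$RdpPort = 3389                           # change here if RDP was moved
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
$listenPort  = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
Write-Host "RDP disabled: $rdpDisabled; configured listening port: $listenPort"

# Detection: count failed logons (Security event 4625) per source address over the
# last 24 hours. One address with hundreds of failures is the brute force pattern the
# post describes. Properties[19] is the IpAddress field of event 4625.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[19].Value } |
    Where-Object { $_ -and $_ -ne '-' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 5 -Property Count, Name |
    Format-Table -AutoSize

if (-not $Apply) { return }

# Firewall: replace the built-in "Remote Desktop" allow rules with one rule that only
# admits the management subnet, plus an explicit block on the Public profile.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RDP - management subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AllowedSubnet -Action Allow
New-NetFirewallRule -DisplayName 'RDP - block on Public profile' -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -Profile Public -Action Block

# Lockout policy: 5 failures within 30 minutes locks the account for 30 minutes,
# which makes credential guessing impractically slow. (ASSUMPTION: example
# thresholds; choose values that suit your environment.)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# If RDP is not needed at all, disabling it removes the exposure entirely:
#   Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
```

Run it once without -Apply to see the current RDP state and the top failed-logon sources, then with -Apply to enforce the firewall and lockout settings.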
What is a brute force attack?

A brute force attack is a trial-and-error method used to retrieve critical information such as usernames, passwords or any kind of personally identifiable information (PII). It is generally carried out through automated scripts. By brute forcing the credentials used to access RDP on a victim’s machine, attackers are able to uncover usernames and passwords. Once the credentials are obtained, attackers control the victim’s machine to carry out the intended attack. In most cases, ransomware attacks have been observed as the end result of an RDP brute force attack.

About the detected ransomware that is spreading through the RDP brute force attack

Quick Heal has observed the Dharma ransomware outbreak to have used the RDP brute force attack. Earlier, other ransomware families were also observed to have spread through the same mechanism. In this particular scenario, the attacker can take control of the system with administrative privileges, which allows them to install or uninstall any program on the infected computer. Here, we have observed that attackers were uninstalling the security software from the infected machine, and by doing so they were able to implant ransomware on it.

How Quick Heal protects its users from such attacks

Quick Heal products are built with the following multi-layered security features that help counter such attacks.

- Anti-Ransomware: Specially designed to counter ransomware attacks. This feature detects ransomware by tracking its execution sequence.
- Firewall: Blocks malicious attempts to breach network connections.
- IDS/IPS: Detects RDP brute force attempts and blocks the remote attacker IP for a defined period.
- Virus Protection: Online virus protection service detects the known variants of the ransomware.
- Behavior-based Detection System: Tracks the activity of executable files and blocks malicious files.
- Back Up and Restore: Helps you take regular backups of your data and restore them whenever needed.

Important safety measures to keep your computer safe against ransomware attacks

It is important to understand that such attacks are targeted at victims with weaker security infrastructure. This makes it highly critical for individual users and businesses to strengthen their security perimeter and stand strong against all such attacks.

1. Back up data regularly

Back up your important data regularly and keep a recent backup copy offline. Encrypt your backup. If your computer…