A ransomware infection can be roughly divided into three stages: entry, spread, and encryption. Since ransomware first appeared, its encryption methods have grown steadily more sophisticated. Once enterprise data has been encrypted by ransomware, cracking the key is impractical; the only ways to recover the data are to restore it from a backup or to pay a high ransom. The fundamental solution is therefore to catch and remove the ransomware at the initial stages of infection, namely "entry" and "spread", which effectively avoids the risk.
Before distributing ransomware, hackers first need to get into the corporate intranet. They usually scan IP addresses one by one, attacking each until they find a device with security vulnerabilities. After breaking into the intranet, they can take control of a terminal device and use it as a jump server, then gradually obtain higher-privileged accounts, compromise the enterprise AD and break into the domain controller, so that the ransomware can move laterally, spreading to and infecting the entire local network. To block ransomware from the internet, the following methods therefore reduce the openings that hackers can take advantage of:
1. Turn off the remote desktop function
The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to connect to a computer remotely from other devices. Hackers can use the same channel to gain access to the computer, either with leaked RDP credentials or simply by cracking the target computer's password. Once inside, the hacker can do anything, including changing passwords, installing malicious programs, planting backdoors, and so on. Most companies do not have comprehensive password policies, so password strength is insufficient and hackers can easily enter the network and cause damage. RDP has therefore become one of the main channels for hackers to break in. Turning off RDP brings a certain degree of inconvenience, but it is very effective in reducing the chance of being hacked.
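As an added illustration of this step (example code written for this page, not a UPAS tool), the PowerShell below audits a Windows host's RDP exposure, turns RDP off through the standard Terminal Server registry value and the built-in "Remote Desktop" firewall rule group, and audits again so the change can be verified. It assumes it is run as an administrator on a single host; the function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, disable and re-audit inbound RDP on the local Windows host.
# Registry paths are the standard Terminal Server keys; "Remote Desktop" is the
# built-in Windows Firewall rule group for RDP.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 means RDP is disabled; UserAuthentication = 1 means
    # Network Level Authentication (NLA) is required before the logon screen is shown.
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $rules     = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = ($deny -ne 1)
        NlaRequired       = ($nla -eq 1)
        FirewallRulesOpen = @($rules | Where-Object Enabled -eq 'True').Count
        ListeningOn3389   = ($null -ne $listening)
    }
}

function Disable-RdpAccess {
    # Deny new RDP connections, close the inbound firewall group, and enforce NLA so
    # that if RDP is ever re-enabled, unauthenticated sessions cannot reach the logon screen.
    Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

$before = Get-RdpExposure
if ($before.RdpEnabled -or $before.FirewallRulesOpen -gt 0) {
    Disable-RdpAccess
}
$after = Get-RdpExposure
# Print both audits side by side: RdpEnabled and FirewallRulesOpen should now be False / 0.
$before, $after | Format-Table -AutoSize
```

Run across a fleet, the same two settings belong in Group Policy rather than a per-host script; the audit function alone is still useful for finding machines where RDP was quietly turned back on.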
2. Comprehensive IT Asset Management
Security vulnerabilities in software and the Windows OS are also among the main ways hackers get into the intranet. In 2017 the well-known WannaCry ransomware swept through 150 countries and caused more than $4 billion in losses, by exploiting a Windows OS vulnerability that Microsoft had patched two months earlier. It is therefore necessary to ensure that every device in the enterprise is updated to the latest OS version as soon as updates are released, that no pirated software is used, and that all software is kept at its latest version.
3. Minimize account permissions
To prevent hackers from installing malicious software on the intranet, the permissions of local accounts should be minimized and AD accounts should be managed so that no unnecessary permissions are granted.
4. Use anti-virus software and keep virus signatures updated
Although ransomware itself is difficult to detect with anti-virus software, the malicious programs that precede it, such as backdoors, can be intercepted and removed by it. The anti-virus software should therefore be kept at its latest version and its virus signatures kept up to date, in order to prevent hackers from gaining access to the intranet through malicious programs.
5. Establish good information security awareness
Hackers often use fake websites and phishing emails to induce employees to download malicious programs and so attack the intranet. Employee behaviour is the most difficult factor to control: poor usage habits and weak security awareness easily lead to intranet compromise. Establishing a sound information security education programme and cultivating good security awareness among employees is therefore another link that needs attention.
How UPAS prevents ransomware
UPAS specializes in intranet management and provides many measures to effectively block ransomware from the internet. UPAS adopts a zero-trust architecture to minimize the impact of security vulnerabilities, and can instantly detect anomalies at multiple points when hackers launch targeted infiltrations.