Ransomware attacks have been increasing for the last few years.
And there are lots of questions about ways to prevent ransomware.
Today, we want to answer one of these:
Does encryption prevent ransomware?
Can ransomware encrypt an encrypted drive?
Even if you have encrypted your hard drives, ransomware can still encrypt (re-encrypt them). Encrypting your drives yourself doesn’t prevent ransomware. It simply protects the contents from being read. This would mean an attacker wouldn’t be able to do anything with the files other than make them unusable.
Let’s look at this in a little more detail.
How ransomware works
Ransomware is a kind of malware – malicious software.
It blocks you from accessing your own files or systems and demands that you pay a ransom payment to get a decryption key to be able to use them again.
Cyber criminals have profited immensely from this over the last decade.
Ransomware attacks usually begin on one device in your network and spread to others.
It typically takes time for the attacker to gain the necessary information to spread from one computer to another.
The attackers are in your network long before you actually see the ransom message and your systems become unusable.
The most common way that ransomware enters your network is via phishing.
Often times, the attacker will send an email with an attachment and an explanation as to why you should run the software in the attached file.
Or the attacker may insert a link to a drive-by download – a file that downloads and runs automatically.
As email filtering solutions have become better at preventing these attacks, attackers have found other ways to compromise networks and deploy ransomware.
Phishing is one of the most common.
Since many organizations use RDP or VPNs that employees can remotely connect using their work credentials, attackers can simply get a user’s credentials and find a way in.
Ransomware and already encrypted drives
You may be using Bitlocker to encrypt your files or hard drives already.
However, this does not mean that ransomware can’t infect your device and encrypt the files again.
It’s kind of like the lock on your storage unit.
If you are logged into the device and have access to the files when ransomware is installed, it can access them as well.
When you boot an encrypted disk, for example, the decryption key is kept in memory so files can be accessed.
Any application can access your files, right?
So can ransomware.
Now, if you are using folder or external drive encryption, the ransomware would still be able to double-encrypt the file or drive, it just wouldn’t be able to read the files.
This is good since it can prevent them from being sold on the dark web.
Drive encryption prevents unauthorized parties from reading data off the hard drive while it is off. It won’t prevent ransomware. Just like software can be installed on an encrypted drive, so can ransomware. Ransomware prevention requires layered security controls.
Let’s look at a few of these controls.
Ways to prevent ransomware
Even though ransomware seems like a scary menace, there are actually steps you can take to prevent ransomware in your network.
There’s no silver bullet, but combining multiple security controls in a layered approach will go a long way.
While encryption won’t prevent ransomware, some of these basic methods will help:
Network segmentation is one of best ways to prevent ransomware from spreading on your network.
How does ransomware spread on a network?
Ransomware can spread across devices on a network in multiple ways. Typically some kind of remote access software or remote code execution solution (like powershell or psexec) is used. The ransomware will usually look for administrative credentials to be able to do this.
If you have a flat network, when ransomware breaks out, it can spread quite rapidly and take down your entire network.
Segmenting can slow or contain it.
Multi Factor Authentication (MFA)
Requiring multi-factor authentication on administrative accounts can help in reducing the risk of ransomware.
Administrators should consider using MFA before initiating remote sessions or logging into critical systems.
It is very easy for an attacker to harvest credentials from computers across your network.
If you have implemented controlled use of administrative access, having administrators use MFA is a great security control.
Patching & updates
Applying patching and updates are one of the most critical security processes you can take to avoid ransomware.
Take the WannaCry ransomware outbreak from 2017 as an example.
Microsoft released a patch for the vulnerability two months before the outbreak.
They even released a patch for unsupported systems – something they rarely do.
The majority of ransomware attacks can be prevented by simply keeping your computers updated.
There’s no silver bullet for preventing malware outbreaks.
Encryption won’t prevent ransomware.
It will ensure you that the attackers can’t read your data, but they can still lock it from you.
Instead, you must take a layered approach to information security.
It’s the only way to actually prevent ransomware.