
Ransomware Defense for Dummies eBook

Issue link: https://insights.oneneck.com/i/1093615


Page 18 of 52

CHAPTER 2 Implementing Best Practices to Reduce Ransomware Risks 13

These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

» Enforce the principle of least privilege and eliminate user "privilege creep" to limit an attacker's ability to escalate privileges.

» Regularly back up critical systems and data, and periodically test backups to ensure they can be restored and are intact. Also encrypt your backups and maintain them offline or on a separate backup network.

» Assess and practice your incident response capabilities, and monitor and measure the overall effectiveness of your security posture on an ongoing and continual basis.

Most ransomware relies on a robust C2 communications infrastructure, for example, to transmit encryption keys and payment messages. By preventing an attacker from connecting with ransomware that has infected its network, an organization can stop a successful ransomware attack. If, for example, the attacker is unable to send encryption keys to an infected endpoint or instruct a victim on how to send a ransom payment, the ransomware attack will fail. As Table 2-1 shows, the most common ransomware variants today rely heavily on DNS for C2 communications. In some cases, a Tor (The Onion Router) browser is also used for C2 communications.

TABLE 2-1 C2 communications in ransomware.

Name*           Encryption Key    Payment Message
Locky           DNS               DNS
TeslaCrypt      DNS               DNS
CryptoWall      DNS               DNS
TorrentLocker   DNS               DNS
PadCrypt        DNS               DNS, Tor
CTB-Locker      DNS, Tor          DNS
FAKBEN          DNS               DNS, Tor
PayCrypt        DNS               DNS
KeyRanger       DNS, Tor          DNS

*Top variants as of March 2016
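An added example (not from the book) of how a defender can act on the point behind Table 2-1: a small Python script that scans constructed DNS resolver log lines for the traces a DNS-carried C2 channel leaves behind (long high-entropy labels, long TXT lookups, and queries to a Tor gateway) and reports clients that show several of them. The log format, the gateway suffix and the thresholds are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines "<client_ip> <query_name> <query_type>"; every value is invented.
SAMPLE_LOG = """\
10.0.0.12 www.example.com A
10.0.0.45 q7x9k2mzp4w1vb8n.example-c2.test TXT
10.0.0.45 a3f8d1c0b9e7f2a4.example-c2.test TXT
10.0.0.45 5e2c7b9a1d4f0c8e.example-c2.test TXT
10.0.0.45 portal.onion.example-gateway.test A
10.0.0.77 updates.example.com A
"""

# Placeholder suffix standing in for a Tor-to-web gateway domain (assumed, not a real name).
TOR_GATEWAY_SUFFIXES = (".onion.example-gateway.test",)

def shannon_entropy(s):
    # Bits per character; a random-looking label scores close to log2(distinct chars).
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_line(line):
    client, qname, qtype = line.split()
    return client, qname.lower().rstrip("."), qtype.upper()

def is_suspicious(qname, qtype, entropy_threshold=3.5, min_label_len=12):
    # Reasons one query looks like DNS-carried C2; an empty list means nothing matched.
    reasons = []
    if qname.endswith(TOR_GATEWAY_SUFFIXES):
        reasons.append("tor-gateway")  # key or payment traffic routed via a Tor gateway
    first_label = qname.split(".")[0]
    if len(first_label) >= min_label_len and shannon_entropy(first_label) >= entropy_threshold:
        reasons.append("high-entropy-label")  # encoded data or a generated hostname
    if qtype == "TXT" and len(first_label) >= min_label_len:
        reasons.append("txt-tunnel")  # long TXT lookups are a classic carrier for data
    return reasons

def flag_clients(log_text, min_hits=2):
    # Group suspicious queries per client; report clients with at least min_hits of them.
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            client, qname, qtype = parse_line(line)
            reasons = is_suspicious(qname, qtype)
            if reasons:
                hits[client].append((qname, reasons))
    return {client: found for client, found in hits.items() if len(found) >= min_hits}
```

Feeding real resolver logs through `flag_clients` turns the table's observation into a sinkhole or block decision per client rather than per variant name.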
