How Can We Stop Ransomware From Spreading?
Most ransomware that we’ve seen is usually deployed via some sort of phishing attack. The victim gets an email, they click on an attachment or a link, the ransomware gets loaded, and from there it starts spreading through the network, encrypting as it goes along. Practicing good email hygiene and training users on what to do when they get emails with attachments is a decent first step. But we all know that human beings are fallible, and it’s likely something might slip through.
As we get more complicated and into more technical controls, most ransomware needs to communicate out to some sort of command-and-control server. That’s where it registers that it has infected a system and gets further instructions regarding the keys for decryption and other parts of the attack. You can intercept that by blocking it at the DNS level, or you can sometimes block it with outbound detection that looks for communication reaching out to a very strange domain name. Almost all of the common ransomware families use domain generation algorithms, so domains that look like random strings are a good clue that there’s something going on.
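One way to act on the "random-looking domain" clue, shown here as an added example that is not part of the original article: a Python heuristic that flags long, high-entropy, vowel-poor labels in DNS query logs and reports clients that look up several of them. The log format, thresholds, and sample lines are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log lines (format assumed: timestamp client qname qtype).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.21 www.contosouniversity.example A
2024-05-01T09:00:02Z 10.0.0.37 xkqzvbnwtrplmd.example A
2024-05-01T09:00:03Z 10.0.0.37 a8f3k2j9d7q1x5.example A
2024-05-01T09:00:04Z 10.0.0.21 mail.example.test MX
2024-05-01T09:00:05Z 10.0.0.37 qwrtzpsdfghjkl.example A
"""

MIN_LEN = 10            # short labels carry too little signal
MIN_ENTROPY = 3.0       # bits per character (assumed threshold)
MAX_VOWEL_RATIO = 0.25  # natural-language names sit well above this


def shannon_entropy(s):
    """Bits per character of the empirical character distribution."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_generated(qname):
    """Heuristic: long, high-entropy, vowel-poor label just left of the TLD."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]  # naive: ignores multi-part suffixes such as co.uk
    if len(label) < MIN_LEN:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return shannon_entropy(label) >= MIN_ENTROPY and vowel_ratio <= MAX_VOWEL_RATIO


def suspicious_clients(log_text, min_hits=2):
    """Map client IP -> flagged names, for clients with at least min_hits."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, qname, _ = fields
        if looks_generated(qname):
            hits[client].add(qname)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_hits}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, names)
```

Entropy alone is not enough: the benign label `contosouniversity` scores above 3 bits per character, and only the vowel ratio keeps it from being flagged.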
Once ransomware has gotten a foothold in and is spreading through the network, things get a little bit trickier. You can try implementing some sort of firewall setup, what’s sometimes referred to as microsegmentation. However, this can mean a lot of administrative overhead for your IT staff to constantly update firewalls and make sure only necessary ports are in place.
RB Note: User education is the best prevention against these threats. If you get an email from someone you do not know, don’t click in it or open any attachments. Period!