A network administrator is responsible for maintaining the security of the company network and keeping its data safe. Ransomware may delete or restrict access to important information within a company. To keep the network safe, administrators may use content filtering proxies to restrict access to dangerous websites and resources.
What is ransomware?
Ransomware is a kind of malicious software developed to lock the data on a user's computer, typically by encrypting it. The attacker then demands a ransom to decrypt the data and release it back to the user.
To conceal the criminal's identity, the ransom is usually demanded in a virtual currency such as bitcoin. Often, after encrypting the data, the ransomware displays instructions on how to pay and get the data decrypted.
Ransomware uses several methods to spread, such as infected software and websites, download links, infected external storage devices, email attachments, and remote desktop protocol connections.
As an example, one current trend is working from home by remotely accessing the company network. If the network is not well managed, this may open the door to ransomware attacks.
How to use proxies for ransomware protection?
A proxy, or proxy server, is a computer with a set of rules that acts as a gateway between networks, for example between the internet and a company's local area network. Proxies can increase security by filtering web traffic and content: they block access to malicious sites and enforce company policy on which web sites users may access.
To protect the devices connected to the company network and prevent ransomware from spreading, one solution is to block all proxies except those approved for traffic leaving the company network, and to allow VPN connections initiated inside the company network to go to approved endpoints.
Below are several examples of how filtering proxies may be used to protect against ransomware.
Using WatchGuard Firebox
The WebBlocker feature of the WatchGuard Firebox lets you control which web sites are available to network users and enables HTTP and HTTPS proxy policies to protect web traffic. WebBlocker uses a cloud service containing 130 security categories.
Apart from unauthenticated download links, email attachments are the primary source for spreading ransomware. One example is an email attachment containing a compressed file with an executable inside it.
NoSpamProxy can be configured to identify malicious email attachments, detect and filter them by file name or size, and then either remove the hazardous attachment or reject the particular email completely.
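As an added example of the kind of attachment policy described above (this is illustrative code, not NoSpamProxy's own code or configuration), the following Python script checks each attachment of a message by file name extension and size, opens zip archives to look for executables hidden inside, and returns a verdict for the whole email. The extension lists, the size limit and the sample "shipment" message are assumed values constructed for the demonstration.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumed policy values for this demonstration, not NoSpamProxy's defaults.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".dll"}
ARCHIVE_EXTS = {".zip"}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024

def ext_of(name):
    """Lower-case extension of a file name, including the dot ('' if none)."""
    name = name or ""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def classify_attachment(filename, payload):
    """'reject' for executables or archives containing executables,
    'strip' for oversize or unreadable attachments, 'accept' otherwise."""
    ext = ext_of(filename)
    if ext in EXECUTABLE_EXTS:
        return "reject"
    if len(payload) > MAX_ATTACHMENT_BYTES:
        return "strip"
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # One executable member is enough to reject the whole archive.
                if any(ext_of(m) in EXECUTABLE_EXTS for m in zf.namelist()):
                    return "reject"
        except zipfile.BadZipFile:
            return "strip"  # unreadable archive: do not deliver it
    return "accept"

def filter_message(msg):
    """Classify every attachment; a single 'reject' rejects the whole email."""
    decisions = {p.get_filename(): classify_attachment(p.get_filename(), p.get_payload(decode=True))
                 for p in msg.iter_attachments()}
    return ("reject" if "reject" in decisions.values() else "deliver"), decisions

def build_sample_message():
    """Constructed sample: a zip hiding invoice.pdf.exe next to a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ fake executable bytes")
    msg = EmailMessage()
    msg["Subject"] = "Your shipment could not be delivered"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="notes.pdf")
    return msg
```

Running `filter_message(build_sample_message())` returns a "reject" verdict because the zip contains an executable, while the PDF on its own is accepted.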
Are public proxies safe?
I have emphasized many times on this blog that public proxies, or open proxies, are NOT safe and you should not allow them to be used on the company computer network.
It is true that many outside proxies or VPN services are malicious. By routing all of the traffic through their services, these proxies can carry out a man-in-the-middle (MITM) attack. In other words, the attacker sits between two parties who believe they are communicating with each other through a private network. The attacker alters the messages and injects new ones to the victim parties.
An excellent example of the safety problem with public proxies is the spread of the ransomware called Cerber. It used a public proxy called TOR2Web, which provided user IP anonymity, together with Google redirection services. In most incidents, users received an email regarding a failed DHL or FedEx shipment. Once a curious user opened the attachment, the Cerber ransomware spread to the computer.
How to be safe against ransomware?
Files encrypted by ransomware can be recovered, but it is better to prevent attacks before they occur. If you are the system administrator of a company network, you should implement or plan the following:
- Immediate response plan – create a response plan listing the steps to follow during a ransomware attack.
- Backups – creating multiple backups is good because during an attack a backup may also become encrypted. Routinely testing the backups to ensure they are operational is also important.
- Antivirus/anti-spam solutions – to scan emails containing suspicious attachments or links and to filter spam. It is also worthwhile to add a warning banner to external emails indicating that links and attachments may harm the computer.
- Keeping all systems up to date and patched – all network devices, from hardware to mobile devices, should be kept up to date and patched. Besides that, apply a software restriction policy, such as preventing the execution of files in temporary locations, which are known as common ransomware locations. If possible, implementing a centralized patch management system is also important.
- Restrictions on internet access – prevent users from visiting blacklisted sites and limit access to personal email and social media sites, which may become common ransomware entry points. Trusted ad-blocking software is also important.
- Network segmentation and least privilege – according to organizational values and policies, the company network can be segregated, with each segment given the least privilege it needs.
- Monitoring parties with remote access to the company network – ensure they are following cybersecurity best practices.
Further, the end users of the company network should be instructed on:
- How to identify suspicious emails and avoid opening them, and safe web browsing practices so that they do not visit untrusted websites and links.
- Browser security – not installing untrusted add-ons and closing the browser when it is not in use.
- How to report malicious activity and the initial steps to follow during an attack.
It is important to run your own proxy or VPN services for the company network, as the trustworthiness of third-party services is questionable. A good plan for preventing attacks and recovering from them should be implemented in advance and may include the use of content filtering proxies. Besides that, employee knowledge and training on cybersecurity is also important, as ransomware uses emails and download links as carriers.