Preventing Ransomware

Posted by Peter Bassill on 07/07/2021

The current ransomware situation is growing at an alarming rate, and yet there are some things that businesses and families can do to protect themselves. In this post I am going to go through the steps that we at Hedgehog have implemented, so you can bring your protection up to a level that should be acceptable to most.
In this article, we are going to look at how to stop malware getting into your systems and also how to recover if it does get in.
Preventing Malware at the Door
The first thing you need to do is reconfigure your defences. It is "shields up" time if you have not done it yet. Malware typically comes in through three means: email, malicious links and vulnerabilities. So you need to stop the emails, stop the links and fix the vulnerabilities. How do we do this?
Preventing Malware with your Firewall

Difficulty Level: High
Your firewall (for the home user, your home broadband router) is your front door to the internet. In the same way you would not allow someone you didn't expect through your physical front door, why would you allow them through your digital front door?
A good thing to do here is think about the countries you want to accept data from. Countries such as Russia, China, Korea, Nigeria: do you really want data from them? Below is a series of block lists that you can apply to your firewall to drop all of their traffic.

Russia IP Address block list
China IP Address block list
South Korea IP Address block list
Iran IP Address block list

If there is a block list you cannot find, email our support team (support [@] wearehedgehog [.] com) and they will add it to this article.
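As an added example (not from the article), here is a small Python script that turns a block list like the ones above into an nftables set plus a drop rule, validating each line and collapsing overlapping or adjacent ranges first. The CIDRs are constructed documentation ranges, and the table and set names are assumptions.

```python
import ipaddress

# Constructed sample block list: documentation ranges stand in for the
# per-country lists linked above (one CIDR per line, '#' starts a comment).
SAMPLE_BLOCKLIST = """
# example ranges only, not a real country allocation
203.0.113.0/24
203.0.113.128/25     # already inside the /24 above
198.51.100.0/25
198.51.100.128/25    # adjacent to the previous /25, merges into a /24
not-an-address       # malformed line, skipped
"""


def load_cidrs(text):
    """Parse a block list, drop comments, blank and malformed lines, and
    collapse overlapping or adjacent IPv4 ranges into the smallest set."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip a bad line rather than abort the whole load
    v4 = [n for n in nets if n.version == 4]
    return [str(n) for n in ipaddress.collapse_addresses(v4)]


def render_nft_blocklist(set_name, cidrs):
    """Emit an nftables table with an interval set and an input-chain rule
    that drops packets whose source address is in the set."""
    elements = ", ".join(cidrs)
    return (
        "table inet filter {\n"
        f"    set {set_name} {{\n"
        "        type ipv4_addr\n"
        "        flags interval\n"          # required for CIDR elements
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f"        ip saddr @{set_name} drop\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(render_nft_blocklist("geo_block", load_cidrs(SAMPLE_BLOCKLIST)))
```

Apply the printed configuration with `nft -f` on a Linux firewall; for a vendor router, the collapsed list from `load_cidrs()` is what you would paste into its address group instead.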
Preventing Malware with DKIM and DMARC
Difficulty Level: Moderate
There are a lot of guides on the internet on how to configure and secure your email. Simply use your preferred search engine to search for "how to implement DKIM and DMARC" and then select the guide you like. That will get you set up, but how does this protect you?
DKIM and DMARC are a bit of a long game. Once everything is set up, you can increase or decrease your email security by adjusting your DMARC policy. There are three levels to choose from:
None: this will allow all emails to flow into inboxes.
Quarantine: this will place unknown and threat emails into quarantine. You can adjust the level of aggression on the quarantine setting. The higher the setting, the more unknown and threat marked emails will be placed into quarantine.
Reject: this rejects threat and unknown email based on the aggression level.
At Hedgehog, we run our DMARC settings at Quarantine with an aggression level of 100%.
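The three levels above are the p= tag of the DMARC TXT record you publish at _dmarc.<your-domain>, and the "aggression level" corresponds to its pct= tag, the percentage of failing messages the policy is applied to. As an added example that is not part of the original article, this Python parser validates such a record and reports the effective policy; the sample records are constructed.

```python
# Constructed sample records (not any real domain's DNS data).
SAMPLE_RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=25; sp=quarantine",
    "broken": "v=spf1 include:_spf.example.com -all",   # an SPF record, not DMARC
}

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tags and validate the ones that
    drive enforcement (v, p, sp, pct). Raises ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without a value: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])        # subdomain policy defaults to p=
    if tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))       # pct= defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    return tags


def is_valid_dmarc(txt):
    """True if the record parses and passes the checks above."""
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def describe(record):
    """One-line summary of what a receiver does with mail that fails DMARC."""
    return f"{record['p']} {record['pct']}% of failing mail (subdomains: {record['sp']})"
```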
DNS - Domain Name Services
DNS is the phone book of the internet. It makes those easy to read names turn into IP addresses. There is a lot we can do with DNS to make malware propagation much harder.
For Families
Difficulty Level: Easy
Cloudflare have a great service available for families to protect them from Malware and Adult content. On the home broadband router you need to set your DNS servers to the following entries:
Primary DNS: 1.1.1.3
Secondary DNS: 1.0.0.3
If you would like to know more about the Cloudflare for Families project, you can read all about it on their webpage, Cloudflare for Families.
For Business
Difficulty Level: Moderate
For a super long time I have been a massive advocate of running an internal DNS server and applying a daily updated DNS sinkhole. 

A sinkhole is a DNS provider that supplies systems looking for DNS information with false results, allowing an attacker to redirect a system to a potentially malicious destination. DNS sinkholes have also historically been used for non-malicious purposes.
When a computer queries a DNS server to resolve a domain name, the server returns a result if it can; if not, it passes the query to a higher-level server to try again. The higher a DNS sinkhole sits in this chain, the more requests it receives and the greater its effect.
You can download our DNS sinkhole list here.
There are many ways to apply a DNS sinkhole to a business network. You can configure your DNS server to return no records for the domain, or you can block it on your firewalls or content filters.
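One way to implement the "return no records" option on a Linux resolver, as an added example rather than Hedgehog's own tooling: turn a sinkhole domain list into Unbound local-zone entries that answer NXDOMAIN for each domain and everything beneath it. The sample list is made of constructed placeholder names, not real indicators.

```python
import re

# Constructed sample sinkhole list; the names are placeholders, not real IoCs.
SAMPLE_SINKHOLE_LIST = """
# one domain per line, '#' starts a comment
Malware-Drop.example.
cdn.malware-drop.example      # covered by the parent zone above
updates.bad-example.test
updates.bad-example.test      # duplicate
bad domain with spaces        # malformed, skipped
"""

LABEL = re.compile(r"[a-z0-9-]+")


def load_domains(text):
    """Normalise a sinkhole list: lowercase, strip trailing dots, drop
    comments, duplicates and malformed names, and drop any name whose
    parent is already listed (a local-zone covers all its subdomains)."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        labels = line.split(".")
        if len(labels) < 2 or not all(LABEL.fullmatch(lbl) for lbl in labels):
            continue
        names.add(line)
    covered = set()
    for name in names:
        labels = name.split(".")
        # every proper parent of the name, excluding the bare TLD
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if parents & names:
            covered.add(name)
    return sorted(names - covered)


def render_unbound_sinkhole(domains):
    """Emit Unbound config that answers NXDOMAIN for each listed domain and
    everything below it; include it under the server: section."""
    lines = ["server:"]
    for d in domains:
        lines.append(f'    local-zone: "{d}." always_nxdomain')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_unbound_sinkhole(load_domains(SAMPLE_SINKHOLE_LIST)))
```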
Web filtering
For Families
Difficulty Level: Easy
For web filtering, there are two options and personally, in my home, I use both.
On your router
The first is to explore whatever protection is available on your home broadband router. I have turned on the proxy filters on mine; while it is 'ok', it could be a lot better.
On your devices
On all of your devices you should have some form of anti-virus/anti-malware protection. Pretty much all of these come with some form of web content control, so have an explore and lock these down to what you think is acceptable. I would strongly urge blocking paste-bin sites and other simple file sharing sites.
For Business
Difficulty Level: Easy
Using a proxy filter to restrict content that staff can view at work may seem like a thing of the past, but it could be time to rethink that. Aside from the usual obvious things to block, have you considered blocking paste-bins? The current iterations of REvil use services such as pastebin.com to provide installer scripts.
This can be hard to achieve for the home user, but for the business user it should be as simple as reviewing the "file sharing" category on your particular proxy filter and selecting block for paste-bins.
End Point Protection (that AV talk)

For Families AND for Business
Difficulty Level: Easy
This applies to both homes and businesses. Please, please, please use some form of anti-virus / anti-malware protection. It is July of 2021 and I still hear people tell me that Macs don't need AV. Yes, they do. The current iterations of ransomware all run on Macs. In fact, they are cross-platform and run on Windows, Mac, Android, iOS and Linux. So nothing is safe unless it is protected.
While free solutions offer a level of protection, a paid-for service is better. I personally use Trend Micro's services for my home environment. I trust Trend to keep my family safe. In the business environment, it is a mix of Trend and Intego.
If you have Linux systems, you may be wondering what endpoint solutions are available. You may wish to look at Bitdefender, AVAST or ESET.
Vulnerabilities
For Families AND for Business
Difficulty Level: Moderate to High
For the home user, it can be really quite hard to keep on top of the vulnerabilities. For the business user, it is essential.
My first piece of advice is useful for everyone, and that is to enable auto-updates. This way, you do not need to worry about keeping your system up to date, as it should happen in the background.
While auto-updates are great, I would also recommend regularly rebooting your systems. While many of the updates do not require a reboot, some do, and occasionally they don't tell you about it. So a weekly reboot will help.
Something you should do at least once a month is run a check for available updates. There are often some "optional" updates, such as the Windows 10 21H1 update, which will not run automatically. These are really good to run and will keep everything up to date, and they often include security updates you would not otherwise get.
While you are doing this, check for updates for your major applications: things like your web browsers, your office applications and anything by Adobe and Oracle (including Java!).
Spend an hour each month just making sure your applications and systems are up to date and you will reduce your chances of being hacked significantly.

Checking your exposure

For Families AND for Business
Difficulty Level: Moderate to High
Your exposure is what you have open and available to the internet. You may be surprised by what you find here.
The first thing you need to know is your external IP address or addresses. You can use a service like whatsmyip.org to tell you what your external IP address is. If you use this, make sure to turn off any VPN service you might be using so you get your raw IP address.
Once you have your IP address, run a vulnerability scan against it, and any vulnerabilities identified with a Critical or High risk rating you should fix immediately.
For home and small businesses, we will be re-enabling our free scanning service very shortly. Check back here in a week and there should be a link.
For the small business that wants more in-depth findings and for larger business, we have a vulnerability scanning service available. See our vulnerability scanning service page for more information.
 
Recovery from Ransomware
Even if you have done all of the above, at some point you will get hit. And if you have not got this part in place, it is going to cost significant amounts of money and will probably end up costing you the business. So how do you recover from ransomware?
Offline Backups!
The old IT mantra of "two is one and one is none" is probably still true. Offline backups will save you when it all goes wrong, but let us be very serious about what an offline backup is.
An offline backup is a daily or weekly dump of all of your data onto a storage device that is NOT connected to a system or the internet. At Hedgehog, we have two 1TB external hard drives. Every day, we take a dump of all of our data and copy it to both of these drives and then place them in a safe.
Need help?
If you need some help with any of this, reach out to the team using the chat function or any of the contact forms on our site. Or simply email our team directly at hello@wearehedgehog.com and we will see what we can do to help.
