Does encryption prevent ransomware

Ransomware attacks have been increasing for the last few years.

And there are lots of questions about ways to prevent ransomware.

Today, we want to answer one of these:

Does encryption prevent ransomware?

Can ransomware encrypt an encrypted drive?

Even if you have encrypted your hard drives, ransomware can still encrypt (re-encrypt) them. Encrypting your drives yourself doesn’t prevent ransomware. It simply protects the contents from being read. This would mean an attacker wouldn’t be able to do anything with the files other than make them unusable.

Let’s look at this in a little more detail.

How ransomware works

Ransomware is a kind of malware – malicious software.

It blocks you from accessing your own files or systems and demands that you pay a ransom payment to get a decryption key to be able to use them again.

Cyber criminals have profited immensely from this over the last decade.

Ransomware attacks usually begin on one device in your network and spread to others.

It typically takes time for the attacker to gain the necessary information to spread from one computer to another.

The attackers are in your network long before you actually see the ransom message and your systems become unusable.

The most common way that ransomware enters your network is via phishing.

Oftentimes, the attacker will send an email with an attachment and an explanation as to why you should run the software in the attached file.

Or the attacker may insert a link to a drive-by download – a file that downloads and runs automatically.

As email filtering solutions have become better at preventing these attacks, attackers have found other ways to compromise networks and deploy ransomware.

Phishing is one of the most common.

Since many organizations use RDP or VPNs that employees connect to remotely with their work credentials, attackers can simply get a user’s credentials and find a way in.

Ransomware and already encrypted drives

You may be using BitLocker to encrypt your files or hard drives already.

However, this does not mean that ransomware can’t infect your device and encrypt the files again.

It’s kind of like the lock on your storage unit.

If you are logged into the device and have access to the files when ransomware is installed, it can access them as well.

When you boot an encrypted disk, for example, the decryption key is kept in memory so files can be accessed.

Any application can access your files, right?

So can ransomware.

Now, if you are using folder or external drive encryption, the ransomware would still be able to double-encrypt the file or drive; it just wouldn’t be able to read the files.

This is good since it can prevent them from being sold on the dark web.
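The following is an added illustration, not part of the original article, of the point about folder or external drive encryption: a second encryption layer applied by a process that never holds your key cannot read your data, yet it still leaves the data unusable to you. The cipher is a toy SHA-256 keystream with an HMAC tag standing in for a real authenticated cipher, and every name and the sample record are constructed for the example.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode); an assumption standing in for a real cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the blob was altered."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def demo() -> dict:
    owner_key, second_key = os.urandom(32), os.urandom(32)
    record = b"payroll-2024: constructed sample record"
    at_rest = seal(owner_key, record)      # the owner's file-level encryption
    # Confidentiality holds: the stored bytes do not expose the plaintext.
    result = {"plaintext_visible_without_owner_key": record in at_rest}
    # A second layer under a key the owner does not hold replaces the stored bytes.
    double = seal(second_key, at_rest)
    try:
        open_(owner_key, double)
        result["owner_can_read"] = True
    except ValueError:
        result["owner_can_read"] = False   # availability is lost; the tag check flags it
    # The data comes back only when both layers are removed in order.
    result["recovered_with_both_keys"] = open_(owner_key, open_(second_key, double)) == record
    return result

if __name__ == "__main__":
    print(demo())
```

The failed tag check in `open_` is also what tells the owner that the stored bytes were modified rather than merely unreadable.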

The conclusion:

Drive encryption prevents unauthorized parties from reading data off the hard drive while it is off. It won’t prevent ransomware. Just like software can be installed on an encrypted drive, so can ransomware. Ransomware prevention requires layered security controls.

Let’s look at a few of these controls.

Ways to prevent ransomware

Even though ransomware seems like a scary menace, there are actually steps you can take to prevent ransomware in your network.

There’s no silver bullet, but combining multiple security controls in a layered approach will go a long way.

While encryption won’t prevent ransomware, some of these basic methods will help:

Network segmentation

How does ransomware spread on a network?

Ransomware can spread across devices on a network in multiple ways. Typically, some kind of remote access software or remote code execution solution (like PowerShell or PsExec) is used. The ransomware will usually look for administrative credentials to be able to do this.

Multi-Factor Authentication (MFA)

Patching & updates

Conclusion