Defense against ransomware attacks


The harsh truth is that whatever steps you have taken to prevent infections, there is still a chance that your systems will be hit by malware or ransomware. It is therefore important to know what to do once an attack is detected. Generally, three things need to be done to limit the damage: stop the spread, remove the malware, and find out how the infection started.
Prevent the spread of the malware

Once an attack is detected, the first step is to stop it reaching other devices: disconnect the infected device from the network immediately. In practice, administrators rarely detect the attack before it has spread beyond a single device. If the infection has already reached one part of a wide-area network, that site's WAN connection should be cut at once; if it is confined to a subnetwork, that subnet should be disconnected. Servers holding sensitive data that are reachable from the infected devices should also be taken off the network as soon as possible, both to prevent the loss of that data and to keep ransomware from encrypting the shares. Pull the network cable or disable the interface rather than powering the machine off: memory may still hold the encryption key or other artefacts needed to identify the strain.

Remove the malware

Once the device is isolated from the network, the next step is to remove the malware, normally with an anti-malware (antivirus) program. If the malware cannot be removed, there is no choice but to wipe the machine and restore it from backups. For ransomware in particular, rebuilding from a known-good image and restoring data from backup is usually the safer choice anyway, because a scanner that removes the dropper does not guarantee that persistence mechanisms or a second payload are gone. Once the device is clean, run a full system scan before reconnecting it to the network.



[Image: the interface of the Avira antivirus program]

Examples of antivirus programs: Kaspersky, Avira, Avast, Norton.

Besides antivirus protection, these products often bundle other features such as performance optimisation. Generally they keep a database of known malware signatures; if a file matches an entry, it is quarantined until an administrator decides what to do with it. Signature matching only catches samples that are already known, so current products also watch for suspicious behaviour, such as a process rapidly rewriting large numbers of files.

Finding out how the infection started


Finally, find out how the malware or ransomware got onto your systems: check whether users opened an email attachment, followed a link, or downloaded an infected file, and identify the first device that was infected. Then consult the vendor's documentation and reputable online resources for the specific strain to make sure every trace of it has been removed and the entry point has been closed.


There are also best practices that should be followed to protect the organisation's data from being attacked:
  •  Make regular backups and keep systems up to date. This is the best way to recover from a ransomware attack. Administrators should back up highly critical files regularly and make sure offline backups exist, kept in a separate physical location, so that an attacker who has encrypted the live systems cannot reach the backups as well.

    If using a Windows system, backups can be configured via Control Panel > System and Maintenance > Backup and Restore.

    [Image: the Backup and Restore window]

From this window you can set up a backup or restore files from a previous one.

  • If using a Linux system, there are many tools that can be used to make a backup.

    o Examples: Déjà Dup, Grsync, Timeshift

Or you can simply archive the whole Linux filesystem with a single tar command (run as root so that every file is readable):

    sudo tar czf /backup.tar.gz --one-file-system --exclude=/backup.tar.gz --exclude=/dev --exclude=/mnt --exclude=/proc --exclude=/sys --exclude=/tmp --exclude=/lost+found /

This creates a compressed archive of the system; --one-file-system keeps other mounted disks (including the drive the backup will be copied to) out of the archive, and the explicit excludes skip the pseudo-filesystems and temporary directories. Note that /backup.tar.gz is written to the same disk that is being backed up, so copy it to offline media afterwards: a backup that stays on the host is encrypted along with everything else when ransomware strikes.
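A backup only counts once you have proved it can be restored. The following shell script is an added example, not code from the original post: it wraps the tar command above in a function, records the archive's SHA-256 for the offline copy, and checks that the archive is intact and restores cleanly into a scratch directory. It assumes POSIX sh with GNU tar and sha256sum from coreutils; all paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh with
# GNU tar and sha256sum (coreutils); every path below is hypothetical.
set -eu

# make_backup SRC ARCHIVE
# Archives SRC as a gzip tarball, skipping the same pseudo-filesystems as the
# one-liner above, and records the archive's SHA-256 next to it. Write ARCHIVE
# onto the backup medium, not into SRC, so the live host never holds the copy.
make_backup() {
    src=$1; archive=$2
    tar -czf "$archive" -C "$src" \
        --exclude=./dev --exclude=./proc --exclude=./sys \
        --exclude=./tmp --exclude=./mnt --exclude=./lost+found .
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# verify_backup ARCHIVE
# Succeeds only if the recorded hash still matches AND tar can read the
# archive end to end; an archive that ransomware has encrypted, truncated or
# overwritten since it was written fails here instead of at restore time.
verify_backup() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
}

# restore_to ARCHIVE DEST
# Test restore into an empty scratch directory; prints the number of regular
# files that came back so it can be compared against the source tree.
restore_to() {
    archive=$1; dest=$2
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest"
    find "$dest" -type f | wc -l | tr -d ' '
}

# Typical use (hypothetical paths, commented out so the file can be sourced):
# make_backup / /mnt/offline/full-$(date +%F).tar.gz
# verify_backup /mnt/offline/full-2024-01-01.tar.gz && echo "backup is sound"
# restore_to /mnt/offline/full-2024-01-01.tar.gz /srv/restore-test
```

Run make_backup from a scheduled job, copy the archive and its .sha256 file to the offline medium, and run verify_backup against that copy before you rely on it; a restore test into a scratch directory every few weeks catches the archive that quietly stopped being readable long before an incident does.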

  • Prevent malware from running on the devices: allow only trusted applications to run (application allowlisting) and use a strong anti-malware product on every endpoint.
  • Prevent malware from being delivered to the devices: at the mail gateway, accept only the file types users would actually expect to receive and block the rest (executables, scripts, and archives or macro-enabled documents that hide them), and block access to websites known to serve malware.

  •  Providing security awareness training to the organisation's staff is also highly important. Trained employees are far less likely to fall victim to ransomware and other attacks, so this is arguably the best practice of all: the attack is prevented before it happens.
  • Patching running applications promptly is also a best practice. Developers regularly issue patches that close the vulnerabilities attackers exploit, and an unpatched application is an open door.



  • Securing the email servers is also crucial; add a few more security layers:

    •   Add allow and deny rules to the servers and set session timeouts.
    • Add client control rules based on the sender and the recipient.
    • Add authentication to the email servers: require authentication for message submission and check sender authentication (SPF, DKIM, DMARC) on inbound mail.
  •  Use a smart hosting system.
In smart hosting, different servers are used for specific tasks: the server with the best connectivity and security handles the firewall, another runs DNS management, and a third checks the email parameters. This is a more advanced setup, and organisations have to budget the capital expenditure (Capex) when implementing such systems.
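The "accept only the file types users expect to receive" rule above is only effective if it looks past the file name, because the usual ransomware lures are a renamed executable (invoice.pdf.exe, or an .exe with its name changed to .pdf) rather than an honestly labelled binary. The shell script below is an added example, not code from the original post, of the kind of check a mail gateway or quarantine script applies to each attachment: an extension allowlist, a double-extension check, and a comparison of the file's magic bytes with the type its name claims. It assumes POSIX sh and od(1); ALLOWED_EXT is a sample policy and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. A file-type check of the
# kind a mail gateway or quarantine script applies to attachments before they
# reach users. Assumes POSIX sh and od(1); ALLOWED_EXT is a sample policy and
# the file names are hypothetical.
set -eu

# The file types users would expect to receive; everything else is refused.
ALLOWED_EXT="pdf docx xlsx pptx png jpg txt csv"

# magic FILE: the first four bytes as lowercase hex ("25504446" is %PDF).
magic() { od -An -tx1 -N4 "$1" | tr -d ' \n'; }

# classify NAME FILE
# Prints "allow" or "deny: <reason>" and returns 1 on deny. NAME is the name
# the sender chose, FILE is where the attachment was written; they can differ.
classify() {
    name=$1; file=$2
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    ext=${lower##*.}
    base=${lower%.*}

    # 1. The outer extension must be on the allowlist; this alone rejects
    #    invoice.pdf.exe and anything with no extension at all.
    case " $ALLOWED_EXT " in
        *" $ext "*) ;;
        *) printf 'deny: extension .%s not allowed\n' "$ext"; return 1 ;;
    esac

    # 2. The reverse trick, invoice.exe.pdf, hides an executable extension
    #    under an allowed one; reject it as well.
    case "$base" in *.*) inner=${base##*.} ;; *) inner= ;; esac
    case "$inner" in
        exe|scr|js|vbs|bat|cmd|ps1|hta|jar|msi)
            printf 'deny: nested executable extension .%s\n' "$inner"; return 1 ;;
    esac

    # 3. The content has to match the claimed type. Ransomware droppers are
    #    often PE (MZ) or ELF binaries renamed to a harmless extension.
    m=$(magic "$file")
    case "$m" in
        4d5a*)    printf 'deny: PE executable disguised as .%s\n' "$ext"; return 1 ;;
        7f454c46) printf 'deny: ELF executable disguised as .%s\n' "$ext"; return 1 ;;
    esac
    case "$ext" in
        pdf)            expect=25504446 ;;
        png)            expect=89504e47 ;;
        docx|xlsx|pptx) expect=504b0304 ;;   # OOXML documents are zip containers
        jpg)            expect=ffd8ff ;;
        *)              expect= ;;           # txt and csv have no magic number
    esac
    if [ -n "$expect" ]; then
        case "$m" in
            "$expect"*) ;;
            *) printf 'deny: content is not a real .%s file\n' "$ext"; return 1 ;;
        esac
    fi
    printf 'allow\n'
}
```

Call classify with the attachment's declared name and the path where the gateway saved it, and quarantine anything that does not print allow. The three checks are ordered from cheapest to most specific, but the order does not change the verdict; what matters is that a file has to pass all three, so renaming an executable is not enough to get it through.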







Thus, there are many actions that can be taken to protect systems from ransomware attacks, and the right mix depends on the systems being secured. The more effort an organisation puts in, the better its data and information are protected, though some capital expenditure is needed for the additional security measures. As network security learners, you need a solid understanding of how to apply these procedures once you join an organisation.
