Can encryption protect against ransomware?

Ransomware is a growing cybersecurity threat that encrypts a victim’s files and demands payment for the decryption key. As ransomware attacks become more prevalent, many organizations are looking to encryption as a way to protect their data. But can encryption really provide protection against ransomware? Here we’ll examine the role encryption can play in ransomware defense and its limitations.

What is ransomware and how does it work?

Ransomware is a type of malicious software (malware) that encrypts an organization’s files and holds the encryption keys hostage until a ransom is paid. Once installed, it will silently encrypt files on the network, preventing access. When complete, the attackers will reveal themselves and demand payment in cryptocurrency to receive the decryption key. If organizations don’t pay, they risk permanently losing access to their data.

Modern ransomware uses strong encryption algorithms, such as AES and RSA, to encrypt files. Attackers generate a new symmetric encryption key for each file, then encrypt those symmetric keys with a public key whose corresponding private key only the attackers hold. This makes decryption virtually impossible without the private key, which is why organizations often have no choice but to pay the ransom.

Does encryption prevent ransomware infections?

Encryption does not prevent ransomware from infecting systems. Ransomware uses various vectors to gain an initial foothold, such as:

  • Phishing emails with malicious attachments or links
  • Drive-by downloads from compromised websites
  • Brute force attacks on Remote Desktop Protocol (RDP)
  • Software vulnerabilities that enable remote code execution

Encryption does not protect against any of these infection vectors. Ransomware can still be installed, spread, and execute its file encryption routine regardless of whether data at rest is encrypted.

However, encryption can be used to protect backups and other data copies, making it more difficult for ransomware to find and encrypt everything. But encryption alone will not prevent a ransomware attack.

Can encryption prevent file encryption by ransomware?

If ransomware is able to run on a system, encryption is largely ineffective at preventing the actual file encryption. Most ransomware is designed to search for and encrypt any files that it can access. This includes files protected by local encryption.

Some key reasons encryption fails to protect files:

  • The ransomware runs with the user’s privileges, so any files the user can access, the ransomware can encrypt.
  • Most local file encryption just encrypts the contents, not the file names. Ransomware can still find and encrypt these files.
  • Various files need to be left unencrypted for the OS to run, and ransomware can access and encrypt these.

In essence, the ransomware has the same access as the user or system processes. With that access, it can encrypt anything it’s able to find. Typical local encryption won’t be able to differentiate legitimate access from ransomware and will decrypt files for both.

What are the limitations of encryption against ransomware?

Encryption has several key limitations when dealing with ransomware:

  • File discovery: Most local encryption doesn’t hide file names or directory structures from unauthorized access. Ransomware can still find and encrypt these files even if it can’t read the contents.
  • Access control: Local encryption tools rely on access control already implemented in the operating system. If a user or process has access to view or modify a file, encryption won’t block that.
  • Keys: Encryption keys are necessarily stored locally on the system so authorized users can decrypt files. Ransomware may be able to access and exfiltrate these keys during its encryption routine.
  • Unencrypted attack surface: Not all files can be encrypted and still allow the system to run. The bootloader, partition tables, system files, program binaries, etc. will be unencrypted and can potentially be corrupted.
  • Zero-day exploits: Encryption doesn’t protect against zero-day vulnerabilities that allow unauthorized access to systems and data.

Due to these limitations, most security experts view encryption as just one part of a defense-in-depth strategy against ransomware. It needs to be used together with access controls, patching, backups, endpoint detection and response (EDR), and other measures.

What role can encryption play in ransomware defense?

While encryption has limits in directly preventing ransomware encryption, it still has an important role to play as part of a layered defense:

  • Network traffic encryption – Encrypt network traffic to prevent reconnaissance and lateral movement by ransomware. Use IPsec, TLS, SSH, etc. to encrypt connections.
  • Email encryption – Encrypt email in transit and at rest to prevent phishing-based infections.
  • File servers – Encrypt files on file servers and other centralized storage to make exfiltration harder.
  • Backups – Maintain encrypted offline backups that ransomware can’t access to enable recovery after an attack.
  • Desktop encryption – Use full disk encryption or encrypted containers on end-user systems to protect offline machines.
  • Removable media – Encrypt USB drives, external hard drives, CDs/DVDs, and other removable media that could spread ransomware.

Encryption makes exfiltration of data and encryption of all backup copies significantly more difficult for attackers. When implemented with other controls, it can provide defense in depth against ransomware campaigns.
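As an added example (not from the original article) of two points made above, that key material kept on the host is reachable by anything running there, and that a backup copy should be checked before it is trusted for recovery: a Python integrity check for an offline backup set whose HMAC key is assumed to live with the backup media rather than on the protected host. The key, file names and contents are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Assumption: this key is stored with the offline backup, never on the protected host,
# so a process running on that host cannot recompute a valid tag after altering files.
OFFLINE_KEY = b"constructed-example-key-keep-off-host"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: Path) -> dict:
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def _tag(files: dict) -> str:
    canonical = "\n".join(f"{name} {digest}" for name, digest in sorted(files.items())).encode()
    return hmac.new(OFFLINE_KEY, canonical, hashlib.sha256).hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file in the backup set and authenticate the list with the offline key."""
    files = _hash_tree(root)
    return {"files": files, "tag": _tag(files)}


def verify_backup(root: Path, manifest: dict) -> list:
    """Return a list of problems found before restoring; an empty list means the copy is intact."""
    if not hmac.compare_digest(_tag(manifest["files"]), manifest["tag"]):
        return ["manifest tag invalid: the manifest itself was altered"]
    current = _hash_tree(root)
    problems = [f"missing: {n}" for n in manifest["files"] if n not in current]
    problems += [f"modified: {n}" for n, d in manifest["files"].items() if n in current and current[n] != d]
    problems += [f"unexpected: {n}" for n in current if n not in manifest["files"]]
    return problems


def demo() -> tuple:
    """Constructed scenario: record a clean backup, then alter the copy in place and re-check it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (root / "notes.txt").write_bytes(b"quarterly notes\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        (root / "ledger.csv").write_bytes(b"\x00\x13 overwritten in place")  # constructed tampering
        (root / "extra.bin").write_bytes(b"constructed stray file\n")
        return clean, verify_backup(root, manifest)
```

Run `demo()` to see the clean check pass and the altered copy flagged; a manifest whose tag no longer verifies is reported before any per-file comparison.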

Should organizations pay the ransom?

If hit with a ransomware attack, organizations face a difficult decision of whether or not to pay. There are compelling arguments on both sides:

Reasons to pay the ransom:

  • Decryption is the only way to recover encrypted data.
  • Ransom demands are often relatively low compared to the value of the data.
  • Many ransomware groups honor decryption agreements.
  • Downtime and recovery without paying could cost more than the ransom.

Reasons not to pay the ransom:

  • No guarantee encrypted data will be recovered.
  • Paying encourages and funds criminal activity.
  • Organization appears vulnerable and may be targeted again.
  • Other options like backups may be available for recovery.

There are decent arguments on both sides, and each organization will need to make the decision based on their specific circumstances. With strong backups and other protections in place, the argument for not paying strengthens. But in the absence of other recovery options, paying the ransom may be the only way to resume operations.

Should ransom payments be made illegal?

Some advocate for outlawing ransom payments on the grounds that it encourages ransomware attacks. However, there are several considerations around outlawing payments:

  • It could result in more data being lost if organizations have no option to recover data after an attack.
  • If victims know they’ll be breaking the law by paying, more attacks may go unreported.
  • Without potential for payment, ransomware groups may sell or expose exfiltrated data instead.
  • Groups could operate out of jurisdictions where payments are still legal.
  • A ban could be difficult to enforce in practice.

That said, there are benefits to banning ransom payments:

  • It reduces the financial incentive behind ransomware campaigns.
  • Those caught paying could face criminal penalties, strengthening deterrence.
  • It formalizes discouragement of payments among private organizations.
  • Law enforcement has more leverage to disrupt ransomware operations.

Overall, there are good points on both sides of this issue. Banning payments would likely reduce the overall level of ransomware, but at the potential cost of more data loss. Organizations may also try to work around bans by not reporting attacks. Each country proposing a ban needs to carefully weigh the trade-offs involved.

How can organizations improve ransomware resilience?

Organizations can take several steps to enhance ransomware resilience, including:

  • Employee training – Train staff on cyber risks and how to identify potential phishing attempts or other social engineering.
  • Least privilege – Follow the principle of least privilege access for users and processes.
  • Segmentation – Use proper network segmentation to contain potential infections.
  • Endpoint protection – Deploy anti-malware and EDR solutions to endpoints and servers.
  • Backups – Maintain offline, encrypted backups that ransomware cannot access.
  • Vulnerability management – Aggressively patch vulnerabilities and misconfigurations that enable ransomware.
  • Incident response – Have an incident response plan in place for detection, containment, and recovery.

Building organizational resilience against ransomware requires defense in depth across people, processes, and technology controls. Encryption plays a supporting role as part of this larger security strategy.

Conclusion

Encryption alone cannot fully protect against ransomware, but it remains an important component of an overall defense strategy. By encrypting backups, removable media, network traffic, and select data at rest, organizations can make it more difficult for ransomware campaigns to succeed, but encryption remains just one part of the solution. Organizations still need to follow best practices like least privilege access, vulnerability management, and effective backups to have robust protection against ransomware outbreaks.