Ransomware Protection: How to Prevent Ransomware Attacks
We Keep you Connected
Ransomware Protection: How to Prevent Ransomware Attacks
The best way to prevent ransomware is also the best way to prevent any malware infection – to implement security best practices. Of course, if best practices were easy, no ransomwareattacks would occur. All organizations, even the most prepared, will be vulnerable to ransomwareattacks to some degree. The most resilient organizations must not only prevent ransomwareattacks by implementing security to prevent infections from occurring, but also use strategies to limit the damage of successful attacks, alert teams promptly of potential infections, and effectively react to attacks.
Table of Contents
The term ransomware applies to a broad spectrum of attacks and tools that seek to encrypt data and then hold the dataransom in exchange for a decryption key. Over the past couple of years, attackers have evolved their attacks to also include data exfiltration and extortion schemes that threaten public release of the victim’s data unless the ransom demand is paid.. Ransomwareattacks hit the headlines every week, with governments, school districts, healthcare providers, and private companies forced to admit attacks after ransomware disrupts their operations. Healthcare ransomwareattacks have even been linked to patient deaths.
While most attackers typically use ransomware to extort money, some attackers instead use ransomware to camouflage other types of attacks such as:
Recently, ransomware gangs seek to move faster and avoid detections that focus on the encryption process. While these attacks technically no longer count as ransomware, businesses still need to guard against similar attacks that seek to corrupt data after exfiltration or simply extort businesses based on the threat of leaking stolen data. Ransomwarerecovery resources:
Once inside a business, malicious hackers can deploy many types of malware or attack systems in many different ways. For many victims, they only recognize a ransomware attack once their data is encrypted and the ransom notes are found, as in the screen and text messages from the infamous REvil ransomware group below (Sources: Arista Networks and Qualys).
When trying to catch ransomwareattacks earlier in the process, defenders watch for indicators of compromise such as:
Simple ransomwareattacks use semi-automated malware to spread itself through networks and execute the ransomware. Sophisticated attacks use command and control servers, PowerShell commands, and active exploration of the network by attackers in combination with malware and malicious use of standard tools.
Everyone is vulnerable to ransomware.
Regardless of the amount of training, people keep clicking on phishingemails and opening holes in security. Regardless of the quality or quantity of layers of security deployed, zero-day vulnerabilities, deployment mistakes, and human error can create security gaps that attackers will eagerly exploit.
The effective questions that need to be asked should be:
We will explore these questions and provide suggestions for suitable answers in the next sections to follow.
Implementing all possible IT security best practices is beyond the resources of many organizations, but even small organizations can find ways to implement a significant number of best practices at low cost through open-source tools, adopting software-as-a-service (SaaS) products, or by engaging service providers such as:
The smallest organizations with the most limited resources should at least implement effective backups and endpoint protection software. This combination will prevent many types of ransomware infections and allow the company to recover as quickly as possible from those that succeed.
Ransomware prevention requires creating reinforcing layers of security to prevent an attacker or malware from entering the secured spaces of the organization. Key components of this strategy seek to protectdevices, block common infection vectors, minimize human error, and check for gaps in the security.
Many ransomwareattacks launch on the endpoint. Effective endpoint security implements defense in depth to add layers of security to increase the difficulty for ransomwareattacks to launch or to avoid detection.
Before ransomware launches, it must first enter the network. Organizations need to defend against the primary vectors of infection.
Many ransomwareattacks begin with a user falling for email phishing that launches malware or leads to malicious websites. The number of “bad clicks” can be reduced through cybersecurity training for users. While some users may remain a potential source of infection, training can also help security recognize these users that may need additional layers of security to help protect them. Attackers value IT administrator credentials because of their comprehensive access to IT systems. Admins should regularly use non-privileged credentials for everyday tasks such as email, web browsing, etc. Privileged credentials can be term-limited and highly restricted to limit their value and opportunities for compromise. Attackers will quickly take advantage of exposedvulnerabilities in any way they can. Often, the announcement of a securitypatch or a zero-dayvulnerability will be followed with malwareattacks targeting that exposed weakness within a few days and sometimes within a few hours.
IT teams for organizations of all sizes must promptly patch software and hardware vulnerabilities and implement mitigation to protectdevices or software that cannot be patched quickly. Updates for security software and infrastructure with the latest security updates (malware signatures, malicious urls, etc.) must also be prioritized to prevent attacks and organizations should maintain up-to-date asset systems and software lists to know what to update.
The best plans often become unwittingly sabotaged by poor implementation or simple error. Organizations need to regularly check their systemswith vulnerability scans and penetration tests to verify that all layers of the security stack operate as expected without any detected vulnerabilities or misconfigurations.
The best security tools can still be circumvented by human error, misconfigurations, and zero-dayvulnerabilities. However, effective IT design and basic security principles can be put in place to limit the effectiveness and slow the spread of ransomware.
One key tactic in many ransomwareattacks uses data exfiltration to extort companies with the threat of releasing that data to the public or to competitors. The effectiveness of this threat can be blunted significantly by encrypting sensitive data or even all data in the organization. However, encryption keys must also be managed and protected to prevent their theft by the ransomwareattackers.
The damage a ransomware attack can cause for an organization will be limited by the maintenance of disaster recovery solutions such as frequent immutable backups. Most ransomwareattackers will seek to destroy backups and restore points for systems, so at least one version of the backup should be offline or unreachable from the network.
Backup tools and processes should be tested regularly to practice restoration techniques. Organizations should also verify the capacity of the backup provider to operate at scale in the event of a widespread ransomware attack.
In addition to data, backups should periodically capture the full operating system, installed software, and settings in the event that a full system backup is required. Backups should be retained for up to six months to enable the restoration of pre-infection data and operating systems as well as enable forensic investigation of long-term attacks.
In line with least-privileged principles for users, devices can be isolated using segmentation and microsegmentation to create limited size networks in which a network can spread or an attacker can perform lateral movement. By implementing strict policies at the application level, segmentation gateways, firewalls, zero-trust architecture, and software-defined wide area network (SD-WAN) tools can prevent widespread ransomwareattacks.
Using risk assessments, organizations can identify key assets and data for the organization and assign additional protections or alerts on these key assets. Cloud access security brokers (CASBs) provide additional visibility, compliance, datasecurity, and threat protection in securing cloud resources and data against attacks.
Despite the best efforts of securityteams to prevent malware from entering the network, a simple mistake can lead to a ransomware infection. To limit the ability of the ransomware attack to damage the organization, securityteams need to receive alerts regarding malicious activities as well as have the capabilities to recognize those alerts and the capacity to act on them.
Effective security requires the use of security information and event management (SIEM) tools, security operations centers (SOC), managed detection and response (MDR), and attentive security professionals to quickly recognize the alert and be able to take action. These professionals will also need to fine-tune the tools to minimize false alarms that might otherwise waste time and lose critical alerts in the noise of false-positive warnings.
Advanced tools may be configured to take automated action to quarantine infected devices or block malware from executing. However, other attacks may only generate alerts.
Once a ransomware alert has been recognized, the incident response teams will have very little time to react to prevent the ransomware attack from spreading or encrypting the data. We list a number of resources for recovering from a ransomware attack at the top of this article, but the short version is:
The security team should already have specialists assigned or vendors contracted to perform incident response. These teams should develop and practice a playbook for responding to a ransomware attack, so they can respond immediately to an actual event. The incident response team’s reaction can include:
After any detection of ransomware, there needs to be an investigation into the entry point(s), time in the environment, affected system(s), data exfiltrated, and data corrupted. Only once the investigation is complete can the organization confirm the ransomware attack is contained.
Ideally, ransomware reaction best practices will allow the incident response practice to kick into gear and lead to a speedy resolution. For those organizations without incident response plans, the general steps should include:
As noted above, the first steps will be to contain the attack followed by stopping the malware. Once the attack has been controlled, the incident response team will need to perform a forensic investigation of the systems to remove any malware, system back doors, or other traces of the attack to prevent recurrence.
Once the systems are verified as sanitized, the organization can start the process of recovery.
After the successful recovery of systems and data, the organization should do a post-event review to: Ransomwareattackers continue to evolve and develop their skills. Some attacks may be inevitable and unavoidable — especially from determined and skilled attackers. However, the hardening of IT environments to make attacks difficult and tedious can cause active attackers to prioritize easier targets of opportunity.
Faced with the threat of negative publicity – and often unrecoverable data – non-technical executives and board members often ask their securityteams or service providers to explain ransomware and how their organization might prevent ransomwareattacks.
While security professionals can write entire books on ransomware, executives need concise, high-level information that provides the essential information in language free of acronyms, trivia, or technical details they may not understand.
IT executives need to explain that the best protection against ransomwareattacks remains effective preparation. Organizations that limit access within their IT environment, implement effective security tools, monitor alerts for signs of attack, and respond quickly will dramatically reduce the damage from ransomwareattacks.
If enough organizations can harden their environments and limit their damage, the ransomwarebusiness will certainly fade into the background. Ransomware has faded in the past and the current boom of ransomware is simply a resurgence of an old attack method that has gained traction in a target-rich environment.
Skilled attackers will always pivot to a new style of attack designed to extort or steal money, and IT teams will need to adjust their security tactics to address those new threats as they arise. Only strong fundamentals can prepare for the current attacks as well as attacks to come.
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
Catering to All IT Issues So You Can Stay Connected Securely
The Network Company has been based in South Orange County, CA, for over 27 years and provides “Managed IT Services.” We support your company’s network, computers, software, and users; and make sure your system is always running smoothly. Our topmost priority is to ensure that your users and customers get the most from your IT investment.
GET YOUR FREE, NO-OBLIGATION NETWORK HEALTH CHECK! We know you’re so busy running your business that sometimes you may forget to think about the security and health of your computer network. In fact, many business owners do NOT perform regular IT and Security maintenance, leaving the door wide open for spyware, viruses and other malicious threats that can infect their networks. This can lead to the loss of irreplaceable business data and hours of downtime. This is where we can help with Professional IT services, no matter what industry your business is in.
We don’t want this to happen to you! We’re offering you a FREE, no-strings-attached Network Health Check, which includes an inventory of your current environment, along with recommended improvements to keep your network healthy.
What’s the catch? You must be wondering why we are willing to give this away for free. We are simply offering this Network Health Check as a risk-free way to “get to know us” while helping you identify areas of vulnerability.
How does it work? To get your free Network Health Check, simply click here to complete the online request form. After we receive your request, we will contact you to schedule a specialist to perform the assessment.
Following the assessment, you will receive a complimentary recommended action plan and estimate for correcting any existing issues.
