Ransomware Protection: How to Prevent Ransomware Attacks



The best way to prevent ransomware is also the best way to prevent any malware infection – to implement security best practices. Of course, if best practices were easy, no ransomware attacks would occur.
All organizations, even the most prepared, will be vulnerable to ransomware attacks to some degree. The most resilient organizations must not only prevent ransomware attacks by implementing security to prevent infections from occurring, but also use strategies to limit the damage of successful attacks, alert teams promptly of potential infections, and effectively react to attacks.
The term ransomware applies to a broad spectrum of attacks and tools that seek to encrypt data and then hold the data ransom in exchange for a decryption key. Over the past couple of years, attackers have evolved their attacks to also include data exfiltration and extortion schemes that threaten public release of the victim’s data unless the ransom demand is paid. Ransomware attacks hit the headlines every week, with governments, school districts, healthcare providers, and private companies forced to admit attacks after ransomware disrupts their operations. Healthcare ransomware attacks have even been linked to patient deaths.
While most attackers typically use ransomware to extort money, some attackers instead use ransomware to camouflage other types of attacks such as:
Recently, ransomware gangs have sought to move faster and to evade detections that focus on the encryption process. While these attacks technically no longer count as ransomware, businesses still need to guard against similar attacks that corrupt data after exfiltration or simply extort businesses with the threat of leaking stolen data.
Ransomware recovery resources:
Once inside a business, malicious hackers can deploy many types of malware or attack systems in many different ways. Many victims only recognize a ransomware attack once their data is encrypted and the ransom notes are found, as in the screen and text messages from the infamous REvil ransomware group shown below (Sources: Arista Networks and Qualys). To catch ransomware attacks earlier in the process, defenders watch for indicators of compromise such as:
Simple ransomware attacks use semi-automated malware that spreads itself through the network and executes the ransomware. Sophisticated attacks combine malware and malicious use of standard tools with command and control servers, PowerShell commands, and active exploration of the network by the attackers.

Everyone is vulnerable to ransomware.
Regardless of the amount of training, people keep clicking on phishing emails and opening holes in security. Regardless of the quality or quantity of layers of security deployed, zero-day vulnerabilities, deployment mistakes, and human error can create security gaps that attackers will eagerly exploit.
The more useful questions to ask are:
We explore these questions and suggest suitable answers in the sections that follow.
Implementing all possible IT security best practices is beyond the resources of many organizations, but even small organizations can find ways to implement a significant number of best practices at low cost through open-source tools, adopting software-as-a-service (SaaS) products, or by engaging service providers such as:
The smallest organizations with the most limited resources should at least implement effective backups and endpoint protection software. This combination will prevent many types of ransomware infections and allow the company to recover as quickly as possible from those that succeed.

Ransomware prevention requires creating reinforcing layers of security to prevent an attacker or malware from entering the secured spaces of the organization. Key components of this strategy seek to protect devices, block common infection vectors, minimize human error, and check for gaps in the security.
Many ransomware attacks launch on the endpoint. Effective endpoint security implements defense in depth to add layers of security to increase the difficulty for ransomware attacks to launch or to avoid detection.
Before ransomware launches, it must first enter the network. Organizations need to defend against the primary vectors of infection.
Many ransomware attacks begin with a user falling for email phishing that launches malware or leads to malicious websites. The number of “bad clicks” can be reduced through cybersecurity training for users. While some users may remain a potential source of infection, training can also help security recognize these users that may need additional layers of security to help protect them.
Attackers value IT administrator credentials because of their comprehensive access to IT systems. Admins should regularly use non-privileged credentials for everyday tasks such as email, web browsing, etc. Privileged credentials can be term-limited and highly restricted to limit their value and opportunities for compromise.
Attackers will quickly take advantage of exposed vulnerabilities in any way they can. Often, the announcement of a security patch or a zero-day vulnerability will be followed with malware attacks targeting that exposed weakness within a few days and sometimes within a few hours.
IT teams for organizations of all sizes must promptly patch software and hardware vulnerabilities and implement mitigations to protect devices or software that cannot be patched quickly. Updates for security software and infrastructure with the latest security content (malware signatures, malicious URLs, etc.) must also be prioritized to prevent attacks, and organizations should maintain up-to-date asset inventories of systems and software so they know what to update.
The best plans often become unwittingly sabotaged by poor implementation or simple error. Organizations need to regularly check their systems with vulnerability scans and penetration tests to verify that all layers of the security stack operate as expected without any detected vulnerabilities or misconfigurations.
The best security tools can still be circumvented by human error, misconfigurations, and zero-day vulnerabilities. However, effective IT design and basic security principles can be put in place to limit the effectiveness and slow the spread of ransomware.
One key tactic in many ransomware attacks uses data exfiltration to extort companies with the threat of releasing that data to the public or to competitors. The effectiveness of this threat can be blunted significantly by encrypting sensitive data or even all data in the organization. However, encryption keys must also be managed and protected to prevent their theft by the ransomware attackers.
The damage a ransomware attack can cause for an organization will be limited by the maintenance of disaster recovery solutions such as frequent immutable backups. Most ransomware attackers will seek to destroy backups and restore points for systems, so at least one version of the backup should be offline or unreachable from the network.
Backup tools and processes should be tested regularly to practice restoration techniques. Organizations should also verify the capacity of the backup provider to operate at scale in the event of a widespread ransomware attack.
In addition to data, backups should periodically capture the full operating system, installed software, and settings in case a full system rebuild is required. Backups should be retained for up to six months to enable the restoration of pre-infection data and operating systems as well as to enable forensic investigation of long-term attacks.
In line with least-privilege principles for users, devices can be isolated using segmentation and microsegmentation to create limited-size network segments within which an infection can spread or an attacker can perform lateral movement. By implementing strict policies at the application level, segmentation gateways, firewalls, zero-trust architecture, and software-defined wide area network (SD-WAN) tools can prevent widespread ransomware attacks.
Using risk assessments, organizations can identify key assets and data for the organization and assign additional protections or alerts on these key assets.
Cloud access security brokers (CASBs) provide additional visibility, compliance, data security, and threat protection in securing cloud resources and data against attacks.
Despite the best efforts of security teams to prevent malware from entering the network, a simple mistake can lead to a ransomware infection. To limit the ability of the ransomware attack to damage the organization, security teams need to receive alerts regarding malicious activities as well as have the capabilities to recognize those alerts and the capacity to act on them.
Effective security requires security information and event management (SIEM) tools, security operations centers (SOCs), managed detection and response (MDR), and attentive security professionals who can quickly recognize an alert and take action. These professionals will also need to fine-tune the tools to minimize false alarms that would otherwise waste time and bury critical alerts in the noise of false-positive warnings.
Advanced tools may be configured to take automated action to quarantine infected devices or block malware from executing. Other attacks, however, may only generate alerts.
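As an added illustration of the kind of alert a tuned detection produces (this is example code written for this article, not any vendor's product), the rule below reads constructed file-activity events and flags a process that renames many files to a new extension within a short window, the classic on-host sign of bulk encryption. The log format, the 60-second window and the five-file threshold are assumptions; plain writes are deliberately ignored so that a backup agent rewriting files in place does not raise a false alarm.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-activity events (not from any real product):
# "<ISO time> <process> <op> <path> [-> <new path>]".
SAMPLE_EVENTS = """\
2024-03-01T09:00:04 nautilus RENAME /srv/share/finance/old.txt -> /srv/share/finance/archive.txt
2024-03-01T09:02:10 updater.exe RENAME /srv/share/hr/a.docx -> /srv/share/hr/a.docx.lockd
2024-03-01T09:02:11 updater.exe RENAME /srv/share/hr/b.docx -> /srv/share/hr/b.docx.lockd
2024-03-01T09:02:11 updater.exe RENAME /srv/share/hr/c.pdf -> /srv/share/hr/c.pdf.lockd
2024-03-01T09:02:12 updater.exe RENAME /srv/share/hr/d.pdf -> /srv/share/hr/d.pdf.lockd
2024-03-01T09:02:13 updater.exe WRITE /srv/share/hr/README_RESTORE.txt
2024-03-01T09:02:13 updater.exe RENAME /srv/share/hr/e.xlsx -> /srv/share/hr/e.xlsx.lockd
2024-03-01T09:10:00 backup-agent WRITE /srv/share/finance/q1.xlsx
"""

WINDOW = timedelta(seconds=60)  # assumed tuning values: burst window and file count
THRESHOLD = 5

def parse(line):
    """Split one event into (time, process, op, old path, new path)."""
    ts, proc, op, rest = line.split(" ", 3)
    old, _, new = rest.partition(" -> ")
    return datetime.fromisoformat(ts), proc, op, old, new or old

def changes_extension(op, old, new):
    """Only renames that swap the file suffix count; plain writes are ignored so a
    backup agent rewriting many files in place does not trip the rule."""
    return op == "RENAME" and os.path.splitext(old)[1] != os.path.splitext(new)[1]

def detect(log, window=WINDOW, threshold=THRESHOLD):
    """Return (process, burst start, distinct files) for each process that renames
    at least `threshold` distinct files to a new extension inside one window."""
    recent = defaultdict(deque)  # process -> (time, path) events still in window
    alerts, reported = [], set()
    for line in log.strip().splitlines():
        ts, proc, op, old, new = parse(line)
        if not changes_extension(op, old, new):
            continue
        q = recent[proc]
        q.append((ts, old))
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        files = {p for _, p in q}
        if len(files) >= threshold and proc not in reported:
            reported.add(proc)
            alerts.append((proc, q[0][0].isoformat(), len(files)))
    return alerts
```

Raising the threshold or widening the window is the kind of tuning the section describes: too low and routine file tooling pages the SOC, too high and the first minute of encryption passes unnoticed.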
Once a ransomware alert has been recognized, the incident response team will have very little time to react before the ransomware spreads or encrypts the data. We list a number of resources for recovering from a ransomware attack at the top of this article, but the short version is:
The security team should already have specialists assigned or vendors contracted to perform incident response. These teams should develop and practice a playbook for responding to a ransomware attack, so they can respond immediately to an actual event. The incident response team’s reaction can include:
After any detection of ransomware, there needs to be an investigation into the entry point(s), time in the environment, affected system(s), data exfiltrated, and data corrupted. Only once the investigation is complete can the organization confirm the ransomware attack is contained.
Ideally, ransomware reaction best practices will allow the incident response practice to kick into gear and lead to a speedy resolution. For those organizations without incident response plans, the general steps should include:
As noted above, the first steps will be to contain the attack followed by stopping the malware. Once the attack has been controlled, the incident response team will need to perform a forensic investigation of the systems to remove any malware, system back doors, or other traces of the attack to prevent recurrence.
Once the systems are verified as sanitized, the organization can start the process of recovery.
After the successful recovery of systems and data, the organization should do a post-event review to:
Ransomware attackers continue to evolve and develop their skills. Some attacks may be inevitable and unavoidable — especially from determined and skilled attackers. However, the hardening of IT environments to make attacks difficult and tedious can cause active attackers to prioritize easier targets of opportunity.
Faced with the threat of negative publicity – and often unrecoverable data – non-technical executives and board members often ask their security teams or service providers to explain ransomware and how their organization might prevent ransomware attacks.
While security professionals can write entire books on ransomware, executives need concise, high-level information that provides the essential information in language free of acronyms, trivia, or technical details they may not understand.
IT executives need to explain that the best protection against ransomware attacks remains effective preparation. Organizations that limit access within their IT environment, implement effective security tools, monitor alerts for signs of attack, and respond quickly will dramatically reduce the damage from ransomware attacks.
If enough organizations can harden their environments and limit their damage, the ransomware business will certainly fade into the background. Ransomware has faded in the past and the current boom of ransomware is simply a resurgence of an old attack method that has gained traction in a target-rich environment.
Skilled attackers will always pivot to a new style of attack designed to extort or steal money, and IT teams will need to adjust their security tactics to address those new threats as they arise. Only strong fundamentals can prepare for the current attacks as well as attacks to come.
