Ransomware is quickly becoming the number one threat for nearly all organizations. Over the last few years, ransomware attacks have skyrocketed, with COVID fueling the number of incidents levied against organizations of every size. In 2020, ransomware attacks rose 485%, and payouts also hit a record high, reaching an average of $312,000 in 2020.
This trend isn’t stopping in 2021, either. The banking industry alone saw a 1318% increase in ransomware attacks at the beginning of 2021. This evidence alone should demonstrate why any cybersecurity leader should have a plan for defending against and responding to ransomware.
Ransomware attacks and methods are evolving
Not only has ransomware risen in frequency, it has also evolved in more dangerous ways. Double and triple extortion ransomware attacks are becoming the norm. Before, an organization could pay a ransom in the hope of receiving a decryption key to unlock their files, but attackers now also threaten to leak the stolen data unless an additional ransom is paid. Triple extortion attacks go a step further, launching a distributed denial-of-service (DDoS) attack on an already-affected victim and demanding a further ransom for the DDoS attack to stop.
Further contributing to the proliferation of these attacks is Ransomware as a Service (RaaS), a lucrative and burgeoning business model that makes launching targeted ransomware attacks extremely easy. This service has become so threatening that HBO’s Last Week Tonight with John Oliver dedicated an entire section to it.
These advancements have created an environment where ransomware attacks are profitable, successful, and easy to deploy, hurting small to mid-sized organizations most. These attackers don’t discriminate: a report showed that 71% of attacks targeted small businesses, likely because attackers know these companies often don’t have the resources or support to effectively respond to or recover from an advanced ransomware attack. The consequences can be significant.
How organizations can protect themselves from ransomware
Fortunately, there are a number of ways to ensure you aren’t leaving yourself completely vulnerable. Here are ten to start with; if you’re not already doing them, you should be considering them:
1. Maintain back-ups separately
This is arguably one of the most important actions you can take that directly protects against ransomware. If your organization is hit with a ransomware attack, having a back-up means you can recover quickly and may not even need to consider paying a ransom, because you can restore your data without needing a decryption key.
As you’re creating and setting up your back-ups, make sure they aren’t reachable from the systems they protect. Back up your data either to an entirely separate cloud service or to an external hard drive that is disconnected once the back-up completes. Ransomware is designed to find back-ups and infect them too, so keeping your backups completely isolated will ensure they aren’t infected.
2. Train your employees
Most ransomware attacks make their way into an organization through its employees, via techniques like phishing, brute-force attacks, and social engineering. As you build out your organization’s security posture, security awareness training (SAT) programs, including regular simulations and tests, should become mandatory. Until you have an SAT program in place, you can provide your employees with general training and awareness on ransomware attacks.
Advice includes not clicking on links in emails from unknown senders, knowing how to spot spoofed or impersonation emails or web pages, and not downloading files from suspicious links. Employees should also be given a clear set of instructions for reporting or escalating a suspected threat to the IT department.
3. Secure your accounts
Protecting your accounts can stop an attacker from compromising an account with elevated permissions and infecting your network with ransomware. One of the best ways to protect these accounts is to use strong passwords and to leverage two-factor authentication (2FA or MFA) whenever possible.
Passwords just aren’t as strong as they used to be, so 2FA can help block many automated attacks and even targeted attacks. Office 365 (O365) has MFA built in and can even eliminate the need for passwords altogether, providing a better experience for your employees while improving security.
4. Layer your Protection Controls
You should prioritize some fundamental security practices, tools, and processes that defend not only against ransomware but against many common attacks as well. These should cover at least the following areas:
- Email: Most attacks start with an email. Advanced fraud and phishing protection capabilities will drastically reduce the amount of successful attacks.
- Endpoint: At the end of the day, an attacker needs to gain access to an endpoint to complete their objective. A next-generation antivirus (NGAV) solution, also known as an endpoint protection platform (EPP), is the minimum bar to clear.
- Active Directory: In order to get access to more machines, networks, and information, the attacker will need to escalate their privileges. Hardening and protecting your AD can cripple their advances.
- Network: While cloud, SaaS, and remote working have eroded the traditional perimeter, if you still have offices, then a firewall and associated network protection are still mandatory.
By leveraging these tools and controls, you’re protecting your company from more than just ransomware.
5. Disable Macros
There are a few defaults you can maintain on your devices and network to prevent certain files or actions from being leveraged against your organization. For example, attackers can embed malicious code within macros inside files such as Excel spreadsheets. If you don’t disable macros from running, they’ll infect your computer as soon as the file is opened. Disabling them by default is an easy way to protect your device and network from malicious files.
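One way to make "disabled by default" concrete on Windows, as an added example that is not code from the original post: the script below sets the Office macro policy for the current user to "disable all macros without notification" and blocks macros in files that came from the internet. It assumes Office 2016/2019/365 (registry version 16.0); for domain-wide enforcement, deploy the same values through a Group Policy Object instead of per-user registry edits.

```powershell
# Added example (not from the original post). Assumes Office 16.0 on Windows.
# Enforces macro policy per Office application for the current user.
$apps = 'Excel', 'Word', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable except digitally signed macros, 4 = disable all, no notification
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4

    # Block macros in Office files carrying the Mark-of-the-Web (downloads, email
    # attachments), regardless of what the user would otherwise be allowed to do.
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Type DWord -Value 1
}

# Verification: confirm the values landed for every application.
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ Name = 'App'; Expression = { $app } },
                      VBAWarnings,
                      BlockContentExecutionFromInternet
}
```

Values written under the Policies hive take precedence over the user's own Trust Center settings, so users cannot re-enable macros from within the application.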
6. Restrict Files and Programs
A child can only grab what they can reach. You can limit what your users can access on your systems by leveraging configurations in your AD. Group Policy Object restrictions and whitelisting refer to methods that prevent users in certain groups from running specific types of programs, accessing specific folders or parts of your network, or taking certain types of actions. In whitelisting’s case, you’re specifying which types of files or programs are allowed to run on your network, meaning no ransomware or malware is even allowed to run in your environment.
These controls are restrictive, but there are ready-made whitelist resources that do the work for you, so it’s something you can set up in 5 minutes or less.
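As an added example that is not code from the original post, here is how an application whitelist can be built with Windows' own AppLocker: inventory a clean reference machine, generate allow rules from it, and deploy the policy in audit mode first so that nothing is blocked until the would-be blocks have been reviewed. It assumes an elevated PowerShell on a Windows edition that supports AppLocker, a running Application Identity service (AppIDSvc), and an output path of your choosing.

```powershell
# Added example (not from the original post). Assumes an elevated session on a
# Windows edition with AppLocker and the AppIDSvc service running.
$policyPath = 'C:\Policies\AppLocker-Audit.xml'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# Inventory what is installed today. Publisher rules cover signed binaries and
# survive version updates; Path rules are the fallback for unsigned software.
$fileInfo = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Path -User Everyone -Optimize -Xml

# Switch every rule collection from NotConfigured to AuditOnly: nothing is
# blocked yet, but every execution that *would* be blocked is logged.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Apply to the local machine (use -Ldap to target a domain GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry-run check: is anything in a user-writable location allowed by the new rules?
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path 'C:\Users\Public\Downloads\*.exe'

# After a test period, review what would have been blocked before enforcing.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

Once the audit log shows only expected blocks, change AuditOnly to Enabled in the XML and re-apply it; leaving an unexpected line-of-business tool out of the inventory is the usual cause of a failed rollout.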
7. Keep a maintained patch management schedule
Attackers often make their way into an organization via vulnerable software or devices by exploiting known vulnerabilities. Vendors of these devices and software regularly release fixes for these vulnerabilities in the form of security updates, but that means it’s up to organizations to ensure the updates are installed.
To stay secure, your best approach is to keep auto-updating enabled for as many tools, devices, and software packages as possible, maintain a weekly patch management schedule for manually updating the rest, and have a process in place for updating major platforms or software that ensures operational readiness.
Don’t get in the habit of delaying software updates; it’s a simple fix for a lot of security.
8. Leverage network segmentation
You can drastically limit the impact of a ransomware attack by limiting where the attacker can go. One of the most effective ways to do this is to leverage network segmentation.
Even if several workstations are compromised, if your file servers and data warehouses are in a different network segment, then your critical and sensitive data may remain untouched. This means you may still be able to serve your customers even if an attacker has compromised your organization, limiting the external-facing damage that can be done.
With the right kind of network segmentation policies, you can also set up triggers and actions to further enhance protection, such as locking down your critical files or further isolating network segments in the event of a compromise or attack.
Think about your most valuable data and start there.
9. Apply the principle of least privilege for your entire organization
To reduce the amount of risk your employees pose to your organization, you have to limit their access to critical and sensitive files. That way, if they are compromised, an attacker only has access to that user’s files and not the rest of the company. The principle of least privilege is helpful here: set up user accounts, permissions, and responsibilities based on what each person needs and nothing more. Furthermore, admin accounts should be given out very sparingly, and escalated privileges should only be provided on an as-needed basis, rather than by type of employee.
The less access your employees have to critical assets and permissions, the better.
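Pruning admin rights back to "as needed" starts with knowing who holds them. The following is an added example, not code from the original post: it lists every direct and nested user member of the built-in privileged AD groups and flags accounts that are disabled or have not logged on within a review window. It assumes the ActiveDirectory RSAT module and read access to the domain; the 90-day window and the CSV path are assumptions.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is installed and the session can read the domain.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$staleAfter = (Get-Date).AddDays(-90)   # assumed review window

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are not missed.
    # Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet, Enabled
            [pscustomobject]@{
                Group           = $group
                User            = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # Disabled, never-logged-on, or idle accounts are the first
                # candidates for removal from the privileged group.
                ReviewFlag      = (-not $u.Enabled) -or
                                  (-not $u.LastLogonDate) -or
                                  ($u.LastLogonDate -lt $staleAfter)
            }
        }
}

$report | Sort-Object Group, User | Format-Table -AutoSize

# Hand the flagged accounts to the owners of each group for a removal decision.
$report | Where-Object ReviewFlag |
    Export-Csv -Path '.\privileged-review.csv' -NoTypeInformation
```

Run it on a schedule and diff the output: a new name in Domain Admins that nobody requested is itself a signal worth investigating.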
10. Enable 24x7 security monitoring
If your network does get infected with ransomware, how quickly you respond will dictate the extent of the damage. If you catch a ransomware attack quickly enough, you may be able to leverage backups to get back to an uninfected state or you may be able to prevent the ransomware from infecting business-critical data.
Tools like endpoint detection and response, event management, and monitoring tools can give you the insight and data needed to know when you’re being attacked and to take the right steps to reduce the amount of damage done. Detecting an attack early can stop an attacker from getting the data they need to further extort your organization. Remember that attacks can come at any time, so you need to be able to respond 24x7.
A strong security posture will help defend against ransomware
Unfortunately, there is no one solution, process, or tool that will completely protect your organization against ransomware. However, many of the options recommended here are part of an overall cybersecurity strategy that addresses the full lifecycle of an attack. This means focusing on protection as much as on detection, response, recovery, and identification.
As you consider the types of tools and solutions your organization needs to cover the full spectrum of attacks, it’s important to prioritize tools and processes that cover a wide variety of scenarios. Many attacks, like ransomware, prey on organizations that have easy ways in, so make sure your bases are covered, and consider leveraging a partner like SolCyber, who has the experience and a curated set of technology to help your organization build out a strong security posture and better resilience to ransomware.