How to Prevent and Prepare for Ransomware Attacks
June 2, 2020 By Patrick Brown
In today’s complex and ever-evolving organization, it is not possible to guarantee perfect ransomware protection. Even the most carefully planned and executed strategy this week may not hold up to the attacks we see next week. However, there are still many preventative and exposure-mitigation measures that every organization should put in place to minimize the risk and the damage of a ransomware attack.
In this article we’ll cover everything you need to know about preventing and preparing for a ransomware attack.
If you’re just catching up on our ransomware series, be sure to check out our previous posts:
- The Definitive Guide to Ransomware
- What is Ransomware?
- How Does Ransomware Spread?
- How to Report Ransomware
- Recent Ransomware Attacks and Examples
How to Prevent Ransomware Attacks
While your organization may not be able to employ all of the measures detailed in this post, commit to implementing as many as possible and make a plan to implement the others over time to maximize return on investment. Working toward a defense-in-depth strategy by employing multiple overlapping prevention and protection methods allows more opportunities for malicious content to be intercepted and for its impact to be reduced.
The first step in preventing ransomware attacks is a commitment to cyber hygiene and best practices. Protecting your network and data can range from educating your employees on how to spot malicious content to incorporating best practices like multi-factor authentication and the principle of least privilege. With many companies moving to a long-term remote workforce, now is the time to implement changes and tighten your cybersecurity efforts.
Before you get started, consider rating your current efforts with a few questions:
- Is your data properly backed up and versioned?
- Where are your backups stored?
- Do you have an incident response plan in place?
- Do your employees know what to do in case of a ransomware attack?
- Are your employees updated on current social engineering tactics?
- When was the last time your network was tested internally for vulnerabilities?
- What programs do you approve to run on your network? Do you have any guidelines that mark or flag programs as unsafe?
- How long could you run your business if your network was rendered unusable in the case of a ransomware attack?
Protection Against Ransomware Attacks
Your protection against ransomware attacks is three-fold: preventing malicious content from getting delivered to your organization, preventing malicious content from running on your organization’s devices, and educating your workforce on how to identify malicious content. Without any of these steps, you’re opening up vulnerabilities in your ransomware protection plan. Consider starting with one suggestion in each section if you’re just getting started.
Step 1: Prevent malicious content from getting delivered to you and your team:
Email filtering: With the right email gateway, you can block malicious emails before they get delivered. The filter should scan every email and attachment sent to your organization and either pass it as safe to deliver or flag it as malicious and withhold delivery.
Malicious website blocking: Add an additional layer of security to your organization’s devices with malicious website blocking. Prevent access to known malicious IP addresses and ranges.
Multi-factor authentication: Require multi-factor authentication to prevent weak or compromised passwords from allowing hackers into your network.
Disable RDP: Only enable remote access such as RDP if absolutely necessary, and ensure it is properly configured and software is frequently updated.
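As an added example (not from the article or its author), the following PowerShell script audits Remote Desktop on a Windows host and then either disables it or, for hosts that genuinely need it, enforces Network Level Authentication so a user must authenticate before a session is created. The -KeepRdp switch is this script's own parameter; the registry values and the "Remote Desktop" firewall rule group are the standard Windows ones.

```powershell
# Added example, not part of the original article: audit Remote Desktop on a Windows host,
# then disable it, or (with -KeepRdp) require Network Level Authentication instead.
# Run from an elevated PowerShell session. The -KeepRdp switch is this script's own parameter.
param(
    [switch]$KeepRdp
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = "$tsKey\WinStations\RDP-Tcp"

# --- Audit: report the current state before changing anything ---
$denyTs    = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nla       = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
Write-Host ("RDP enabled: {0}  NLA required: {1}  Listening on 3389: {2}" -f ($denyTs -eq 0), ($nla -eq 1), [bool]$listening)

if (-not $KeepRdp) {
    # fDenyTSConnections = 1 switches Remote Desktop off. The inbound firewall rules are turned
    # off as well, so the service stays unreachable even if someone re-enables it locally.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'Remote Desktop disabled and its inbound firewall rules turned off.'
}
else {
    # Hosts that must keep RDP: require NLA (UserAuthentication = 1) so credentials are checked
    # before a session is built, removing the unauthenticated login-screen attack surface.
    Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1
    Write-Host 'Remote Desktop kept; Network Level Authentication is now required.'
}
```

Run it without arguments on hosts where remote access is not needed, and with -KeepRdp on the few that must keep it; the audit line it prints first is also a useful thing to collect across the fleet before deciding which hosts fall into each group.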
Step 2: Prevent malicious content from running on devices:
Operating system and software updates: Always require that updates for both operating systems and any software are applied in a timely manner. Updates include patches for security holes or vulnerabilities; waiting to update can leave your network and devices insecure, and attackers take advantage of those vulnerabilities.
Microsoft Office macros: Disable Microsoft Office macros company-wide, and prevent users from re-enabling them. Malicious code can be embedded in a macro, and simply opening the document can run the macro and launch the ransomware.
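As an added example (not from the article or its author), this PowerShell script writes the Office macro settings into the per-user policy registry hive, which is the same place the "VBA Macro Notification Settings" Group Policy writes them; values set there are enforced and the corresponding Trust Center options are locked, which is what "prevent users from re-enabling them" requires. The Office version token "16.0" (Office 2016/2019/Microsoft 365) and the application list are assumptions; in a fleet you would push the same values through Group Policy rather than run the script per user.

```powershell
# Added example, not part of the original article: enforce Office VBA macro policy for the
# current user through the Policies hive, so the Trust Center option is locked.
# Assumptions: Office version token '16.0'; the application list below.
$officeVersion = '16.0'
$apps          = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher'
$motwApps      = 'Word', 'Excel', 'PowerPoint'   # applications that support the mark-of-the-web block

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value 4 -Force | Out-Null

    if ($motwApps -contains $app) {
        # Also block macros in files that carry the mark-of-the-web (downloaded or received
        # from the internet), the usual path for a malicious attachment.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Verify: read the values back and report any application where the policy is not in force.
foreach ($app in $apps) {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $value = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    $state = if ($value -eq 4) { 'macros disabled without notification' } else { "NOT enforced (VBAWarnings=$value)" }
    Write-Host ("{0,-11} {1}" -f $app, $state)
}
```

The verification loop at the end is the part worth keeping as a recurring check: it is cheap to run from a login script or an endpoint management tool and immediately shows any machine where the policy has drifted.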
Antivirus or anti-malware software: Consider your options and implement an antivirus or anti-malware software for your organization. The right option will have an updated list of new malicious software and can scan incoming documents or webpages and prevent employees from clicking or downloading a would-be attack.
Step 3: Educate users on how to identify malicious content and what to do in the case of a breach or attack:
Phishing and social engineering awareness training: Most ransomware attacks are caused by clicking a link or attachment in an email. Institute regular training for your entire organization and require attendance. Phishing techniques and social engineering practices evolve constantly, so be sure your team is up to date so they can keep the company protected from malicious attacks.
Exposure Mitigation for Ransomware Attacks
Preparing a plan to prevent a ransomware attack should also include steps to mitigate exposure. Consider these options:
Incident response plan: Develop an incident response plan and routinely test it to ensure it’s up-to-date and can withstand a serious attack. Only 4% of organizations that have a cybersecurity task force have developed or are developing an incident response plan. Make sure yours is in place before an attack occurs so your employees know what to do. If you need help getting started, read our post: How to Report Ransomware.
Backups with versioning: Require company-wide backups. If your network is attacked, data will likely be locked up and rendered unusable. Mitigate your risk by instituting a backup process for all files; then, if your system is attacked, only the files changed since the last backup should be unavailable. Make sure to disconnect backups from devices and your network: if they remain continuously connected (as always-mounted cloud backups are), malware can encrypt the backups as well.
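As an added example (not from the article or its author), this PowerShell script takes a versioned snapshot backup: every run copies the source tree into its own timestamped folder and records a SHA-256 manifest, so a file that ransomware encrypts today becomes a new version while yesterday's copy is untouched. It also compares the manifest with the previous snapshot and refuses to prune old snapshots when an unusually large share of files changed, which is what a mass-encryption event looks like from the backup side. The paths, retention count and alert threshold are assumed parameters of this script.

```powershell
# Added example, not part of the original article: versioned snapshot backup with a per-snapshot
# SHA-256 manifest and a mass-change check. Source, Destination, Keep and AlertRatio are assumptions.
param(
    [string]$Source      = 'C:\Data',
    [string]$Destination = 'E:\Backups',   # removable or network storage that is detached between runs
    [int]   $Keep        = 14,             # number of snapshots to retain
    [double]$AlertRatio  = 0.5             # warn when this fraction of files changed since the last snapshot
)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$snapDir = Join-Path $Destination $stamp
New-Item -ItemType Directory -Path $snapDir -Force | Out-Null

# Copy the tree into its own snapshot folder; nothing in an older snapshot is ever overwritten.
$manifest = @{}
Get-ChildItem -Path $Source -File -Recurse | ForEach-Object {
    $rel  = $_.FullName.Substring($Source.Length).TrimStart('\')
    $dest = Join-Path $snapDir $rel
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -Path $_.FullName -Destination $dest
    $manifest[$rel] = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
}
$manifest | ConvertTo-Json | Set-Content -Path (Join-Path $snapDir 'manifest.json')

# Locate the most recent earlier snapshot that has a manifest.
$previous = Get-ChildItem -Path $Destination -Directory |
    Where-Object { $_.Name -ne $stamp -and (Test-Path (Join-Path $_.FullName 'manifest.json')) } |
    Sort-Object Name | Select-Object -Last 1

# Compare hashes: a sudden high change ratio is the backup-side signature of mass encryption.
$suspicious = $false
if ($previous) {
    $old     = Get-Content (Join-Path $previous.FullName 'manifest.json') -Raw | ConvertFrom-Json
    $changed = 0
    foreach ($rel in $manifest.Keys) {
        $oldHash = $old.$rel
        if ($oldHash -and $oldHash -ne $manifest[$rel]) { $changed++ }
    }
    $ratio = if ($manifest.Count) { $changed / $manifest.Count } else { 0 }
    Write-Host ("Changed since {0}: {1} of {2} files ({3:P0})" -f $previous.Name, $changed, $manifest.Count, $ratio)
    if ($ratio -ge $AlertRatio) {
        $suspicious = $true
        Write-Warning 'Unusually high change ratio: possible mass encryption. Old snapshots kept; investigate before trusting this one.'
    }
}

# Prune snapshots beyond the retention count, but never while the latest one looks suspicious.
if (-not $suspicious) {
    Get-ChildItem -Path $Destination -Directory | Sort-Object Name |
        Select-Object -SkipLast $Keep | Remove-Item -Recurse -Force
}
```

Schedule it to run, then detach the destination drive or share afterwards; the manifest comparison only helps if the older snapshots are somewhere the infected host cannot write to.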
Principle of least privilege: Employ the principle of least privilege: users have the minimum amount of access needed to perform their roles and no more. This includes local and remote administrator access as well as access to remote shared drives, local files, and cloud servers.
Protect credentials and segregate networks: Take steps to prevent lateral movement (the spread of ransomware from the originally infected device to other devices on the network) by protecting credentials and deploying good authentication practices. It’s also important to segregate networks that don’t need to communicate with each other, such as guest networks, employee networks, and infrastructure networks.
Ransomware insurance: Part of your preparation should include understanding the full scope of costs in the case of a ransomware attack; from legal expenses to rebuilding your network, the financial consequences can be high. Consider ransomware insurance as part of your preparation.
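As an added example (not from the article or its author), the following PowerShell script checks one concrete piece of least privilege, local administrator access: it lists the members of the local Administrators group and flags any account not on an approved list. The approved names are constructed placeholders and the -Approved parameter is this script's own.

```powershell
# Added example, not part of the original article: audit local Administrators group membership
# against an allow-list. The default names in -Approved are constructed placeholders.
param(
    [string[]]$Approved = @('Administrator', 'Domain Admins', 'Workstation Admins')
)

# Get-LocalGroupMember returns Name (as HOST\account or DOMAIN\account), ObjectClass and PrincipalSource.
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    $short = ($m.Name -split '\\')[-1]   # strip the host or domain prefix before comparing
    [pscustomobject]@{
        Name     = $m.Name
        Type     = $m.ObjectClass        # User or Group
        Source   = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, ...
        Approved = $Approved -contains $short
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when an unexpected member is present so the check can fail a compliance job.
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unapproved local administrators: " + ($unexpected.Name -join ', '))
    exit 1
}
Write-Host 'Local Administrators group matches the approved list.'
```

Running this from an endpoint management tool with a per-department approved list turns "users have no more access than they need" into a check that fails visibly the moment someone is added to the group by hand.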
Learn more about ransomware and what you should do in case of an attack by reading the rest of our series: