Cybercriminals continue to extort ransom from businesses, large and small. Attackers encrypt valuable information and then demand payment for the decryption key.
Protecting against ransomware requires a solid prevention plan, including robust network and endpoint protection, employee training, and a well-defined disaster recovery strategy.
Detection
Ransomware prevention and response are essential. Detection is also crucial and can help avert a costly data breach. Think of it like a sheep farmer who puts up a fence to protect his flock from wolves. It also uses an air horn to scare them away.
Most ransomware attacks result from phishing emails or other introductory cyber attack vectors, such as unsecured browsers. Ransomware solutions that offer threat detection based on various indicators can help identify the infection vector and the variant of malware that is infecting systems.
Once the malware has successfully entered a network, it can begin its work encrypting data. It can be detected with a variety of tools, including signature-based detection. It involves a library of malicious software “signatures” that can be compared against files entering or running on the system to identify the presence of malware.
Another way to detect ransomware is to use behavioral analysis. This technology identifies certain behavior traits unique to crypto-ransomware, such as suspicious setup and system restore capability deactivating. Then, using policies such as software restriction or MDM, these tools can prevent the launch of unauthorized software that could lead to a ransomware infection.
Prevention
In the battle against ransomware, prevention is vital. The adage, “An ounce of prevention is worth a pound of cure,” certainly applies to this growing threat.
Organizations can protect themselves against ransomware attacks by deploying comprehensive antimalware and antivirus software and robust backup systems that keep data offsite and out of reach of threat actors. They should also establish procedures for rapidly recovering impacted files and resuming business operations after an attack, testing them to ensure they work as planned.
Educating employees on recognizing suspicious emails and attachments is crucial, as attackers often use email as a primary infection vector. Secure email gateway solutions with targeted attack protection can help stop malicious attachments, documents, and URLs before they reach users’ computers.
Network access controls should be in place to limit the ability of attackers to download and run ransomware code on enterprise systems. Those controls should include tools like safe listing and mobile device management, allowing only officially approved software installed on devices. They should also prevent access to systems that contain critical or proprietary data or those that enable sensitive communications with customers and suppliers.
Organizations should keep their operating system and other software patched with the latest updates for the best ransomware prevention. The recent WannaCry attack, for example, exploited a vulnerability that had been patched months before and could have been prevented with the rapid deployment of available updates.
Preparation
Whether an organization decides to pay a ransom or settle, it should be prepared for the worst. That’s why organizations should develop comprehensive prevention, preparation, and mitigation strategies that build cyber maturity and reduce the likelihood of an attack or loss.
A comprehensive security strategy should include a layered approach with network, endpoint, edge, application, and data-center controls powered by actionable threat intelligence. It should also leverage privileged access management (PAM) to limit the blast radius of attacks by brokering privileged sessions, enforcing the principle of least privilege, and mitigating poor password hygiene through MFA.
In addition, a next-generation EDR solution should provide deep visibility, threat intelligence, and rapid response to stop threats before they do damage. It should also allow organizations to perform forensic analysis of compromised systems and data and prioritize impacted systems for recovery and restoration.
Finally, organizations should prepare an incident response plan and conduct regular tabletop exercises with their teams to practice the steps they would take during a ransomware attack. It should include specific tasks that people should carry out, such as notifying the vendor and determining how much data was impacted, so they can quickly and efficiently recover. It should also include a plan for identifying the root cause so organizations can tighten up their digital environment and avoid the same kind of compromise again.
Response
A purposeful response plan can help mitigate the damage and limit the impact when an attack occurs. It can also help prevent extortion and other forms of blackmail by cyber criminals.
Preparation and prevention are critical, but a well-thought-out response can help minimize the effect on business operations and productivity when an incident occurs. Organizations with robust business continuity and disaster recovery programs with regular data backups can recover without paying a ransom to cybercriminals.
If a backup isn’t available, it’s time to consider leveraging technology solutions to identify and respond to bulk file encryption (a ransomware signature). These solutions can send alerts when a certain number of files have been encrypted and can execute custom scripts to deactivate a user account, shut down the server, terminate a specific process, or change firewall settings.
Ransomware attacks continue to rise and target businesses as their primary targets, including hospitals, airlines, utilities, and food providers. These attacks can disrupt supply chains and cause crises for businesses that must close operations or pay a ransom to regain access to their data. They can also cripple productivity and lead to significant brand damage.
In many cases, the initial compromise that launches a ransomware attack is a phishing attack with an infected attachment or URL. These infections are often followed by more advanced malware, such as Emotet or TrickBot, that re-infects systems with the ransomware, GandCrab, SamSam, and Ryuk.
