When it comes to ransomware, prevention is half the battle. This piece provides key steps to ensure your organization has the right controls and processes in place to protect against potential ransomware attacks.
Ransomware Prevention
As recent trends indicate, ransomware is here to stay, and its operators are getting better and bolder. Organizations should consider preventive measures, including:
Strong Backup and Disaster Recovery Plans
Organizations must have effective, tested disaster recovery plans with verified offline (or otherwise immutable) backups and regularly rehearsed restores, especially since newer ransomware variants deliberately locate and destroy an organization’s backup infrastructure, including Commvault, Tivoli Storage Manager (TSM) and many others. A backup server that is domain-joined and reachable with the same administrative credentials as production is not an offline backup; if the attacker holds domain admin, they hold the backups too.
Effective Ransomware Incident Response
This requires proper planning, documentation and rehearsal so the organization can contain and recover from a ransomware attack or other security incident before it affects the business on a larger scale. For example, many organizations run tabletop exercises to validate that their existing ransomware incident response plan works and is understood by the people who will have to execute it.
Strong Vulnerability Management Processes
Internet-facing vulnerabilities and misconfigurations are among the most common initial access vectors for ransomware. To mitigate these threats, conduct regular vulnerability scans; patch and update software and operating systems promptly; ensure devices are configured securely; secure Remote Desktop Protocol (RDP) and other remote desktop services (never expose them directly to the internet, require network level authentication, and put MFA in front of them); and disable SMBv1 and block SMB (TCP 445) inbound at the network perimeter rather than leaving it reachable from the internet.
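The following script, added here as an example and not code from the IANS post, audits the two exposures this section (and the CISA summary later on the page) names on a single Windows host and, only when run with -Enforce, remediates them. It assumes Windows 10 / Server 2016 or later with the SmbShare, Dism and NetSecurity modules that ship with those builds, an elevated session, and a placeholder management subnet of 10.20.0.0/24.

```powershell
# Added example, not code from the IANS post: audit and, with -Enforce, remediate
# the two exposures the section names (SMBv1 and unhardened RDP) on one Windows host.
# Assumptions: Windows 10 / Server 2016 or later, elevated session, and the
# SmbShare, Dism and NetSecurity modules that ship with those builds.
# 10.20.0.0/24 is a placeholder management subnet; replace it with your own.
param(
    [switch]$Enforce,
    [string[]]$RdpAllowedSources = @('10.20.0.0/24')
)

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-Smb1Exposure {
    # Server-side acceptance of the SMB1 dialect, plus the optional feature that ships it.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        Smb1ServerEnabled  = $server.EnableSMB1Protocol
        Smb1FeatureState   = $feature.State
        SmbSigningRequired = $server.RequireSecuritySignature
    }
}

function Test-RdpExposure {
    # NLA (UserAuthentication=1) stops unauthenticated sessions reaching the logon
    # screen; SecurityLayer=2 forces TLS. Then list which sources the enabled inbound
    # 'Remote Desktop' firewall rules accept; 'Any' means the whole internet if the
    # host is exposed.
    $p = Get-ItemProperty -Path $RdpKey
    $sources = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        NlaRequired      = ($p.UserAuthentication -eq 1)
        TlsSecurityLayer = ($p.SecurityLayer -eq 2)
        InboundSources   = ($sources -join ', ')
    }
}

function Invoke-Hardening {
    # SMBv1: stop negotiating the dialect, require signing, then remove the feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # RDP: NLA + TLS on the listener, and inbound RDP only from the management sources.
    # Run this from a console or out-of-band session: it cuts off any RDP session
    # coming from outside $RdpAllowedSources, including your own.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer -Value 2 -Type DWord
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $RdpAllowedSources
}

'--- current state ---'
Test-Smb1Exposure
Test-RdpExposure
if ($Enforce) {
    Invoke-Hardening
    '--- after hardening ---'
    Test-Smb1Exposure
    Test-RdpExposure
} else {
    'Audit only. Re-run with -Enforce to apply the changes.'
}
```

Run it without -Enforce first and fix anything that reports SMB1 enabled, NLA off, or an inbound source of Any. Requiring SMB signing and removing SMBv1 will break genuinely obsolete clients (old printers, NAS firmware), which is usually a finding in itself. Restricting the RDP firewall rule is a host-level backstop; the real control is that RDP is never reachable from the internet at all.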
Phishing Defenses
You don’t need to be a proficient hacker to gain access to a reasonably secure information system via a simple phishing email. There are many technical controls that reduce the risk, including spam filters, DMARC, email signing, website certificates, microsegmentation, SSO, MFA, least privilege and others; MFA and least privilege in particular limit what a phished credential is worth to the attacker. But the most effective controls are non-technical, including awareness training, timely reporting and out-of-band verification of unusual requests.
Controlled Folder Access
Controlled folder access (a Microsoft Defender feature on Windows 10 and Windows Server 2019 and later) monitors every process that attempts to change data in a defined set of folders. If a process that is not authorized tries to modify files in a protected folder, the operation is blocked and an alert is generated, which stops ransomware and other malicious programs from encrypting or altering those files. When implementing controlled folder access, the user or system administrator adds the necessary applications (backup agents, line-of-business tools) to an allow-list of applications that may access and change the protected folders. Roll it out in audit mode first: it only works while Microsoft Defender real-time protection is active, and an untuned allow-list will block legitimate software and generate support calls.
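The rollout just described, as an added example rather than code from the IANS post: enable controlled folder access in audit mode, add the folders and applications that matter, read back the Defender events that show what would have been blocked, and only then enforce. It assumes Windows 10 1709+ or Server 2019+ with Microsoft Defender Antivirus real-time protection on and an elevated session; D:\Finance and the backup agent path are placeholders, and the event field names (Process Name, Path, User) are those observed in the Defender/Operational event XML.

```powershell
# Added example, not code from the IANS post: roll out Microsoft Defender controlled
# folder access (CFA) in audit mode, review what it would have blocked, and only
# then enforce. Assumptions: Windows 10 1709+ or Server 2019+, Microsoft Defender
# Antivirus real-time protection on (CFA is inert under a third-party AV), an
# elevated session. D:\Finance and the backup agent path are placeholders.
param(
    [switch]$Enforce,
    [string[]]$ExtraProtectedFolders = @('D:\Finance'),
    [string[]]$AllowedApps = @('C:\Program Files\ExampleBackup\agent.exe')
)

function Enable-CfaAuditMode {
    # AuditMode writes event 1124 for every would-be block without stopping anything.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    foreach ($folder in $ExtraProtectedFolders) {
        if (Test-Path $folder) { Add-MpPreference -ControlledFolderAccessProtectedFolders $folder }
    }
    # Allow-list only what must write into protected folders, by full path.
    foreach ($app in $AllowedApps) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
}

function Get-CfaEvents {
    param([int]$Hours = 24)
    # 1123 = blocked, 1124 = audited (would have been blocked).
    # Field names below are those in the Defender/Operational event XML
    # (Process Name, Path, User); if your build differs, read $_.Message instead.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $mode = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audit' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $mode
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    }
}

function Get-CfaAllowlistCandidates {
    # Processes that would have been blocked in the last week, most frequent first.
    # Each entry is either legitimate software to allow-list or something to investigate;
    # one process touching hundreds of distinct files is the ransomware pattern, not a candidate.
    Get-CfaEvents -Hours 168 | Where-Object Mode -eq 'Audit' |
        Group-Object Process | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'DistinctTargets'; e = { ($_.Group.Target | Select-Object -Unique).Count } }
}

if ($Enforce) {
    Set-MpPreference -EnableControlledFolderAccess Enabled
} else {
    Enable-CfaAuditMode
    Get-CfaAllowlistCandidates | Format-Table -AutoSize
}
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Leave it in audit mode for at least a week of normal business (month-end processing included) and clear the candidate list before switching to Enabled; every unexplained entry with a high DistinctTargets count deserves a look from the SOC rather than an allow-list entry. Allow-listing by path means anything that can write to that path can impersonate the trusted application, so the allow-listed binaries must live in directories ordinary users cannot modify.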
Zero-Day Detection Capabilities
Signature-based technologies are no longer effective against most malware, because a given sample can easily be repacked or obfuscated to slip past traditional antivirus. Ensure your network and endpoint protection detect on behavior rather than on file hashes alone, so that obfuscated malware and zero-day attacks are caught by what they do (mass file renames, shadow copy deletion, credential dumping) rather than by what they look like. In addition, consider network devices that can block by file type and provide application control to the endpoint device.
In addition, consider implementing other general cybersecurity best practices and hardening, such as:
- Enabling security settings in cloud environments.
- Developing and maintaining a comprehensive network diagram to help during incident response.
- Employing asset management.
- Restricting usage of PowerShell and enabling PowerShell logging.
- Securing domain controllers.
- Retaining and securing logs from both network devices and local hosts.
- Determining normal network behavioral patterns to help detect anomalous activity.
- Uninstalling non-essential applications.
- Disabling non-essential services.
- Using Secure Boot and a BIOS password.
- Securing potentially vulnerable protocols.
- Enforcing application allow-listing.
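The PowerShell items in this list, and the corresponding "Restricting usage of PowerShell" item in the list under Reduce the Risk of Ransomware Attacks below, deserve a concrete form, so the following is added here as an example (not code from the IANS post). It enables script block, module and transcription logging through the same registry values Group Policy would write, removes the PowerShell 2.0 engine that predates those logs, and triages recent script block events for common loader patterns. It assumes Windows 10 / Server 2016 or later with the Windows PowerShell 5.1 engine and an elevated session; C:\PSTranscripts is a placeholder that should be an append-only share in practice.

```powershell
# Added example, not code from the IANS post: set the PowerShell logging policies
# (script block, module, transcription) through the same registry keys Group Policy
# writes, remove the PowerShell 2.0 engine that predates those logs, and triage
# recent script block events for common loader patterns. Assumptions: Windows 10 /
# Server 2016 or later with the Windows PowerShell 5.1 engine, elevated session;
# C:\PSTranscripts is a placeholder that should be an append-only share in practice.
param([string]$TranscriptPath = 'C:\PSTranscripts')

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -LiteralPath $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging (event 4104) records code as the engine executes it, so
    # obfuscation and -EncodedCommand wrappers are logged in de-obfuscated form.
    Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1
    # Module logging (event 4103) records pipeline execution detail; '*' = all modules.
    Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
    Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'
    # Transcription writes the full input and output of each session to files.
    Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
    Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
    Set-PolicyValue 'Transcription' 'OutputDirectory' $TranscriptPath 'String'
}

function Disable-PowerShell2Engine {
    # powershell.exe -Version 2 is a downgrade path that bypasses all of the above.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
        ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Triage heuristics, not a detection rule set: encoded payloads, download
    # cradles, in-memory assembly loading and AMSI tampering.
    $patterns = 'FromBase64String', 'DownloadString', 'DownloadFile', 'Invoke-Expression',
                'Net.WebClient', 'Reflection.Assembly', 'AmsiUtils', 'amsiInitFailed',
                'EncodedCommand'
    $regex = (($patterns | ForEach-Object { [regex]::Escape($_) }) + '\biex\b') -join '|'
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $regex } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Hit     = [regex]::Match($_.Message, $regex).Value
                Snippet = $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length))
            }
        }
}

Enable-PowerShellLogging
Disable-PowerShell2Engine
Get-ItemProperty -LiteralPath (Join-Path $PolicyRoot 'ScriptBlockLogging') |
    Select-Object EnableScriptBlockLogging
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Two caveats. These are policy keys, so in a domain Group Policy will overwrite them on refresh; set them in a GPO rather than per host, and forward the PowerShell/Operational log to the SIEM because transcripts and 4104 events routinely contain credentials and must be protected like any other secret. Restricting PowerShell, as opposed to logging it, is not done with Set-ExecutionPolicy (which is a safety catch, not a security boundary); it means an AppLocker or WDAC policy that puts unapproved scripts into constrained language mode.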
Ransomware Prevention Guidance
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide on defending against and responding to ransomware threats. The guide stresses the urgency of being prepared for this type of threat and recommends two foundational practices to reduce the risk of ransomware and prepare for a swift and efficient response:
- Maintaining offline and encrypted backups that are regularly tested.
- Creating and maintaining an incident response plan that is regularly exercised.
The guide also lists the best defenses against ransomware’s most common attack vectors, including:
- Internet-facing vulnerabilities and misconfigurations, which can be mitigated by conducting regular vulnerability scans; patching and updating software and operating systems regularly; ensuring proper and secure configurations of devices; securing RDP and other remote desktop services; and disabling outdated versions of SMB and blocking SMB at the network boundary.
- Phishing, which can be mitigated by implementing a user awareness and training program; deploying email gateway filters; implementing DMARC; and disabling or blocking macros in Microsoft Office files, particularly files downloaded from the internet.
- Precursor malware infections (the loaders and trojans that arrive before the ransomware payload), which can be mitigated by using an up-to-date anti-malware solution; deploying application allow-listing; implementing IDS/IPS; and performing risk management of third parties.
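Two of the phishing controls named above and in the earlier Phishing Defenses section, DMARC and Office macro policy, are easy to claim and easy to get wrong, so here is an added example (not code from the IANS post or the CISA/MS-ISAC guide) that makes both checkable. Test-DmarcPolicy parses a DMARC TXT record and reports the settings that leave a domain spoofable; Set-OfficeMacroPolicy writes the Office policy values that block macros in files from the internet and disable unsigned macros. It assumes Office 2016 or later (policy key version 16.0); example.com and the sample record are constructed, not looked up.

```powershell
# Added example, not code from the IANS post or the CISA/MS-ISAC guide: two of the
# phishing controls named above made checkable. Test-DmarcPolicy parses a DMARC TXT
# record and reports the settings that leave a domain spoofable; Set-OfficeMacroPolicy
# writes the Office policy values that block macros in files from the internet and
# disable unsigned macros. Assumptions: Office 2016 or later (policy key 16.0);
# example.com and the sample record are constructed, not looked up.

function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # Live lookup; TXT records longer than 255 bytes arrive as several strings.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -match '^v=DMARC1' }
    if ($txt) { $txt.Strings -join '' }
}

function Test-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Record, [string]$Domain = 'example.com')
    $tags = @{}
    foreach ($kv in ($Record -split ';')) {
        $pair = $kv.Trim() -split '=', 2
        if ($pair.Count -eq 2) { $tags[$pair[0].Trim()] = $pair[1].Trim() }
    }
    $findings = New-Object System.Collections.Generic.List[string]
    if ($tags['v'] -ne 'DMARC1') { $findings.Add('not a DMARC1 record') }
    switch ([string]$tags['p']) {
        'reject'     { }
        'quarantine' { $findings.Add('p=quarantine: spoofed mail is filed, not refused') }
        'none'       { $findings.Add('p=none: monitoring only, spoofed mail is delivered') }
        default      { $findings.Add('missing or invalid p= tag') }
    }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $findings.Add("pct=$($tags['pct']): policy applied to only that share of mail")
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings.Add('no rua= address: no aggregate reports, so abuse goes unseen')
    }
    if ($tags['sp'] -eq 'none') { $findings.Add('sp=none: subdomains can be spoofed') }
    [pscustomobject]@{
        Domain   = $Domain
        Policy   = $tags['p']
        Pass     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Set-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'), [string]$Hive = 'HKCU:')
    # VBAWarnings: 4 = disable all macros without notification (3 = allow only signed).
    # BlockContentExecutionFromInternet: 1 = macros in Mark-of-the-Web files never run.
    # In a domain, push the same values through Group Policy rather than per host.
    foreach ($app in $Apps) {
        $key = "$Hive\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name 'VBAWarnings' -Value 4 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -LiteralPath $key -Name 'BlockContentExecutionFromInternet' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Constructed sample record showing the usual 'we set up DMARC once' weaknesses:
# monitoring only, applied to half the mail. Expect Pass = False with two findings.
$sample = 'v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com'
Test-DmarcPolicy -Record $sample | Format-List
# Against a real domain: Test-DmarcPolicy -Record (Get-DmarcRecord 'yourdomain.example') -Domain 'yourdomain.example'
```

A DMARC record at p=none, which is where most deployments stall, tells receivers nothing to reject and therefore does nothing against an attacker spoofing your domain to your own staff; the check exists to make that visible. The macro settings are per-user policy values, so apply them through Group Policy to every user, and expect to allow-list the handful of signed internal macros via VBAWarnings 3 where the business genuinely depends on them.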
Reduce the Risk of Ransomware Attacks
Other general cybersecurity best practices and hardening guidance include:
- Employing MFA.
- Applying the principle of least privilege.
- Enabling security settings in cloud environments.
- Developing and maintaining a comprehensive network diagram to help during incident response.
- Employing network segmentation.
- Employing asset management.
- Restricting usage of PowerShell.
- Securing domain controllers.
- Retaining and securing logs from both network devices and local hosts.
- Determining normal network behavioral patterns to help detect anomalous activity.
Like most attackers, ransomware gangs tend to focus on victims that offer the least resistance and the best return on their investment. Putting strong defensive mechanisms in place not only helps your organization stay off their list of easy targets, but also ensures you can recover quickly if the worst happens.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.