Ransomware, which most often arrives through phishing emails, remains a significant threat to individuals and businesses. Once inside, it scans the system for files and encrypts them. The encrypted files become unusable, and the victim receives a ransom note demanding payment in exchange for the decryption key. The attackers often threaten to delete the files or publish them online if the ransom is unpaid. Even if the victim pays, there is no guarantee the attacker will decrypt the files or refrain from publishing them.
While there is no way to guarantee complete protection from ransomware, there are several steps you can take to minimize the impact and reduce the likelihood it will happen.
User Awareness and Education
Users continue to be the weakest link and are generally the quickest way into your network. Therefore, train employees to recognize phishing emails, malicious websites and suspicious attachments. Encourage them to report suspicious activity immediately and to always “Think before you click.” You can’t go back once you click that link or open that attachment. What’s worse is that users typically don’t see a flashing red screen that says, “Got you!” when infected. Attackers may sit quietly in the background for days or weeks and launch the encryption when they judge you are most vulnerable.
Implementing the following technical controls will help reduce (not eliminate) the likelihood of an infection.
Multi-Factor Authentication (MFA)
Implementing multi-factor authentication (MFA) is one of the most effective controls against ransomware, because it blunts the stolen or phished passwords attackers use to log in as a legitimate user. While some methods of MFA are stronger than others (e.g., authenticator apps or hardware tokens rather than text/SMS codes), MFA should be implemented across your infrastructure at EVERY ACCESS POINT to your network, including VPNs, firewall management interfaces, remote desktop (RDP) gateways, AWS and Azure consoles, and Office 365. MFA is also important for all your hosted applications, but securing the entry points to your internal network should come first.
Software Updates and Patching
Keeping your operating system, applications and firmware up to date is essential for closing vulnerabilities that attackers could exploit to gain access to your systems. Software updates frequently contain security patches that address known weaknesses, making it harder for malware to infiltrate. Your organization should define patching processes for operating systems, applications and hardware devices (including network appliances such as VPN gateways and firewalls), automate them where possible, enforce them across the entire enterprise architecture, and monitor them for success so that unpatched stragglers are found and fixed.
Anti-Virus and Anti-Malware Protection
Enterprise-grade anti-virus and anti-malware solutions, including endpoint detection and response (EDR) tools, help detect and block ransomware before it encrypts your data. As with patching, you should deploy them automatically, enforce them across every endpoint and server in the enterprise architecture, and monitor them for coverage and success so that a machine with a disabled or outdated agent is noticed.
User education, MFA, patching and antivirus fall under good, general cyber hygiene. The following are additional controls to reduce the impact of a ransomware infection or other breach.
Backup Design and Recovery Planning
I recently read an article that said, “Backup like you’ll be attacked.” That is excellent advice but requires cross-functional teaming with IT and the business owners. Defining a Business Continuity Plan and Disaster Recovery Plan is critical to determining maximum RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives).
If that seems too daunting (we can help!), then you can perform a more fundamental analysis to identify critical, day-to-day business applications first. Next, determine how long the business could reasonably function before the data was restored (i.e., your Recovery Time Objective) and how much recent data it could afford to lose (i.e., your Recovery Point Objective, which sets how often backups must run). Then, you can work with your IT team to design a backup configuration that includes:
- Multiple backup schemes that follow the 3-2-1 principle: three up-to-date copies of the data, on two different types of storage media, with one copy off-site, including:
- Off-site backups (for durability if the primary site is lost),
- On-site backups (for quick, day-to-day restores),
- Offline or immutable backups: copies stored on media that is disconnected from the production network when not in use, or written to storage that cannot be modified or deleted for a retention period, so that an attacker who has taken over administrative credentials cannot encrypt or delete the backups along with the live data.
- Full disaster recovery restore testing performed at least annually, including at a minimum a partial fail-over that proves systems can be brought back from each of the backup solutions.
- Application-level file recoverability testing performed monthly, verifying that restored files are complete and intact rather than merely present.
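Monthly file-recoverability testing only means something if the restored data is checked against what was backed up. The following Python script is an added example (not code from the original article): it records a SHA-256 manifest of a directory tree at backup time, then compares a restored copy against that manifest and reports files that are missing, files whose contents differ (as they would if ransomware had encrypted them before the backup ran), and files that appear in the restore but were never backed up. The directory layout and file contents are constructed in a temporary folder for the demonstration; the manifest itself would normally be stored with the off-site copy.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 digest of its contents."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(expected: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded when the backup was taken.

    Returns the three discrepancies a restore test must surface: files that did not
    come back, files that came back with different contents, and files that were
    restored but never backed up. An empty result on all three means the test passed.
    """
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def run_restore_test(tamper: bool) -> dict[str, list[str]]:
    """Constructed scenario: back up a small tree, restore it, and verify.

    With tamper=True the restore is deliberately damaged (one file lost, one file
    overwritten with encrypted-looking bytes) to show what a failed test reports.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (live / "notes.txt").write_text("quarterly plan\n")

        manifest = build_manifest(live)      # captured at backup time, kept with the off-site copy
        backup = base / "backup"
        shutil.copytree(live, backup)

        restored = base / "restored"
        shutil.copytree(backup, restored)
        if tamper:
            (restored / "notes.txt").unlink()
            (restored / "finance" / "ledger.csv").write_bytes(b"\x8f\x11\x02\xa4 encrypted garbage")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", run_restore_test(tamper=False))
    print("damaged restore:", run_restore_test(tamper=True))
```

Storing the manifest only on the same system as the backup would defeat the purpose: an attacker who can alter the backup can alter the manifest too, so keep it with the off-site or immutable copy.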
Network Segmentation
Segmenting your network into smaller, isolated segments can limit the spread of ransomware. This approach prevents malware (and attackers) from easily moving across the entire network and encrypting all your data. Work with your IT team to implement virtual local area networks (VLANs) as a first step; note that VLANs alone only separate traffic, so the segmentation only helps once firewall rules or access control lists restrict which segments can talk to each other, with backup servers and management interfaces placed in segments that ordinary workstations cannot reach.
Restrict and Review Administrative Privileges
Limiting administrative privileges to a small number of authorized personnel reduces the attack surface, because attackers look to elevate privileges once they gain a foothold on the network. Administrators should use separate, dedicated accounts for administrative work and a standard user account for email and browsing, so that a phished day-to-day account does not hand over administrative rights. You should review who holds administrative access every month, at a minimum, and remove accounts that no longer need it.
SIEM & Administrative Access Monitoring
Security Information and Event Management (SIEM) solutions now leverage machine learning to make them more effective and reduce the potential for false positives. Configuring a SIEM to trigger key alerts to IT and Operations Management can help identify a breach sooner. Alerts worth prioritizing include additions to administrative groups, administrative logins at unusual hours or from unexpected locations, disabled anti-virus agents, and a single account suddenly modifying or renaming a large number of files in a short period, which is the signature of encryption in progress.
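To show what two of those alerts look like as detection logic rather than a product setting, here is an added Python example (not code from the original article or from any SIEM vendor). It reads a constructed set of JSON log lines of two kinds: group-membership changes (on Windows domain controllers these surface as Security event IDs 4728, 4732 and 4756, member added to a global, local or universal security group) and file-write events from a file server. The first rule fires when an account is added to a privileged group; the second keeps a sliding window per host and user and fires once when a single account writes more than a threshold number of files in 60 seconds, reporting the file extensions seen so the analyst can spot a new ransomware extension. The log schema, host names, user names, thresholds and file paths are all assumptions for the demonstration.

```python
from __future__ import annotations

import json
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values: a real deployment would baseline these per file server.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
BURST_THRESHOLD = 20      # distinct write events by one user on one host ...
BURST_WINDOW_S = 60       # ... within this many seconds triggers an alert


def detect(lines: list[str]) -> list[dict]:
    """Run the two detection rules over JSON log lines and return alerts in time order."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    alerts: list[dict] = []
    recent: dict[tuple, deque] = defaultdict(deque)   # (host, user) -> recent (ts, path)
    burst_fired: set[tuple] = set()                    # alert once per (host, user)

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])

        # Rule 1: any change to a privileged group is worth a page, not just a ticket.
        if ev["type"] == "group_add" and ev["group"] in ADMIN_GROUPS:
            alerts.append({
                "rule": "admin_group_change",
                "user": ev["user"],
                "detail": f"{ev['member']} added to {ev['group']} on {ev['host']} by {ev['user']}",
            })

        # Rule 2: sliding-window count of file writes per (host, user).
        elif ev["type"] == "file_write":
            key = (ev["host"], ev["user"])
            window = recent[key]
            window.append((ts, ev["path"]))
            while window and (ts - window[0][0]).total_seconds() > BURST_WINDOW_S:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and key not in burst_fired:
                burst_fired.add(key)
                extensions = sorted({os.path.splitext(p)[1] for _, p in window})
                alerts.append({
                    "rule": "file_write_burst",
                    "user": ev["user"],
                    "detail": (f"{len(window)} writes in {BURST_WINDOW_S}s on {ev['host']}, "
                               f"extensions seen: {extensions}"),
                })
    return alerts


def constructed_events() -> list[str]:
    """Constructed sample log: normal activity, a privilege change, then an encryption burst."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    evs = []
    for i in range(5):   # asmith edits a few documents over five minutes: benign
        evs.append({"ts": (base + timedelta(minutes=i)).isoformat(), "host": "FS01",
                    "user": "asmith", "type": "file_write", "path": f"/srv/share/report{i}.docx"})
    # jdoe adds a service account to Domain Admins
    evs.append({"ts": (base + timedelta(minutes=2)).isoformat(), "host": "DC01", "user": "jdoe",
                "type": "group_add", "group": "Domain Admins", "member": "svc-backup"})
    for i in range(25):  # jdoe rewrites 25 spreadsheets with a new extension in 25 seconds
        evs.append({"ts": (base + timedelta(minutes=3, seconds=i)).isoformat(), "host": "FS01",
                    "user": "jdoe", "type": "file_write", "path": f"/srv/share/doc{i}.xlsx.locked"})
    return [json.dumps(e) for e in evs]


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert["rule"], "-", alert["detail"])
```

The burst rule fires once per host and user rather than on every subsequent write, so the on-call engineer gets one actionable alert instead of hundreds; tune the threshold against a week of normal traffic before relying on it, since backup jobs and build servers legitimately write many files quickly and should be excluded by account.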
Ransomware poses a significant threat to both individuals and businesses, but it is not an insurmountable challenge. Network segmentation, careful backup environment design, and administrative access restriction and monitoring can turn an infection from a business-ending event into a recoverable one. At the same time, solid technical controls and user training can help prevent it from happening in the first place.