5 Practical Tips to Stop Ransomware in 2022
2021 was a golden era for ransomware, with cybercriminals using it to target businesses of all sizes and demanding millions of dollars in ransom. High-profile attacks on Kaseya, Colonial Pipeline, and JBS Foods dominated headlines. Because these attacks are becoming more aggressive and more common, companies of all sizes must reevaluate their cybersecurity defenses, policies, and procedures to minimize the risk of a successful ransomware attack.
Ransomware is a kind of malicious software (malware) that cybercriminals use to make data or systems inaccessible in order to extort a ransom. In a standard ransomware attack, the cybercriminal gains unauthorized access to a victim’s network, stages the ransomware where it will do the most damage, usually on systems holding sensitive data or running business-critical services, and then executes it, encrypting files across the network so that they remain inaccessible until a ransom is paid for the decryption key.
Increasingly, attackers also steal sensitive data before deploying the ransomware, in what is known as a double extortion attack, and some go further still by pressuring the victim’s suppliers, clients, and partners. The theft of data compels the victim to negotiate and raises the reputational, financial, and legal costs of not paying: the attackers will not only leave the victim’s data encrypted but also leak sensitive information, which may include confidential business data or personally identifiable information.
So how can organizations protect themselves from a ransomware attack? Here are five tips to help develop the appropriate level of cyber-resiliency and redundancy that will limit damage and allow for a quick recovery from a ransomware attack.
1. Patch Management is Critical
Effective patch management is one of the single most important mitigations of ransomware risk within your organization. For instance, the WannaCry ransomware that hit hundreds of thousands of Windows systems in May 2017 spread like wildfire because it exploited a vulnerability in Windows’ SMBv1 implementation. Microsoft had already fixed that vulnerability in a critical security update (MS17-010) released two months earlier, in March 2017; the machines that were hit were the ones that had not applied it.
Because of organizational silos, it takes most IT departments weeks or even months to deploy patches across their highly distributed environments, and several months to come close to full patch compliance. Every day of that delay is a window in which an attacker can use the unpatched vulnerability to get into your systems.
Conduct regular vulnerability scanning to identify and address vulnerabilities, especially on internet-facing devices, to limit the attack surface. Prioritize timely patching of internet-facing servers and of software that processes content from the internet, such as web browsers, browser plugins, and document readers, and treat any vulnerability known to be exploited in the wild as the most urgent of all, regardless of where the affected system sits. Consider using a centralized patch management system or outsourcing your patch management needs to a service provider like ECW Networks & IT Solutions.
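The prioritization described above (exploited-in-the-wild first, then internet-facing hosts, then everything else, each against its own deadline) is easy to automate once you have a scanner or inventory export. The script below is an added example, not ECW’s tooling: the host inventory, the second patch identifier, and the SLA figures are constructed for illustration, and only MS17-010 (released March 14, 2017) is a real identifier.

```python
"""Patch-compliance report that ranks missing updates: exploited-in-the-wild
first, then internet-facing hosts, then everything else, each against its SLA.

Added example, not ECW's tooling. Hosts, "KB-EXAMPLE-1" and the SLA table are
constructed; in practice the inventory comes from your scanner or MDM export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    id: str            # vendor bulletin / KB identifier
    released: date     # the patch clock starts at vendor release, not when you noticed
    exploited: bool    # known to be exploited in the wild


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    installed: frozenset[str]   # patch ids already applied


@dataclass(frozen=True)
class Finding:
    host: str
    patch: str
    days_overdue: int   # negative means still inside the SLA window
    exploited: bool
    internet_facing: bool


# Days after release before a missing patch counts as overdue (constructed policy).
SLA_DAYS = {"exploited": 14, "internet_facing": 30, "default": 90}


def sla_days(patch: Patch, host: Host) -> int:
    if patch.exploited:
        return SLA_DAYS["exploited"]
    if host.internet_facing:
        return SLA_DAYS["internet_facing"]
    return SLA_DAYS["default"]


def missing_patches(hosts: list[Host], patches: list[Patch], today: date) -> list[Finding]:
    """Every (host, patch) pair not yet applied, most urgent first."""
    findings = [
        Finding(h.name, p.id, (today - p.released).days - sla_days(p, h),
                p.exploited, h.internet_facing)
        for h in hosts for p in patches if p.id not in h.installed
    ]
    # Stable sort, so hosts keep inventory order when the priority is a tie.
    findings.sort(key=lambda f: (f.exploited, f.internet_facing, f.days_overdue), reverse=True)
    return findings


def compliance(hosts: list[Host], patches: list[Patch]) -> dict[str, float]:
    """Fraction of required patches applied, per host."""
    return {h.name: sum(p.id in h.installed for p in patches) / len(patches) for h in hosts}


# Constructed inventory. MS17-010 is the real SMBv1 fix that WannaCry victims lacked.
PATCHES = [
    Patch("MS17-010", date(2017, 3, 14), exploited=True),
    Patch("KB-EXAMPLE-1", date(2017, 4, 11), exploited=False),   # hypothetical id
]
HOSTS = [
    Host("dmz-web01", True, frozenset()),
    Host("dmz-vpn01", True, frozenset({"MS17-010"})),
    Host("hr-ws17", False, frozenset()),
    Host("fileserver", False, frozenset({"MS17-010", "KB-EXAMPLE-1"})),
]
WANNACRY_DAY = date(2017, 5, 12)   # the day WannaCry began spreading

if __name__ == "__main__":
    for f in missing_patches(HOSTS, PATCHES, WANNACRY_DAY):
        flag = "OVERDUE" if f.days_overdue > 0 else "ok"
        print(f"{flag:8} {f.host:12} {f.patch:14} exploited={f.exploited} "
              f"internet={f.internet_facing} days_overdue={f.days_overdue}")
    print(compliance(HOSTS, PATCHES))
```

Run on the sample inventory as of the WannaCry outbreak date, the report puts the two hosts still missing MS17-010 at the top (45 days past a 14-day deadline) ahead of the internet-facing hosts that are one day late on an ordinary update, and shows the file server as fully compliant; the internal workstation’s ordinary update is inside its 90-day window and is the only finding not flagged.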
2. Implement MFA and Zero Trust Policies
Multi-Factor Authentication (MFA) is a security method that requires two or more independent factors, typically something you know (a password), something you have (an authenticator app or hardware key), or something you are (a fingerprint), to verify a user’s identity. It provides greater assurance that users are who they say they are and keeps data and business systems safer even if one set of credentials (such as a user ID and password) has been compromised. Employ MFA for all services to the extent possible, particularly for webmail, virtual private networks, remote desktop gateways, and accounts that access critical systems. Not all second factors are equal: SMS codes and push prompts can be phished or worn down by repeated prompts, so prefer phishing-resistant methods such as FIDO2 security keys for administrators and other high-value accounts.
MFA enforces Zero Trust at the identity layer, but on its own it isn’t enough. Zero Trust must extend beyond identity and network traffic validation to the endpoints themselves. The principle is that an organization should not trust anything inside or outside its perimeter by default, and that every user and device trying to connect should be verified before access is granted.
A Zero Trust approach that includes endpoint security as a key control point provides more robust protection by verifying trust at both the user and device levels before allowing access to sensitive applications and data. Apply endpoint segmentation: one of the key tenets of Zero Trust is micro-segmentation, and it applies equally to endpoints. Micro-segmentation on the endpoint stops peer-to-peer propagation by allowing only the applications and network flows a device actually needs; a workstation that does not accept inbound SMB or RDP from other workstations cannot be used as a stepping stone to encrypt its neighbors.
You also need to ensure that every endpoint has an endpoint protection platform (EPP) and an endpoint detection and response (EDR) solution installed. Modern lightweight agents combine signature-based threat intelligence with behavioral analytics, such as flagging a process that suddenly rewrites thousands of files with encrypted-looking content, to identify and stop both known and unknown malware.
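The behavioral rule, as an added toy detector (not any EDR vendor’s engine) over constructed events: a user saving documents, a backup agent writing compressed archives, and a ransomware process rewriting files with random-looking content and a new extension. Entropy alone would flag the backup agent and renames alone would flag ordinary users, so the rule requires both signals per file, at volume, inside a short window.

```python
"""Toy version of the behavioural analytics an EDR applies: flag a process that,
within a short window, rewrites many files with high-entropy (encrypted-looking)
content and changes their extensions. Added illustration, not a vendor's engine;
the events are constructed. A real sensor would feed them from a filesystem
minifilter or auditd, and thresholds would be tuned per environment."""
from __future__ import annotations

import math
import random
from collections import defaultdict
from typing import NamedTuple


class WriteEvent(NamedTuple):
    ts: float          # seconds
    pid: int
    image: str         # executable that issued the write
    path: str          # path after the write
    data: bytes        # content written (a sensor would sample the first block)
    ext_changed: bool  # extension differs from the file's original one


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: natural-language text sits around 4-5, ciphertext and
    compressed data approach 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ransomware_suspects(events: list[WriteEvent], window_s: float = 10.0,
                        min_files: int = 20, min_entropy: float = 7.0) -> dict[int, tuple[str, int]]:
    """Return {pid: (image, peak_files_in_window)} for processes whose writes look
    like bulk encryption: high-entropy content AND a changed extension, on at
    least min_files distinct files within any window_s-second span."""
    by_pid: dict[int, list[WriteEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ext_changed and shannon_entropy(ev.data) >= min_entropy:
            by_pid[ev.pid].append(ev)

    alerts: dict[int, tuple[str, int]] = {}
    for pid, evs in by_pid.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:   # slide the window forward
                start += 1
            peak = max(peak, len({e.path for e in evs[start:end + 1]}))
        if peak >= min_files:
            alerts[pid] = (evs[0].image, peak)
    return alerts


def constructed_events(seed: int = 1) -> list[WriteEvent]:
    """Three processes: a user, a backup agent, and ransomware (all constructed)."""
    rng = random.Random(seed)
    text = b"Quarterly report: revenue up 4%, churn flat, hiring plan attached. " * 16
    events: list[WriteEvent] = []
    for i in range(5):        # user saving documents: low entropy, same extension
        events.append(WriteEvent(i * 30.0, 4120, "WINWORD.EXE", f"docs/report{i}.docx", text, False))
    for i in range(50):       # backup agent: high entropy, but extension unchanged
        events.append(WriteEvent(100 + i * 0.1, 880, "backupd.exe", f"backup/vol{i}.zip",
                                 rng.randbytes(1024), False))
    for i in range(40):       # ransomware: high entropy AND new extension, 40 files in 8 s
        events.append(WriteEvent(200 + i * 0.2, 6660, "updater.exe", f"docs/report{i}.docx.locked",
                                 rng.randbytes(1024), True))
    return events


if __name__ == "__main__":
    print(ransomware_suspects(constructed_events()))   # {6660: ('updater.exe', 40)}
```

Only the process that both rewrote content as ciphertext and renamed its targets is reported; raising the file threshold above what it touched silences the alert, which is the tuning trade-off a real deployment makes between catching a slow encryptor and paging on a bulk rename.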
3. Invest in Employee Cybersecurity Awareness Training
Social engineering attacks continue to be one of the top ways malicious hackers breach organizations and cause damage. Bad actors often focus their efforts on phishing employees to obtain needed credentials or system access for an attack. To reduce the opportunity for successful phishing attacks, focus on training your employees to identify potential ransomware threats and report suspicious activity or incidents.
Conduct organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails. Importantly, cybersecurity awareness training should recognize that ransomware threats are continually changing. Employees need to be regularly up-skilled and empowered to spot and avoid new dangers.
4. Backup and Data Recovery
The best defense against the encryption half of a ransomware attack is the ability to restore data from clean backups. Even when an organization pays a ransom, there is no guarantee that the attackers will hand over a working decryption key. Restoring from backups is more reliable, cheaper, and does not involve handing money to cybercriminals. Keep in mind, though, that backups restore availability only; they do nothing about data the attackers have already stolen, which is why the prevention measures above still matter in the double extortion era.
Verify that you have a process in place to securely back up all your critical data. Implement a backup process that keeps multiple copies online and offline, following the 3-2-1 rule: at least 3 copies of your data, on 2 different media types, with 1 copy stored offsite. Because attackers routinely hunt for and delete or encrypt backups before triggering the ransomware, at least one copy should be offline or immutable and must not be reachable with the same domain credentials an attacker would gain from a compromised workstation or server.
You should also encrypt your backups, so that even if attackers get hold of them they cannot read the contents without your key; store that key somewhere other than alongside the backups themselves. Back up regularly to bound how much data you can lose: if you back up every 20 minutes, you will lose at most about 20 minutes’ worth of work when you restore after an attack.
Continually test your organizational ability to recover from your backups within the time the business can tolerate. Unfortunately, many organizations discover during a ransomware event that what they thought was a robust backup system is either too slow to restore in time or unusable because the backups themselves were corrupted or encrypted.
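A restore test is only meaningful if you can tell a good restore from a bad one, so record a hash of every file at backup time and check the restored copy against that record. The drill below is an added example using only the Python standard library, not ECW’s or any backup vendor’s tool: the files, directory names and manifest key are constructed, and the copy operations stand in for a real backup job and restore. The manifest is keyed with an HMAC so that an attacker who can rewrite the backup cannot also rewrite the hashes to match, which only holds if the key is kept where the backup host cannot reach it, such as with the offline copy.

```python
"""Backup restore drill: hash every file into a keyed manifest at backup time,
restore into a scratch directory, and verify byte-for-byte, so a backup that
ransomware reached (or that silently corrupted) is caught before you depend on it.
Added example using only the standard library; not ECW's or a vendor's tool.
Files, paths and the manifest key are constructed."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and MAC the listing with a key the backup host
    cannot reach, so tampering with the backup cannot be hidden by also editing
    the manifest."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(restored: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the restore is usable."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: the manifest itself was altered"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    return problems


def restore_drill(tamper: str | None = None) -> list[str]:
    """End-to-end drill on constructed data. tamper=None is the happy path;
    "file" overwrites one restored file with junk, as an encrypted backup would
    look; "manifest" edits a stored hash, as an attacker covering tracks would."""
    key = b"constructed-manifest-key-kept-offline"   # constructed; never stored with the backups
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restored")
        (live / "contracts").mkdir(parents=True)
        (live / "ledger.csv").write_text("date,amount\n2022-01-03,1200\n")
        (live / "contracts" / "acme.txt").write_text("Constructed sample contract text.\n")

        manifest = build_manifest(live, key)      # taken at backup time
        shutil.copytree(live, backup)             # stand-in for the real backup job
        shutil.copytree(backup, restored)         # stand-in for the restore

        if tamper == "file":
            (restored / "ledger.csv").write_bytes(os.urandom(64))   # encrypted-looking junk
        elif tamper == "manifest":
            manifest["files"]["ledger.csv"] = "0" * 64
        return verify_restore(restored, manifest, key)


if __name__ == "__main__":
    print(restore_drill())              # []
    print(restore_drill("file"))        # ['modified: ledger.csv']
    print(restore_drill("manifest"))    # ['manifest MAC mismatch: the manifest itself was altered']
```

Run the drill on a schedule against a real restore into scratch storage and alert on a non-empty result; time the restore as well, since a verified backup that takes a week to bring back is still a failed recovery objective.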
5. Create an Incident Response Plan
Every organization should have a cybersecurity incident response plan in place. When your organization has a defined plan, and has practiced it repeatedly, you are more likely to avoid the panic and delayed reactions that can exacerbate a ransomware event and increase damage and costs. When creating your organization’s cybersecurity incident response (IR) plan, verify that it covers every role involved in your response, internal and external, including key support contacts, vendors, legal counsel, and your cyber insurer. The plan should define the responsibilities of each role and the general steps that must be taken to identify, contain, remediate, and recover from a cybersecurity incident, and it should be stored somewhere you can still reach when your file servers and email are encrypted.
Stress-test your organization’s incident response plan to develop muscle memory. You can do this through cyber range experiences or tabletop exercises, where all required personnel can simulate an actual ransomware event. This helps identify ways to improve the plan and provide your team with critical real-life experience to improve reaction times.
No company is immune from cyber threats, and the best defense is to be prepared for a ransomware attack. ECW Networks & IT Solutions can help improve your cybersecurity posture by conducting a penetration test to identify vulnerabilities before the bad guys do and providing comprehensive recommendations on how to remediate those vulnerabilities.
Our ransomware experts can also help if you’ve been hit by a ransomware attack. We can remove the ransomware from your systems, help you avoid paying a ransom by recovering your data, and if paying a ransom is absolutely necessary, we’ll guide you through the entire process, ensuring the ransom payment is legal. Contact us today to schedule a consultation, and let’s get started securing your organization against ransomware threats!
Thanks to our colleagues at DataEcon in Dallas for their help with this article.
ECW Computers is an information technology company. Headquartered in Deerfield Beach, FL, we specialize in providing unique, specially-tailored Managed IT solutions to businesses in Fort Lauderdale, West Palm Beach, Miami and across South Florida.