Top Tips for Ransomware Defense
Ransomware has spread well beyond the cybersecurity industry: it is appearing everywhere, from the news to the G7 Summit. Ransomware is now mainstream, as threat actors focus more on critical infrastructure providers who can’t afford disruption or downtime from a cyber attack – from food and transport suppliers to energy and healthcare.
Most people probably know what ransomware is (if not, go here). How does it work? Why is it so harmful? How can organizations stop it from happening? While the U.S. government has recently stated that it will be playing a larger role in thwarting ransomware and other cyberattacks, it has also stressed the importance of collaboration with the private sector to fight this pervasive issue. At the same time, the private sector has been urging stronger action from the government.
Ransomware has become a problem for everyone, from individuals to corporations to governments. Cyber attackers have more options than ever, because employees access company resources from a variety of devices and networks that the corporate IT department does not control. Once inside, ransomware operators lock up your company’s files and data and demand large sums of money to recover them.
Why ransomware is so dangerous, especially right now
Every organization’s data is vital, and losing access to it can halt operations. Ransomware used to target individual systems and demand a few hundred dollars to retrieve data. Now, through “big game hunting,” threat actors go after bigger targets and move laterally through an environment to reach more mission-critical systems. Once they have gained access to the network, they deploy ransomware at several points throughout it. Sometimes the ransom is in the thousands.
Ransomware operators also use other aggressive tactics to increase their chances of making money. They may compromise backup systems to prevent administrators from using them to restore data. They may also use double extortion, threatening to release sensitive information and interfering with the victim’s day-to-day operations.
Furthermore, the ransomware-as-a-service model makes the barrier to entry for launching ransomware very low. These services allow threat actors to purchase ransomware kits from other threat actors, even if they don’t possess the necessary skills or resources. Anyone who wants to conduct a cyberattack can easily access malicious code that is known to exploit unpatched vulnerabilities.
Why not pay the ransom instead?
Even though ransom payments today are often in the millions, sometimes paying to restore data can be less expensive than the operational impact of a business stopping or slowing down (especially when it involves critical infrastructure). Why not pay the ransom?
Security experts and government officials discourage ransom payments because they feed the attack cycle: an attacker who gets paid once is more motivated to attack the next target. And paying a ransom is no guarantee that an organization’s data will be restored, or that its sensitive information won’t be leaked anyway.
How do attackers get in?
Ransomware hackers can use a variety of methods to infiltrate your environment. Many times, ransomware operators use social engineering and phishing to obtain credentials and/or to get employees to click on malicious links or attachments. They may also be able to enter via infected websites that users visit, or simply by exploiting software vulnerabilities within an organization’s network perimeter. In some cases, attackers may first break into an organization’s business partner, service provider, or other third parties to eventually infect their intended target.
Users are used to scrolling through email, news articles, and social media quickly. Cybercriminals take advantage of this behavior to launch attacks before users realize what they clicked. As mentioned, the initial intrusion is only part of the overall process.
Ransomware operators prefer to wait until they control a significant portion of a network before they deploy ransomware, in order to maximize their earning potential. Although defenders should aim to keep attackers out of their networks, it is equally important to have policies in place that restrict what an attacker can do after gaining control of a user account or part of the network.
What can we do about ransomware?
Ransomware is multifaceted. Our protections must be multifaceted as well. It is impossible to prevent ransomware using any one technology or best practice. Ransomware defense must be considered as a continuous, multi-layered process. The most effective technologies are always up-to-date to detect new threats and can be integrated so that each solution can take over where the others leave off.
End-user education is also a crucial part of fighting ransomware. This will ensure that employees are aware of the risks involved in mindless browsing and clicking. However, according to Cisco’s Head of Advisory CISOs, Wendy Nather, there’s a right way and a wrong way to do this.
“Our culture of security scanning and scolding is not a good trend,” she said. People will cooperate if they know you have their backs and are willing to work with them to solve the problem.
Wendy said that when phishing is reported within her business unit, employees are celebrated rather than chastised for falling for it. She added, “It’s an excellent way to emphasize the type of behavior we want to see.”
Top tips for ransomware defense
If you don’t know where to start with ransomware protection, start with basic cyber hygiene. Although some of these steps may seem simple, they are often overlooked because of resource limitations, higher-priority projects, or other factors, and these common weaknesses are exactly what attackers exploit.
- Make sure your systems are up-to-date and kept patched. Automated patching can be a great way to ensure that nothing falls through the cracks and reduce the workload on IT and security personnel. Out of the 25 best practices we analyzed in our 2021 Security Outcomes Study, it was found that proactively refreshing technology had the strongest effect on improving overall defenses.
- Back up data regularly to ensure it is available in case of an emergency. Backups stored offline are out of reach of an intruder on your network. Create a data recovery plan that lets you restore the business at scale and maintain business continuity.
- Keep an accurate inventory of all your assets. Attackers often find a way to get into older, forgotten machines.
- To find vulnerabilities in your infrastructure, conduct regular risk assessments.
- Segment your network to ensure that hackers cannot gain access to critical systems.
- Your employees should be familiar with ransomware and cybersecurity. They should be taught how to spot phishing emails, the importance of strong passwords, and what to do if they get suspicious communications.
- Keep up-to-date with the latest threats and defensive strategies. Have a solid plan for responding to unexpected threats. Organizations like Cisco Talos offer incident response services to help you prepare for, respond to, and recover from breaches.
- Pay attention to ransomware guidance provided by government agencies such as CISA or NIST.
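The backup tip above only helps if the copy you restore from has not been silently encrypted or deleted by an intruder who reached the backup storage. The following script is an added example, not code from the original article: it records a SHA-256 manifest of a backup set and later verifies the set against that manifest, reporting files that are missing, altered, or unexpected. It assumes the manifest itself is kept on storage the production network cannot write to (an offline or immutable copy), so the attacker cannot rewrite the manifest to hide the damage. The backup directory and its contents are constructed inside a temporary folder for the demo.

```python
"""Verify a backup set against a manifest of SHA-256 hashes.

Added example, not from the original article. It assumes the manifest is
written to storage the production network cannot reach (an offline or
immutable copy), so that an intruder who encrypts or deletes backup files
cannot also rewrite the manifest to hide the damage.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the trusted manifest.

    Returns lists of files that are missing, modified (digest mismatch, which
    is what ransomware encryption looks like), unexpected (present on disk but
    not in the manifest, e.g. a dropped ransom note), and intact.
    """
    current = build_manifest(root)
    result = {"missing": [], "modified": [], "unexpected": [], "intact": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["intact"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def backup_is_restorable(report: dict) -> bool:
    """A backup is only worth relying on if nothing is missing or altered."""
    return not (report["missing"] or report["modified"])


def demo() -> dict:
    """Constructed scenario: a healthy backup, then the same set after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (root / "payroll.csv").write_bytes(b"id,name,salary\n1,Ada,1000\n")
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")

        manifest = build_manifest(root)          # taken when the backup was made
        manifest_json = json.dumps(manifest)     # this copy is the offline one
        healthy = verify_backup(root, json.loads(manifest_json))

        # Simulated damage (constructed for the demo): one file overwritten with
        # random bytes, one deleted, one unexpected note added.
        (root / "payroll.csv").write_bytes(os.urandom(64))
        (root / "db" / "customers.sql").unlink()
        (root / "README_RESTORE.txt").write_bytes(b"your files are encrypted\n")
        damaged = verify_backup(root, json.loads(manifest_json))

    return {"healthy": healthy, "damaged": damaged}


if __name__ == "__main__":
    out = demo()
    print("healthy restorable:", backup_is_restorable(out["healthy"]))
    print("damaged report:", out["damaged"])
```

Run the verification as part of the backup job and again before any restore; a report with anything in `missing` or `modified` means the offline copy, not this one, is the one to restore from.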
Technologies that can assist
And of course, be sure to implement a comprehensive range of security solutions to cover the many threat vectors attackers use to get in, including:
- Next-generation firewalls and IPS: modern firewalls and intrusion prevention technology can block attacks against your network.
- Email security: block ransomware sent via spam or phishing, and automatically identify malicious URLs and attachments.
- Cloud security and web security: protect users from ransomware and other malware while they are browsing or using cloud-based applications.
- Endpoint protection: detect and remediate threats on your environment’s endpoints.
- Secure access: multi-factor authentication (MFA) and other access controls ensure that only authorized users and devices can reach your resources.
- Network visibility and analytics: quickly identify anomalous behavior in your network and take steps to correct it. Use a solution that can analyze both encrypted and unencrypted traffic.
Alongside these and other technologies, organizations should take a zero-trust approach to security: no user, device, or application attempting to access your network is trusted implicitly. Without that implicit trust, cybercriminals have a much harder time launching ransomware across your network.
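The endpoint protection and network visibility items above both come down to spotting anomalous behavior quickly. One behavioral signal that distinguishes a ransomware run from normal file activity is a single process rewriting many files in many directories within seconds, all ending up with the same new extension. The script below is an added example, not code from the article or from any Cisco product: it parses a constructed file-event log (the `timestamp pid process action path` format is invented for the demo; real EDR telemetry differs) and applies a sliding-window heuristic per process. The thresholds (`window`, `min_files`, `min_dirs`) are assumptions to tune against your own baseline.

```python
"""Flag ransomware-like mass file modification in endpoint file-event logs.

Added example, not from the original article. Log format and thresholds are
constructed for the demo; real telemetry and tuning will differ.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample log: "timestamp_seconds pid process action path".
# A normal document edit, a process renaming files across several directories
# to one new extension, and a routine backup job.
SAMPLE_LOG = """\
100 4410 word.exe WRITE /home/alice/docs/report.docx
101 4410 word.exe WRITE /home/alice/docs/report.docx
105 7721 unknown.exe RENAME /home/alice/docs/report.docx.locked
105 7721 unknown.exe RENAME /home/alice/docs/budget.xlsx.locked
106 7721 unknown.exe RENAME /home/alice/pictures/cat.jpg.locked
106 7721 unknown.exe RENAME /home/alice/pictures/dog.jpg.locked
107 7721 unknown.exe RENAME /srv/share/finance/q1.pdf.locked
107 7721 unknown.exe RENAME /srv/share/finance/q2.pdf.locked
108 7721 unknown.exe WRITE /srv/share/finance/README_RESTORE.txt
120 5120 backup.sh WRITE /srv/backups/2021-06-01.tar.gz
121 5120 backup.sh WRITE /srv/backups/2021-06-02.tar.gz
"""


@dataclass(frozen=True)
class Event:
    ts: int
    pid: int
    process: str
    action: str
    path: str


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, action, path = line.split(maxsplit=4)
        events.append(Event(int(ts), int(pid), proc, action, path))
    return events


def detect_mass_encryption(events, window=10, min_files=5, min_dirs=2) -> list:
    """Sliding-window heuristic, evaluated per process id.

    Fires once per pid the first time it has touched at least `min_files`
    distinct files spread over at least `min_dirs` directories within
    `window` seconds, with every touched file carrying the same extension.
    Returns one alert dict per offending pid.
    """
    recent = defaultdict(deque)   # pid -> deque of (ts, path) inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in ("WRITE", "RENAME"):
            continue
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if ev.pid in alerted:
            continue
        paths = {p for _, p in q}
        dirs = {str(PurePosixPath(p).parent) for p in paths}
        exts = {PurePosixPath(p).suffix for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs and len(exts) == 1:
            alerted.add(ev.pid)
            alerts.append({
                "pid": ev.pid,
                "process": ev.process,
                "first_seen": q[0][0],
                "last_seen": ev.ts,
                "files": len(paths),
                "directories": len(dirs),
                "extension": exts.pop(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(parse_log(SAMPLE_LOG)):
        print("ALERT:", alert)
```

The single-extension condition is what keeps the backup job quiet here: it writes two `.tar.gz` files but never reaches five distinct files in the window. In production the response to such an alert is to isolate the host and kill the process before the count climbs, which is why the check fires on the fifth file rather than after the run completes.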