Cloud Ransomware Protection

Best practices to protect your organization against ransomware threats

Ransomware is a type of malware that encrypts files and data of users or organizations, rendering them unreadable. It’s not a new threat to computer security. These destructive, financially motivated attacks where cyber criminals demand payment to decrypt data and restore access have been studied and documented for many years. These attacks are now more common, affecting essential services such as healthcare or pumping fuel. Ransomware continues to be a threat to organizations in all industries. It disrupts business processes and threatens critical infrastructure services. Many organizations are now looking for ways to protect themselves. Ransomware is especially dangerous to organizations that rely on legacy systems. These systems may not be patched or maintained regularly.

Google has been securely operating in the cloud for more than 20 years. We use our modern technology stack, which allows us to create a safer environment and protect it at scale. Our security innovations are available on our platforms and products, so customers can also use them. This is what underpins our efforts to be the most trusted cloud in the industry. While ransomware is not new, we are always committed to protecting you from any emerging or existing threats. This post will guide how organizations can improve their resistance to ransomware, and how our Cloud products can help.

To protect yourself against ransomware, you should have a complete and defensive security strategy

Multiple layers of defense are required to provide robust protection against ransomware and other threats. The Cybersecurity Framework, which is outlined by the National Institute of Standards and Technology (NIST), outlines five functions that are the main pillars of a comprehensive and successful cybersecurity program in any private or public sector organization. Here are some examples of ransomware threats that our Cloud technologies can address.

Pillar #1: Identify and understand the cybersecurity risks that you must manage to protect your assets, people, data, and capabilities. This covers the most vulnerable systems and processes to ransomware attacks, as well as the potential business consequences if certain systems are rendered unusable. This will allow you to prioritize and concentrate your efforts in managing risks.

The CISO Guide for Security Transformation whitepaper outlines steps to take to ensure that security with the cloud is not averted but rather risk-informed. Instead of trying to address security risks you are already familiar with, a risk-informed approach will help you focus on the most critical ones. This risk-informed approach is easier and more efficient when cloud service providers provide many of the tools and controls that you need to protect yourself from modern security threats. Cloud services like Cloud Asset inventory allow you to monitor, analyze, and discover all of your assets from one location. This is useful for tasks such as IT ops, security analytics, and auditing, as well governance.

Pillar 2 – Protect: Create safeguards that ensure critical services are delivered and business processes are protected to minimize or limit the effects of an attack or cybersecurity incident. These safeguards can include zero-trust frameworks that authenticate and protect user access, device integrity, segment environments, and authenticate executables. They also reduce phishing risk, filter malware, and spam, integrate endpoint security, patch consistently, and provide continuous assurances. Here are some examples of products or strategies that you might consider including in this step:

Cloud-native, highly secure email platform Email is the core of many ransomware attacks. This vulnerability can be used to steal credentials and distribute ransomware binaries. Gmail’s advanced phishing and malware protection protect you from inbound spoofing email, guards against unusual attachment types, and quarantines emails. Security Sandbox detects previously unknown malware in attachments. Gmail blocks more than 99.9% of spam, phishing, and malware from reaching users’ inboxes. Gmail, unlike legacy on-premises email systems that are often exploited, is continuously and automatically updated with security enhancements and protections to keep your email safe.

Strong protection from account takeovers. Compromised accounts enable ransomware operators to gain access to victim organizations, perform reconnaissance, gain unauthorized access to data, and install malicious binaries. Google’s Advanced Protection Program is the best defense against account takeovers. It has yet not to see any user who participates in this program is successfully phished. Google Cloud also uses machine learning systems to detect anomalies and distinguish between safe and suspicious user activity across browsers and devices.

Zero trust access controls to limit attacker access and minimize lateral movement. BeyondCorp Enterprise offers a complete solution for zero trust access to key business applications and resources. A zero-trust access model allows authorized users to access individual apps at a time, not the whole corporate network. Permissions are constantly evaluated to ensure that access is still valid. This prevents ransomware attackers from gaining lateral access to the network. BeyondCorp can even be used to RDP access resources. This is one of the most common ways ransomware attackers have gained and maintained access to insecure legacy Windows Server environments.

Chrome Enterprise threat protections: Chrome uses Google Safe Browsing technology to warn users about millions of malware downloads every week. Chrome provides threat protection in BeyondCorp Enterprise to protect users against previously unknown malware, including ransomware. It also offers deep scanning and real-time URL checks.

Malicious downloading warnings to warn users in Chrome

Endpoints for security: Google Chromebooks protect against ransomware and phishing attacks. They have a small footprint, are read-only, and invisibly updated Operating systems, sandboxing, and Safe Browsing. The rollout of ChromeOS devices can help reduce the organization’s attack surface. This is especially true if users work mostly in a browser.

Pillar #3– Detect: Identify potential cybersecurity incidents or events and establish continuous monitoring of your organization. This could include monitoring for intrusion attempts and deploying Data Loss Prevention solutions (DLP) to detect the exfiltration of sensitive information from your organization. It also includes scanning for signs of ransomware propagation and execution.

It is crucial to detect and stop ransomware activity as soon as possible to prevent business disruptions. Chronicle is an advanced threat detection tool that detects ransomware at unprecedented speed and scale. Google Cloud Threat Intelligence to Chronicle identifies highly actionable threats using Google’s collective intelligence and research into Internet-based attacks. Threat Intel for Chronicle allows to you focus on real threats and speed up your response time.

DLP technology is also useful for detecting data that might be attractive to ransomware operators. You can use data discovery tools like Cloud DLP to detect sensitive data that isn’t intended for the public and identify access credentials in exposed codes.

Pillar 4 – Respond. Activate an incident management program in your company to help reduce the impact of security (in this instance, ransomware).

It is crucial to protect your communication channels both internally to your team and externally to customers and partners during a ransomware attack. Many legacy Office installations have been replaced by Google Workspace. It offers a standardized and secure online collaboration platform and can be quickly set up to provide an additional secure environment in case of a security incident.

Pillar #5 Recover: Create a cyber-resilience program and backup plan to help you prepare for the possibility of restoring core systems or assets that have been affected by security (in this instance, ransomware). This function is crucial for supporting recovery timelines, minimizing the impact of cyber events, and allowing you to get back to your business.

At a point in time, the safe backup image must be created immediately after a ransomware attack. Actifio offers scalable, efficient incremental data protection as well as a unique, near-instant data recovery capability. The near-instant recovery allows for quick identification of a clean restore point, which allows for rapid resumption. Actifio GO is infrastructure-agnostic and can protect applications on-premises and in the cloud.

If files on your computer are infected by malware and you sync them to Google Drive you might be able to recover those files. A comprehensive approach to managing cyber risks includes ensuring you have a robust risk transfer program, such as our risk protection program.

For IT and business leaders, key ransomware mitigation and prevention considerations

Here are some key questions you should ask yourself as you prepare for ransomware threats.

What is your ransomware strategy? It is important to establish strong partnerships with cloud providers that are based on a mutual understanding of security and risk objectives. How can you protect your company’s systems, data, and employees from malware? Are your systems current and being updated? Are you looking out for data leakage or other irregularities in your organization? Is there a comprehensive zero trust strategy, particularly for authenticating employees who access information? Are you ensuring that high-assurance immutable locations are available for backups and that they work properly? This should include periodic restoration of key assets and data. What exercises are you using to test your organization’s response to cyber incidents or events?

Ransomware attacks are set to continue to evolve

Ransomware groups have been evolving their tactics to steal data before it is encrypted. They also threaten to extort this data through data leaks. Additionally, some ransomware operators have used the threat of distributed-denial-of-service (DDoS) attacks against victim organizations as an attempt to further compel them to pay the ransom. DDoS attacks can be used to distract security teams and attackers from achieving other objectives, such as exfiltrating or encrypting business-critical information. You can help protect services in Google Cloud, other cloud providers, and on-premise against DDoS attacks by deploying Google Cloud Armor. This can be scaled to absorb large DDoS attacks.

Ransomware protection is an important issue for all companies. These questions and best practices will only help you build a robust and resilient cybersecurity strategy. You can’t just focus on one piece of the defense. You need a comprehensive cybersecurity plan that allows you to detect, prevent, detect and respond to threats. You need a variety of solutions that are proven to be resilient and battle-tested, which can be integrated with your business. Learn more about Google Cloud and how it can help you create a comprehensive cybersecurity program that protects against