Best practices to protect your organization against ransomware threats
Ransomware is a type of malware that encrypts files and data of users or organizations, rendering them unreadable. It’s not a new threat to computer security. These destructive, financially motivated attacks where cyber criminals demand payment to decrypt data and restore access have been studied and documented for many years. These attacks are now more common, affecting essential services such as healthcare and gasoline pumping. Ransomware continues to be a threat to organizations in all industries. It disrupts business processes and threatens critical infrastructure services. Many organizations are now looking for ways to protect themselves. Ransomware is especially dangerous to organizations that rely on legacy systems. These systems may not be patched or maintained regularly.
Google has been securely operating in the cloud for more than 20 years. Our modern technology stack allows us to create a safer environment and protect it at scale, and the security innovations we build for ourselves are available on our platforms and products, so customers can use them too. This underpins our work to be the industry’s most trusted cloud, and while the threat of ransomware isn’t new, our responsibility to help protect you from existing and emerging threats never changes. This post describes how organizations can improve their resistance to ransomware, and how our Cloud products can help.
To protect yourself against ransomware, you need a comprehensive, layered security strategy
Multiple layers of defense are required to provide robust protection against ransomware and other threats. The National Institute of Standards and Technology (NIST) outlines five main functions in the Cybersecurity Framework that serve as the primary pillars for a successful and comprehensive cybersecurity program in any public or private sector organization. Here are some examples, organized by those five functions, of how our Cloud technologies can address ransomware threats.
Pillar 1 – Identify: Understand the cybersecurity risks that you must manage to protect your assets, data, people, capabilities, and systems. This covers the systems and processes most vulnerable to ransomware attacks, as well as the potential business consequences if certain systems are rendered unusable. This will allow you to prioritize and concentrate your efforts in managing risks.
Our CISO Guide to Security Transformation whitepaper outlines steps for a risk-informed, rather than risk-avoidance, approach to security with the cloud. Instead of trying to address security risks you are already familiar with, a risk-informed approach will help you focus on the most critical ones. This risk-informed approach is easier and more efficient when cloud service providers provide many of the tools and controls that you need to protect yourself from modern security threats. Services like Cloud Asset Inventory provide a mechanism to discover, monitor, and analyze all your assets in one place for tasks like IT ops, security analytics, auditing, and governance.
Pillar 2 – Protect: Create safeguards that ensure critical services are delivered and business processes are protected to minimize or limit the effects of an attack or cybersecurity incident. These safeguards can include zero-trust frameworks that authenticate and protect user access and device integrity, segment environments, and authenticate executables. They also reduce phishing risk, filter malware and spam, integrate endpoint security, patch consistently, and provide continuous assurance. Here are some examples of products or strategies that you might consider including in this step:
- Cloud-native, highly secure email platform: Email is at the core of many ransomware attacks, where it is used to steal credentials and distribute ransomware binaries. Advanced phishing and malware protection in Gmail provides controls to quarantine emails, defends against anomalous attachment types, and protects from inbound spoofing emails. Security Sandbox detects the presence of previously unknown malware in attachments. Gmail blocks more than 99.9% of spam, phishing, and malware from reaching users’ inboxes. Unlike legacy on-premises email systems that are often exploited, Gmail is continuously and automatically updated with security enhancements and protections to keep your email safe.
- Strong protection from account takeovers: Compromised accounts enable ransomware operators to gain a foothold within victim organizations, perform reconnaissance, gain unauthorized access to data, and install malicious binaries. Google’s Advanced Protection Program is the best defense against account takeovers: no user enrolled in the program has yet been successfully phished. Google Cloud also uses many layers of machine-learning systems to detect anomalies across different browsers, devices, and usage events.
- Zero trust access controls that limit attacker access and lateral movement: BeyondCorp Enterprise provides a turnkey solution for implementing zero trust access to your key business applications and resources. A zero-trust access model allows authorized users to access individual apps at a time, not the whole corporate network. Permissions are constantly evaluated to ensure that access is still valid. This prevents ransomware attackers from leveraging the network to spread malware and hunt for sensitive data. BeyondCorp’s protections can even be applied to RDP access to resources, one of the most common ways that ransomware attackers gain and maintain access to insecure legacy Windows Server environments.
- Chrome Enterprise threat protections: Chrome uses Google Safe Browsing technology to warn users about millions of malware downloads every week, including malicious download warnings shown directly to the user in Chrome. BeyondCorp Enterprise threat protection delivered via Chrome can protect against infections by previously unknown malware, including ransomware. It includes real-time URL checks as well as deep scanning of files.
- Endpoints designed for security: Chromebooks are designed to protect against phishing and ransomware attacks with a low on-device footprint, a read-only operating system that updates constantly and invisibly, sandboxing, verified boot, Safe Browsing, and Titan-C security chips. Rolling out ChromeOS devices to users who work primarily in a browser can reduce an organization’s attack surface by reducing its reliance on legacy Windows devices, which have often been found to be vulnerable to attacks.
Pillar 3 – Detect: Identify potential cybersecurity incidents or events and establish continuous monitoring of your organization. This could include monitoring for intrusion attempts and deploying Data Loss Prevention (DLP) solutions to detect the exfiltration of sensitive information from your organization. It also includes scanning for signs of ransomware propagation and execution.
- It is crucial to detect and stop ransomware activity as soon as possible to prevent business disruptions. Chronicle is a threat detection solution that identifies threats, including ransomware, at unparalleled speed and scale. Google Cloud Threat Intelligence for Chronicle surfaces highly actionable threats based on Google’s collective insight and research into Internet-based threats. Threat Intel for Chronicle allows you to focus on real threats and speed up your response time.
- DLP technology is also useful for detecting data that might be attractive to ransomware operators. With data discovery capabilities like Cloud DLP, you can detect sensitive data that’s accessible to the public when it should not be and detect access credentials in exposed code.
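As an added illustration of the "scanning for signs of ransomware propagation and execution" idea in this Detect pillar, the script below is example code written for this article, not Chronicle's or Google Cloud's detection logic. It flags a host that writes or renames an unusual number of files to unrecognized extensions within a short window, which is the most visible symptom of mass encryption on a file share. The log format (timestamp, host, action, path), the host names, the thresholds and the known-extension list are assumptions for the example, and the log lines are constructed in the code.

```python
"""Heuristic detector for mass-encryption activity over file-access logs.
Added example; assumes a log line looks like:
  2024-05-01T10:00:01 ws-17 RENAME /share/finance/doc0.xlsx.locked
i.e. ISO timestamp, host, action, path, separated by single spaces."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Extensions the organization normally writes; anything else counts as
# suspicious when it shows up in bulk. Assumed list for the example.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}


def build_sample_log():
    """Construct sample lines: one benign host writing a few documents over
    several minutes, and one host renaming 30 files to an unknown extension
    within 30 seconds (the pattern a file-encrypting process leaves behind)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} ws-03 WRITE /share/hr/report{i}.docx")
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} ws-17 RENAME /share/finance/doc{i}.xlsx.locked")
    lines.sort()  # ISO timestamps sort lexicographically
    return "\n".join(lines)


def parse_line(line):
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def is_suspicious(action, path):
    """A write or rename that leaves a file with an extension we do not expect."""
    ext = os.path.splitext(path)[1].lower()
    return action in ("WRITE", "RENAME") and ext not in KNOWN_EXTENSIONS


def detect(log_text, window=timedelta(seconds=60), min_events=20):
    """Return {host: timestamp of first alert} for hosts that produce at least
    `min_events` suspicious events inside any sliding `window`."""
    recent = defaultdict(deque)  # host -> timestamps of suspicious events in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = parse_line(line)
        if not is_suspicious(action, path):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= min_events and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, when in detect(build_sample_log()).items():
        print(f"ALERT {host}: {when.isoformat()} possible mass encryption")
```

In production the same sliding-window logic would run over SMB audit logs or EDR file events rather than a constructed string, and the thresholds would be tuned per share so that legitimate bulk jobs (build systems, batch exports) do not trip it.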
Pillar 4 – Respond: Activate an incident management program in your company to help reduce the impact of security incidents (in this instance, ransomware).
- It is crucial to protect your communication channels both internally to your team and externally to customers and partners during a ransomware attack. Many legacy Office installations have been replaced by Google Workspace. It offers a standardized and secure online collaboration platform and can be quickly set up to provide an additional secure environment in case of a security incident.
Pillar 5 – Recover: Create a cyber-resilience program and backup plan to help you prepare for the possibility of restoring core systems or assets that have been affected by security incidents (in this instance, ransomware). This function is crucial for supporting recovery timelines, minimizing the impact of cyber events, and allowing you to get back to your business.
- A known-safe point-in-time backup image must be available so that recovery can begin immediately after a ransomware attack. Actifio GO provides scalable and efficient incremental data protection and a unique near-instant recovery capability for data. Near-instant recovery allows for quick identification of a clean restore point, which in turn allows for rapid resumption of operations. Actifio GO is infrastructure-agnostic and can protect applications on-premises and in the cloud.
- In Google Workspace, if files on your computer were infected with malware but you sync them to Google Drive, you may be able to recover those files. Additionally, ensuring that you have a strong risk transfer program in place, like our Risk Protection Program, is a critical element of a comprehensive approach to managing cyber risk.
For IT and business leaders, key ransomware mitigation and prevention considerations
Here are some key questions you should ask yourself as you prepare for ransomware threats.
- What is your ransomware strategy? It is important to establish strong partnerships with cloud providers that are based on a mutual understanding of security and risk objectives.
- How can you protect your company’s systems, data, and employees from malware?
- Are your systems current and being updated?
- Are you looking out for data leakage or other irregularities in your organization?
- Is there a comprehensive zero trust strategy, particularly for authenticating employees who access information?
- Are you ensuring that high-assurance immutable locations are available for backup and testing that they work properly? This should include periodic restoration of key assets and data.
- What exercises are you using to test your organization’s response to cyber incidents or events?
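Two of the points above, identifying a clean restore point under the Recover pillar and periodically testing that immutable backups actually restore, share one mechanism: restoring a snapshot to scratch space and checking it bit for bit against the integrity record captured at backup time. The script below is example code written for this article, not Actifio or Google Cloud code. It assumes backups are plain directory snapshots accompanied by a manifest of SHA-256 hashes (real backup tools keep equivalent metadata), and it treats a snapshot whose file names carry an unexpected extension as taken after encryption; that extension, the snapshot labels and the file contents are all constructed for the example.

```python
"""Restore test and clean-restore-point selection over directory snapshots.
Added example with assumed conventions: each snapshot is a directory plus a
{relative path: sha256} manifest recorded when the backup was taken."""
import hashlib
import os
import shutil
import tempfile

# Placeholder extension standing in for whatever an encryption process
# appends; constructed for the example, not a real indicator.
SUSPECT_EXTENSIONS = {".locked"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Return a sorted list of problems; an empty list means the restore is exact."""
    problems = []
    for rel, digest in manifest.items():
        p = os.path.join(restored_root, rel)
        if not os.path.exists(p):
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"changed: {rel}")
    extra = set(build_manifest(restored_root)) - set(manifest)
    problems.extend(f"unexpected: {rel}" for rel in sorted(extra))
    return sorted(problems)


def looks_encrypted(manifest):
    """Cheap pre-check: does the snapshot already contain post-encryption names?"""
    return any(os.path.splitext(rel)[1].lower() in SUSPECT_EXTENSIONS for rel in manifest)


def restore(backup_dir, target_dir):
    # Stand-in for the backup tool's restore operation.
    shutil.copytree(backup_dir, target_dir, dirs_exist_ok=True)


def choose_clean_restore_point(snapshots):
    """snapshots: list of (label, backup_dir, manifest), newest first.
    Returns the label of the newest snapshot that is not post-encryption and
    whose test restore matches its manifest, or None."""
    for label, backup_dir, manifest in snapshots:
        if looks_encrypted(manifest):
            continue
        with tempfile.TemporaryDirectory() as scratch:
            restore(backup_dir, scratch)
            if not verify_restore(manifest, scratch):
                return label
    return None


def run_demo():
    """Constructed scenario: newest snapshot taken after encryption, middle one
    silently corrupted in storage after its manifest was recorded, oldest good."""
    with tempfile.TemporaryDirectory() as tmp:
        def make_snapshot(label, files):
            d = os.path.join(tmp, label)
            for rel, content in files.items():
                path = os.path.join(d, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(content)
            return label, d, build_manifest(d)

        docs = {"finance/q1.xlsx": b"quarter one", "hr/policy.docx": b"policy"}
        good = make_snapshot("2024-05-01", docs)
        corrupt = make_snapshot("2024-05-02", docs)
        with open(os.path.join(corrupt[1], "hr", "policy.docx"), "wb") as f:
            f.write(b"garbage")  # bit rot / tampering after backup
        encrypted = make_snapshot("2024-05-03", {
            "finance/q1.xlsx.locked": b"\x00\x01", "hr/policy.docx.locked": b"\x02"})
        return choose_clean_restore_point([encrypted, corrupt, good])


if __name__ == "__main__":
    print("clean restore point:", run_demo())
```

Run on a schedule against the real backup store, the same `verify_restore` call is the periodic restoration test the question above asks for; a non-empty problem list is the signal that a backup you are counting on would not have saved you.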
Ransomware attacks are set to continue to evolve
Ransomware groups have been evolving their tactics to steal data before it is encrypted, and then threaten to leak that data as a second form of extortion. Additionally, some ransomware operators have used the threat of distributed denial-of-service (DDoS) attacks against victim organizations as an attempt to further compel them to pay a ransom. DDoS attacks can also be used to distract security teams while attackers pursue other objectives, such as data exfiltration and encryption of business-critical information. You can protect Google Cloud services, as well as other clouds and on-premises environments, by deploying Google Cloud Armor, which can absorb large DDoS attack waves.
Ransomware protection is an important issue for all companies. These questions and best practices will help you build a robust and resilient cybersecurity strategy. You can’t just focus on one piece of the defense: you need a comprehensive cybersecurity plan that allows you to prevent, detect, and respond to threats, built from a variety of highly resilient, battle-tested solutions that work together with your business. To learn more about how Google Cloud can help you implement a comprehensive cybersecurity program to protect against threats like ransomware and more, visit our Google Cloud Security Best Practices Center.