Stop Ransomware Attacks

Steps to Help Prevent & Limit the Impact of Ransomware

Ransomware attacks affect a wide range of institutions, from small local governments to huge corporations. It is incumbent on all of us to do everything we can to keep them from succeeding.

Ransomware is a type of malware that blocks a victim's access to a system, device, or file until a ransom is paid to the attacker. It typically does this by encrypting files on the endpoint, threatening to delete files, or restricting system access. When ransomware hits hospitals, emergency call centers, and other critical infrastructure, the consequences can be severe.

Protecting your organization from ransomware demands a holistic, “all hands on deck” approach that involves everyone in your organization. The following are seven ways companies can help prevent attacks and limit the impact of ransomware. Each is mapped to the relevant CIS Controls security best practice, so you can learn more about each topic there.

1. Keep backups — and do so intelligently.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) recommends backing up important data as the single most effective way of recovering from a ransomware infection. A few factors need attention, however. It is critical that your backup files are properly safeguarded and stored offline or out-of-band so that they are not targeted by attackers: many ransomware families delete or encrypt any backups they can reach from the infected host, including mounted network shares and Volume Shadow Copies. Using cloud services may also help, because many of them keep prior versions of files, allowing you to restore a previously unencrypted version if necessary. Make a habit of testing that your backups actually restore. Should an attack occur, confirm that your backups were not affected before restoring from them.

CIS Control 11 (Data Recovery) provides more detail on building a data recovery plan.
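One way to check that a backup has not been touched before restoring from it is to compare the backup set against a manifest of file hashes recorded at backup time and kept out-of-band. The following is an added example (not code from the original article): it assumes the SHA-256 manifest was written when the backup was taken and stored away from the backup itself, so that ransomware reaching the backup share cannot alter both. The backup tree, file contents, and the simulated attack are all constructed inside a temporary directory.

```python
"""Verify a backup set against a manifest recorded at backup time.

Added example, not from the original article. It assumes the SHA-256 manifest
was written when the backup was taken and kept offline/out-of-band. Both the
backup tree and the manifest are constructed in a temporary directory here.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (backup files may be larger than memory)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root.
    Run this at backup time and store the result away from the backup itself."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree as it is now with the stored manifest.

    A file that ransomware encrypted in place shows up as 'modified'; one it
    renamed (e.g. to *.locked) shows up as 'missing' plus 'unexpected'.
    The backup is only safe to restore when all three lists are empty."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "safe_to_restore": not (modified or missing or unexpected)}


def demo() -> dict:
    """Constructed scenario: take a backup, verify it, then simulate ransomware
    reaching the (online) backup share and verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.xlsx").write_bytes(b"ledger contents")
        (root / "photos").mkdir()
        (root / "photos" / "site.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg bytes")
        (root / "notes.txt").write_bytes(b"plain notes")
        manifest = build_manifest(root)          # stored offline in real life
        clean = verify_backup(root, manifest)

        # Simulated attack: one file encrypted and renamed, one encrypted in place
        (root / "finance" / "ledger.xlsx").unlink()
        (root / "finance" / "ledger.xlsx.locked").write_bytes(os.urandom(32))
        (root / "photos" / "site.jpg").write_bytes(os.urandom(32))
        after_attack = verify_backup(root, manifest)
        return {"clean": clean, "after_attack": after_attack}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check deliberately treats unexpected new files as a failure, since a backup target that has gained files it never held is a sign that something other than the backup job has written to it. In practice the manifest should be signed or stored on media the backup host cannot write to, otherwise an attacker with access to the share can simply regenerate it.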

2. Make plans and policies for the future.

Create an incident response plan so that your IT security staff know what to do in the event of a ransomware attack. The plan should define roles and responsibilities and the communication channels to be used during an attack. It should also include a contact list of any business partners or vendors who would need to be notified. Do you have a policy for “suspicious email”? If not, consider establishing a company-wide one. It will tell employees what to do when they receive an email they are unsure how to handle, which can be as simple as forwarding it to the IT security team.

More information on incident response and management can be found in CIS Control 17.

3. Check the port configurations.

Many ransomware variants gain their initial foothold or spread from machine to machine over Remote Desktop Protocol (RDP, TCP port 3389) and Server Message Block (SMB, TCP port 445), for example by brute-forcing exposed RDP logins or exploiting SMB vulnerabilities. Consider whether your company needs these ports open at all and whether connections should be restricted to trusted hosts only. Review these settings for both on-premises and cloud environments, and work with your cloud service provider to close any RDP ports that are not needed.

CIS Control 4 covers the ways your business can manage network ports, protocols, and services, and how to implement them.
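A review of port exposure is easy to automate against a cloud provider's rule export. The following is an added example, not code from the original article: it audits security-group rules in the JSON layout returned by `aws ec2 describe-security-groups` (SecurityGroups, IpPermissions, IpRanges) and flags any rule that lets RDP or SMB in from a source range outside the trusted networks. The three sample groups and the trusted CIDRs are constructed for this example.

```python
"""Flag security-group rules that expose RDP (3389) or SMB (445) beyond
trusted address ranges.

Added example, not from the original article. The input mirrors the JSON
shape of `aws ec2 describe-security-groups`; the sample groups and the
trusted networks below are constructed assumptions.
"""
import ipaddress
import json

RISKY_PORTS = {3389: "RDP", 445: "SMB"}

# Assumed: networks from which administrative access is legitimately expected
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample in the describe-security-groups layout
SAMPLE_GROUPS = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-aaa", "GroupName": "jumphost",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
    "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
 {"GroupId": "sg-bbb", "GroupName": "fileserver",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
    "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]},
 {"GroupId": "sg-ccc", "GroupName": "allow-all",
  "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")


def rule_covers_port(perm: dict, port: int) -> bool:
    """IpProtocol "-1" means every protocol and port; otherwise the TCP
    port range must include the port. Wide ranges (3000-4000) count too."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def untrusted(cidr: str) -> bool:
    """A source range is untrusted unless it lies entirely inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(t) for t in TRUSTED_NETS if net.version == t.version)


def audit(groups: dict) -> list:
    """Return (group id, service, port, source cidr) for every exposing rule."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for port, name in RISKY_PORTS.items():
                if not rule_covers_port(perm, port):
                    continue
                for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                    cidr = r.get("CidrIp") or r.get("CidrIpv6")
                    if untrusted(cidr):
                        findings.append((sg["GroupId"], name, port, cidr))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print("EXPOSED: group %s allows %s (tcp/%d) from %s" % f)
```

Note that the check is by port range, not by exact port, so a broad "3000-4000" rule is reported for RDP and an "all traffic" rule is reported for both services; those are precisely the rules that a grep for "3389" would miss.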

4. Make your endpoints more secure.

Continuously verify that your systems are configured with security in mind. Secure configuration settings reduce your company's attack surface and close the gaps that default setups leave open. The CIS Benchmarks are a free resource for companies wishing to apply industry-leading, consensus-developed configuration settings.

More information on secure configurations can be found in CIS Control 4.

5. Make sure that your systems are up to date.

Make sure that all operating systems, applications, and software in your business are updated regularly. Applying the latest security updates closes the gaps attackers are trying to exploit; prioritize internet-facing systems and the services that ransomware commonly targets. Turn on automatic updates wherever possible so that you always have the latest security fixes.

CIS Control 7 covers patching and vulnerability management.

6. Educate and train the team

Security awareness training is essential to stopping ransomware before it starts. When employees can recognize and avoid malicious emails, everyone contributes to the organization's overall security. Training sessions teach team members what to look for in an email before they click a link or open an attachment.

CIS Control 14 has more information on putting security awareness and training programs in place.

7. Put in place an IDS.

An Intrusion Detection System (IDS) looks for malicious behavior by comparing network traffic against signatures of activity observed in earlier attacks. A well-maintained IDS receives regular signature updates and alerts your company as soon as it sees potentially harmful activity. Because a signature only matches what has been seen before, it is worth pairing signatures with behavioral rules, such as one host suddenly opening SMB connections to many of its neighbors.

CIS Control 8 addresses collecting, retaining, and reviewing audit logs, which is where the alerts and logs produced by most intrusion detection systems end up.
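To make the signature-versus-behavior distinction concrete, here is an added example (not code from the original article and not Albert's signature set) that runs two IDS-style checks over constructed connection records. Check 1 is a plain signature: SMB or RDP reaching an internal host from outside the enterprise address ranges. Check 2 is a behavioral rule: one internal host opening SMB to many distinct internal peers within a short window, the pattern of ransomware spreading laterally over port 445. The address ranges, thresholds and log lines are all assumptions.

```python
"""Two IDS-style checks run over constructed connection records.

Added example, not from the original article and not Albert's signature set.
INTERNAL_NETS, the thresholds and SAMPLE_LOG are constructed assumptions.
"""
import ipaddress
from collections import defaultdict, deque

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WATCHED_PORTS = {445: "SMB", 3389: "RDP"}
SPREAD_WINDOW_S = 60      # look-back window for the behavioral check
SPREAD_THRESHOLD = 5      # distinct SMB peers in the window that trigger an alert

# Constructed records in a simplified Zeek conn.log style: ts,src,dst,dport
SAMPLE_LOG = """\
1700000000,10.0.1.20,10.0.1.5,445
1700000001,198.51.100.7,10.0.1.5,3389
1700000002,10.0.1.20,10.0.1.6,445
1700000003,10.0.1.20,10.0.1.7,445
1700000004,10.0.1.20,10.0.1.8,445
1700000005,10.0.1.20,10.0.1.9,445
1700000006,10.0.1.20,10.0.1.10,445
1700000300,10.0.2.2,10.0.2.3,445
1700000301,10.0.2.2,10.0.2.4,445
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log: str) -> list:
    """Parse 'ts,src,dst,dport' lines into dicts, skipping blanks and comments."""
    records = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        records.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)})
    return records


def external_admin_access(records: list) -> list:
    """Signature check: any external source talking to an internal host on 445/3389."""
    alerts = []
    for r in records:
        if r["dport"] in WATCHED_PORTS and is_internal(r["dst"]) and not is_internal(r["src"]):
            alerts.append((r["src"], r["dst"], WATCHED_PORTS[r["dport"]]))
    return alerts


def smb_spread(records: list) -> list:
    """Behavioral check: sliding window of SMB peers per internal source.
    Emits one alert per source, the first time the distinct-peer count in
    the last SPREAD_WINDOW_S seconds reaches SPREAD_THRESHOLD."""
    windows = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["dport"] != 445 or not is_internal(r["src"]):
            continue
        dq = windows[r["src"]]
        dq.append((r["ts"], r["dst"]))
        while dq and r["ts"] - dq[0][0] > SPREAD_WINDOW_S:
            dq.popleft()
        peers = {dst for _, dst in dq}
        if len(peers) >= SPREAD_THRESHOLD and r["src"] not in alerted:
            alerted.add(r["src"])
            alerts.append((r["src"], r["ts"], len(peers)))
    return alerts


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for a in external_admin_access(recs):
        print("ALERT external admin access (src, dst, service):", a)
    for a in smb_spread(recs):
        print("ALERT SMB spread (src, ts, distinct peers):", a)
```

On the sample data the signature fires once, for the external host reaching RDP, and the behavioral rule fires once, for 10.0.1.20 after its fifth distinct SMB peer inside a minute; the second internal host, which only touches two peers, stays below the threshold. The threshold and window are the knobs to tune against your own baseline so that file servers and backup jobs do not trip the rule.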

In addition, CIS offers Albert Network Monitoring, an IDS solution designed specifically for State, Local, Tribal, and Territorial (SLTT) government agencies in the United States. Using a custom signature set, Albert is effective at identifying ransomware and other malware, and its signatures are updated regularly to protect against the latest threats.