Preventing ransomware attacks – Preemptive measures


Ransomware incidents have increased significantly in recent years, with recent attacks against a US pipeline company and a US software company affecting managed service providers (MSPs) and their downstream customers.

Ransomware is malware that encrypts files on a device, rendering the files and the systems that rely on them inoperable. Malicious actors have traditionally demanded a ransom in exchange for decryption. Malicious actors have refined their ransomware tactics over time to be more destructive and impactful. Malicious actors are increasingly stealing data and threatening to sell or leak it—including sensitive or personal information—if a ransom is not paid. These data breaches can result in financial losses for the victim organization and a loss of customer trust.

All organizations are vulnerable to ransomware attacks and are responsible for safeguarding sensitive and personal data stored on their systems. This article provides information on preventing ransomware-caused data breaches for individuals and organizations.

Preventing ransomware attacks

1. Encrypted backups

Maintain offline, encrypted backups of your data, take them on a regular schedule, and test restores regularly. Backups must be kept offline because many ransomware variants try to locate and delete or encrypt any backups they can reach.

2. Cyber incident response plan

Make, keep, and practice a cyber incident response plan, a resiliency plan, and an associated communications plan. The response plan should include response and notification procedures for ransomware incidents. The resiliency plan should address how to proceed if access to or control of critical functions is lost.

3. Vulnerabilities and misconfigurations

Mitigate internet-facing vulnerabilities and misconfigurations to reduce the attack surface available to threat actors.

The first step is to secure Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors commonly gain initial network access through exposed and poorly secured remote services and then deploy ransomware from that foothold.

Audit the network for RDP systems, close unused RDP ports, enforce account lockouts after a certain number of failed login attempts, use multi-factor authentication (MFA), and log RDP login attempts.
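The logging advice above only pays off if someone looks at the log. The following is an added example (not from the article) of the kind of check a defender runs over RDP logon records: it groups Windows Security Event ID 4625 (failed logon) entries with logon type 10 (RemoteInteractive, i.e. RDP) by source address and alerts when one source produces a burst of failures, which is the pattern the recommended account-lockout policy is meant to stop. The event records are constructed JSON lines in the shape of the relevant fields; the field names follow the Windows event schema, the threshold and window values are assumptions.

```python
"""Detect RDP password-guessing bursts from Windows Security events.

Added example, not from the article. The records below are constructed
JSON lines carrying the Event ID 4625 fields that matter here. Logon type
10 is RemoteInteractive, i.e. an RDP session.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three failed RDP logons from one source within a
# minute, one failed RDP logon from another source, one failed console
# logon (type 2) that an RDP-specific rule must ignore, and one success.
SAMPLE_EVENTS = [
    '{"EventID": 4625, "TimeCreated": "2024-01-10T09:00:01", "TargetUserName": "admin", "IpAddress": "198.51.100.7", "LogonType": 10}',
    '{"EventID": 4625, "TimeCreated": "2024-01-10T09:00:12", "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10}',
    '{"EventID": 4625, "TimeCreated": "2024-01-10T09:00:40", "TargetUserName": "backup", "IpAddress": "198.51.100.7", "LogonType": 10}',
    '{"EventID": 4625, "TimeCreated": "2024-01-10T09:01:05", "TargetUserName": "jdoe", "IpAddress": "203.0.113.9", "LogonType": 10}',
    '{"EventID": 4625, "TimeCreated": "2024-01-10T09:01:10", "TargetUserName": "jdoe", "IpAddress": "-", "LogonType": 2}',
    '{"EventID": 4624, "TimeCreated": "2024-01-10T09:02:00", "TargetUserName": "jdoe", "IpAddress": "203.0.113.9", "LogonType": 10}',
]

RDP_LOGON_TYPE = 10   # RemoteInteractive
FAILED_LOGON = 4625   # "An account failed to log on"


def parse_events(lines):
    """Parse JSON event lines and convert the timestamp to datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def failed_rdp(events):
    """Keep only failed logons that arrived over RDP."""
    return [e for e in events
            if e["EventID"] == FAILED_LOGON and e["LogonType"] == RDP_LOGON_TYPE]


def find_rdp_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: [usernames]} for sources whose failed RDP logons
    reach `threshold` inside any sliding `window` (values are assumptions;
    align them with the lockout policy actually enforced)."""
    by_source = defaultdict(list)
    for e in failed_rdp(events):
        by_source[e["IpAddress"]].append(e)
    alerts = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # Slide the left edge until the window spans at most `window`.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = sorted({e["TargetUserName"] for e in evs[start:end + 1]})
                break
    return alerts


def lockout_candidates(events, threshold=3):
    """Accounts whose failed RDP count meets the lockout threshold; if the
    policy is enforced, these accounts should now be locked."""
    counts = defaultdict(int)
    for e in failed_rdp(events):
        counts[e["TargetUserName"]] += 1
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ip, users in find_rdp_bursts(evs).items():
        print(f"ALERT: {ip} failed RDP logons against {', '.join(users)}")
```

The two functions look at the same events from different angles: a per-source burst across several accounts (password spraying) never trips a per-account lockout, so the source-based view is the one that catches it, while the per-account count confirms the lockout policy is doing its job.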

Scan for vulnerabilities regularly to identify and address weaknesses, particularly on internet-facing devices. For critical infrastructure organizations, vulnerability scanning is a key input to assessing, identifying, and mitigating cyber threats such as ransomware.

Update software as soon as possible, including operating systems, applications, and firmware. Give priority to quickly patching critical vulnerabilities on internet-facing servers and in software that processes internet data, such as browsers, browser plugins, and document readers. If a quick patch is not possible, apply vendor-provided mitigations.

Ensure that devices are properly configured and that security features are enabled; for example, disable ports and protocols that are not used for business purposes. Disable or block inbound and outbound Server Message Block (SMB) traffic at the perimeter and remove or disable outdated SMB versions.

4. Control phishing emails

You can reduce the risk of phishing emails reaching end users by enabling strong spam filters and creating cybersecurity user awareness and training that includes guidance on identifying and reporting suspicious activity (e.g., phishing) or incidents.
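As an added example (not from the article) of what "content scanning and email filtering" means in practice, the script below applies a few static gateway checks to a message before it reaches a user: a lookalike sender domain, SPF/DKIM/DMARC failures recorded by the receiving mail server, dangerous or double-extension attachments, and a raw-IP URL in the body. The two messages, the internal domain `example.com`, and the extension lists are all constructed for the demonstration; a production filter would combine these signals with reputation data rather than block on any single one.

```python
"""Static phishing checks a mail gateway can apply before delivery.

Added example, not from the article. Messages are constructed RFC 5322
samples; the Authentication-Results header mimics what a receiving MTA
writes after evaluating SPF/DKIM/DMARC.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumption: the defended organization
DANGEROUS_EXT = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
MACRO_EXT = {".docm", ".xlsm"}

# Constructed sample: a credential-phishing lure with a disguised executable.
PHISH = """From: "IT Helpdesk" <helpdesk@example-com.support>
To: jdoe@example.com
Subject: Urgent: password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-com.support; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires in 2 hours. Verify at http://198.51.100.7/login
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

TUpt
--b1--
"""

# Constructed sample: an ordinary internal message that must pass.
CLEAN = """From: "Jane Roe" <jroe@example.com>
To: jdoe@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass
Content-Type: text/plain

Thursday at noon works for me.
"""


def scan_message(raw):
    """Return a list of findings; an empty list means no rule fired."""
    msg = message_from_string(raw)
    findings = []
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Cousin/lookalike domain: contains our brand but is not our domain.
    brand = INTERNAL_DOMAIN.split(".")[0]
    if sender_domain != INTERNAL_DOMAIN and brand in sender_domain:
        findings.append(f"lookalike sender domain {sender_domain}")

    # 2. Authentication results recorded by our own MTA.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=fail\b", auth):
            findings.append(f"{mech} failed")

    # 3. Attachment names: executable, macro-enabled, or double extension.
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        lower = fname.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in DANGEROUS_EXT:
            findings.append(f"executable attachment {fname}")
        elif ext in MACRO_EXT:
            findings.append(f"macro-enabled attachment {fname}")
        if lower.count(".") >= 2:
            findings.append(f"double extension {fname}")

    # 4. Links to a bare IP address in the text body.
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace")
    if re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", text):
        findings.append("URL with raw IP address in body")

    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, scan_message(raw) or "no findings")
```

Quarantining on the authentication failures alone would already stop this sample; the attachment and body checks matter for the cases where a sender's domain has no DMARC policy and authentication simply cannot fail.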

5. Practice cyber hygiene

Practice good cyber hygiene:

  • Keep antivirus and anti-malware software and signatures up to date.
  • Implement application allow listing.
  • Limit user and privileged accounts through account use policies, user account control, and privileged account management.
  • Use MFA for all services, particularly webmail, virtual private networks (VPNs), and accounts that access critical systems.
  • Implement cybersecurity best practices across the organization, such as those listed below.

Other best practices

  • Implement an education and training program. Because end users are prime targets, everyone in your organization must be aware of the ransomware threat and how it is distributed.
  • Scan and filter all incoming and outgoing email. Content scanning and email filtering detect threats before they reach end users.
  • Enable robust spam filters to keep phishing emails from reaching end users.
  • Block ads. Ransomware is frequently distributed through malicious advertisements served when visiting particular websites, and ad blocking helps mitigate this risk.
  • Set up firewalls. This lets authorized users reach data while blocking access from known malicious IP addresses.
  • Separate networks logically. This limits the spread of malware: recent variants can propagate freely if every user and server is on the same network.
  • Examine east-west (internal) traffic. Where that traffic is encrypted, inspection can still surface certificate anomalies.
  • Examine north-south traffic. Detect command and control (C&C) traffic by matching IPs, domains, and similar indicators against threat intelligence.
  • Scan the network for artifacts. Use AI-assisted detection of malicious code and dynamic analysis of file behavior to surface threats.
  • Sort data according to its organizational value. Implement physical and logical network and data separation for different organizational units.
  • Manage accounts according to the principle of least privilege. Users should not be granted administrative privileges unless necessary.
  • Use application control on critical systems. Set a default-deny policy for unapproved programs and scripts to prevent ransomware from reaching your critical assets.
  • Patch devices’ operating systems, software, and firmware. Use a centralized patch management system if possible.
  • Create processes for discovering and repairing vulnerabilities.
  • Back up your data regularly. Check the backups for integrity and run the restoration process to ensure it works.
  • Secure your offline backups. Make sure backups are not permanently connected to the computers and networks being backed up.
  • Perform a yearly penetration test and vulnerability assessment.
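Section 1 and the backup items in the list above both call for checking backups for integrity. The following is an added example (not from the article) of the simplest way to do that: record a SHA-256 manifest when the backup set is written, then verify the set against the manifest before trusting a restore. The demo builds a small constructed backup in a temporary directory and then reproduces the three things the article says ransomware does to a reachable backup (overwrites a file with ciphertext, deletes a file, drops a note), so the report shows each case being caught. File names, contents and the `MANIFEST.json` name are assumptions.

```python
"""Hash manifest for verifying an offline backup set.

Added example, not from the article. Files and names are constructed;
MANIFEST.json is an assumed name for the manifest file.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def backup_files(root):
    """Relative paths of every file in the set except the manifest itself."""
    return {str(p.relative_to(root)) for p in root.rglob("*")
            if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(backup_root):
    """Record hash and size of every file; call this when the backup is taken."""
    root = Path(backup_root)
    manifest = {}
    for rel in sorted(backup_files(root)):
        p = root / rel
        manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup_root):
    """Compare the set on disk with the manifest.

    Returns {"ok": [...], "modified": [...], "missing": [...], "unexpected": [...]}.
    Any non-empty list other than "ok" means the backup must not be trusted
    for a restore without investigation."""
    root = Path(backup_root)
    manifest = json.loads((root / MANIFEST_NAME).read_text())
    present = backup_files(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(root / rel) != meta["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(present - set(manifest))
    return report


def demo():
    """Build a constructed backup, then apply the kinds of damage the
    article warns about and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n")
        (root / "payroll.csv").write_bytes(b"id,name,amount\n1,jdoe,1000\n")
        (root / "notes.txt").write_bytes(b"quarterly notes\n")
        write_manifest(root)

        (root / "payroll.csv").write_bytes(os.urandom(64))   # overwritten with ciphertext
        (root / "notes.txt").unlink()                         # deleted
        (root / "README_RECOVER.txt").write_bytes(b"...")     # dropped note
        return verify_backup(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest lives beside the files here for simplicity; because anything that can rewrite the backup can also rewrite the manifest, keep a copy of the manifest (or at least its own hash) on a separate, offline medium, and treat a manifest that fails its own check exactly like a modified backup.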
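The segmentation and east-west/north-south items in the list above describe what to look for without showing how the two views differ. The following is an added example (not from the article) of a flow-record check that does both: for east-west traffic it flags SMB connections that cross segment boundaries, which segmentation should block and which is how file-encrypting malware reaches shares, and for north-south traffic it matches the external endpoint against a threat-intelligence list of command-and-control indicators. The segment map, the indicator list (documentation address ranges, not real indicators) and the flow lines are all constructed for the demonstration.

```python
"""Classify flow records as east-west or north-south and raise alerts.

Added example, not from the article. Segment map, indicators and flows
are constructed; the addresses are documentation ranges, not real IOCs.
"""
import ipaddress
from collections import defaultdict

# Constructed segment map: internal ranges per organizational unit.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "backup":       ipaddress.ip_network("10.30.0.0/24"),
}
# Constructed threat-intelligence feed of C&C addresses.
C2_INDICATORS = {"203.0.113.45", "198.51.100.200"}
SMB_PORT = 445
FAN_OUT_THRESHOLD = 3   # assumption: distinct cross-segment SMB targets per source

# Constructed flow records: src,dst,dport,bytes
FLOWS = """\
10.10.4.21,10.10.4.22,445,2048
10.10.4.21,10.20.1.5,445,90210
10.10.4.21,10.20.1.6,445,88400
10.10.4.21,10.30.0.2,445,51200
10.10.4.21,203.0.113.45,443,1400
10.10.7.9,10.20.1.5,443,3000
10.20.1.5,192.0.2.10,443,5200
"""


def segment_of(ip):
    """Name of the internal segment an address belongs to, or None if external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def inspect(flows):
    """Return a list of (alert_type, source, detail) tuples.

    east-west  : both endpoints internal; cross-segment SMB is flagged, and a
                 source reaching several other segments over SMB is flagged
                 again as fan-out, the shape of a host spreading to shares.
    north-south: one endpoint external; contact with a C2 indicator is flagged."""
    alerts = []
    smb_targets = defaultdict(set)
    for f in flows:
        s_seg, d_seg = segment_of(f["src"]), segment_of(f["dst"])
        if s_seg and d_seg:                                  # east-west
            if f["dport"] == SMB_PORT and s_seg != d_seg:
                alerts.append(("cross-segment-smb", f["src"], f["dst"]))
                smb_targets[f["src"]].add(f["dst"])
        else:                                                # north-south
            external = f["dst"] if d_seg is None else f["src"]
            if external in C2_INDICATORS:
                alerts.append(("c2-contact", f["src"], external))
    for src, dsts in smb_targets.items():
        if len(dsts) >= FAN_OUT_THRESHOLD:
            alerts.append(("smb-fan-out", src, f"{len(dsts)} hosts in other segments"))
    return alerts


if __name__ == "__main__":
    for alert in inspect(parse_flows(FLOWS)):
        print(*alert)
```

In the sample, one workstation touches SMB on three other segments and then reaches a known C&C address; either signal alone is worth a look, and the two together from the same source are the sequence the article's segmentation advice is designed to interrupt, since a correctly enforced segment policy would have denied the SMB flows in the first place.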