Ransomware is a type of malware designed to encrypt files on a target device, denying access to them or rendering them unusable, and then demand a ransom from the user in exchange for decryption. Typically, ransomware spreads through phishing emails or through visits to a malicious website, often without the user realizing it.
In recent years, ransomware incidents have become increasingly prevalent among critical infrastructure organizations and state, local, tribal, and territorial (SLTT) government entities.
According to a 2019 study, ransomware potentially cost the US government, health care providers, and schools approximately 7.5 billion dollars. Statistics for the private sector are harder to find because of the lack of reporting standards, but it is reasonable to assume that similar trends hold in the non-reporting private sector. Ransomware incidents can severely impact businesses, leaving them without the data they need to operate and deliver mission-critical services.
Ransomware incidents are becoming more destructive and impactful, with malicious actors upgrading their tactics over time. They pressure victims for payment and threaten to release stolen data if the victim refuses to pay. The monetary value of ransom demands has also increased exponentially, with some demands exceeding US $1 million. Attackers also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for impacted organizations.
This post focuses on general prevention tips for keeping ransomware attacks at bay.
- Always maintain offline, encrypted backups of data and regularly test your backups. Offline backups are essential because many ransomware variants attempt to find and delete any accessible backups.
- Always maintain updated “gold images” of critical systems and image “templates” that include a preconfigured operating system (OS) and associated software applications, so that systems can be rebuilt and quickly redeployed in the event of an incident. In addition to system images, store source code and executables with the backups.
- Create and maintain a ransomware response checklist and a basic cyber incident response plan that includes notification and response procedures for any ransomware incident.
- Conduct regular vulnerability scanning of your network to identify and address vulnerabilities, especially on internet-facing devices, to limit the attack surface.
- Regularly patch and update operating systems, internet-facing servers, and software that processes internet data, such as web browsers, document readers, and browser plugins, for known vulnerabilities.
- Ensure devices are appropriately configured with their security features enabled. Apply best practices for the use of Remote Desktop Protocol (RDP) and other remote desktop services.
- Audit your network for systems using RDP, close unused RDP ports, apply multi-factor authentication (MFA), enforce account lockouts after a specified number of failed attempts, and log every RDP login attempt.
- Block or disable outbound Server Message Block (SMB) traffic and remove or disable outdated versions of SMB, since threat actors use SMB to propagate malware across organizations.
- Implement a cybersecurity awareness and training program that teaches staff how to identify and report suspicious activity, such as phishing, and incidents.
- Conduct company-wide phishing tests to increase user awareness and reinforce the importance of identifying potentially malicious messages and emails.
- Implement adequate filters at the email gateway to filter out emails with known malicious indicators, such as suspicious Internet Protocol (IP) addresses and known malicious subject lines.
- Implement a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification to lower the chance of spoofed or modified emails from valid domains. DMARC's reporting function allows both senders and receivers to monitor and improve protection against fraudulent email.
- Disable macro scripts in Microsoft Office files transmitted via email, since macros can be used to deliver ransomware.
- Ensure anti-malware and antivirus software are up to date.
- Use application directory allowlisting on all assets to ensure that only authorized software can run and all unauthorized software is blocked from executing.
- Implement an intrusion detection system (IDS) to identify command and control activity and other potentially malicious network activity that can occur before ransomware deployment.
- Implement risk management and cyber hygiene practices for third parties or managed service providers (MSPs). If a third party is responsible for maintaining your organization’s backups, ensure that they follow the applicable best practices.
- Employ multi-factor authentication for all services, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Apply the principle of least privilege to all services and systems so that users have only the access they need to perform their jobs. Restrict users' permissions to install and run unauthorized software, and limit the ability of local administrator accounts to log in from a local interactive session. Remove unnecessary groups and accounts, restrict root access, and audit user accounts regularly.
- Create a comprehensive asset management system so you know the inventory of your organization’s IT assets, both logical (e.g., software and data) and physical (e.g., hardware). Identify which data or systems are mission-critical for health and safety, revenue generation, or other critical services, along with their interdependencies.
- Retain and secure logs from network devices and local hosts to support triage and remediation of cybersecurity events. Set up centralized log management using a security information and event management (SIEM) tool so the organization can correlate logs from network and host security devices.
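The RDP item above asks for lockouts after a set number of failed attempts and for every RDP login attempt to be logged. The following is an added example, not code from the original post, showing what a defender can do with those logs: it scans constructed Windows Security events (4625 failed logon, 4624 successful logon, LogonType 10 = RDP) for sources that hit a lockout-style threshold inside a sliding time window, then highlights any such source that still managed to log on, which is the case a lockout policy should have prevented.

```python
# Added example (not from the original post): flag bursts of failed RDP
# logons in Windows Security events. Event 4625 = failed logon, 4624 =
# successful logon, LogonType 10 = RemoteInteractive (RDP). The sample
# events below are constructed for illustration, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # mirrors an account-lockout threshold
WINDOW = timedelta(minutes=10)  # span in which THRESHOLD failures raise an alert

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2024-01-15T08:00:01", 4625, 10, "jdoe", "203.0.113.7"),
    ("2024-01-15T08:00:03", 4625, 10, "asmith", "203.0.113.7"),
    ("2024-01-15T08:00:05", 4625, 10, "admin", "203.0.113.7"),
    ("2024-01-15T08:00:08", 4625, 10, "svc_backup", "203.0.113.7"),
    ("2024-01-15T08:00:11", 4625, 10, "jdoe", "203.0.113.7"),
    ("2024-01-15T08:00:40", 4624, 10, "jdoe", "203.0.113.7"),   # success after burst
    ("2024-01-15T08:02:00", 4625, 2, "bwong", "10.0.0.5"),       # console logon, not RDP
    ("2024-01-15T08:05:00", 4625, 10, "bwong", "198.51.100.2"),
    ("2024-01-15T09:30:00", 4625, 10, "bwong", "198.51.100.2"),  # outside the window
]

def rdp_failure_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: peak_failures} for sources whose failed RDP logons
    reach `threshold` within any `window`-long span (sliding window)."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, _account, ip in events:
        if event_id == 4625 and logon_type == 10:
            failures[ip].append(datetime.fromisoformat(ts))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts

def success_after_burst(events, alerts):
    """Sources that crossed the threshold and also logged on over RDP:
    the top-priority finding, since a lockout policy should have stopped them."""
    return sorted({ip for _, eid, lt, _, ip in events
                   if eid == 4624 and lt == 10 and ip in alerts})
```

Run `success_after_burst(SAMPLE_EVENTS, rdp_failure_bursts(SAMPLE_EVENTS))` to get the sources worth triaging first; in a real deployment the tuples would come from the SIEM export of your RDP hosts' Security logs.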