How to Defend against Ransomware
Ransomware has become wildly successful over the last few years and seen a recent spike since working from home measures have been in place. It works by using malicious software to extort money from the victims with promises of restoring encrypted data. Like other computer viruses, it usually finds its way onto a device by exploiting a security hole in vulnerable software or by tricking somebody into installing it.
Since the first trace of ransomware was found in 2005, ransomware has become one of the most challenging cyber threat today and an extremely lucrative industry for criminals.
That’s not a surprise, given how often victims pay fraudsters to free their infrastructure from the crippling malware. Experts urge organisations not to negotiate with criminal hackers, yet many do. Two of the top three ransomware pay-outs of all time were two local Florida governments of Riviera Beach and Lake City, paying out in excess of $1 million to cyber criminals.
The cost of not paying the ransom could be significantly worse, one example of this being Norsk Hydro, a global aluminium producer.
Norsk Hydro had 22,000 computers across 170 different sites in 40 countries infected, practically bring production to a stand still. Despite that Norsk Hydro's Chief Information Officer Jo De Vliegher refused to negotiation with the hackers. Three months after the attack in March 2019, Norsk Hydro announced it had "so far cost more than £45m."
Most of the ransomware attacks that have taken place in the past have been linked to poor protection practices by employees.
More recently though security reports have shown a large increase in phishing email attacks where macros are the method of infection, and 98% of ransomware attacks are targeted to Microsoft Office applications. Preparing to deal with ransomware is important. Not having an adequate mitigation strategy in place in order to respond before your data is encrypted can be devastating.
Top tips for defending against ransomware
Fortify your network layered security Periodically review your network defenses and determine if they are adequate to deal with the latest threats. Implemented next gen anomaly Intrusion Detection Systems, advanced Malware detection and protection, real time end-point protection solutions with the latest behavior based analysis tools.
Strengthen your existing email security Determine if your current email gateway has the capabilities to perform real-time inspection and detection to completely dissemble email attachments and downloads to remove potential malware threats that use hidden triggers to bypass detection.
Review your current backup strategy Keep data safe and the backup network separate and encrypted. Use a separate network account to perform backups. It is always a best practice to ensure that your network administrator’s account is not used to perform backups in the event that their credentials are compromised. Regularly back up your systems. This enables you to wipe your systems in the event of a ransomware attack and restore previous, accessible versions of your information. Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
Implement user accounts restrictions Limit your network user’s access to resources, remove local admin rights, and ensure access to their network drives have the appropriate security. Use a tool to perform periodic user access reviews.
Enhance your patch management Review your patch management strategy, if you don’t have one, it is important to develop it. Prioritise patching of critical systems and applications. Finally, run vulnerability scans to help ensure patches are deployed. Apply patches as soon as they are released. Vendors often release updates that fix vulnerabilities that could be exploited. As soon as a patch is announced, criminals are alerted about the weaknesses, exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.
Deploy a security monitoring tool Deploying a security incident event monitoring (SIEM) tool is one of the most important components to detecting and proactively responding to malware attacks. Ensure that file integrity is monitored; unexpected or unauthorised file integrity changes are important indications of a potential ransomware attack.
Train your users Educating your users will help mitigate security risks. Having a security awareness plan to educate your first line of defence, your users, is probably as important as any security tool. - Users must be able to recognise phishing emails, understand the threat they pose, and know what to do, and not to do, when they receive these types of emails. Phishers will try to trick employees into installing malware, or gain intelligence for attacks by claiming to be from a legitimate source. - If you’re going to be using public wireless Internet, make sure you use a trustworthy Virtual Private Network (VPN) when accessing public Wi-Fi. Hire a security service provider to develop, social engineer, and email Phishing campaigns in order to test your users’ abilities to recognise potential threats.
Make use of Security Software - Enable software features that reduce or prevent malicious software from affecting a machine, e.g. exploit protection settings. - Purchase antivirus solutions that can detect ransomware and alert your Information Security team to the attack. It’s important to use antivirus software from a reputable company because of all the fake software out there.
Configure Firewalls Correctly Deploy firewalls that use blacklists of known command and control centres that are updated through security feeds to prevent malware contacting the criminals who planted it to get instructions or encryption keys, or download additional malicious modules. Maintaining a strong firewall and keeping your security software up to date are critical.
Finally, it could be argued that paying the ransom only encourages and funds future attacks. Also worth noting that paying does not guarantee that access to your data will be given back to you. But following the steps above should put yourself and your business in the best possible position to avoid ransomware attacks.
For further Ransomware help or advice, CentriVault is here to help you. Please free feel to get in contact with us.