It’s been the scourge of businesses globally for several years now, and shows no sign of abating – ransomware, which makes ransomware attack prevention crucial.
Not a new threat, but growing in seriousness over the last few years, aided by the ease for the criminals of getting paid via various cryptocurrencies, coupled with the increasing digitalization of society and businesses which has increased our reliance on our IT systems.
In this article we’ll look at how to prevent your business falling victim to a ransomware attack. As you can probably guess, this isn’t simple – “just run antivirus software” was OK twenty years ago, but in today’s risk landscape a more holistic approach is required.
This is also not an enterprise only danger, as small and medium business are often soft targets, with smaller budgets and less focus on cyber security.
We’ll break it down into two parts, first what to do to prevent ransomware attacks in the first place, and second, what to do if that fails and an attack is in progress.
Fundamental Steps to Prevent Ransomware Attacks
It starts with backup – if all else fails you need offline, encrypted copies of your data, preferably stored in immutable cloud storage.
Criminals know this of course, and will often lurk in your environment for months, corrupting, encrypting or otherwise invalidating your backup files, to ensure that when your production systems and files are encrypted, and you attempt to restore your files, you can’t. This will significantly increase the likelihood of payment.
Backup is boring and routine, and often fades into the background. To combat this, you need to test restoring both data and full systems regularly and ensure that the process is well documented which leads to successful restorations.
The benefit of immutable cloud storage can’t be underestimated, as the data stored there can’t be altered or deleted (until it’s expiry date).
Don’t forget the systems themselves. Attackers will focus on your data, as this is the one thing a modern business can’t function without, but having up to date documentation and templates for your infrastructure components will help immensely when the pressure is on, and everything is down.
Use Infrastructure as Code (IaC) for cloud services, this will also speed up recovery considerably.
The next step after backup is adopting a Zero Trust architecture. This requires many different improvements to technology, process and people, but is fundamentally a mind shift. Here we’ll focus on a few different core pillars, such as strong, cloud based, identity verification.
Using just usernames and passwords to access business data is no longer sufficient. Implement Multi Factor Authentication (MFA) for everyone, ideally phishing resistant technologies such as FIDO2 hardware keys, or Windows Hello for Business (biometrics).
This involves a technology component (requiring the right technology), as well as processes (addressing scenarios like someone leaving their key at home or securely onboarding new staff) and people (ensuring everyone knows how to authenticate and what to do in case of a suspicious authentication prompt, for example).
A part of Zero Trust is also making sure not to overprovision permissions and run regular access reviews to ensure that staff (and external users) only have the permissions they require.
For administrative users, have separate account for their day-to-day user account, and if you have on-premises Active Directory, as well as a cloud directory, have separate, different admin accounts for each environment to minimize the risk of attackers pivoting from one to the other.
Another part of zero trust is network segmentation (easy to do in public clouds, hard to do on-premises) so that if an attacker gains a foothold, they don’t automatically have access to everything on “the inside”.
Keeping all operating systems up to date with the latest security patches is important and challenging. Add to that keeping firmware of all systems, as well as all installed applications patched, and this becomes a huge task.
Make sure to use automation as much as possible to achieve this. Hand in hand with patching is asset inventory – you can’t protect what you don’t know exists so use a good system for this. And the yin to the asset inventory yang is vulnerability management, scanning all systems for security vulnerabilities.
This is a Sisyphean effort, as new vulnerable attack surfaces are continually found in software, assigned CVEs and CVSS scores, and then you find out that they’re in your environment, then you patch them, and while you do that, more vulnerabilities are found.
Thoroughly investigate your Mobile Device Management (MDM) and Remote Monitoring and Management (RMM) tools, ensure they have only the permissions they need, and keep them up to date, they have enormous reach across your digital estate and have been used to compromise many enterprises.
Technical Steps to Stop Ransomware Attacks
Now we’ll go a bit deeper into technical controls to implement, again the focus is on preventing a ransomware attack, but this will also decrease your overall attack surface.
Block the Remote Desktop Protocol (RDP) protocol and only allow access where necessary, and then only from specific designated systems. Also implement MFA to protect remote access and Secure Shell (SSH) access.
Disable SMB v1 and implement SMB signing and SMB encryption in a Windows network. Implement Local Admin Password Solution (LAPS) with Entra ID (formerly Azure AD) to ensure each device has a unique local administrator password, making lateral movement harder for attackers.
Pay attention to PowerShell remoting security settings, enable Remote Credential Guard and use either Defender Application Guard plus Applocker (very hard to implement at scale) or Airlock Digital. And if you’re using PowerShell for management at scale, enable logging.
Change the default usernames and passwords for any new device (particularly networking gear) and implement a good password manager (in small environments) or an enterprise password vault for larger businesses.
If you have in-house software applications that store accounts and passwords, ensure a good hashing algorithm is used, such as BCrypt with a high work factor. Similarly, keep offline backups of your source code in case of a successful ransomware attack.
If you have to provide user VPN access, ensure that the device or server is hardened and kept up to date, and enforce MFA authentication for every VPN connection.
For your DNS resolution infrastructure, implement protective DNS filtering services which will close security gaps, block malicious links and help in preventing ransomware attacks.
Malicious emails are still the preferred method for the attackers to gain initial access so email hygiene is vital. Use SPF, DKIM and DMARC along with a strong advanced threat protection (ATP) solution to keep suspicious emails with a malicious link or suspicious email attachments out of user’s inboxes.
Being Prepared for Ransomware Threats
So far, we’ve covered preventative measures, and two of the zero trust pillars (strong authentication and least privilege access), the third pillar is assuming breach.
You can do everything possible (given the IT security team and budget), but you must also plan for when these controls fail, and malware ransomware attacks are in progress or have been discovered.
This starts with having a cyber incident response plan. Depending on the size and industry vertical your business is in, the content will vary, but at a minimum it must define:
- Which data protection regulations or data breach notification laws you must comply with, and what their timeframes and bodies to report a breach to are.
- Which systems are business critical and must receive the highest level of protection, and in which order should they be recovered in an emergency situation.
- How systems can be isolated from the network, and step by step instructions for recovering business critical systems.
- The hierarchy of decisions related to a major cyber incident. If all your systems are down, and your important data unrecoverable, except by paying the ransom (and thus getting the decryption key), who makes that decision? If the criminals in question (where this can be ascertained) are sanctioned entities – can a payment even be made? If you’re going to use a ransomware negotiation service, do you have one “lined up” for when disaster strikes? The more you have thought about and prepared for these situations, the more smoothly it will go when everyone is under immense pressure.
- The plan must be practiced. Turn off systems to simulate successful attacks (make sure to consult with relevant business stakeholders ahead of time and select low traffic times to do this). Run tabletop simulations with system administrators, security teams and the leadership team to identify gaps in processes and remedy them.
Apart from having a plan to manage a ransomware infection, keeping the plan up to date and practicing it frequently, you must have the right security tools in place.
Endpoint Detection and Response (EDR) on every endpoint is required, preferably augmented with eXtended Detection and Response (XDR) solutions that doesn’t just look at endpoint security, but also takes into account network traffic, mobile devices, identity, cloud services etc.
All this telemetry and alerting will be for nought, however, if you don’t have staff to monitor incoming warnings. Especially in small and medium businesses, it’s not uncommon to find in the aftermath of a ransomware attack that the signs were there in security applications, but no one was looking.
A solution here is Security Information and Event Management (SIEM), which ingests data from all your EDR, XDR and email hygiene solutions, analyzes it for cyber threats and presents incidents in a single pane of glass.
Ultimately this enables your security teams to go beyond a reactive approach and merely reacting to alerts defined in your various security tools, to taking a proactive approach and using the collected data to do threat hunting.
To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.
Preventing ransomware infection isn’t easy, and it takes a lot of work to harden your operating systems, networks and cloud environments as you have seen in this article. It’s also an ongoing process that requires constant investment as threat actors refine their ransomware variants and perfect their social engineering tactics.
Furthermore, it’s not just a technical problem, you must also involve everyone in the business and build a security culture where all human users recognize the risks and work together for ransomware protection. But it can and must be done – the alternative is too risky.
How can ransomware attacks be prevented?
There are many steps required to harden your systems, authentication and identity systems and especially improving your “human firewalls” through security awareness training – all leading to a stronger security posture, and to ransomware prevention.
What are the two main defenses against ransomware?
You need strong identity authentication, using MFA, plus a strong email hygiene solution to prevent a malicious attachment, for example becoming the initial access point.
Can you protect yourself from ransomware?
Yes, there are many steps outlined in this article that you can use to increase the ransomware resistance and cyber security resiliency of your organization to make it much less likely that you’ll be compromised.