Part 2 – How to prevent ransomware like a pro
If there’s one call a CISO never wants to get, it’s the news that operations are shutting down across the company because ransomware has locked access to critical files.
While Lumen regularly works with companies to deal with successful ransomware infections, prevention is better – and cheaper – than cure. The first article in our three-part series explored the history and evolution of ransomware. Now, we’re going to tell you how you can help prevent a ransomware infection. To increase your chances of success, these measures should target both people and technical infrastructure.
1. Educate and enforce
A comprehensive cybersecurity policy is the key to protecting your employees against ransomware threats. Security guidance should include thinking twice before opening attachments, not inserting unfamiliar external media (such as USB keys) into a device, and not clicking on unknown links.
As phishing is a top delivery vector for ransomware, it is vital to warn employees about activities that could indirectly help phishing attackers. For example, oversharing on social media (posting photographs of your office or divulging details of your team structure) can give phishers valuable information that can make attacks more convincing.
2. Secure endpoints
Even those with the best of intentions sometimes make mistakes. That’s why it’s important to implement technical protections. On the client side, these include locking down endpoint USB access with group policies and implementing appropriate endpoint protection software.
Configuring the Windows Firewall is another robust defense against ransomware trying to infect machines across the network. Disabling some local endpoint functions is also a useful hardening measure if they are not being used. These include Windows Script Host (which controls the use of VBScript files) and PowerShell. Closing Remote Desktop Protocol (RDP) ports on machines that don’t use them is also an excellent anti-ransomware measure, as RDP is a popular infection vector for ransomware.
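The endpoint controls listed above (USB lockdown, Windows Script Host, PowerShell, RDP, Windows Firewall) can be audited and enforced from an elevated PowerShell session. The script below is an added example, not code from the Lumen post; it assumes the USBSTOR service `Start` value, the Windows Script Host `Enabled` value, `fDenyTSConnections` and PowerShell script block logging are the controls you have chosen, and the rule name `Block inbound RDP (hardening)` is a made-up label.

```powershell
# Added example (not from the original post): audit the endpoint hardening settings
# discussed above on a Windows host and, with -Apply, enforce them. Run elevated.
param([switch]$Apply)

# Each check: display name, registry path, value name and the hardened value.
# Assumption: these registry-backed settings match what your group policy expects.
$checks = @(
    @{ Name = 'Windows Script Host disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value = 'Enabled'; Hardened = 0 },
    @{ Name = 'USB mass storage driver disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Hardened = 4 },
    @{ Name = 'Remote Desktop connections denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Hardened = 1 },
    @{ Name = 'PowerShell script block logging enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging'; Hardened = 1 }
)

foreach ($c in $checks) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $shown   = if ($null -eq $current) { 'unset' } else { $current }
    $ok      = ($current -eq $c.Hardened)
    $status  = if ($ok) { 'OK' } else { 'NEEDS ATTENTION' }
    '{0,-42} current={1,-6} {2}' -f $c.Name, $shown, $status
    if ($Apply -and -not $ok) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Hardened -Type DWord
    }
}

# Windows Firewall: block inbound RDP (TCP 3389) so the listener is unreachable even if
# someone later re-enables Remote Desktop on the host.
$ruleName = 'Block inbound RDP (hardening)'   # constructed rule name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    "Firewall rule '$ruleName' present: OK"
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block -Profile Any | Out-Null
    "Firewall rule '$ruleName' created"
} else {
    "Firewall rule '$ruleName' missing: NEEDS ATTENTION"
}
```

Run without `-Apply` first to see which settings deviate, and apply the RDP controls only on machines that are not administered over RDP, preferably through group policy rather than per host.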
3. Implement back-end security
Embedding security protections at the infrastructure level is also a crucial layer of defense to prevent client-side compromise. Protect groups of machines using mail content scanning and filtering, and with IP blocking rules driven by robust threat intelligence services such as Lumen’s.
Securing the gateway between clients and the public internet helps to prevent infection but it’s also important to protect east-west traffic inside an organization. Ransomware operators often move laterally through a target’s infrastructure looking for assets. Segmenting your network infrastructure will help to stop them.
Complement these measures with a least-privilege approach to access. Limiting employee access to only the applications and data they need will help to prevent ransomware from using an infected account’s privileges when spreading throughout the organization.
4. Patch software and build policy
Another aspect of cybersecurity hygiene is software patching, which applies at both the server and the client level. In their 2021 Spotlight Report on ransomware, RiskSense and Cyber Security Works (CSW) noted 18 application-level Common Vulnerabilities and Exposures (CVE) entries tied to ransomware when cross-referencing their research, covering not just individual applications such as WordPress and Drupal, but broader frameworks including Java, PHP, and ASP.NET. Companies must look further than patching just those vulnerabilities with high CVSS scores to thwart ransomware, the report points out. Much of the ransomware it examined used older, lower-scoring vulnerabilities that companies might not prioritize under rudimentary vulnerability management programs.
RiskSense also noted a rise in other vulnerabilities, including those in backup and storage appliances and perimeter security equipment such as virtual private network (VPN) software and gateways. Taken together, this complex landscape of security weaknesses highlights the need to work with a partner that takes a comprehensive approach to vulnerability management.
The RiskSense report highlighted another worrying trend in the security loopholes that ransomware can exploit: Software as a Service (SaaS). This category of cloud-based application services is becoming a more popular attack vector. As ransomware crooks find and capitalize on cloud-based weaknesses, employees choosing their own online services without approval put the entire company at risk of ransomware infection. Creating and enforcing a policy that defines approved online applications is critical to curbing the rise of shadow IT.
5. Protect your data and manage your risk
As anyone who has been on the sharp end of a ransomware attack will tell you, effective backups are crucial in stopping attackers from holding your data hostage. This means more than merely syncing files to your network drive or Dropbox account.
Much modern ransomware is smart enough to find backed-up data on local network shares and encrypt that, too. Services that replicate local changes to a cloud-based file storage system could also replicate ransomware encryptions. To truly protect data, maintain regular file backups that are air-gapped from production systems.
While backups are non-negotiable in ransomware prevention, they are no longer enough to protect you in a rapidly changing attack environment. Double-extortion ransomware is increasingly common, in which attackers steal data while encrypting it. They then threaten to publish the data unless the victim pays up.
Limit your vulnerability to double-extortion attacks by conducting an information risk analysis. Understand what information assets you are storing and map their level of protection against their sensitivity. Assess the impact on the organization should that data be stolen and made public.
This exercise is a useful foundation for a broader information strategy that will define what information you store, where, and how, along with who is responsible for maintaining it. It also paves the way for deeper conversations about what data you need to collect. Privacy legislation such as Europe’s General Data Protection Regulation (GDPR), which also affects many US companies, warns against collecting more personal data than is necessary.
Tackle these cybersecurity tasks now and you’ll be far less likely to get that dreaded ransomware call in the future. Comprehensive ransomware prevention involves a lot of heavy lifting. Working with a trusted third party, like Lumen, can help you accelerate this process and harden your organization quickly.
Discover how we can help to protect you against this threat, and how to mitigate an existing compromise.
This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. ©2021 Lumen Technologies. All Rights Reserved.