Ransomware Prevention Best Practices
A thriving industry of holding data hostage has emerged out of the malicious software known as ransomware. The FBI’s Internet Crime Complaint Center (IC3) states in its Internet Crime Report for 2020 that it received a record number of ransomware complaints that year. Attributing the rise in cybercrime to the organizational chaos caused by the coronavirus pandemic, The IC3 reported 2,474 ransomware attacks with adjusted losses exceeding $29.1 million in all. As the cause of steep losses in finances and reputation, no organization can afford to lack a ransomware response plan.
What is Ransomware?
Ransomware is a form of malicious software designed to block access to a computer system and its data until a ransom is paid, usually in the form of cryptocurrency. The ransomware makes data unusable by encrypting all of the data it finds, which usually brings a company’s operations to a halt. Ransomware operators promise to return the compromised data to the victims once the ransom is paid, but more often than not, they take the money and run without returning the data. There are many ways ransomware can infect computer networks, but the most common points of entry are less sophisticated than it might sound. Ransomware attacks commonly begin as simply as cracking weak passwords, exploiting security vulnerabilities, and sending phishing emails.
The good news is that these attacks can be prevented with the right tools and the right mindset, as you will see in these five best practices for ransomware prevention. While there is no panacea for avoiding ransomware attacks, the most effective plan lies in a combination of best practices and reliable security solutions.
5 ways to Prevent Ransomware
1. Hacking Humans
Ransomware attacks usually start small and the weakest link is a negligent workforce. Ransomware operators craft simple phishing emails designed to trick employees into clicking on a malicious link or opening an infected attachment. No matter how robust your security systems are, a workforce not trained to recognize the signs of social engineering schemes will keep the door open for ransomware. Regularly drill your employees in social engineering tests, enforce good password policies, and use multi-factor authentication.
Something as preventable as a weak password is too often the starting point for crippling ransomware attacks. Organizations using Specops Password Auditor stay one step ahead of ransomware attacks by scanning Active Directory for weak or compromised passwords. Combined with Specops Password Policy, organizations can set password policies and enforce compliance before cybercriminals have a chance to find your weak passwords before you do.
2. 3-2-1-1 Backup Plan
Avoiding ransomware in the first place is ideal, but not everything will go according to plan. You can get your systems up and running without delay if you keep a secure backup of your most important data—or better yet, four of them.
A new addition to the classic 3-2-1 rule for backup, the 3-2-1-1 principle advises storing four separate copies of your data: two stored locally in different formats, one stored offline, and one saved in an immutable format. Immutable data can’t be altered as there is no key to “unlock” it with, like with encrypted data. Distributing your recovery strategy across four separate backups will rule out the temptation to pay the ransom or hire external professionals to rebuild your systems.
3. Zero Trust
The evolving threat landscape has driven the innovation of the zero-trust security model. The basic principle of zero trust is to treat every user, device, and request in your network as if it originates from an untrusted external source. In other words: never trust, always verify.
Zero trust architecture involves a wide range of best practices, but it has its foundation in two key principles: least privilege and de-parameterization.
Least privilege involves granting users the least amount of access needed for their work rather than granting permissions based on the implicit trust inherited from the organization. Implicit trust architectures more easily succumb to malicious insiders and hijacked corporate accounts, as in the case of a successful phishing campaign. De-parameterization addresses the fact that remote work and remote applications have distributed the boundaries of a company beyond its physical walls. Simply being on-site is no longer a sign of an employee’s implicit trustworthiness, so to repeat: never trust, always verify.
4. Update Your Systems
Along with social engineering tactics, outdated and vulnerable systems are the most common attack vectors for ransomware. Update your applications and operating systems as soon as new patches become available, and retire any legacy technology you may have on your network. Legacy software and hardware were designed to deal with different threats than modern ones, as ransomware operators know well. To take a famous example, the WannaCry attack owes its success to the 200,000 compromised machines running the 30-year-old SMB v1 protocol, with the help of the EternalBlue exploit kit.
5. Network Segmentation
Ransomware can only do so much damage if it targets an isolated part of the network. This is the principle of network segmentation—the practice of dividing a computer network into many sub-networks with limited connectivity between them. Employ the use of firewalls to maintain a barrier of separation between each part of the network and closely monitor the traffic flowing between them. Network segmentation is especially crucial for organizations in regulated industries where data regulations like HIPAA and PCI-DSS must be strictly adhered to.
In summary, here are five best practices to consider when fortifying your information systems.
- Regularly train your workforce to recognize the signs of a social engineering attack.
- Store at least four backups: two locally-stored copies in different formats, one offline copy, and one immutable copy.
- Never trust, always verify.
- Apply the latest security patches as soon as they become available.
- Limit the spread of ransomware by separating your network into segmented sub-networks.
(Last updated on July 12, 2022)