How to Mitigate Ransomware Attacks
Mitigating the risk of ransomware requires a layered set of security controls rather than any single product. Organizations of all types and sizes must plan for how they will prevent, detect and recover from ransomware attacks.
Every organization is a potential target of orchestrated ransomware campaigns, not merely a bystander that might be hit by accident. When considering how to prevent ransomware attacks, experts agree that five fundamental areas require every organization’s full attention.
1. Data protection
2. System security
3. Regular testing
4. Early detection
5. Recovery plans
Let’s look at each of these in turn.
How Can Enterprises Mitigate Risk of a Ransomware Attack?
Knowing how to prevent ransomware attacks starts within an organization. The following are proven tactics to mitigate the risk of a ransomware attack.
- Backups
Maintain at least two copies of each backup and store them on different types of media, disconnected from the primary network. At least one of those copies should be kept offline (air-gapped), and it should also be immutable: data can be written once but never updated or deleted, a strategy known as WORM (write once, read many). Immutability matters because ransomware operators routinely look for reachable backups and delete or encrypt them before detonating, so a backup that an administrator credential can erase is a backup the attacker can erase too.
- Email awareness training
Teach users to be suspicious of unexpected emails and not click on links or open files from unknown senders.
- Multi-factor authentication
Multi-factor authentication (MFA) requires a user to present at least two of the following three types of credentials:
1. Something the user knows (e.g., a password or personal identification number (PIN))
2. Something the user has (e.g., a hardware token, ID card or smartphone)
3. Something the user is (e.g., a fingerprint or other biometric)
- Secure networks
Require that users connect only through trusted connections (for example, the corporate VPN rather than open public Wi-Fi) when off the organization’s network.
- Security questions
Require users to answer one or more questions when resetting their password, always using information that is not publicly available or easily guessed. Treat security questions as a weak fallback only; they should never stand in for MFA on the reset path.
- Software patches and updates
Install all software updates and patches as soon as they are made available.
- Strong passwords
Unique for each device or account, a strong password:
1. Does not include any personal information
2. Contains special characters
3. Is built from random words or phrases rather than a single dictionary word
4. Is sufficiently long (length contributes more to strength than character-class rules do)
5. Mixes uppercase and lowercase letters
- Unique accounts
Create unique accounts for each user per device and employ the principle of least privilege, giving users access only to the information that is needed.
Regular Backups to a Cloud File Server
Backup and disaster recovery (BDR) combines data backup and disaster recovery to ensure an organization’s resilience and operational continuity. While data backup and disaster recovery are different, most organizations use them together.
- In addition to being good data management practice, regular backups to a cloud file server are a proven way to limit the damage of a ransomware attack. They do not stop the intrusion, but they expedite recovery when files are encrypted: files can be restored from the cloud, allowing operations to resume with minimal disruption.
- Remember that ransomware attacks are often slow-moving. Attackers dwell in a network, spreading the malware and staging it with “time-bombs”, and detonate it only once a critical mass of systems is infected. Backups taken during that dwell period may therefore already contain infected or encrypted files. Backups to a cloud file server should keep versions of the data from multiple points in time, retained long enough to cover the dwell period, so that a clean copy is available when restoration is needed.
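As an added illustration of the two backup rules above (immutable, write-once storage, and retaining several points in time so that a clean copy survives the attackers’ dwell period), here is a small Python model of a WORM snapshot store with a restore-point selector. It is example code written for this article, not Egnyte’s product code; the class and function names, the entropy threshold, the marker extensions and the sample files are assumptions.

```python
"""Added example (not Egnyte's code): a versioned, write-once backup store and a
restore-point selector that skips snapshots poisoned by ransomware.  The class
and function names, the entropy threshold and the sample files are assumptions
made for this illustration."""
import math
import random
from collections import Counter
from types import MappingProxyType


class ImmutableBackupStore:
    """Append-only store of point-in-time snapshots (WORM semantics).

    Each snapshot is exposed as a read-only mapping of path -> bytes.  Existing
    snapshots can be read but never rewritten or deleted, so a later ransomware
    run cannot destroy the earlier clean versions.
    """

    def __init__(self):
        self._snapshots = []  # index == snapshot id, oldest first

    def snapshot(self, files):
        """Record a new version of the file set and return its snapshot id."""
        frozen = MappingProxyType({p: bytes(d) for p, d in files.items()})
        self._snapshots.append(frozen)
        return len(self._snapshots) - 1

    def versions(self):
        """Snapshot ids, newest first (the order a restore should try them in)."""
        return list(range(len(self._snapshots) - 1, -1, -1))

    def read(self, snap_id):
        return self._snapshots[snap_id]

    def delete(self, snap_id):
        # WORM storage refuses deletion, even from an administrator account.
        raise PermissionError(f"snapshot {snap_id} is immutable and cannot be deleted")


def shannon_entropy(data):
    """Bits per byte of the empirical byte distribution, from 0 to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, data, threshold=7.0):
    """Heuristic: ransomware output is near-random (high entropy) and is often
    renamed with a marker extension.  Either signal counts."""
    renamed = path.endswith((".locked", ".encrypted", ".crypt"))
    return renamed or shannon_entropy(data[:4096]) > threshold


def encrypted_fraction(snapshot):
    """Share of files in a snapshot that look encrypted."""
    if not snapshot:
        return 0.0
    return sum(looks_encrypted(p, d) for p, d in snapshot.items()) / len(snapshot)


def select_clean_restore_point(store, max_encrypted_fraction=0.05):
    """Newest snapshot whose contents pass the health check, or None."""
    for snap_id in store.versions():
        if encrypted_fraction(store.read(snap_id)) <= max_encrypted_fraction:
            return snap_id
    return None


def build_demo_store():
    """Constructed sample: two clean daily snapshots, then one taken after
    ransomware encrypted most of the share (deterministic pseudo-random bytes
    stand in for ciphertext)."""
    text = b"Q3 forecast: revenue up 4%, headcount flat. " * 40
    day1 = {"finance/forecast.xlsx": text,
            "hr/policy.docx": text[:800],
            "eng/design.md": b"# Design\n" + text[:500]}
    day2 = {**day1, "eng/design.md": b"# Design v2\n" + text[:600]}
    rng = random.Random(1)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))
    day3 = {"finance/forecast.xlsx": ciphertext,          # encrypted in place
            "hr/policy.docx.locked": ciphertext[:800],    # encrypted and renamed
            "eng/design.md": day2["eng/design.md"],       # not yet touched
            "README_TO_DECRYPT.txt": b"Your files are encrypted. Contact us to pay."}
    store = ImmutableBackupStore()
    for day in (day1, day2, day3):
        store.snapshot(day)
    return store


def demo():
    """Returns the snapshot id a restore should use for the constructed store."""
    store = build_demo_store()
    try:
        store.read(2)["eng/design.md"] = b"tampered"  # read-only mapping refuses
    except TypeError:
        pass
    return select_clean_restore_point(store)


if __name__ == "__main__":
    print("restore from snapshot", demo())
```

The selector walks versions newest to oldest and skips any snapshot in which more than 5% of files look encrypted, which is why the poisoned third snapshot is passed over in favour of the second. In production the same logic runs against the backup catalogue, and immutability is enforced by the storage platform (object lock, WORM tape) rather than by a Python class; the point of the model is that the restore path must be able to reach back past the most recent version.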
Ransomware Detection Tools
When considering ways to prevent ransomware attacks, anti-virus is necessary but not sufficient. Ransomware is a particularly virulent kind of malware, and the key to preventing it is a multi-solution approach. Among the ransomware detection and prevention tools that experts recommend are the following.
- Backup systems
- Behavior-based detection systems
- Deception-based detection (e.g., honeypots and canary files)
- Dedicated ransomware detection
- File management systems
- File protection
- Security suites
- Spyware protection
Cybersecurity Best Practices
Many cybersecurity best practices are required to protect against ransomware attacks. Following are a few recommended tactics.
- Apply the principle of least privilege to all systems and services
- Audit users’ accounts regularly
- Configure firewalls to block access to known malicious IP addresses
- Employ logical or physical means of network segmentation
- Employ MFA
- Have redundancy for backups
- Limit the ability of a local administrator account to log in from a local interactive session and prevent access via a remote desktop protocol (RDP) session
- Maintain a comprehensive network diagram that describes systems and data flows
- Remove unnecessary accounts and groups
- Restrict root access
- Restrict users’ permissions to install and run software applications
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end-users
- Set up a centralized log management solution
- Understand and inventory IT assets, both logical (e.g., data, software) and physical (e.g., hardware)
- Use a file management system
- Use strong passwords
Two-Factor Authentication to Prevent Ransomware Attacks
Two-factor authentication (2FA) dramatically reduces intrusions that begin with compromised credentials (e.g., from phishing, social engineering, password brute-force attacks or use of stolen credentials). A type of multi-factor authentication (MFA), 2FA strengthens login security by requiring two independent methods to verify a user’s identity: usually something the user knows, such as a password, and something the user has, such as a smartphone app or hardware token. One caveat: one-time codes delivered by SMS or generated by an app can still be phished by a site that relays them to the real login in real time, so phishing-resistant methods such as FIDO2/WebAuthn security keys are preferred for administrator and other high-value accounts.
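To make the “something the user has” factor from the MFA list above and from this section concrete, here is an added example, written for this article and not Egnyte code, of how an authenticator app and the server each compute the same six-digit code from a shared secret and the clock (RFC 4226 HOTP and RFC 6238 TOTP). The verifier class, its one-step skew window and the replay rule are assumptions for the illustration; the secret is the RFC 6238 test secret so the outputs can be checked against the published vectors.

```python
"""Added example (not Egnyte's code): the arithmetic behind the "something the
user has" factor.  This is an RFC 4226/6238 HOTP/TOTP generator and a server-side
verifier written for this article; the class name, the skew window and the
replay rule are assumptions for the illustration."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from the clock, floor(t / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits, algorithm)


class TotpVerifier:
    """Server side: accept codes for the current step and `window` steps either
    side (clock skew), but never accept a step at or before the last one used,
    so an intercepted code cannot be replayed."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_counter = -1

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        counter = int(at // self.step)
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_accepted_counter:
                continue  # already consumed: reject replays of an older code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_counter = candidate
                return True
        return False


def secret_from_base32(seed):
    """Authenticator apps are provisioned with the shared secret as base32."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


# Shared secret from RFC 6238 Appendix B, so the outputs can be checked against
# the published test vectors (e.g. T=59 -> 94287082 with SHA-1, 8 digits).
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    print("RFC vector T=59:", totp(RFC_TEST_SECRET, at=59, digits=8))
    print("current code:  ", totp(secret_from_base32(RFC_TEST_SECRET_B32)))
```

Note what this does and does not protect against. An attacker who only has the password cannot produce the code without the secret or the device, which is the whole gain over single-factor login. A phishing page that relays the victim’s code to the real site within the same 30-second step still gets in, which is why the verifier’s replay check is necessary but not sufficient and why phishing-resistant factors are preferred for high-value accounts.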
Implement Security Policies and Procedures
- Apply security controls according to established frameworks and guidance, such as NIST (National Institute of Standards and Technology) publications, CISA (Cybersecurity and Infrastructure Security Agency) guidance and CMMC (Cybersecurity Maturity Model Certification)
- Assess risks to identify vulnerabilities
- Create an incident response plan
- Keep track of where critical data is stored
- Maintain an exhaustive inventory of systems—and know which handle critical functions
- Require regular security awareness training
- Set up systems for having suspicious emails forwarded to the IT and security teams
- Test all systems and processes on an ongoing basis
Monitoring and Analysis of Audit Logs
Identifying patterns of activity on networks is another way to prevent ransomware attacks. Using logging and monitoring systems, administrators can aggregate and analyze security, network, server, and endpoint logs to identify anomalous behavior, often a ransomware indicator. Monitoring and analysis of audit logs also help identify root causes and can mitigate the impact of ransomware.
To effectively use monitoring and analysis of audit logs, it is necessary to:
- Establish a baseline for activities in the environment
- Gather all data from every system that connects to the network in any way
- Continuously aggregate and analyze all data
- Filter out as much noise as possible
- Place digital tripwires to sound alarms when activity is detected in unusual areas
- Store data history to help with forensics in the event of a ransomware attack
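The six steps above can be exercised end to end on a file-server audit log. The following is an added Python example written for this article, not Egnyte’s product code: it learns a per-user baseline of writes per minute from a training period, filters out a known bulk writer as noise, then scores a live window for rate spikes and for any modification of a canary (tripwire) file. The JSON-lines log format, the user and path names, the canary path, the 3-sigma rule and the floor value are all constructed assumptions.

```python
"""Added example (not Egnyte's code): baseline-and-tripwire analysis over file
server audit logs.  The JSON-lines log shape, the user and path names, the
canary path, the 3-sigma rule and the floor value are all assumptions
constructed for this article."""
import json
import math
from collections import defaultdict

CANARY_PATHS = {"shared/finance/.~budget_canary.xlsx"}  # decoy nobody should modify
NOISE_USERS = {"svc-backup"}  # known bulk writer; excluded so it cannot skew the baseline
WRITE_OPS = ("write", "rename", "delete")


def parse(lines):
    """One JSON object per line with keys ts (epoch seconds), user, op, path."""
    return [json.loads(line) for line in lines if line.strip()]


def writes_per_minute(events):
    """{user: {minute_bucket: count}} over write-like operations, noise removed."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["op"] in WRITE_OPS and e["user"] not in NOISE_USERS:
            counts[e["user"]][e["ts"] // 60] += 1
    return counts


def build_baseline(events, floor=5):
    """Learn what 'normal' looks like: per-user limit = mean + 3 * stddev of
    writes per minute over the training period, never below `floor`."""
    baseline = {}
    for user, buckets in writes_per_minute(events).items():
        vals = list(buckets.values())
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)
        baseline[user] = max(floor, mean + 3 * math.sqrt(var))
    return baseline


def analyze(events, baseline, default_limit=5):
    """Alerts for (1) a user's write rate blowing through their baseline, the
    signature of bulk encryption, and (2) any modification of a canary file."""
    alerts = []
    for user, buckets in writes_per_minute(events).items():
        limit = baseline.get(user, default_limit)
        for minute, n in sorted(buckets.items()):
            if n > limit:
                alerts.append(("rate_spike", user, minute * 60, n))
    for e in events:
        if e["path"] in CANARY_PATHS and e["op"] != "read":
            alerts.append(("canary_touched", e["user"], e["ts"], e["op"]))
    return alerts


def build_demo_logs():
    """Constructed sample logs.  Training: 84 quiet minutes.  Live window at
    minute 100: alice works normally, bob mass-renames files to .locked and
    touches the canary, and the backup service does its usual bulk write."""
    def line(ts, user, op, path):
        return json.dumps({"ts": ts, "user": user, "op": op, "path": path})

    training = []
    for minute in range(84):
        for k in range(10 + minute % 7):      # alice: 10..16 writes per minute
            training.append(line(minute * 60 + k, "alice", "write", f"shared/docs/a{k}.docx"))
        for k in range(2 + minute % 3):       # bob: 2..4 writes per minute
            training.append(line(minute * 60 + k, "bob", "write", f"shared/eng/b{k}.md"))

    live = [line(6000 + k, "alice", "write", f"shared/docs/a{k}.docx") for k in range(12)]
    live += [line(6000 + k % 50, "bob", "rename", f"shared/eng/f{k}.md.locked") for k in range(150)]
    live.append(line(6010, "bob", "write", "shared/finance/.~budget_canary.xlsx"))
    live += [line(6000 + k % 50, "svc-backup", "write", f"backup/{k}.bak") for k in range(900)]
    return training, live


def demo():
    """Learn from the training log, then score the live window; returns alerts."""
    training, live = build_demo_logs()
    return analyze(parse(live), build_baseline(parse(training)))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two design points carry over to a real deployment. The noise filter is deliberate: without it the nightly backup job would inflate every baseline and hide the spike. And the canary rule is not statistical at all; a single write to a decoy nobody is supposed to touch is enough to page someone, which is the “digital tripwire” from the list above.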
Indicators of Ransomware Attacks
When it comes to ransomware, the next best thing to prevention is early detection, and knowing the indicators of an attack in progress is what makes early detection possible. A few of the early warning signs of a ransomware attack are:
- Network scanning from an internal host (attackers mapping the network before spreading)
- Small-scale test attacks (a few machines encrypted ahead of the main event)
- Software removal programs or scripts attempting to disable or uninstall security software, such as anti-virus solutions
- Suspicious emails
- Unauthorized Active Directory access attempts (e.g., bursts of failed logons or unexpected privilege changes)
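Three of the indicators above (network scanning, disabling of security software, and unauthorized Active Directory access attempts), plus audit-log clearing as a closely related sign, can be expressed as simple rules over event data. The block below is an added example written for this article, not Egnyte’s code, run over constructed Windows-style security events and firewall connection records; the host names, addresses, the `target_role` field, the service-name list and all thresholds are assumptions.

```python
"""Added example (not Egnyte's code): rule-based detection of the early warning
signs listed above, run over constructed Windows-style security events and
firewall connection records.  Host names, addresses, event shapes, the
`target_role` field and all thresholds are assumptions for this illustration."""
from collections import defaultdict

# Windows event IDs the rules key on:
#   4625  an account failed to log on
#   7036  a service entered the running or stopped state
#   1102  the audit log was cleared
AV_SERVICES = {"WinDefend", "Sense", "MsMpSvc"}  # assumption: protection services to watch


def detect_scans(conns, window=60, min_targets=20):
    """Network scanning: one source reaching many distinct host:port pairs
    within `window` seconds (e.g. an SMB sweep before lateral movement)."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c["src"]].append((c["ts"], c["dst"], c["dport"]))
    alerts = []
    for src, rows in by_src.items():
        rows.sort()
        best, lo = 0, 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            best = max(best, len({(d, p) for _, d, p in rows[lo:hi + 1]}))
        if best >= min_targets:
            alerts.append(("network_scan", src, best))
    return alerts


def detect_av_tampering(events):
    """Security software being stopped (a removal attempt usually starts here)."""
    return [("security_software_stopped", e["host"], e["service"])
            for e in events
            if e.get("event_id") == 7036 and e.get("state") == "stopped"
            and e.get("service") in AV_SERVICES]


def detect_ad_bruteforce(events, window=300, min_failures=10):
    """Unauthorized AD access attempts: many 4625 failures against a domain
    controller from the same source host inside `window` seconds."""
    fails = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4625 and e.get("target_role") == "dc":
            fails[(e["source_host"], e["host"])].append(e["ts"])
    alerts = []
    for (src, dc), times in fails.items():
        times.sort()
        for i in range(len(times) - min_failures + 1):
            if times[i + min_failures - 1] - times[i] <= window:
                alerts.append(("ad_bruteforce", src, dc, len(times)))
                break
    return alerts


def detect_log_clearing(events):
    """Attackers clear audit logs to cover their tracks; 1102 always merits an alert."""
    return [("audit_log_cleared", e["host"], e["user"]) for e in events if e.get("event_id") == 1102]


def run_all(events, conns):
    return (detect_scans(conns) + detect_av_tampering(events)
            + detect_ad_bruteforce(events) + detect_log_clearing(events))


def build_demo_events():
    """Constructed sample in which workstation WS-17 (10.0.5.23) is patient zero."""
    conns = [{"ts": 1000 + i, "src": "10.0.5.23", "dst": f"10.0.1.{i}", "dport": 445}
             for i in range(1, 31)]                       # SMB sweep of a /24 in 30 s
    conns += [{"ts": 1000 + 7 * i, "src": "10.0.5.40", "dst": "10.0.1.5", "dport": 443}
              for i in range(40)]                         # one host, repeatedly: normal
    events = [{"ts": 1100, "host": "WS-17", "event_id": 7036,
               "service": "WinDefend", "state": "stopped"}]
    events += [{"ts": 1200 + 3 * i, "host": "DC01", "target_role": "dc", "event_id": 4625,
                "source_host": "WS-17", "user": f"user{i}"} for i in range(15)]
    events.append({"ts": 1300, "host": "DC01", "event_id": 1102, "user": "admin"})
    events.append({"ts": 1400, "host": "WS-02", "event_id": 7036,
                   "service": "Spooler", "state": "stopped"})   # benign stop: no alert
    return events, conns


def demo():
    events, conns = build_demo_events()
    return run_all(events, conns)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Each rule on its own produces some false positives (a vulnerability scanner looks like a scan, a patch window stops services), so in practice these are correlated: the same host tripping two or more of them within minutes is the signal worth waking someone for, and that is exactly the pattern the constructed sample shows for WS-17.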
How to Prepare to Prevent Ransomware Attacks
There are many ways to prevent ransomware attacks. Knowing about them is important, but incorporating them into the organization’s security program is the only way to actually mitigate ransomware. Each organization is different, so consider the approaches above and choose the combination of controls that best fits.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers and millions of users worldwide.
Last Updated: 16th August, 2022