Ransomware Prevention: What to Do Before, During & After an Attack
Ransomware prevention and protection are possible.
Ransomware prevention has rapidly become one of the most urgent issues at organizations across the globe. With an attack occurring roughly every 11 seconds in recent years, businesses have been scrambling to find the best ways to protect themselves.
Solutions for preventing ransomware include everything from anti-malware software to proper employee training. Below, we’ll look at some of the most important measures to implement within your business continuity plan, along with some emerging technologies that will play an increasingly important role in keeping these cyberattacks at bay.
What is Ransomware?
Ransomware is a form of malware that encrypts computer data and then demands ransom money in exchange for restoring access to the encrypted files.
Back in 2016, the FBI warned that ransomware was on track to extort over $1 billion a year from a wide variety of organizations. But the true cost of these attacks goes far beyond the ransom payouts. As of 2021, ransomware was causing $20 billion a year in damages worldwide.
Some of the most common targets for ransomware include:
- School districts
- Government agencies
- Law enforcement agencies
- Small to large businesses
A common form of attack comes through email, which is disguised as an invoice, receipt or other business communication. The emails often come with an attachment that contains the malicious code. When the user opens the attachment, the malware infects the machine.
The FBI explains, “Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to.”
Increasingly, attacks also occur when users visit a website that has been infected with malicious code. These can be sites linked from the same malicious emails or, in some cases, completely legitimate websites. That was the case in March 2016, when corrupted ads on nytimes.com and several other major media outlets infected thousands of visitors’ computers with ransomware.
Why the Need for Ransomware Prevention?
Ransom demands have skyrocketed over the last few years, especially as attackers have increasingly targeted larger institutions. Cybersecurity experts suggest the average ransom payment in early 2022 was somewhere between $200,000 and $300,000.
Ransomware is increasingly aimed at organizations rather than individuals, because such attacks are more lucrative. Organizations with highly sensitive data are more willing to pay larger sums to regain access (and restore their operations).
In one high-profile ransomware hospital attack in 2016, Hollywood Presbyterian Medical Center paid $17,000 to hackers (the initial ransom demand was $3.4 million) after the hospital’s computers remained infected for over a week. This caused an internal emergency at the hospital, forcing it to divert patients to other medical centers.
The cost of a ransomware infection can extend far beyond the expense of paying the ransom alone. When businesses lose access to critical data, operations are disrupted and productivity is lost. New expenses arise for emergency data restoration and even new infrastructure, and credibility suffers with clients and customers who are adversely affected by the downtime.
Some recent ransomware statistics highlighted in The Atlantic show that ransomware costs businesses at least $75 billion a year when factoring in these expenses.
That is why ransomware prevention has quickly become such a critical component of business continuity planning.
The Two Sides of Ransomware Prevention
Defending against ransomware is a two-sided coin: prevention and response. Organizations must consider:
- How to prevent a ransomware attack from occurring in the first place: What processes, training procedures and technologies can help to reduce the risk of an attack?
- How to resolve the problem if an attack does occur: How will the business respond to a ransom demand? How can it avoid it? How can data be restored without paying the ransom?
Let’s look at the first of these two concerns.
1) Ransomware Prevention
The FBI advises several important steps for preventing a ransomware attack, starting with employee training.
It’s important to remember that a devastating, network-wide ransomware infection often begins with a “simple” mistake by an employee: opening a suspicious email attachment containing the ransomware virus. This is why training staff is so important. Employees must know what to look for, what the risks are and why it’s so important to practice utmost caution.
- Conduct cybersecurity training for all employees annually.
- Training should also be conducted as part of the onboarding program for new hires.
- Employees should be trained on how to handle emails from unknown senders, how to spot a potential phishing attack, how to ensure safe Internet usage, etc.
A strong spam filtering system can help to prevent phishing and other malicious emails from ever reaching staff inboxes. The FBI also recommends authenticating inbound email with technologies like Sender Policy Framework (SPF).
- Use/enable DMARC (Domain-based Message Authentication, Reporting and Conformance) to authenticate mail senders and prevent email spoofing.
- Make sure your email systems also use DKIM (DomainKeys Identified Mail) to detect forged sender addresses in email (a common method for phishing and spam emails).
- Larger organizations should consider deploying anti-spam hardware for more advanced filtering.
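A quick way to check what your own domain actually publishes, as an added example that is not part of the FBI guidance or this page: the functions below grade constructed SPF and DMARC TXT records for the hypothetical domain example.test, flagging a permissive SPF ending and a monitor-only DMARC policy. The domain and record contents are assumptions, and no DNS queries are made.

```python
SAMPLE_RECORDS = {  # constructed records for a hypothetical domain; no DNS lookups are made
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}

def parse_dmarc(record):
    """Split a DMARC record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record):
    """Return the weaknesses found in an SPF record (empty list if none)."""
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record"]
    terms = record.split()[1:]
    # The 'all' mechanism decides what happens to senders not listed before it.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["SPF has no 'all' mechanism; unlisted senders are not rejected"]
    if all_term.lower() in ("all", "+all"):
        return ["SPF ends in +all, which authorizes any host to send"]
    if all_term == "?all":
        return ["SPF ends in ?all (neutral), which offers no protection"]
    if all_term == "~all":
        return ["SPF ends in ~all (softfail); -all is stricter"]
    return []

def assess_dmarc(record):
    """Return the weaknesses found in a DMARC record (empty list if none)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings

def assess_domain(domain, records=SAMPLE_RECORDS):
    """Assess the SPF and DMARC records published for a domain."""
    return {"spf": assess_spf(records.get(domain, "")),
            "dmarc": assess_dmarc(records.get("_dmarc." + domain, ""))}
```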
Access Control & Privileged Accounts
In the event that someone does inadvertently open an infected file, you could significantly curb the spread of the infection by limiting write access to only those who absolutely need it. Manage the use of privileged accounts and configure file, directory and network share permissions appropriately.
- Always apply the principle of “least privilege.” Limit users, services and hosts from accessing data and systems that are outside their immediate responsibility.
- Use “just in time privileges.” Restrict raised privileges on a case-by-case basis: only when they are needed at the time.
Incidents of ransomware attacks on mobile phones and other digital devices are on the rise. Security on these devices is just as critical as on any other workstation on your network. The FBI recommends patching the OS, software and firmware on such devices, ideally through a centralized patch management system.
- Keep up-to-date inventories of all systems, so that all devices, operating systems and third-party applications are carefully documented.
- Create a patch management policy to establish what should be patched and when. For example, since some systems will likely need to be patched more frequently than others, this should be documented in your patch management policy.
The FBI advises that organizations should “Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (for example: temporary folders supporting popular Internet browsers, compression/decompression programs).”
- In addition to Software Restriction Policies (SRP), use application whitelisting to block the installation and execution of all applications except those that are on the approved list.
- Disable macro scripts from Office files sent by email. Use Office Viewer software to safely preview document attachments without fully opening them in the application.
Network firewalls & IP blocking
Tighten network security to prevent ransomware and other threats from entering your systems in the first place. One important component of this is blocking access to known malicious IP addresses. Lists of these IPs are sometimes referred to as Threat Intelligence Feeds. Some feeds can be obtained for free, while others are premium feeds available through select cybersecurity firms. They are usually available in various formats, such as STIX (typically delivered over TAXII) or CSV/plain text.
- Establish a firewall configuration change plan. This involves periodically reviewing and updating your firewall configurations to ensure they continue to provide the strongest protection, especially against new threats.
- Use network penetration tests and simulated cyberattacks to test whether your network firewalls can be compromised.
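Turning such a feed into a firewall blocklist safely, as an added example that is not from the page or any feed vendor: the code below parses a constructed CSV feed with Python's standard ipaddress module, rejects entries that would be harmful to block (internal ranges, a /0, malformed lines) and merges the rest into the smallest set of CIDRs. The feed lines are constructed and the rejection rules are assumptions.

```python
import ipaddress

# Constructed sample feed (not a real intelligence feed): comments, bare IPs,
# CIDRs, a duplicate, an RFC 1918 address, a malformed entry and a /0.
SAMPLE_FEED = """# source: constructed-example-feed
# indicator,confidence,first_seen
198.51.100.23,high,2022-01-10
198.51.100.24,high,2022-01-10
203.0.113.0/25,medium,2022-01-11
203.0.113.128/25,medium,2022-01-11
198.51.100.23,high,2022-01-12
10.0.0.5,low,2022-01-12
not-an-ip,low,2022-01-12
0.0.0.0/0,low,2022-01-13
"""

# Ranges that must never be taken from an external feed: blocking them would
# cut off your own hosts, and a /0 or similar would block the whole Internet.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_feed(text):
    """Return (networks, rejected): usable external networks and (entry, reason) pairs."""
    networks, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indicator = line.split(",")[0].strip()
        try:
            net = ipaddress.ip_network(indicator, strict=False)
        except ValueError:
            rejected.append((indicator, "malformed"))
            continue
        if net.prefixlen < 8:
            rejected.append((indicator, "overbroad prefix"))
        elif any(net.overlaps(i) for i in INTERNAL):
            rejected.append((indicator, "internal range"))
        else:
            networks.add(net)
    return networks, rejected

def build_blocklist(text):
    """De-duplicate and merge adjacent ranges into the smallest CIDR list, per address family."""
    networks, _ = parse_feed(text)
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses([n for n in networks if n.version == version])
    return [str(n) for n in merged]
```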
Implementing anti-virus and anti-malware software is critical. These systems should be set to update and scan on a regular basis. While many ransomware infections are caused by new strains of malware that might not be detected, many attacks use well-known variations that would otherwise be stopped by a good anti-malware solution.
- In addition to server protection, anti-malware software should also be used on all endpoint devices. If it’s connected to the network, it should be scanned regularly for malware.
- Set anti-malware to generate audit logs. Regular log collection creates records of all IT activity, including suspicious activity, which is critical to understanding the nature of security incidents.
Businesses should already be backing up data regularly as part of their continuity planning. With a proper backup and recovery system in place, an organization should be able to restore data after an infection. Be sure to check the integrity of those backups to ensure they can be restored without failure. Additionally, the FBI warns: “Make sure [backups] aren’t connected to the computers and networks they are backing up.”
- Use a hybrid backup approach to store backups locally with replication in the cloud. This will provide assurance that data can be restored even if on-site infrastructure is destroyed or inaccessible.
- Look for backup systems that have built-in ransomware prevention. For example, the Datto SIRIS helps to prevent ransomware by scanning each backup for signs of an infection. This allows admins to respond faster and prevent ransomware from spreading further.
Disable Remote Desktop Protocol
If it’s not being used, disable it. Cybersecurity experts at Palo Alto Networks say that Remote Desktop Protocol is still “the most popular ransomware attack vector and has been for years.” Many businesses have an ongoing need for RDP, including for accessing virtual machines or enabling remote IT support. But often RDP is left exposed on a forgotten system, making it vulnerable to attack. This is why it’s critical to disable RDP if it’s not being used.
- Secure RDP by limiting access to only the IP addresses that need access. Instead of banning all the IP addresses that don’t need access, allow only the addresses that do.
- Require strong passwords to prevent brute force attacks.
- Consider putting RDP behind a VPN. Requiring users to connect to a VPN before logging into RDP takes RDP off the Internet and removes the exposure to Internet-facing brute-force attacks.
Segment / Separate Networks & Data
In short, don’t put all your eggs in one basket, accessible to everyone. The FBI strongly recommends that businesses “categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.” This will make it harder for ransomware to spread across one large network to infect all your data.
- Categorize data by type and the degree of sensitivity. This allows you to quickly apply security policies to the most sensitive parts of your network, while protecting data more efficiently.
- Continually monitor segmented networks to ensure the architecture is secure; identify gaps in your subnetworks that could be exploited.
- Limit third-party access to all networks to minimize exploitable entry points.
2) Ransomware Response
Even with the preventative measures above in place, an infection can still happen. What then? Here are some important steps and systems to consider for properly responding to a ransomware attack.
Early Detection & Data Rollback
Detecting the first sign of an infection is key to stopping an attack in its tracks. As soon as an infection is detected, businesses should roll back to clean data backups right away. The problem here, however, is that most businesses don’t discover the infection until it’s too late. That’s why data-protection companies like Datto have introduced new technology, built into their backup systems, that automatically detects a ransomware attack and notifies administrators to immediately revert to a healthy backup.
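The scan-each-backup idea mentioned with the Datto SIRIS above and the early detection described here can be illustrated with an added example that is not Datto's or the page's code: the functions below compare consecutive backup snapshots (constructed in-memory dicts of path to bytes) and flag the snapshot in which the number of high-entropy, encrypted-looking files jumps, naming the prior snapshot as the rollback point. The entropy threshold and snapshot contents are assumptions, and the pseudo-random bytes merely stand in for ciphertext.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data):
    """Bits per byte; plain text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data, threshold=7.2, min_size=256):
    """Tiny files give noisy entropy, so only files of some size are judged."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold

def compare_snapshots(previous, current):
    """Count encrypted-looking files before and after, plus paths that vanished."""
    enc_before = sum(looks_encrypted(d) for d in previous.values())
    enc_after = sum(looks_encrypted(d) for d in current.values())
    missing = sum(1 for p in previous if p not in current)
    return {"encrypted_before": enc_before, "encrypted_after": enc_after, "missing": missing}

def assess_snapshots(snapshots, ratio=0.5):
    """Walk ordered (label, files) snapshots; return (alert, rollback_to, flagged).

    Alert when the count of encrypted-looking files jumps by at least `ratio`
    of the previous file count. Comparing against the previous snapshot keeps
    files that were always high-entropy (archives, images) from triggering alone.
    """
    for (prev_label, prev), (label, cur) in zip(snapshots, snapshots[1:]):
        stats = compare_snapshots(prev, cur)
        jump = stats["encrypted_after"] - stats["encrypted_before"]
        if jump >= ratio * max(len(prev), 1):
            return True, prev_label, label
    return False, snapshots[-1][0], None

def pseudo_random(seed, blocks=64):
    """Deterministic high-entropy bytes standing in for ciphertext (not encryption)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))

# Constructed snapshots: a clean baseline, a normal edit, then one in which
# every file was rewritten as high-entropy data under a new extension.
DOC = b"Quarterly invoice for services rendered. Payment is due in 30 days.\n" * 20
SNAP_CLEAN = {"docs/invoice.docx": DOC, "docs/notes.txt": DOC, "archive/2021.zip": pseudo_random(b"zip")}
SNAP_EDITED = {**SNAP_CLEAN, "docs/notes.txt": DOC + b"Reviewed by finance.\n"}
SNAP_INFECTED = {p + ".locked": pseudo_random(p.encode()) for p in SNAP_CLEAN}
SNAPSHOTS = [("snap-01", SNAP_CLEAN), ("snap-02", SNAP_EDITED), ("snap-03", SNAP_INFECTED)]
```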
When an infection is detected, the infected computer should be removed from the network as soon as possible. This may help to prevent the malware from infecting other computers and shared drives on the network.
The FBI recommends powering off all other devices on the network that have not yet been infected. Even if the infection spreads across the network initially, shutting down other computers and servers can help to contain the damage and allow more time for cleaning and recovering data.
Take backup systems offline, if they aren’t already. Before reverting to a backup, administrators should make sure it is clean and hasn’t been infected by the ransomware.
Reporting the incident to authorities is extremely important, even if you feel the situation is under control. The FBI strongly encourages organizations to contact their nearest FBI field office immediately after discovering a ransomware attack. The FBI can also provide assistance for properly responding to the attack.
After removing the infected system from the network, change all online account passwords and network passwords. Additionally, when the infection has been removed from the system, you should change all system passwords.
“What if we just pay the ransom?”
When weighing the cost and time to restore your system after an attack vs. simply paying the ransom, you may be faced with a difficult decision. The attackers know this. They often keep the ransom demands under $2,000, knowing that many unprepared businesses would rather pay up than sink into an even more costly recovery process.
However, the FBI discourages businesses from paying a ransom unless it is deemed absolutely necessary after careful consideration of the situation.
If your organization is leaning toward paying the ransom, here are a few warnings to keep in mind:
- Paying the ransom is a gamble. It doesn’t guarantee that you will be given the decryption keys that were promised.
- The FBI reports that some victims were asked to pay even more money after paying the initial ransom. Other organizations never received their decryption keys at all.
- Some businesses that have paid the ransom were attacked additional times later on.
It’s also worth noting that paying the ransom effectively reinforces the business model of ransomware. As long as organizations keep paying up, you can be sure these attacks will keep happening.
Ransomware Prevention FAQ
1. How can ransomware attacks be prevented?
Ransomware attacks can be prevented with a multifaceted cybersecurity strategy that includes anti-malware software, routine system patching, strong network firewalls and user education on safe practices for email and Internet use.
2. What is the best defense against ransomware?
Routine system patching and cybersecurity training are two of the best defenses against ransomware. User training can significantly reduce the risk of infection through deception, such as phishing and spam emails. System patches remove known vulnerabilities that are commonly exploited by hackers.
3. Can ransomware be decrypted?
Some types of ransomware can be decrypted without a decryption key, especially if the encryption was not done properly. Ransomware decryption tools are available from select cybersecurity firms, such as Avast, Kaspersky, AVG and Emsisoft.
Keep in mind that only a handful of ransomware strains can be decrypted. Ransomware recognition software can be used to help identify the type of ransomware and confirm if a decryption tool is available.
Learn More about Combatting Ransomware
Invenio IT specializes in enterprise-grade business continuity solutions for small businesses, including advanced data backup and ransomware prevention technologies from Datto. Contact our business continuity specialists for more information on protecting your organization from a ransomware attack and other disaster scenarios. Visit www.invenioIT.com, call (646) 395-1170 or email us at success@invenioIT.com.