With the surge in ransomware attacks over the past two years, businesses have been scrambling for ways to combat these threats. Even as ransomware gangs ramp up their efforts against sectors such as financial services, many organizations have been caught flat-footed and lost critical data to ransomware operators. In the past year, big names such as Accenture, Colonial Pipeline, and even the NBA have been hit by ransomware. The big distinction between them, however, is the severity of the impact. While Colonial Pipeline halted its pipeline operations and caused gasoline shortages throughout the east coast, organizations that were prepared to weather the storm have been able to massively reduce the fallout of an attack.
With this in mind, we have put together a list of the top 5 tips to stop ransomware in its tracks.
1. Secure your Endpoints
While not every endpoint needs to be hardened to the point of DoD STIG compliance, it’s crucial that good endpoint protection is in place to prevent ransomware from taking hold. Endpoint management solutions are critical for managing, protecting, and isolating compromised user devices from the rest of the network. Ideally, a centralized endpoint management service should be used to remove standing local administrator rights, enforce application allowlisting (whitelisting), manage device encryption, and remotely wipe infected devices. There are a variety of solutions on the market to fit just about any budget, so small businesses don’t have to immediately spring for the most expensive and well-known management platforms.
2. Patch, patch, patch
All mission-critical assets must be routinely patched. While some ransomware strains exploit zero-day vulnerabilities, those don’t remain unknown for long; the vast majority of ransomware gets in through known vulnerabilities in outdated clients and services. Consistently applying security updates is one of the most basic steps you can take to protect the backbone of your business operations. Neglecting high-priority security updates, particularly on externally facing hardware and services, is just inviting ransomware operators to take a swing at your defenses.
3. Backups are more than just for show
The single biggest process that mitigates the impact of a ransomware attack is a robust backup infrastructure. When a system is infected with ransomware, system owners are given an ultimatum: pay the ransom or lose all data on the system. That ultimatum loses its power if they have recent backups of the encrypted data. With a recent backup or image of the device, wiping the infected machine and restoring from the backup becomes the obvious answer, and the question becomes much simpler: which utility do you use to nuke the drive from orbit? (Backups do not address the threat of leaking stolen data that many operators now add to the ransom demand, but they do remove the operator’s hold over your ability to keep operating.)
As for how to set up comprehensive backup procedures, this will vary a lot based on the needs of the specific company and which critical assets cannot afford to be lost to encryption. Two requirements hold regardless: at least one copy must be unreachable from the hosts being backed up (offline, or on storage the backed-up host cannot write to), because ransomware routinely encrypts any backup it can reach, and restores must be tested rather than assumed to work. There are plenty of commercial options that promise mindless scheduled backup and restoration, but for a small number of critical assets a dedicated sysadmin could just as easily script out automated backups.
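As an added example (not the post’s own script and not any backup product’s code), here is what such a scripted backup might look like in Python, with the two checks a sysadmin would want built in: a per-file SHA-256 manifest so a restore can be verified file by file, and a hash of the archive itself so a backup that ransomware reached and damaged is detected before anyone relies on it. The directory layout, file contents and the simulated "encryption" pass in `demo()` are constructed for the demonstration.

```python
"""Scripted backup with an integrity manifest and verified restore.
Added example; paths and file contents below are constructed for the demo."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest: Path, label: str) -> tuple:
    """Write dest/<label>.tar.gz plus a manifest recording every file hash and
    the hash of the archive itself. Keep the manifest (or at least the archive
    hash) somewhere the backed-up host cannot write, or it can be altered too."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{label}.tar.gz"
    manifest_path = dest / f"{label}.manifest.json"
    files = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:                      # archive exactly the manifest's files
            tar.add(src / rel, arcname=rel)
    manifest_path.write_text(json.dumps({
        "created": int(time.time()),
        "archive_sha256": sha256_file(archive),
        "files": files,
    }, indent=2))
    return archive, manifest_path


def restore_backup(archive: Path, manifest_path: Path, target: Path) -> list:
    """Verify the archive against its manifest, extract it, and return the
    relative paths whose restored hash does not match (empty means clean).
    Raises ValueError if the archive itself was altered after creation."""
    manifest = json.loads(manifest_path.read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        raise ValueError("archive hash mismatch: backup was altered after creation")
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # rejects path traversal and links
        except TypeError:                           # Python without the filter argument
            tar.extractall(target)
    restored = build_manifest(target)
    return sorted(p for p, digest in manifest["files"].items()
                  if restored.get(p) != digest)


def demo() -> dict:
    """Round trip on constructed data: back up, let a simulated ransomware pass
    overwrite and rename the live files, restore, then tamper with the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (live / "notes.txt").write_text("quarterly review\n")
        archive, manifest = create_backup(live, root / "backups", "nightly")

        # Simulated ransomware: junk bytes over every file, then a new extension.
        for p in [p for p in live.rglob("*") if p.is_file()]:
            p.write_bytes(os.urandom(64))
            p.rename(p.with_name(p.name + ".locked"))

        mismatches = restore_backup(archive, manifest, root / "restored")

        # If the backup share were reachable from the infected host the archive
        # would be damaged too; the stored archive hash catches that before restore.
        with open(archive, "r+b") as f:
            f.write(b"\x00\x00\x00\x00")
        try:
            restore_backup(archive, manifest, root / "restored2")
            tampered_detected = False
        except ValueError:
            tampered_detected = True
        return {"restore_mismatches": mismatches,
                "tampered_archive_detected": tampered_detected}


if __name__ == "__main__":
    print(demo())
```

The restore step is the part most backup scripts skip: `restore_backup` extracts into a scratch directory and re-hashes every file, which is exactly the check you want to run on a schedule so the first real restore is not also the first test.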
4. Continuous monitoring
The fourth critical step in dealing with ransomware is a cohesive continuous monitoring strategy. To effectively triage a ransomware attack, you need to know as soon as it starts to have the best chance of quarantining the infection to as few systems as possible. Part of this is deploying network and system monitoring utilities, such as an IDS/IPS like Snort or Suricata, but it applies more generally to having extensive visibility into your environment. Effectively responding to a ransomware attack requires insight into what is on your network, how critical those assets are to business operations, and how well those assets are secured. This leads us nicely into our last tip.
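Network IDS signatures catch the command-and-control and lateral-movement side; the host side is where encryption itself is visible. As an added example (not from the original post, and not the detection logic of any named product), the following Python runs two well-known ransomware behaviour rules over a constructed file-and-process event log: a process giving many files a new extension within a short window, and command lines that delete volume shadow copies or disable recovery (the MITRE ATT&CK "Inhibit System Recovery" technique). The log format, host names, paths and process names are all invented for the demo.

```python
"""Host-level ransomware behaviour detection over file and process events.
Added example; the log lines are constructed, not real telemetry."""
import os
import re
from collections import defaultdict, deque

# Fields: ts|host|pid|image|op|detail. For op=rename the detail is "old -> new";
# for op=exec it is the command line. Constructed sample data for the demo.
SAMPLE_LOG = r"""
1700000000|ws12|4412|C:\Program Files\Office\WINWORD.EXE|rename|C:\Users\amy\~WRL0001.tmp -> C:\Users\amy\q3.docx
1700000005|ws12|7781|C:\Users\amy\AppData\Local\Temp\update.exe|exec|cmd.exe /c vssadmin delete shadows /all /quiet
1700000006|ws12|7781|C:\Users\amy\AppData\Local\Temp\update.exe|rename|C:\Users\amy\q3.docx -> C:\Users\amy\q3.docx.lckd
1700000006|ws12|7781|C:\Users\amy\AppData\Local\Temp\update.exe|rename|C:\Users\amy\budget.xlsx -> C:\Users\amy\budget.xlsx.lckd
1700000007|ws12|7781|C:\Users\amy\AppData\Local\Temp\update.exe|rename|C:\Users\amy\plan.pptx -> C:\Users\amy\plan.pptx.lckd
1700000008|ws12|7781|C:\Users\amy\AppData\Local\Temp\update.exe|rename|C:\Users\amy\photo.jpg -> C:\Users\amy\photo.jpg.lckd
1700000009|ws12|7781|C:\Users\amy\AppData\Local\Temp\update.exe|rename|C:\Users\amy\notes.txt -> C:\Users\amy\notes.txt.lckd
1700000010|ws12|7781|C:\Users\amy\AppData\Local\Temp\update.exe|rename|C:\Users\amy\contract.pdf -> C:\Users\amy\contract.pdf.lckd
1700000200|ws12|9001|C:\Windows\explorer.exe|exec|notepad.exe C:\Users\amy\todo.txt
"""

# Command lines that destroy recovery options (ATT&CK T1490 style).
INHIBIT_RECOVERY = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
RENAME_THRESHOLD = 5   # distinct files given the same new extension ...
WINDOW_SECONDS = 60    # ... by one process within this many seconds


def extension(path: str) -> str:
    name = re.split(r"[\\/]", path)[-1]          # basename for either separator
    return os.path.splitext(name)[1].lower()


def parse_line(line: str) -> dict:
    ts, host, pid, image, op, detail = line.split("|", 5)
    return {"ts": int(ts), "host": host, "pid": int(pid),
            "image": image, "op": op, "detail": detail}


def detect(log_text: str) -> list:
    """Return one alert dict per rule hit; events are assumed time-ordered."""
    alerts = []
    windows = defaultdict(deque)   # (host, pid) -> deque of (ts, src, new_ext)
    already = set()                # suppress repeated mass_rename alerts per process
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        key = (ev["host"], ev["pid"])
        if ev["op"] == "exec":
            if any(p.search(ev["detail"]) for p in INHIBIT_RECOVERY):
                alerts.append({"rule": "inhibit_recovery", "host": ev["host"],
                               "pid": ev["pid"], "image": ev["image"],
                               "command": ev["detail"]})
        elif ev["op"] == "rename":
            src, dst = ev["detail"].split(" -> ", 1)
            new_ext = extension(dst)
            if new_ext == extension(src):
                continue                       # same extension: not an encryption rename
            win = windows[key]
            win.append((ev["ts"], src, new_ext))
            while win and ev["ts"] - win[0][0] > WINDOW_SECONDS:
                win.popleft()                  # drop events outside the window
            by_ext = defaultdict(set)          # ransomware appends one extension
            for _, s, e in win:
                by_ext[e].add(s)
            ext, victims = max(by_ext.items(), key=lambda kv: len(kv[1]))
            if len(victims) >= RENAME_THRESHOLD and (key, "mass_rename") not in already:
                already.add((key, "mass_rename"))
                alerts.append({"rule": "mass_rename", "host": ev["host"],
                               "pid": ev["pid"], "image": ev["image"],
                               "extension": ext, "count": len(victims)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Grouping renames by the new extension rather than counting all renames is what keeps Word's save-via-temp-file dance (the first line) from tripping the rule while still firing on the fifth `.lckd` rename; the shadow-copy deletion fires earlier still, which is why it is worth alerting on by itself. Thresholds and the window are tuning knobs, not universal constants.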
5. Know your numbers
Knowing your digital environment is crucial both in planning for future attacks and in responding to current threats. Having real-time visibility into how your cybersecurity team is performing on a daily basis is critical to securing your infrastructure, since all it takes is a handful of mistakes or misconfigurations to open a gap in your defensive perimeter. Tracking cybersecurity performance indicators gives executives and key decision makers the information they need to craft targeted security initiatives with a measurable impact on the cyber security hygiene of the organization as a whole.
These are just the tip of the iceberg when it comes to securing your organization against ransomware. They are our top 5 considerations for mitigating the risk posed by ransomware, but if it were easy, ransomware wouldn’t be keeping CISOs up at night. At the end of the day, cybersecurity is a game of preparation. It’s about identifying cybersecurity risks, determining reasonable solutions to mitigate the harm, and putting in place processes that will minimize the financial harm from an eventual security incident. If you plan your security posture to respond to an inevitable attack, your business will be far better off when that day comes than one that became complacent thinking its defenses would always hold.