Ransomware attacks are no longer headline news — reports of new victims appear daily. So it is more important than ever for companies to have a well-conceived multi-level strategy for protecting against this threat.
Close attackers’ entry points
Most ransomware attacks are fairly standard: either an employee falls for social engineering and opens an email attachment, or the attackers gain remote access to the company’s systems (through leaked passwords, brute-forced credentials, or credentials bought from initial access brokers). In some cases, they exploit vulnerabilities in server-side software. Therefore, you can eliminate most problems by:
- Training employees in information security and digital hygiene. If people are able to distinguish a phishing email from a legitimate one and keep passwords safe, this will greatly reduce the burden on infosec departments;
- Having a strict password policy that bans weak and duplicate passwords and requires the use of a password manager;
- Not exposing remote desktop services (such as RDP) to public networks unless absolutely necessary, and if the need does arise, allowing remote access only through a secure VPN channel;
- Prioritizing the installation of updates on all connected devices – above all patches for critical software (operating systems, browsers, office suites, VPN clients, server applications) and fixes for vulnerabilities that allow remote code execution (RCE) and privilege escalation.
Prepare your infosec team for the latest cyberthreats
Your infosec team’s protection tools and technologies must be ready for today’s threats. And the experts themselves should have access to up-to-date information on the changing threat landscape. Therefore, we advise:
- Using up-to-date threat intelligence to keep your experts up to speed on the latest cybercriminal tactics, techniques and procedures;
- Updating security solutions in a timely manner so they provide comprehensive protection against the threats most commonly associated with ransomware delivery (remote access Trojans (RATs), exploits, botnet activity);
- Using tools that not only detect malware, but also track suspicious activity in the company’s infrastructure (Endpoint Detection and Response (EDR) solutions);
- Considering, if internal resources are limited, hiring third-party experts (or using Managed Detection and Response (MDR) solutions);
- Monitoring outgoing traffic to detect unauthorized connections from the corporate infrastructure to external hosts;
- Closely monitoring the use of scripting languages and tools for lateral movement in the company’s network;
- Keeping up with ransomware news and making sure your protection technologies can handle new strains.
Develop a strategy in case a ransomware attack succeeds
Although it’s possible to rely on technologies to detect and counter ransomware, it’s always better to have a plan in place in case they fail. There are different scenarios. For example, a malicious insider — especially one with administrator rights — might disable your security system. It’s important that an incident does not catch you off guard. To avoid downtime due to cyberincidents:
- Regularly back up data — especially if business-critical;
- Ensure quick access to those backups in the event of an emergency.