Ransomware is one of the biggest cyberthreats facing businesses today. It’s disruptive, often costly to remediate and affects organizations of all sizes, from mom-and-pop stores right the way through to schools, hospitals and government agencies.
In this blog post, we’ll discuss how to prevent ransomware attacks on your business, proven techniques you can use to keep your systems safe and what to do in the event of an incident.
What is ransomware?
First observed in the late 1980s, ransomware is a type of malicious software that uses encryption to prevent you from accessing a computer system, or the data stored on that system, until a sum of money (often measured in the hundreds of thousands) has been paid to the attacker. Failure to pay the ransom by the specified deadline results in the data being lost forever. Many modern ransomware incidents also involve a data exfiltration component, whereby attackers use the threat of data leaks and public exposure as additional leverage to encourage victims to pay up.
During the incident, a ransom note is usually deposited on the target system, which typically includes payment instructions, an overview of the data that was stolen during the incident and directions on how to communicate with the attacker.
Once the ransom has been paid, the attacker will – in theory, at least – provide a decryption tool that allows the victim to recover the encrypted files. However, when you’re dealing with cybercriminals, there are no guarantees. Your data might get corrupted during the decryption process due to a faulty decryption tool, or threat actors might leave a backdoor on your system so they can return at a later date and engage in further malicious activity.
Paying the ransom may also incentivize further attacks, while the money generated during ransomware incidents may be used to fund other forms of illegal activity. Law enforcement agencies and cybersecurity experts strongly recommend that you should never pay the ransom.
How to protect against ransomware
The following practices may help organizations reduce the risk of a ransomware incident.
1. Maintain backups of your data
A robust backup strategy remains the most effective way of mitigating the impact of a ransomware incident. Should your business fall victim to ransomware, backups allow you to restore your data and return your systems to a safe and operational state.
To maximize the impact of an attack, ransomware operators will often deliberately seek out and destroy locally stored backups. With this in mind, it’s important to maintain backups on a mixture of media storage and store copies both on- and off-site, preferably using a trusted cloud service.
The 3-2-1 rule is a useful starting point for developing a strong backup strategy:
- Keep at least three copies of your files.
- Store the copies on at least two different types of storage media.
- Store at least one copy offsite.
See this article for more guidance on creating ransomware-proof backups.
2. Develop plans and policies
Avoiding ransomware isn’t always possible. Every business should operate on the assumption that it will, at some point, be impacted by ransomware. When that moment occurs, you need to be confident that you’ll be able to respond quickly and decisively in order to limit the impact of the incident.
That’s where an incident response plan comes in. An incident response plan is a formal document that sets out the step-by-step actions that need to be taken to remediate an incident, the people – both internal and external – who are responsible for doing it, and the tools they’ll use to get the job done. Your plan might also define how you’ll respond to the ransom demand, along with your legal obligations and reporting procedures.
Once you’ve developed an incident response plan, you’ll need to put it to the test. Simulate a ransomware event using tabletop exercises, which can be used to measuring your team’s ability to remediate an incident and reveal any shortcomings in your response chain.
3. Stop malware from being delivered to your endpoints
The ransomware attack chain often begins with an inadvertent click by an absent-minded employee. While it’s not possible to eliminate every unwitting click, there are certain steps you can take to prevent ransomware (or the malware that acts as a precursor to ransomware) from being delivered to your endpoints in the first place.
Mail filtering and spam filtering, for example, can be effective for blocking malicious emails, while email authentication techniques such as Sender Policy Framework, DomainKeys Identified Mail, and Domain-Based Message Authentication, Reporting and Conformance are useful for validating the authenticity of an email and detecting suspicious messages.
Browser extensions such as Emsisoft Browser Security may also be useful for blocking access to dangerous websites that are used to distribute malware and launch phishing attacks.
4. Harden your system
System hardening is the practice of addressing security vulnerabilities throughout your IT environment – including both hardware and software – to condense your attack surface and subsequently reduce the risk of a ransomware incident.
A comprehensive guide to endpoint hardening is beyond the scope of this article, but the following may be a helpful starting point for understanding how to stop ransomware:
- Remove unneeded software: To reduce the risk of system compromise, all unnecessary applications and services should be uninstalled, with particular attention being given to tools that are commonly used by ransomware actors, such as Remote Desktop Protocol, PowerShell, Windows Script Host, Microsoft Office macros, and so on.
- Apply updates: Threat actors frequently exploit known security vulnerabilities to gain access to a target system. To mitigate this risk, organizations should adopt a robust patch management strategy that ensures important security updates are applied to all endpoints and servers as soon as possible.
- Use MFA: Multi-factor authentication helps prevent unauthorized access to accounts, tools, systems and data repositories by requiring users to provide an additional form of authentication to validate their identity. If a threat actor were to get their hands on one of your user’s passwords, they still wouldn’t be able to access the associated account or service without the secondary form of authentication. MFA is an easy and effective tool for preventing ransomware and should be enabled wherever possible.
- Restrict user access: The principle of least privilege is a security concept that stipulates that a user should only have access to the specific resources that are essential to perform their job function. This concept should be applied across the network to help prevent lateral movement should a threat actor gain access to your system.
- Use a trusted antivirus solution: Endpoint security software plays a critical role in protecting against ransomware events. A good cybersecurity solution will be able to identify the telltale patterns of ransomware and intercept the threat before it has the chance to encrypt your files. Some endpoint security solutions, including Emsisoft Anti-Malware, offer cloud-based management functionality, which allows your security administrators to manage all of your endpoints remotely from a single dashboard and respond rapidly to alerts.
5. Train the team
Ransomware incidents most commonly begin with a user-initiated action (say, opening a malicious email attachment or clicking on a malicious URL), so businesses must provide staff with quality cybersecurity training, with a particular focus on the social engineering techniques threat actors use to distribute ransomware.
Cybercriminals are continuously finding new ways to implement and deliver ransomware, so training should ideally be an ongoing process to ensure your end users are up to date with the current threats. Everyone has a role to play in ransomware prevention, and quality training material can be an effective way of not only keeping the corporate network safe, but also building a culture of cybersecurity in the workplace.
Conclusion
Ransomware poses a serious threat to businesses big and small. By following the steps described above, you can start improving your security posture today and reduce the risk of falling victim to ransomware.
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trialLooking for the ultimate solution to ransomware? You’ve found it. Emsisoft Anti-Malware uses custom-built behavioral monitoring to stop both known and unknown ransomware strains before they can encrypt your files. Download your free trial today.