12 ways to protect your organization from ransomware
Ransomware is trending in the wrong direction. Attacks have reached a record high, and so has the percentage of paying victims. In 2017, 39% of victim organizations paid attackers in an effort to recover data. That number climbed to 45% in 2018, and reached a disturbing 58% in 2019.
This is bad news for organizations in all industries. With ransoms being paid, attackers have no incentive to stop. During the third quarter of 2020, the average payment rose 31% to $233,817, leaving cybercriminals increasingly well-funded and exerting pressure on victims by combining data encryption with data theft and the threat of exposure.
The recent “big game hunting” efforts of various ransomware gangs are a harbinger of things to come. Cybercriminals are teaming up to exchange tactics and intelligence, targeting organizations they believe are likely to pay a significant amount of money. Making matters worse, they’re using the disruption caused by COVID-19 to help them steal data before delivering the final ransomware payload.
Fortunately, there are steps you can take to defend against this kind of malware. Here are 12 tactics that can help protect your organization.
1. Check for decryption tools. If you’ve already been hit, check online to see if a decryption tool is available. Law enforcement and security companies have released decryption keys for numerous versions of ransomware through a project called NO MORE RANSOM!
2. Don’t pay the ransom. Yes, restoring systems that have been compromised can be a long and costly process. However, you can’t trust cybercriminals to keep promises. Paying the ransom does not guarantee you’ll get your files back and your stolen data won’t be published; it only guarantees that the attackers will receive your money.
Cybersecurity experts and politicians are calling for legislation that would make it illegal to pay ransoms. Additionally, the U.S. Department of the Treasury has issued a warning: Ransomware victims who pay — and firms that facilitate ransom negotiations — could face steep fines if the attackers are under economic sanctions from the U.S. government, even if the victims aren’t aware of the sanctions.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” –U.S. Treasury Office of Foreign Assets Control (OFAC)
3. Take data backups seriously. Don’t just back up data daily. Ensure you have thoroughly tested your ability to recover systems and data in the event of an attack. Consider removing critical assets to offline cold storage. Your backups are less vulnerable to attack if they’re disconnected from the network.
4. Strengthen patch management. Consistently monitor for vulnerabilities. Regularly update systems with the appropriate security patches to ensure cybercriminals can’t take advantage of known flaws, gain access to networks, and distribute ransomware. Audit patching processes and evaluate technologies and policies that can make them more effective, leveraging automation whenever possible.
5. Adopt multi-factor authentication. Most ransomware gains access through the hijacking of static passwords. Enabling multi-factor authentication on accounts across the network can help you thwart attackers by requiring additional information. A phishing attack may net them a user’s credentials, but it won’t provide biometric data or the answer to a personal security question.
6. Implement least privilege. Reduce the risk of attackers gaining access to critical systems or sensitive data by giving users only the bare minimum privileges needed to do their jobs. Identity and access management (IAM) controls can help you grant least privilege access based on who’s requesting it, the context of the request, and the risk of the access environment.
7. Filter web and email content. Email containing malicious URLs is the most common ransomware attack method. Implement web and email content filtering controls to block and quarantine threats and remove suspicious links from traffic before users can access them.
8. Monitor file activity. File activity monitoring (FAM) solutions monitor the file access patterns of legitimate users and detect unusual activity. Implementing FAM can provide you with real-time and historical records of all file and folder activity on your network file shares. It enables you to quarantine infected users and devices in real-time, so you can block and investigate ransomware activities.
9. Extend your endpoint security. Visibility is vital to ransomware defense. Endpoint detection and response (EDR) tools combine real-time continuous monitoring and collection of endpoint data with automated response and analysis. Emerging extended detection and response (XDR) solutions extend these capabilities to email, servers, cloud workloads, and networks to provide analysts with greater context. They bring alerts triggered by numerous security controls together, enabling faster threat detection and response.
10. Complement efforts with threat intelligence. Keeping up with the latest threat intelligence helps you detect an attack quickly, respond effectively, and prevent the attack from spreading. Threat intelligence can also help you identify where some of the attacks are coming from and use that information to block incoming traffic at the firewall.
11. Check your cyber insurance. If you don’t already have it, purchase cyber extortion coverage that entitles you to incident response assistance and reimburses you for the ransom if it’s paid. Keep in mind that insurers require cyber-hygiene assessments and they can — and will — refuse to cover incidents that could have been avoided.
12. Train your employees. Provide continuous security awareness training to ensure your employees follow good cyber hygiene practices on all devices — such as strong passwords and secure Wi-Fi connections — and help them detect and react to the latest phishing techniques.
Getting started
The onslaught of ransomware attacks will continue as threat actors pursue big payouts from the public and private sectors. These 12 steps can ensure you’re prepared to defend your organization and data.
Professional security assessments can help you get started by identifying and prioritizing weaknesses in your security program and kick-starting an actionable roadmap for remediation.
Contact your SHI account executive to learn more.
Anne Grahn contributed to this post.