12 ways to protect your organization from ransomware
Ransomware is trending in the wrong direction. Attacks have reached a record high, and so has the percentage of paying victims. In 2017, 39% of victim organizations paid attackers in an effort to recover data. That number climbed to 45% in 2018, and reached a disturbing 58% in 2019.
This is bad news for organizations in all industries. With ransoms being paid, attackers have no incentive to stop. During the first quarter of 2020, the average payment rose 33% to $111,605, leaving cybercriminals increasingly well-funded and exerting pressure on victims by combining data encryption with data theft and the threat of exposure.
The recent “big game hunting” efforts of the MAZE ransomware gang — including high-profile attacks on a Fortune 500 insurer, a southeastern city, a multi-national IT services provider, a state-owned bank, and most recently, a global electronics manufacturer — are a harbinger of things to come.
Cybercriminals are teaming up to exchange tactics and intelligence, targeting organizations they believe are likely to pay a significant amount of money. Making matters worse, they’re using the disruption caused by COVID-19 to help them steal data before delivering the final ransomware payload. As this trend becomes more common, companies will need to treat ransomware attacks as data breaches and report them as such. This could trigger hefty fines under regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
Fortunately, there are steps you can take to defend against this kind of malware. Here are 12 tactics that can help protect your organization.
1. Check for decryption tools. If you’ve already been hit, check online to see if a decryption tool is available. Law enforcement and security companies have released decryption keys for numerous versions of ransomware through a project called NO MORE RANSOM!
2. Don’t pay the ransom. Yes, restoring systems that have been compromised can be a long and costly process. However, you can’t trust cybercriminals to keep promises. By paying up, you could encourage additional attacks.
A recent study found 75% of Americans are now worried about ransomware threats to their personal data, and 63% prefer paying higher repair costs over using tax dollars to pay attackers.
Politicians also want to avoid playing into the hands of cybercriminals. Two state senators from New York have proposed bills banning local municipalities and governments from using taxpayer money to pay ransomware demands.
If your organization is unable to function following an attack and you feel paying is the best way to protect your shareholders, employees, and customers, consult vendor-independent security professionals first to verify that the decryption keys will work and the infection can be thoroughly remediated.
3. Take data backups seriously. Don’t just back up data daily. Ensure you have thoroughly tested your ability to recover systems and data in the event of an attack. Consider moving backups of critical assets to offline cold storage. Your backups are less vulnerable to attack if they’re disconnected from the network.
4. Strengthen patch management. Consistently monitor for vulnerabilities. Regularly update systems with the appropriate security patches to ensure cybercriminals can’t take advantage of known flaws, gain access to networks, and distribute ransomware. Audit patching processes and evaluate technologies and policies that can make them more effective, leveraging automation whenever possible.
5. Adopt multi-factor authentication. Most ransomware gains access through the hijacking of static passwords. Enabling multi-factor authentication on accounts across the network can help you thwart attackers by requiring additional information. A phishing attack may net them a user’s credentials, but it won’t provide biometric data or the answer to a personal security question.
6. Implement least privilege. Reduce the risk of attackers gaining access to critical systems or sensitive data by giving users only the bare minimum privileges needed to do their jobs. Identity and access management (IAM) controls can help you grant least privilege access based on who’s requesting it, the context of the request, and the risk of the access environment.
7. Filter web and email content. Email containing malicious URLs is the most common ransomware attack method. Implement web and email content filtering controls to block and quarantine threats and remove suspicious links from traffic before users can access them.
8. Monitor file activity. File activity monitoring (FAM) solutions baseline the file access patterns of legitimate users and detect unusual activity. Implementing FAM can provide you with real-time and historical records of all file and folder activity on your network file shares. It enables you to quarantine infected users and devices in real time, so you can block and investigate ransomware activity.
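As an added illustration (not code from the post or from any SHI product), this is the kind of rule a FAM tool applies to file-share audit events: a user who changes the extension of several distinct files within a short window is flagged for quarantine. The log format, thresholds and sample events are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of file-share audit events (not real data). Each line:
# <ISO timestamp> user=<name> op=<WRITE|RENAME|DELETE> path=<file> [new=<renamed path>]
SAMPLE_LOG = """\
2020-05-01T10:00:01Z user=alice op=WRITE path=/share/finance/q1.xlsx
2020-05-01T10:00:04Z user=bob op=RENAME path=/share/hr/pay.docx new=/share/hr/pay.docx.locked
2020-05-01T10:00:05Z user=bob op=RENAME path=/share/hr/list.xlsx new=/share/hr/list.xlsx.locked
2020-05-01T10:00:05Z user=bob op=RENAME path=/share/hr/memo.pdf new=/share/hr/memo.pdf.locked
2020-05-01T10:00:06Z user=bob op=RENAME path=/share/hr/plan.pptx new=/share/hr/plan.pptx.locked
2020-05-01T10:00:07Z user=bob op=WRITE path=/share/hr/README_FOR_DECRYPT.txt
2020-05-01T10:00:09Z user=alice op=RENAME path=/share/finance/draft.docx new=/share/finance/final.docx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")
WINDOW_SECONDS = 60      # sliding window per user (assumed tuning value)
RENAME_THRESHOLD = 3     # extension-changing renames of distinct files that trigger an alert

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def extension_changed(old, new):
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()

def detect_mass_rename(events):
    """Return {user: first_alert_time} for users who change the extension of
    >= RENAME_THRESHOLD distinct files within WINDOW_SECONDS (ordinary renames
    that keep the extension, like draft.docx -> final.docx, are ignored)."""
    windows = defaultdict(deque)  # user -> recent (ts, path) of suspicious renames
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "RENAME" or not extension_changed(ev["path"], ev["new"]):
            continue
        q = windows[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop events that fell out of the window
        if len({p for _, p in q}) >= RENAME_THRESHOLD and ev["user"] not in alerts:
            alerts[ev["user"]] = ev["ts"]
    return alerts
```

The alert time is the moment the threshold is crossed, which is what an automated quarantine action would key on.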
9. Protect your endpoints. Endpoint detection and response (EDR) tools continuously monitor and record endpoint activity and events and use behavior analytics to identify breaches. EDR helps you:
- Protect endpoints from known and unknown ransomware threats with machine learning
- Centralize endpoint security with a platform that applies policies across all endpoints
- Leverage behavioral indicators of attack (IOAs) to defend against ransomware written in PowerShell
10. Complement efforts with threat intelligence. Keeping up with the latest threat intelligence helps you detect an attack quickly, respond effectively, and prevent the attack from spreading. Threat intelligence can also help you identify where some of the attacks are coming from and use that information to block incoming traffic at the firewall.
11. Check your cyber insurance. If you don’t already have it, purchase cyber extortion coverage that entitles you to incident response assistance and reimburses you for the ransom if it’s paid. Keep in mind that insurers require cyber-hygiene assessments and they can — and will — refuse to cover incidents that could have been avoided.
12. Train your employees. Provide continuous security awareness training to ensure your employees follow good cyber hygiene practices on all devices — such as strong passwords and secure Wi-Fi connections — and help them detect and react to the latest phishing techniques.
The onslaught of ransomware attacks will continue as threat actors pursue big payouts from the public and private sectors. These 12 steps can ensure you’re prepared to defend your organization and data.
Professional security assessments can help you get started by identifying and prioritizing weaknesses in your security program and kick-starting an actionable roadmap for remediation.
Contact your SHI account executive to learn more.
Garth Whitacre contributed to this post.