Ransomware And How To Prevent It

Ramsomware continues to be one of the most disruptive attack vectors businesses and organizations face today.  Often, it only takes one click of a link in a well-crafted spear phishing email and the company’s data is encrypted with strong encryption only to be left with a flashing screen with instructions to transfer a large dollar value of a crypto currency such as bitcoin in order to receive (hopefully) the decryption key.

The gangs behind these attacks are usually highly-organized, well-funded, and continuously employ increasingly sophisticated tactics. Even nation-state actors such as North Korea are known to be in the ransomware business.  State and local governments, schools, and hospitals have been a particularly attractive target in recent attacks. The attackers admittedly have a significant arsenal of exploits to gain a foothold on your network, but there are some basic and effective steps you can take to lower the chances that your company is next.

Use reputable and complete Endpoint Protection

Your enterprise should have a FULLY deployed endpoint protection suite with central management configured to update often, and notify administrators if an attack or virus is detected.  Scanning of email is vitally important because ransomware is most often introduced via email links and attachments.

Use sophisticated Edge Protection

Start with hardened firewalls with Intrusion Detection/Prevention capabilities.  Place all internet-facing hosts in a DMZ.

Use OpenDNS or similar service

Secure DNS services can be an important additional layer of security and can often render malware unfunctional as it can’t “phone home” for additional malicious payloads.

Have a VERY ROBUST backup solution

Often the only way to restore a compromised system is to restore it from backup, hopefully to a point before the system was compromised.  It’s important to note that in some of the more sophisticated attacks, the hackers took extra steps to delete backups prior to triggering the ransomware encryption process – Yikes!

 Train, Train, Train your staff

The very best way to avoid these exploits is to train your staff to avoid the behavior that leads to compromise.  The human element is often the weak link and consistent and persistent training can go a long way to avoiding a very costly mistake that could have otherwise been easily avoided.

Patch systems regularly

Software companies release updates and patches for a reason.  When a new vulnerability is discovered, the software vendor will fix the issue by releasing a software update.  Every company and organization should have a patch management process and program.

Have system administrators disable unnecessary services

Many systems have open ports and accessible services by default.  These overlooked services are often the weakness that will be exploited by the bad guys.  RDP vulnerabilities, for example, are a favorite attack vector for ransomware attacks.

These examples are important components of a mature security program, and there are numerous other defenses that can be overlaid on a network to increase the system security and reduce the risk that your company or organization will be the next statistic in the ever-changing ransomware threat landscape.   In addition to the technical controls listed above, every organization should work on completing a complete information security risk assessment (annually at a minimum), and develop a carefully considered set of controls to mitigate those risks.   Every organization should also have a well-developed Incident Response Plan and a Business Continuity/Disaster Recover plan to ensure that in the event controls fail and ransomware does find a hold on the company network, there is a defined and planned response to ensure the incident is contained, and the threat can be removed as quickly as possible.

He can be reached at prife@blaircarlisle.com or prife@holbrookmanter.com.