How to prevent ransomware in 6 steps
Ransomware can cost companies billions in damage. Incorporate these ransomware prevention best practices, from defense in depth to patch management, to keep attackers out.
There's no shortage of ransomware attacks in the headlines today. Attacks within the past year have proven no company is safe, regardless of size or industry.
Ransomware attacks can cause significant damage, but they are almost completely preventable. Organizations that build a strong cybersecurity foundation will find themselves far less vulnerable to attacks than their competitors.
Follow these six ransomware prevention best practices to bolster your company's defenses and prevent it from falling victim to this all-too-common attack.
1. Maintain a defense-in-depth security program
Ransomware is a type of malware, and the reality is most ransomware outbreaks use well-known variants that are easily detected by active antimalware controls. Most antimalware tools today include specialized anti-ransomware features.
Build a defense-in-depth security program that has strong antimalware in conjunction with other technologies and processes, such as the following:
- Firewalls.
- Endpoint scanning and filtering.
- Endpoint detection and response.
- Network traffic analysis.
- Web filtering.
- Intrusion detection and prevention systems.
- Email security filtering.
- Allowlisting/denylisting.
- Cloud access security brokers.
Ransomware prevention best practices also include following the principle of least privilege; requiring multifactor authentication; using VPNs, zero-trust network access or other perimeter security technologies for remote employees; disabling or limiting Remote Desktop Protocol use -- a common entry point for ransomware attacks -- and protecting ports from exploitation.
2. Consider advanced protection technologies
While most ransomware attacks can be caught by basic antimalware defenses, risk remains that attackers will target victims with novel attacks. To detect these zero-days, consider using advanced technologies and strategies, including the following:
- Extended detection and response.
- Managed detection and response.
- Sandboxing.
- Secure access service edge.
- SIEM.
- User and entity behavior analytics.
- Zero-trust security.
- Cyber deception.
3. Educate employees about the risks of social engineering
Ransomware often enters an organization through the inadvertent actions of employees. Most times, this involves an employee falling victim to a phishing attack and clicking a malicious URL or downloading an infected attachment.
Conduct regular cybersecurity awareness training for all employees, partners and stakeholders. Aim to offer current and consistent messaging that both reminds them of foundational best practices and teaches them about new types of phishing attacks. Ransomware-specific awareness training can help drive home the severity of the threat.
At a minimum, advise employees to do the following:
- Use strong passwords.
- Verify email senders.
- Open links and attachments only from known senders.
- Refrain from opening suspicious emails, clicking questionable links or downloading suspicious attachments.
Unprepared employees can expose a company to significant risk. Ensure the staff knows what to do in the event ransomware does infect the network, including immediately notifying management if there is any reason to believe an attack might be underway.
Develop a ransomware incident response plan that includes actions for employees, the security team, management, etc.
4. Patch regularly
Regularly installing patches for software and system vulnerabilities could have saved many organizations a lot of time, stress and money. The notorious WannaCry ransomware attack in May 2017, for example, exploited a vulnerability in legacy versions of the Server Message Block protocol. Microsoft had released a patch for the vulnerability in March 2017, but the WannaCry ransomware still affected approximately 230,000 systems worldwide.
Follow a patch management program and best practices to ensure any vulnerabilities are patched quickly and efficiently.
5. Frequently back up critical data
Most ransomware attacks aim to deprive victims of access to critical information until they pay a ransom. Backups can mitigate this risk by providing you with a fallback plan.
If ransomware encrypts your data, backups can help restore access quickly without meeting the attacker's demands. Store backups where they cannot be accessed from the network. Disconnect the backup, or put it on an external device, so it will not be affected by a ransomware attack.
Remember: Restoring from backup brings you to a point in time where you likely still have the same vulnerability that attackers originally exploited. Make sure your ransomware recovery process includes the identification and remediation of the incident's root cause.
6. Don't depend solely on backups
Ransomware is evolving. Many attackers now employ double extortion, where they encrypt the victim's data and exfiltrate it, or triple extortion, which involves the addition of a DDoS attack or extorts the victim's customers, partners and other third parties. In these attacks, even if a company restores its data from backup, the attacker can still demand that a ransom be paid to not leak the data.
Backups are important, but they're only one element of a defense-in-depth ransomware prevention strategy.
Pulling it all together
Organizations that follow these ransomware prevention best practices will find themselves well prepared for the next wave of ransomware attacks. While these security controls aren't rocket science, in the face of millions of successful attacks in the past year, they remind us they're critically important.