Ransomware continually makes the headlines because of the shock tactics that identify this type of cyber attack. Attacks such as the Colonial Pipeline ransomware infection resulted in a real-world impact, affecting access to fuel for 50 million people in the USA.
Others, such as the ransomware attack on Acer, have such substantial ransom demands, $50 million in Acer’s case, that the world sits up and listens.
Ransomware, however, is not just a problem for a high-profile company. A 2022 report from Cyberedge Group found that 71% of companies were impacted by ransomware in 2021.
Ransomware nets the cybercriminal gangs behind this nasty malware a fortune. Chainanalysis estimates that ransomware gangs made around $692 million in cryptocurrency in 2020.
Big pay-outs from cybercrime, such as ransomware, are likely to lead to further attacks on the horizon. So how does the average company prevent ransomware attacks?
The Best Five Ways to Prevent Ransomware Attacks
The Colonial Pipeline ransomware attack started with a compromised password posted to a dark website. This password was most likely on the dark web because it was stolen during a phishing attack. The hacking of an employee account is the doorway into an operating system, and phishing attacks provide a highly effective way of gaining access to login credentials, using malicious links or attachments.
The 2021 Verizon Data Breach Investigation Report (DBIR) attributes 61% of breaches to compromised credentials. The same report links one-third of these breaches to phishing. A hacker does not have to compromise an account of a network administrator to get privileged access. If the hacker has an employee’s credentials, they can build up access privileges once inside a network.
Hackers do this using a technique known as ‘lateral movement’; the hacker uses vulnerabilities in other software, such as the Kerberos protocol and Active Directory, to escalate their privileges until they have the keys to the castle and can install ransomware (and steal data) at will.
The chain of events that lead to a ransomware infection is where best practices come in. If you can build preventative layers across that attack chain, you can stop the ransomware hacker in their stride.
Here are five of the best ways to prevent ransomware attacks:
Best Practise 1: Simulated Phishing Exercises
This best practice is your foundation layer and one that may stop ransomware before it becomes an incident. Phishing is evolving increasingly sophisticated tactics, and spear-phishing is even more so.
For example, many ransomware attacks will target a specific type of user or employee role. The attackers will then use the kind of language typically used in email exchanges with that individual to manipulate their behaviour. Simulated phishing exercises should reflect this level of sophistication and provide role-based templates to create spoof spam emails.
Best Practise 2: Holistic Security Awareness Training
Phishing and social engineering offer entry points into a network by providing a mechanism to steal login credentials. Security Awareness Training is another foundational layer of ransomware prevention that imbues employees with a sense of the importance of good security behaviours.
Security hygiene, such as good password creation and not oversharing information on social media, help to develop a proactive layer around an organisation. With role-based simulated phishing, Security Awareness Training is the most effective ransomware protection to help create a security culture.
Best Practise 3: Zero-Trust and Least Privilege
Privileged users can be a highly effective target for ransomware attackers. As such, they attract cybercriminals like bees to honey. So much so, that two-thirds of businesses see privileged users as their greatest insider threat. Therefore, privileged users need to be viewed as a group and trained appropriately in the types of phishing and social engineering they are most at risk from.
In addition, an organisation must set out a strategy to deal with these privileged users and account access. The principle of ‘least privilege’ should form the framework of this strategy. This fits in with a zero-trust security model where you never trust and always verify access attempts to control that access at a granular level.
Zero-trust security works alongside enabling technologies such as Identity and Access Management (IAM) and rules that trigger these measures to implement robust checks and measures, such as requiring additional authentication to access sensitive resources.
Best Practise 4: Make Sure to Include Remote Workers in Your Ransomware Prevention Strategy
The Covid-19 pandemic normalised the hybrid work model where we sometimes work from home. Remote work changes security dynamics, potentially giving the cybercriminals a head start. However, specific approaches and measures turn the tables on hackers being able to extort home workers.
One of these is using a secure VPN (Virtual Private Network). A VPN extends the security of a network perimeter to the home office. A secure VPN encrypts data sent over potentially insecure Wi-Fi connections to prevent information such as personal data or login credentials from being intercepted by a hacker. A VPN also can be used to ensure that access to corporate apps is secured.
As well as a secure VPN, home offices should be assessed for potential security gaps, including insecure home printers. In addition, homeworkers should be given enhanced Security Awareness Training that reflects their work environment.
Best Practise 5: Secure Your Network to a Security Standard and Carry Out Regular Assessments
Several security frameworks and standards offer advice on enforcing robust security and protecting your endpoints.
The National Institute for Standards and Technology (NIST) has published a Cyber security Framework Profile for Ransomware Risk Management. This is currently in draft, but it is a good resource for advice on preventing a ransomware attack. The paper is based on the five Cyber security Framework Functions (also from NIST):
- Identify
- Protect
- Detect
- Respond
- Recover
The framework includes our five best practices to remediate the risk of ransomware.
ISO27001 is an international security standard that guides the development of an ISMS (information security management system). ISO27001 uses a holistic approach to security that weaves in people, processes, and technology; this framework covers exploits across the entire threat landscape and includes social engineering and technical exploits.
Frameworks and standards provide the groundwork to ensure that security best practices are applied. They also have guidelines on assessing these measures that include employee security awareness and security hygiene.
Ransomware is a severe threat to all businesses. However, ransomware mitigation is achievable by using our five best practices and being systematic in closing the door on this most concerning cyber threat.