InfoSec Insider

10 Steps for Ransomware Protection


Here are things you can do right now to shore up your defenses and help your recovery when you get hit.

Just the thought of ransomware is enough to keep CISOs and security teams up at night. Victims are caught in an awful choice between paying a ransom to a criminal who may or may not release their captured network and data, or potentially spending millions of dollars to recover on their own. According to one recent report, the cost of a single ransomware incident averages about $713,000 once you add the ransom itself to the related losses: downtime, the value of any lost data or hardware, the expense of improving your infrastructure, and the time and money required to repair your brand image. That figure climbs the longer critical systems remain offline.

And, those costs are likely to rise. In a recent attack this year, for example, attackers demanded a payment of 13 Bitcoin (over $75,000) for each computer affected by the attack so users could regain access to their files – far above the normal ransom demand, which previously was just under $13,000.

Because of the financial success of ransomware, it continues to attract cybercriminals, who either launch large-scale attacks that seek to suck in careless victims or who carefully plan highly focused attacks aimed at specific targets that are most likely to pay up. Even less technical criminals are jumping on the bandwagon through a growing number of ransomware-as-a-service portals available on the Dark Web.

Regardless of the approach, however, in today’s digital world, a ransomware attack is more an issue of when than if.

As bleak as this news may seem, organizations do have a way to defend themselves effectively against ransomware. It starts with best practices that prevent as many attacks as possible, followed by precautions that minimize the impact of any attack that does succeed.

Here, then, are 10 critical steps every organization needs to consider as part of their anti-ransomware strategy:

  1. Map your attack surface. You can’t protect what you don’t know needs to be protected. Start by identifying all of the systems, devices and services in your environment that you rely on to conduct business, and maintain an active inventory. This process not only helps you identify your most vulnerable targets but should also help you map out your system’s baseline for recovery.
  2. Patch and upgrade your vulnerable devices. Establishing and maintaining a regular patching and upgrade process is a basic best practice. Unfortunately, far too many organizations simply don’t do it. Of course, not every system can be taken offline for patching or upgrading. Systems that cannot be patched need to be replaced where possible or, failing that, protected with compensating controls: strict limits on what can reach them over the network, plus some form of isolation or zero-trust segmentation.
  3. Update your security systems. In addition to updating your networked devices, you also need to ensure that all of your security solutions are running their latest updates. This is especially crucial for your secure email gateway (SEG). Most ransomware enters an organization via email, and a SEG should identify and strip malicious attachments and links before they reach the recipient. Likewise, an effective web filtering solution, ideally one that leverages machine learning, should block the phishing pages those messages point to. Beyond that, your security strategy needs to include application allow lists (whitelists), the mapping and limiting of privileges, zero trust between critical systems, strong password policies and mandatory multifactor authentication.
  4. Segment your network. Network segmentation ensures that a compromised system, and any malware on it, is contained to one segment of the network instead of spreading laterally across all of it. This includes isolating your intellectual property and sequestering the personally identifiable information of employees and customers. Likewise, keep critical services (such as emergency services, or physical resources like HVAC systems) on a separate, segregated network.
  5. Secure your extended network. Ensure that security solutions deployed on your core network are replicated in your extended network – including operational technology (OT) networks, cloud environments and branch offices – to prevent security gaps. Also take time to review any connections from other organizations (customers, partners, vendors) that touch your network. Make sure those connections are hardened and that appropriate security and filtering are in place. Next, alert those partners to any issues you may discover, especially related to the possibility of malicious content being shared or spread through those connections.
  6. Isolate your recovery systems and back up your data. Perform regular data and system backups and, just as critically, store those backups off-network, offline or otherwise unreachable from production, so they are not encrypted along with everything else in a breach. Scan those backups for evidence of malware before you rely on them, since a backup taken after the initial intrusion may already contain the attacker’s tooling. Also ensure that any systems, devices and software required for a full recovery are isolated from the network so they are fully available when you need to recover from a successful attack.
  7. Run recovery drills. Regular recovery drills ensure that your backed-up data is readily available, that all required resources can be restored and that all systems operate as expected. They also ensure that chains of command are in place and that all individuals and teams understand their responsibilities. Any issues raised during a drill need to be addressed and documented.
  8. Leverage outside experts. Establish a list of trusted experts and consultants who can be contacted in the event of a compromise to assist you through the recovery process. When possible, involve them in your recovery drills as well. NOTE: Organizations should also immediately report any ransomware event to CISA, their local FBI field office or a Secret Service field office.
  9. Pay attention to ransomware events. Stay abreast of the latest ransomware news by subscribing to threat intelligence and news feeds, make it a habit for your team to learn how and why systems were compromised, and then apply those lessons to your own environment.
  10. Educate employees. Rather than being the weakest link in your security chain, your employees need to be your first line of cyber defense. Because ransomware usually starts with a phishing campaign, it is imperative that you educate them in the latest tactics cybercriminals are using to trick them, whether the target is a corporate, personal or mobile device. In addition to the regular, annual security reviews most employees are required to participate in, consider a steady cadence of awareness campaigns. Quick 30- to 60-second video updates, phishing simulation games, email messages from the executive staff and informative posters help maintain awareness. Running your own internal phishing simulations can also identify employees who may need additional training.
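As an added illustration of steps 6 and 7 (this is example code written for this page, not code from the article or from Fortinet), the following Python script records a SHA-256 manifest when a backup is taken and, during a recovery drill, compares the backup tree against it. Files that are missing, changed or unexpected are reported, and changed or unexpected files are then checked for two telltale signs of ransomware: a near-8-bits-per-byte entropy that plain documents never reach, and a ransom-note-style filename. The manifest format, the entropy threshold and the filename markers are assumptions chosen for the example, and the backup tree it runs on is constructed in a temporary directory.

```python
"""Recovery-drill backup verification (example code for this page, not the author's).

Assumes a manifest of path -> SHA-256 digest recorded when the backup was written.
The entropy threshold and ransom-note name markers are heuristics chosen for this
example, not a published standard.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5        # bits per byte; ciphertext approaches 8.0 (assumed cut-off)
MIN_ENTROPY_SAMPLE = 256       # too few bytes give a meaningless entropy estimate
NOTE_MARKERS = ("readme", "decrypt", "restore", "recover")   # assumed, for the example
NOTE_SUFFIXES = (".txt", ".hta", ".html")


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str) -> bool:
    """Crude filename heuristic: a small text/HTML file named like a note."""
    lower = name.lower()
    return lower.endswith(NOTE_SUFFIXES) and any(m in lower for m in NOTE_MARKERS)


def walk_files(root: str) -> list:
    """Return sorted (backup-relative path with '/' separators, absolute path) pairs."""
    pairs = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            pairs.append((os.path.relpath(full, root).replace(os.sep, "/"), full))
    return sorted(pairs)


def build_manifest(root: str) -> dict:
    """Record path -> digest at backup time; keep this OFF the backup host."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def check_backup(root: str, manifest: dict) -> dict:
    """Compare a backup tree with its manifest and flag signs of encryption."""
    present = dict(walk_files(root))
    report = {"missing": [], "modified": [], "unexpected": [], "suspicious": []}
    for rel in sorted(manifest):
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != manifest[rel]:
            report["modified"].append(rel)
    report["unexpected"] = sorted(rel for rel in present if rel not in manifest)
    # Only files whose digest no longer matches get the heuristics: unchanged
    # archives that are legitimately compressed or encrypted would otherwise trip them.
    for rel in sorted(report["modified"] + report["unexpected"]):
        if looks_like_ransom_note(os.path.basename(rel)):
            report["suspicious"].append((rel, "ransom-note-like filename"))
            continue
        with open(present[rel], "rb") as fh:
            sample = fh.read(1 << 20)          # first 1 MiB is enough for the estimate
        if len(sample) >= MIN_ENTROPY_SAMPLE and shannon_entropy(sample) > ENTROPY_THRESHOLD:
            report["suspicious"].append((rel, "high entropy, possibly encrypted"))
    report["ok"] = not any(report[k] for k in ("missing", "modified", "unexpected", "suspicious"))
    return report


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed data)."""
    blocks = b"".join(hashlib.sha256(b"example-%d" % i).digest() for i in range(n // 32 + 1))
    return blocks[:n]


def demo() -> dict:
    """Build a constructed backup, take its manifest, then simulate tampering."""
    root = tempfile.mkdtemp(prefix="backup-")
    try:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "wb") as fh:
            fh.write(b"Quarterly report: revenue up 4 percent.\n" * 50)
        with open(os.path.join(root, "docs", "ledger.csv"), "wb") as fh:
            fh.write(b"date,amount\n2019-01-01,100\n" * 50)
        manifest = build_manifest(root)           # taken while the backup was clean
        # Simulated ransomware reaching an online backup: one file encrypted in
        # place, one renamed with a new extension, and a note dropped alongside.
        with open(os.path.join(root, "docs", "ledger.csv"), "wb") as fh:
            fh.write(_pseudo_random(4096))
        os.remove(os.path.join(root, "docs", "report.txt"))
        with open(os.path.join(root, "docs", "report.txt.locked"), "wb") as fh:
            fh.write(_pseudo_random(4096))
        with open(os.path.join(root, "docs", "README_DECRYPT.txt"), "wb") as fh:
            fh.write(b"Your files are encrypted.\n")
        return check_backup(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest must live somewhere the backup host cannot write to (the isolated recovery system from step 6 is the natural place), otherwise an intruder who reaches the backups can simply regenerate it to match. The entropy heuristic is deliberately limited to files whose digest has changed: legitimately compressed or encrypted archives also score close to 8 bits per byte, and flagging every one of them on each drill would train the team to ignore the report.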

When it comes to cybercrime, we are all in this together. Ensure that you have regular meetings with industry peers, consultants and business partners – especially those essential to your business operations – to share these strategies and encourage their adoption. This will not only ensure they don’t spread ransomware infection up- or downstream, creating liability for themselves and you, but also help protect your organization, since any disruption of their network will likely have a cascading impact on your business.

Derek Manky is Chief of Security Insights and Global Threat Alliances, Fortinet

