Ransomware attacks have increased to such an extent that they have now become one of the leading threats to the financial stability, reputation, and data security of an organization. The threat has grown to such a level that FBI warnings have already been issued to the public. The problem is, attackers have become more tech-savvy with time, and no longer require a person to click a link to infect their system, which is what Diane Lockhart did in that stellar “The Good Wife” episode in Season 6. Good thing Kalinda saved the day from that Russian hacker!
Legitimate sites are now seeded with malicious code, and unpatched or obsolete software allows hackers to corrupt the systems of end users.
While you have the option of paying the hackers responsible for ransomware attacks, it only serves to encourage them, and there is no guarantee that your network will be spared from future attacks. So your best option is to prevent and mitigate ransomware. Check out the seven best practices below:
Teach employees about suitable actions during ransomware attacks
Similar to other types of malware, ransomware mostly infects systems via downloads, email attachments, and Internet browsing. It is critical for an organization to educate its employees through regular training so they know which malware pitfalls to avoid. But once you realize that your security is compromised and ransomware has infected your systems, take immediate action:
- Before switching off your system, try to take a snapshot of the system memory. This provides a means to find the attack vector later on, along with any kind of cryptographic material. All this can help with the decryption of data.
- Turn off the system to stem the tide of the attack.
- In order to trace the attack vector, you must recall any email that might have been the carrier of the attack.
- Notify the proper authorities so they can launch an investigation.
- Prevent your network from accessing any command-and-control servers being used by the ransomware.
Back up your system regularly
There is no solution more effective and foolproof than backing up your precious data regularly and verifying that the backups can actually be restored. A lot of the recent ransomware encrypts data files, shadow copies, and Windows system restore points. In effect, it blocks all methods of partially restoring your data following an attack. It is paramount that you store the backups on a different system – one that is updated regularly and is inaccessible from the network. This way, at least the entirety of your data is not lost.
Review system permissions
This practice carries a lot of weight, since it can make all the difference between a ransomware attack taking hold and its impact being contained.
It is always an astute idea to remove any local administrative rights. This effectively deters ransomware from affecting local systems, thereby stopping the spread of the attack. If you’re wondering why local admin rights matter so much, it’s because ransomware relies heavily on them.
They provide the requisite level of power to alter system directories and files along with system storage and registries. When you remove the local admin rights, you are effectively blocking access to all the important system files and resources that the ransomware might choose to encrypt.
You must restrict users’ write permissions and prevent execution from user directories. Applications should not be whitelisted without prior approval. You also need to limit access to network shares and storage. Some types of ransomware need write access to specific file paths in order to install or execute. When you limit write permission to a few directories, you prevent those ransomware variants from carrying out their actions successfully.
You can even block potential ransomware executables by removing execution permission for those directories. Many organizations rely on a specific set of applications for business purposes; a whitelist-only policy for those apps prevents the execution of anything that has not been whitelisted, ransomware included.
One other permission practice that can stop ransomware and prevent its spread is restricting logins and access from various access points, like mapped and local drives.
Keep your software well maintained and updated
One of the most essential rules for shielding your system, as well as detecting ransomware early, is to ensure that all software on your machines is kept fully updated and consistently maintained. Pay particular attention to anti-malware and security software.
Protect against corrupt emails
Always filter your email properly; this considerably reduces the possibility of a successful ransomware attack on your system. The fewer spam or malware-laden emails employees receive, the lower the chance of infection. Another significant step is to block attachments, which lowers the attack surface. Most of the time, ransomware is delivered to you as an executable attachment.
The most prevalent formats include MS Office files that come with .zip files and macros that are either executable themselves or hold executable files. Your organization should therefore have a policy whereby such attachments cannot be sent via email. Even if an employee does send one, the email security filter will automatically remove it.
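The attachment policy described above, as an added example that is not part of the original post: a small mail-gateway check that parses an inbound message and flags executable or archive attachments and Office documents that carry a VBA macro project. The blocked-extension list and the sample message are constructed here for illustration; the helper names are not from any product mentioned in the article.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as executable or archive content (constructed policy list, not from the article).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".zip"}
# Modern Office files are zip containers; a macro-enabled one carries a vbaProject.bin part.
OFFICE_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def office_has_macros(data: bytes) -> bool:
    """Return True if an OOXML document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes):
    """Return the policy reason to strip this attachment, or None if it may pass."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    if ext in OFFICE_EXTENSIONS and office_has_macros(data):
        return "Office document with macros"
    return None

def scan_message(raw: bytes):
    """Parse a raw mail message and list (filename, reason) for every attachment to strip."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "unnamed"
        reason = classify_attachment(filename, part.get_payload(decode=True) or b"")
        if reason:
            findings.append((filename, reason))
    return findings

def build_sample_message() -> bytes:
    """Constructed test mail: a benign PDF, a macro-enabled Word file and a zip archive."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # marks the document as macro-enabled
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(docm.getvalue(), maintype="application", subtype="octet-stream", filename="Invoice.docm")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="scan.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` passes the PDF and reports the macro-enabled document and the zip archive as the two attachments to strip.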
Make use of smart patch management
A centralized patch management process protects machines throughout the organization and closes vulnerabilities as new patches become available. What this means is that businesses need to move beyond conventional compliance and adopt a more proactive stance if they do not want their vulnerabilities to be exploited.
Secure the network
While securing your entire company network can prove difficult, it is not impossible. Start by implementing robust blacklisting within the organization; it will prevent web-based downloads of malware and deny ransomware any opportunity to connect to its command-and-control server. A firewall is useful for restricting or entirely blocking the remote desktop protocol (RDP) along with other management services at the network level. You should also enable spam detection features, like spam lists, so that compromised emails never reach users’ inboxes. Another option is to limit the kinds of file extensions that can be delivered as an email attachment.
The number of ransomware attacks is only going to increase as time goes by. And though government organizations and law enforcement agencies work together to handle this problem in a somewhat thorough manner, the best thing a company can do at this point is to put up its shields to mitigate ransomware attacks.
Photo credit: Pixabay
3 thoughts on “7 best practices to prevent and mitigate ransomware attacks”
All the advice is valid as part of multi-layered security strategies to prevent ransomware. Patch management, network security is of great importance to companies.
However, when it comes to ransomware it is weird no direct ransomware defenses were mentioned…antivirus, anti-ransomware are not presented in the article although they play a decisive role in ransomware protection.
Ultimately, there is ransomware that can bypass all the mentioned defenses here, so that is why anti-ransomware technology should have a top position in any such article.
Nice comments, Calin. Nice feedback. Valid points. My focus is on bringing the lesser-known aspects to the surface. Anti-ransomware software is on the top of many enterprise purchase lists, but the idea is to have a wholesome approach, and not just depend on a product to keep ransomware at bay. OK, have a wonderful day.
OK. Let me throw my two cents’ worth into this mix. What I have seen of this process is that often the servers the virus reports to are out of this country. I recently discovered that our WatchGuard firewall has an app that can be purchased that will allow you to block any country from getting in or out of our network. I have not gone farther with this as of yet, but I am sure it is a monthly fee-based service. Now I know that some companies need access to places around the world, and those can be whitelisted, but the vast majority of us do not. This could be a major advantage in stopping a lot of, not only this crime, but a lot of major intrusions into our networks.