
Effective Ways to Mitigate Ransomware Attacks


Cyberattacks pose one of the most significant threats in the modern age, especially as technology becomes deeply woven into our daily lives. While the impact and sophistication of these attacks vary, ransomware stands out as the most menacing among them. In a ransomware attack, cybercriminals maliciously encrypt their victims’ data and demand a ransom payment to decrypt it. Anyone can be a target, from the average internet user to a large tech company to even the critical infrastructure of a nation-state. Cybercriminals have realized the potential of these attacks, and they work tirelessly to increase their sophistication and resistance to traditional security controls. Given the growing threat these attacks pose, implementing a detailed mitigation plan to protect against them is no longer an option but an absolute necessity. This article will explain ransomware attacks and the many actionable steps you can take to protect your business against them.

How Ransomware Works

Unlike other malware that attempts to steal information or conduct fraud, ransomware is designed to encrypt sensitive information and make it unavailable until a payment is sent to the cybercriminal (typically in the form of cryptocurrency). This encryption can make it extremely difficult, if not impossible, for businesses to function. Therefore, victims usually end up paying the ransom, making these attacks particularly lucrative for cybercriminals.

Ransomware typically enters a business via malicious email attachments or links that users are socially engineered into clicking. Once the user clicks on them, the malware exploits existing vulnerabilities to gain a foothold within the network and encrypt the data. Another technique is infecting an existing, legitimate website with malicious software that gets silently downloaded when the user visits, a form of attack known as a “drive-by download.” No matter the technique used, ransomware can be highly disruptive, with attacks like WannaCry and Ryuk demonstrating the extent of the damage they can do. In addition, cybercriminals can customize them to target specific industries, which can result in even more focused and effective attacks.

Ransomware services have also cropped up on the dark web, with cybercriminals offering buyers Ransomware-as-a-Service (RaaS) models. Here, individuals can purchase readymade attacks backed by guarantees and customer support. More dangerously, ransomware has become a cyberweapon in the hands of nation-states that have used it to target their enemies’ critical infrastructure. The recent Russia-Ukraine conflict is a prime example of this type of malware being weaponized. The scale and sophistication of these attacks are only expected to increase with time.

Mitigation Techniques Against Ransomware

Having delved into ransomware and how it works, let us examine key mitigation strategies to guard against it. This is not an exhaustive list, given the ever-changing nature of the threat, but is intended to serve as a foundational guide.

Risk Assessments

This is an essential step, yet often ignored: conducting a detailed risk assessment of the environment to check its vulnerability against ransomware attacks. Ransomware is a multifaceted problem, and starting with a thorough risk assessment enables companies to get a holistic view of the environment and where threats might emerge. This also helps prioritize critical areas and focus efforts to maximize return on security investment.

Backups

The most effective control against ransomware is having a proper backup strategy in place. A well-prepared and tested backup will enable ransomware victims to revert their data to a state prior to the attack, allowing them to easily restart operations. However, there are some key points to keep in mind:

  • Periodic Backups: Backups must be regular and aligned with the criticality of the data. An industry best practice is the 3-2-1 rule, which calls for three copies of the data, stored on two different storage media, with one copy kept offsite. We suggest the additional step of testing your backups quarterly. This ensures that ransomware cannot compromise all copies of your information.

  • Cloud/Offsite backups: Cybercriminals are fully aware of mitigation techniques, and train ransomware to actively look for backups to compromise. Backups should be “air-gapped” and stored on a different network, preferably on the cloud, without any connection to the primary network. This will ensure they remain unaffected by an attack.

  • Immutability: Companies can also consider implementing immutable backups, which cannot be altered or changed in any way once they are made. This makes them especially effective against ransomware attacks, as they cannot be erased, modified, or encrypted.
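As an added example (not code from the article or its author), a small Python audit that applies the backup guidance above to a constructed inventory: the 3-2-1 rule, an air-gapped offsite copy, an immutable copy, and a restore test within the last quarter. The inventory records, their field names, and the 91-day definition of a quarter are assumptions.

```python
from datetime import date, timedelta

QUARTER = timedelta(days=91)  # assumed meaning of "quarterly" restore testing

# Constructed sample inventory: one record per stored copy of a dataset.
INVENTORY = [
    {"dataset": "erp-db", "medium": "disk", "offsite": False, "air_gapped": False,
     "immutable": False, "last_restore_test": date(2024, 5, 2)},
    {"dataset": "erp-db", "medium": "tape", "offsite": True, "air_gapped": True,
     "immutable": True, "last_restore_test": date(2024, 5, 2)},
    {"dataset": "erp-db", "medium": "cloud", "offsite": True, "air_gapped": True,
     "immutable": True, "last_restore_test": date(2024, 5, 2)},
    {"dataset": "fileshare", "medium": "disk", "offsite": False, "air_gapped": False,
     "immutable": False, "last_restore_test": date(2023, 11, 1)},
    {"dataset": "fileshare", "medium": "disk", "offsite": False, "air_gapped": False,
     "immutable": False, "last_restore_test": None},
]

def check_dataset(copies, today):
    """Return findings for one dataset's copies; an empty list means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (3-2-1 needs three)")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("all copies on one storage medium (3-2-1 needs two)")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy (3-2-1 needs one)")
    # The article wants the offsite copy air-gapped from the primary network.
    if not any(c["offsite"] and c["air_gapped"] for c in copies):
        findings.append("no air-gapped offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable copy")
    tests = [c["last_restore_test"] for c in copies if c["last_restore_test"]]
    if not tests or today - max(tests) > QUARTER:
        findings.append("restore test missing or older than a quarter")
    return findings

def audit(inventory, today):
    """Group copies by dataset and return {dataset: findings}."""
    by_dataset = {}
    for c in inventory:
        by_dataset.setdefault(c["dataset"], []).append(c)
    return {ds: check_dataset(cs, today) for ds, cs in by_dataset.items()}

def audit_sample():
    return audit(INVENTORY, date(2024, 6, 15))  # audit as of a fixed, constructed date

if __name__ == "__main__":
    for ds, findings in audit_sample().items():
        print(ds, "OK" if not findings else "; ".join(findings))
```

Running it reports the "erp-db" dataset as compliant and lists every gap for "fileshare", which has only two same-medium onsite copies and no recent restore test.
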

Patch and Vulnerability Management

Ransomware often gains a foothold within a network by exploiting a vulnerability in the underlying operating system or software. To ensure that these potential entry points are closed off, companies must regularly patch and manage vulnerabilities throughout their lifecycle.

Anti-malware and Threat Protection

Anti-malware tools are a useful way to protect against known attacks. Endpoint Detection and Response (EDR) solutions are another method; these use advanced techniques to detect more sophisticated variants. Other tools, such as email protection, can prevent malicious links and attachments from reaching users. By implementing a layered technical defense, companies can thwart cybercriminals more easily.

Whitelisting

An effective way to protect against ransomware is to only allow approved applications to run on a system. This list of approved applications is known as a whitelist and prevents any unauthorized software (like ransomware) from being executed. However, it should be noted that this is not suited for dynamic environments, given the overhead required to maintain the whitelist.

Training and Awareness

The users of a business are a major weak point, as they are susceptible to social engineering—a common way that ransomware enters an environment. To prevent this risk, users must be trained on the common types of attacks and how to recognize them. Standard training might not be sufficient, though. It should be complemented by regular drills that simulate ransomware attacks, giving an opportunity to assess how the staff responds. This allows the company to see if their awareness is working and where improvements are needed.

Robust Identity Controls

Strengthening controls around identities can significantly hinder ransomware. Some of the essential controls to consider are:

  • Multi-factor Authentication (MFA): An additional layer of authentication along with passwords is a security best practice. It stops bad actors from taking over user identities, and also serves as a mitigant even if the user is socially engineered and falls victim to a phishing attack.

  • Control over administrative users, such as implementing Privileged Identity Management (PIM) solutions, ensures that these powerful privileges cannot be abused. It also enforces the concept of least privilege.

Network Segmentation

Segmenting a network based on the criticality of the systems is a security best practice that helps to protect against ransomware. By breaking the network into separate segments and implementing controls like firewalls and IDS/IPS between them, ransomware can be contained to stop it from infecting other systems. This reduces the “blast radius” of the attack.

Zero Trust Architecture

A traditional network is based on the concept of implicit trust following the principle of “trust but verify”. Zero Trust works differently, aiming for improved security. As the name implies, a Zero Trust approach assumes that no device or user can be trusted, and every request must be verified before being granted access. Implementing Zero Trust principles prevents attacks like ransomware from laterally moving across the network and infecting other systems. The Zero Trust engine verifies each request against a baseline of previous behavior, enabling it to detect and decline malicious requests.

Threat Intelligence

Ransomware is a constantly evolving threat, so cybersecurity teams must subscribe to threat intelligence feeds to stay updated on new methods and emerging variants. Companies can collaborate to share information about attacks and what best practices they have implemented based on shared experience. Adopting a collaborative approach ensures that the entire industry benefits from this information.

Incident Response

An incident response plan dedicated to ransomware is a must, given the damage a successful attack can do. Such incidents are high-pressure scenarios; a company must respond rapidly and contain the attack before it spreads.

Some of the critical areas that must be covered in the plan include:

  • Defined playbooks for isolating systems, informing stakeholders, and resuming operations.

  • Communication plans that cover both internal communication (so that employees do not panic) and external communication (so that public perception of the incident is managed, and stakeholders are not alarmed).

  • Regular testing of the plan to ensure it is working; lessons should be incorporated for a constant improvement loop.

It is also crucial to consider what to do in a worst-case scenario. If attempts to prevent or recover from ransomware fail, a business must decide whether to pay the ransom. Paying is generally not advisable, as the cybercriminals could simply take the money without decrypting the data. Even so, depending on how much downtime and lost revenue a business can tolerate, this may be a risk worth taking.

Conclusion

Information is power today, and cybercriminals have realized the benefit of holding this information hostage. Ransomware poses a severe threat to companies worldwide, but there are ways to stand against it. By implementing the strategies in this article, businesses can develop a comprehensive strategy to protect against the threat of ransomware. It is important to remember that ransomware is not just a technical problem, but a business one that directly impacts functions and the bottom line, making it even more serious. By adopting a robust defense based on human awareness and technical controls, companies can face these threats head-on, stay operational, and keep their data safe.

Thank you for trusting us to help with your cybersecurity needs. Contact us any time – we’re always happy to help.

Adam 

Meet the Author
Adam Burke is Quest's Vice President of Sales and Partnerships.