How to Combat Ransomware to Stay Online

Recently we discussed the heavy cost of ransomware, both in the form astronomical ransoms that have been paid recently as well as the cost of dealing with the aftermath of an attack.  When it comes to most serious cyberattacks, a pound of prevention is worth a pound of cure.  The truth is that in most cases, ransomware attacks are not that difficult to prevent.  The list of security measures known to effectively combat ransomware are also prove effective in combating malware attacks in general.  Together, these implementations and configuration tasks listed below help to create a multi-faceted security strategy.

1. Develop a regular patching process
2. Email Security
3. Web Filtering
4. Least Security Privilege Enforcement
5. Use Best Practice Backup Strategies
6. Application White Listing

1. Develop a regular patching process

Many companies experienced disruptions to their critical operations as a result of one of the global ransomware attacks this past summer that took down so many organizations across the world.  Sadly, many of those companies could have prevented those attacks from completing their malicious deeds had they simply kept the patching of their computers up to date.  A patch was released by Microsoft four months prior to the first attack.  Patching operating systems, software, and firmware on all devices is imperative to combat zero-day exploits and attacks.  Even if malware is introduced into your network, proper patching will many times at least diminish the damage caused by it.

2. Email Security

Email continues to be the primary delivery method for ransomware.  According to an article in CSO magazine last year, 93% of all phishing email contained ransomware.  These cleverly worded emails are designed to entice and encourage users to click an embedded URL or open a malware-laced attachment.  Both of these actions result in the user’s device downloading a ransomware package from the Internet.  Once embedded within the device, the encryption malware starts conducting its dastardly deeds.  Email security constitutes more than just mere SPAM filtering.  An effective email security solution should be able to analyze emails attachments, embedded URLs, and identify unorthodox behavior that might indicate ransomware. It should have integrated antivirus components as well to strip malware-infected attachments.

3. Web Filtering

Web filtering constitutes far more than preventing users from accessing distasteful or offensive web content.  Proactive web filtering plays a vital role in protecting the network today from known deployment sites for malware and exploit kits. Modern day web filtering solutions today are designed to block known malicious sites as well as potentially dangerous sites such as parked sites or sites that change IP addresses often.  A web filtering gateway should also be integrated with an antivirus component as well to strip ransomware and other dangerous code from incoming web packets as many legitimate websites are compromised by hackers who then deposit malicious code to infect unsuspecting users.

4. Least Security Privilege Enforcement

Malware is installed using the credentials of the user that downloaded it.  Ransomware can only encrypt the files it has access to, which in the case of a high privilege admin account, could mean everything in the network.  Local users should never be allocated local admin privileges and IT staff should never use web or email services while logged on as an administrator.  Files should also be locked down in granular fashion so that the only users that have access are those who need it.  System administrators should segment their network by using VLANs to limit the scope of a malware infection that tries to proliferate throughout your enterprise.

5. Use Best Practice Backup Strategies

The one consolation for ransomware is that your data can be restored through a well-designed backup strategy in the event of an encryption attack.  This is the antidote of last resort, which means it must be protected at all cost.  Your backup servers should reside in a separate zone that is fully protected by the firewall, as backup systems are now a prime target of advanced ransomware strains.   You should also implement the classic 3-2-1 backup strategy.

• 3 copies of all your data
• Residing on at least 2 types of media
• Ensure that 1 copy is off site

6. Application White Listing

If your employees use a defined assortment of applications, then application white listing may be a viable solution.  Those enterprises that utilize devices running Windows Enterprise or Education versions of Windows 7, 8 and 10 can use AppLocker, which is an integrated component of Group Policy.  By configuring AppLocker policies, any application or executable that is not whitelisted is simply denied.  Essentially, it is the equivalent of deploying kiosk computers to all of your users.  Although this may seem like a rather extreme solution, more and more companies are turning to application whitelisting as a way to lock down their devices and terminate malware threats.

Cloud Availability Platforms

Many companies are also turning to the cloud in order to avoid costly disruptions to day-to-day operations.  One method is to utilize cloud based file synchronization solutions so that there are two active pools for data and digital services.  Just having multiple pools is not enough though without the ability to route users to these multiple locations.  That is why those who utilize the cloud need global load-balancing platform hosted in the cloud that can route, reroute traffic amongst multiple data center locations, and even cloud providers.  This is not an extreme solution; it is a solution that has come of age because of the cloud, allowing enterprise to achieve the degree of flexibility and agility that they seek.