A mid-year cyber threat report reveals that there has been a dip in the number of ransomware attacks in 2022 so far. However, this is seen as a temporary relief. A significant part of this decrease is attributed to the changes in major ransomware-as-a-service groups like Conti and LockBit 2.0, and they are expected to bolster their attacks again in the very near future.
To prepare for the ramped-up assault from ransomware perpetrators, enterprises, which happen to be top targets, need to be prepared. It is important to reevaluate existing protection and strengthen defenses. The following pointers should be useful.
Observe best practices
Ransomware is already a common problem affecting organizations of all kinds and sizes. As such, best practices in fending off attacks should already be integrated as part of the standard security posture. These include the following.
- Continuous data backups – Ransomware is effectively rendered futile if it fails to achieve its key goal of denying the victim access to their own files because of the availability of backup copies. Why will the victim pay the ransom if they can easily recover their data from the backup? It is crucial to always have continuously updated backups. However, these backup copies should not be created through simple file synchronization between on-prem and cloud storage. This approach may end up copying the corrupted or encrypted files as backups in the process.
- Security patching – Another important ransomware defense measure is the prompt patching of cybersecurity software tools. Security solutions are regularly updated in response to new developments in the cyber threat landscape to update their ability to detect and prevent new attacks. Failing to promptly patch security tools can create a significant weakness in ransomware defense. Security updates should be applied as soon as possible.
- Strict user authentication measures – For ransomware to infect files, it needs to gain access to them. This can be prevented by imposing strict user authentication whenever file access is requested. Services like RDP are favorite attack points for threat actors because they can gain access by using stolen credentials. With strong user authentication, attackers cannot readily gain access even if they manage to guess the correct password or steal login credentials.
- Zero trust and the least privilege principles – In connection with strong user authentication, it is advisable to never assume that a request for file or resource access is legitimate because of the origin of the request or the user involved. Likewise, it is sound policy to never grant more privileges than what is needed to accomplish a specific task. Again, file encryption only happens if the ransomware manages to access files, so it is important to limit opportunities for the ransomware to penetrate the network or system.
- Network segmentation – This will not prevent ransomware attacks, but it is a critical step in making sure that an infection is contained. Dividing networks into multiple segments with their respective security controls helps isolate an attack and makes it easier to remediate and reduce disruption.
- Email security – Emails play a big role in the spread of ransomware. Until now, many still have the habit of clicking links or downloading attachments they find in their email inboxes. Ensuring solid email security is a significant step in controlling the spread of ransomware and preventing other kinds of malware from infecting devices and networks.
Control attack surfaces
Attack surfaces are points through which attacks penetrate. These include workstations, websites, or pages that accept submissions (file attachments from visitors in particular), and various digital devices connected to the network. These attack surfaces, however, are not only used for the introduction of the ransomware executable to a device, system, or network. They can also be used by threat actors to undertake recon ops, gain access to certain services, or elevate privileges.
To control attack surfaces, it is important to have formidable endpoint security, especially for organizations that regularly allow non-insiders to access their network. Endpoint security usually includes antivirus and malware protection, web browser security, data loss prevention (DLP) solutions, mobile security, real-time security alerts and notifications, as well as network assessments for security teams.
Conduct continuous security testing
No cybersecurity system can ever be foolproof. There will always be malfunctions, dysfunctions, or moments of unreliability every once in a while. This is why frequent or preferably continuous security validation is important.
While most ransomware attacks tend to happen during the night or over the weekends, the reality is that ransomware perpetrators can strike anytime. Also, it takes only a few seconds for the ransomware file, which can be anywhere from 1 MB to 4 MB in size, to infect its target. These few seconds could spell the difference between protection and disaster.
Provide adequate cybersecurity education or training
The people in an organization are risk factors in the spread of ransomware. The more ignorant they are about ransomware, the more likely it is for them to unwittingly aid the installation of the malicious software.
The solution for this is education or adequate training on the dangers of ransomware and the ways to prevent or help contain them. The reality about existing cybersecurity training leaves much to be desired, though. It is not difficult to provide cybersecurity orientations or training, but the effectiveness of such is not guaranteed.
A survey by employee training company TalentLMS reveals that nearly 7 out of 10 employees received cybersecurity training from their employers. However, when they were made to take a basic cybersecurity quiz, around 61 percent of them failed. These are clearly disappointing numbers, and they do not bode well with the ability of employees to become useful agents against ransomware attacks.
It is important to emphasize adequate cybersecurity training preferably with unannounced evaluations. People should cease to be the weakest link in the cybersecurity chain. Everyone has a role to play to combat ransomware.
Never pay the ransom
Lastly, organizations need to stop making ransomware profitable for cybercriminals. The reason ransomware attacks continue to be a threat is the fact that many are paying the ransom, against the advice of authorities. If all ransomware victims refuse to pay, at least one major motivation for perpetrators to continue attacking disappears.
Also, it is essential to bear in mind that paying the ransom does not guarantee quick recovery. In the case of the Colonial Pipeline ransomware attack, for example, the company reportedly paid the ransom worth nearly five million in bitcoins. However, this turned out to be a mistake, as Colonial received a slow-paced decryption software in return. They had to resort to using their own backup to expedite the recovery process.
Ransomware attacks are unlikely to stop becoming one of the biggest cyber threats worldwide. Organizations need to be ready to stop them or deal with the consequences of a successful attack. Data backups are not going to be enough as a solution. Organizations need a holistic approach, which includes steps undertaken before an attack happens and measures designed to contain an attack and mitigate its adverse impact. Moreover, it is important to be part of the broader solution by not paying the ransom and making ransomware a less attractive option for cybercriminals.