To this day, there remains to be no silver bullet or an all-encompassing solution to the ransomware threat. However, in the decade or so that ransomware has evolved from a nuisance to the thriving criminal business that it is today, the security world has since stepped up by developing tactics to counter its continuing surge.
This year, the rise of ransomware has also seen a significant shift from targeting home users to enterprises across different industries. Here are key steps to effectively lead your organization's defense against ransomware
Building a Shield: Preventing Ransomware from entering the system
As with any form of online threat, safeguarding entry points is key. Here is a security checklist for preventing ransomware from infecting the enterprise network:
Back up critical data regularly. Cybercriminals bank on the fear of losing one’s database of important files and documents to force victims to pay the ransom. Having a backup of your important files keeps potential damage to a minimum and takes the leverage held by cybercriminals out of the equation. A good backup strategy ensures that all critical data are kept in a secure location to allow the organization to easily get back on its feet in case of data loss.
Practice the 3-2-1 rule: create 3 backup copies on 2 different media with 1 backup offsite. Some ransomware variants have been known to go after backup data found on a shared network drive, which makes it important to set up a backup on a separate location, such as drives on a system that isn't connected to the company network.
Implement application whitelisting on your endpoints to block all unknown and unwanted applications. Behavior monitoring and application control are strategies that allow the security of businesses to remain intact even with attempts to infiltrate the system. Behavior monitoring keeps “anomalies” or unusual system activities at bay, while application control only allows a list of non-malicious routines, files, and processes to run on systems. This allows IT admins to determine which apps or programs are allowed to function and operation within the organization’s network.
Develop a security-oriented network segmentation plan. Strategically grouping assets and resources allows an IT admin to map where the data flows and who is granted access to them. Proper network segmentation prevents attacks from crippling the entire network.
Properly identify and categorize users and the networks they access. Segmenting user privileges and network traffic places an extra layer of protection on the organization’s most important data. By compartmentalizing areas of a network specific to a departments’ or a teams’ needs, any potential attacker will have limited access to resources, therefore curbing any form of infection. Using the least-privilege principle in assigning user profiles makes it more difficult for perpetrators to gain administrative rights.
Educate users on the dangers and signs of social engineering. Educate users on good email and internet safety practices like downloading attachments, clicking URLs or executing programs only from trusted sources. It is also important to encourage users to alert the IT Security team in place of potentially suspicious emails and files.
Perform timely application of software patches from OS and third-party vendors. Unpatched applications and servers are often exploited as an entryway for pushing malware such as ransomware into a system. To counter this, regularly patch and update software. Carefully scrutinize your patching processes to identify and eliminate roadblocks in the timely rollout of necessary patches and updates. Virtual patching protects vulnerable servers from any ransomware threat even if related patches have not been rolled out for all servers and endpoints.
Ensure your security products are updated regularly and perform periodic scans. Regardless of the number of defenses built to protect the organization's networks, a cybercriminal only needs to find one crack to get in. Make sure that security solutions you have in place are updated, as outdated solution opens gateways for an attacker.
Stopping the Bleeding: Containing the damage
The entire process between an accidental click on a malicious link or a download of an infected file to the display of the ransom note could happen in minutes. However, this gap is crucial in identifying and containing a ransomware infection and keeping the damage it causes to a minimum. Here are some notes you should include in your security checklist:
Identify and isolate a compromised machine from the network. While ransomware behavior varies based on variants and families, a significant process in completing infection involves establishing communication to a command-and-control (C&C) server. Except for a handful of recent variants that forgo this process, a network connection is needed to receive commands from a server to complete its routines.
When an alert of any unusual behavior has been raised, IT admins should act fast to keep the infection isolated to as limited resources as possible. Once the infected machine has been identified, either by spotting telltale signs early on or once the ransom note is displayed, disconnect the infected machine from the network to prevent any attempts to propagate to other systems. If the need arises, shut down the network until the incident is controlled.
Establish a real-time incident response team. A real-time incident response team will monitor systems’ activity in an organization and receive notifications of anomalies alerted by users within the network. While user alerts could mean that the encryption process has already started, the IT response team could establish control of the incident and prevent an infection from spreading.
Encourage users to report and alert IT security team of any unusual system behavior. IT admins should proactively educate users connected to the organization’s network to keep a vigilant eye on signs that could indicate a compromise. Several physical signs of an ongoing ransomware infection stealthily happening in the background can manifest itself before it gets fully carried out.
A noticeable system slowdown could ultimately signal extra processes happening in the background. Awareness of these signs could give the IT response team enough time to control the situation.
Preventing the After-Shock: Recovering from the infection
Far from how it was portrayed in the past, all is not lost when ransomware infects a system. The key is to quickly spot, respond, and recover from the incident to keep damage to a minimum, and to avoid resorting to paying the ransom. Here's a checklist of things you can do after an infection:
Find available decryption tools. A wealth of free decryption tools that can detect and remove screen-locker ransomware and certain variants of crypto-ransomware are now readily available from different security vendors. These can be used to avoid having to pay for corresponding decryption keys.
Implement a comprehensive data backup and recovery plan. Developing a comprehensive backup and recovery plan ensures that an organization’s valuable data is intact even after cases of data loss, which isn't limited to ransomware infections. With this in place, the organization will be able to easily get back on its feet and resume operations.
Conduct post-incident analysis of the infection. Once the incident has been properly dealt with, investigate and scope the breadth and magnitude of the infection. More importantly, analyze the source of the infection to identify vulnerabilities and system weaknesses that should be addressed to prevent recurrence.
In different cases, a sandbox analysis of the ransomware in question could help determine the malware's behavior. This could also be used to identify Indicators of Compromise—from its capabilities, routines, and tactics employed—that would improve detection and develop ways to prevent future incidents.
The rapid development of ransomware—with updated variants and families introduced almost daily—shows that cybercriminals see this as a lucrative form of attack. A multi-layered approach to security is vital in ensuring that all possible entry points are well-defended from ransomware.
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting infected by ransomware:
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.