What You Need to Know About Preventing Ransomware Attacks
Here’s a scenario I want you to picture: you’re sitting at your desk, trying to open your company’s financial documents to verify that some expense was logged correctly. You open your file browser (Finder on a Mac, File Explorer on Windows) and look for the file you want. When you try to open it, you get an error that the file is unreadable and cannot be opened. Suddenly, a pop-up appears on your screen saying:
“Your files have been locked.
If you want to access them,
send five thousand bucks…”
This message means your business has become the victim of a ransomware attack: your data is being held hostage until you pay up. Unfortunately, paying the ransom does not guarantee that the attacker will hand over the decryption key you need to get your files back, nor that they won’t simply re-encrypt them later for more money.
Consumer ransomware detections declined over the last year according to data cited in a report by Malwarebytes, but ransomware remains a significant cybersecurity threat that can cripple a business, and the business-side trend runs the other way. As the report notes: “Both January and February were especially low for consumer ransomware detections—specifically, a 35 percent drop. Meanwhile, business detections have increased by 28 percent from the previous quarter.”
The best solution for dealing with this particular cyber threat is to prevent ransomware attacks from happening in the first place—or to apply ransomware protection solutions that can limit the potential impact of a ransomware attack.
With this in mind, here is how to prevent ransomware attacks from damaging your business:
Preventing Ransomware Attacks Begins with Preparation
The first thing you need to do to avoid ransomware attacks is to start preparing for them. You never know when an attacker might strike, so it’s better to start making preparations as soon as possible.
Some of the key preparations you need to make include:
- Setting Up a Remote Data Backup Solution. Having a remote backup of your business’ most important data can mean the difference between feeling pressured to cave to a ransom demand and being able to laugh in an attacker’s proverbial face. With an intact, up-to-date backup of your important files, you can wipe the infected endpoints and restore them with minimal data loss, largely negating the attack. The backup only helps if the ransomware cannot reach it, though. Ransomware operators routinely delete or encrypt backups before triggering the payload, so keep at least one copy offline or in immutable storage, and do not let the credentials used on workstations or file servers have write or delete access to it.
- Setting Up an Incident Response Plan. It’s one thing to have a remote data backup to restore your corrupted or encrypted files from—it’s another thing altogether to actually put that data backup into use. Setting up an incident response plan (IRP) specific to a ransomware attack scenario is key for making sure that the backup solution is used effectively. This includes training employees to recognize ransomware attacks and setting specific roles and responsibilities for each person to follow in the event of a ransomware attack.
- Adding Strong Malware Protections. Preventing ransomware attacks also means having strong antimalware protections in place. At a minimum, a firewall should separate your internal network from the internet and limit the services you expose, such as remote desktop, which is one of the most common footholds attackers use to deploy ransomware. Network segmentation (so one infected workstation cannot reach every file share), endpoint malware detection, and a regular security patch management schedule all further reduce the chance that an external ransomware attack succeeds or spreads.
- Train Employees in Cybersecurity Best Practices. The best antimalware protections in the world and a robust cybersecurity architecture won’t mean a thing if employees are inadvertently giving out the keys to the proverbial kingdom every time they turn on one of their workstations. Attackers are constantly refining their attack strategies to trick your own employees into downloading malware—including ransomware—via their email clients or by setting up fake websites that are filled with links to their malware. Training employees to recognize phishing emails and fake websites that are filled with malware links, as well as other ransomware tips for end users, can be the key to preventing ransomware attacks from succeeding.
- Testing Your Ransomware Protections. Every now and again, it’s important to test the ransomware protections that your company uses to thwart an attack. During the middle of trying to recover from a ransomware attack is probably the worst time to find out that your data backup is corrupted or otherwise unusable. So, one of the best strategies for preventing ransomware attacks is to routinely test the protections you use to prevent or recover from them. This can help to identify single points of failure or other issues so you can fix them before ransomware hits.
Ransomware Protection and Recovery Objectives
When choosing a remote data backup solution, be sure to consider its recovery time objective (RTO) and recovery point objective (RPO). The RTO is the maximum time it should take to restore your data and get systems back in service; the shorter, the better. The RPO is the maximum amount of data, measured in time, that you can afford to lose, and it is bounded by how often the backup runs: a backup taken every hour gives an RPO of one hour, so at most one hour of work is lost when you restore from it.
However, not every business needs (or can support the expense of) a remote data backup solution that has RPOs and RTOs measured in mere minutes. When choosing a remote data backup solution, consider how quickly you really need to recover from a ransomware attack and how much data you are likely to lose if your recovery point is measured in minutes, hours, or days.
Businesses with numerous transactions per hour are more likely to need a faster recovery time and more recent recovery point, whereas businesses that use their network more for record-keeping purposes might not need to splurge on such fast and frequent backup solutions.
Also, when estimating your RTO, include the time it will take to replace or completely reimage the network assets that were compromised, and to reset any credentials the attacker may have captured. Simply restoring the data won’t be enough if the ransomware is still on the asset or the attacker can still log in.
For example, say your backup solution had an RTO of 15 minutes to download a complete backup to your network. That 15-minute RTO won’t mean a thing if there isn’t a clean database or production environment to download that data to. To ensure business continuity when fast recovery is a must, it may be necessary to either set up a spare data center that can take over for the primary one if it is hit with ransomware, or to contract a cloud computing service that can provide computing resources on demand.
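Testing the backup, as the preparation list above recommends, and checking it against your RPO can both be automated. The following is an added example (not code from the original post or from any backup product) that verifies a backup set against a SHA-256 manifest written at backup time and checks the backup’s age against a 24-hour RPO; the file names, contents and timestamps are constructed for illustration. It assumes the manifest is stored somewhere the ransomware cannot rewrite, such as the immutable copy, since a manifest that sits beside the data can simply be regenerated by the attacker.

```python
"""
Verify a backup set against a SHA-256 manifest and check its age against the
recovery point objective (RPO). Added example: files, manifest and timestamps
are constructed inline and are not taken from any real backup product.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: str, manifest_path: str, taken_at: datetime) -> None:
    """Record when the backup was taken and the hash of every file in it."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = sha256_file(full)
    with open(manifest_path, "w") as f:
        json.dump({"taken_at": taken_at.isoformat(), "files": entries}, f)


def verify_backup(backup_dir: str, manifest_path: str, rpo: timedelta, now=None) -> dict:
    """Compare the backup on disk with its manifest and report integrity and RPO status."""
    now = now or datetime.now(timezone.utc)
    with open(manifest_path) as f:
        manifest = json.load(f)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    missing, corrupt = [], []
    for rel, expected in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            missing.append(rel)
        elif sha256_file(full) != expected:
            corrupt.append(rel)
    return {
        "age_seconds": age.total_seconds(),
        "rpo_met": age <= rpo,
        "missing": missing,
        "corrupt": corrupt,
        "restorable": not missing and not corrupt,
    }


def demo(tamper: bool = True, hours_old: float = 30) -> dict:
    """Build a constructed backup, optionally damage it the way ransomware would, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(backup)
        # Constructed sample files standing in for the business data being protected.
        for name, data in {"ledger.csv": b"id,amount\n1,42\n", "notes.txt": b"ok\n"}.items():
            with open(os.path.join(backup, name), "wb") as f:
                f.write(data)
        taken = datetime(2024, 1, 1, tzinfo=timezone.utc)
        manifest = os.path.join(tmp, "manifest.json")
        write_manifest(backup, manifest, taken)
        if tamper:
            # Simulate ransomware that overwrote one backup member and deleted another.
            with open(os.path.join(backup, "ledger.csv"), "wb") as f:
                f.write(b"ENCRYPTED")
            os.remove(os.path.join(backup, "notes.txt"))
        return verify_backup(backup, manifest, rpo=timedelta(hours=24),
                             now=taken + timedelta(hours=hours_old))


if __name__ == "__main__":
    print(demo())
```

Run the check from a clean restore host rather than on the backup server itself, and treat a failed verification as an incident: a backup that cannot be verified should not count toward your RTO.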
Learning from Past Attacks to Avoid Ransomware Attacks in the Future
One strategy for preventing ransomware attacks is to study past attacks—both those against your own organization and those made against others in your industry. Why study attacks made against other organizations? Part of the reason is that it helps you learn about the different types of ransomware that are out there and which ones are the most likely to be leveraged against your organization.
For example, in the Malwarebytes report, there are three primary types of ransomware examined: GandCrab, Scarabey, and Hermes. Some of these threats are actually derivatives of older ransomware threats. According to the report, “Scarab, first discovered in June 2017, returned with yet another variant in December 2018 called Scarabey.” The report noted many similarities, as well as a few differences that may have been intended to make the new threat less recognizable to antimalware programs.
By studying past attacks, you can learn how they’re carried out, which helps you eliminate the specific weaknesses those attacks exploit. It can also tell you what a given ransomware program can and cannot do. For example, Scarabey threatens victims with the deletion of encrypted data over time, but, as noted in the Malwarebytes report: “there’s nothing in the ransomware’s code that would allow this. It’s just a pressure-filled ruse designed to panic victims into paying faster.” Knowing this, a Scarabey victim could disregard the deadline and take the time to recover properly. The caveat is that such findings apply to the specific sample that was analyzed; a later variant may behave differently, so confirm against current analysis before relying on it.
One useful tool for studying attacks against your own organization is security information and event management (SIEM) software. A SIEM collects logs from endpoints, servers, and network devices and correlates them, so it can record how past attacks unfolded: where they originated, which accounts and hosts were involved, and what the malware did. That forensic detail can be used to prepare for the next attack and to identify the specific gaps in your cybersecurity architecture that let this one get as far as it did, so you can close them before another attacker finds them. The same platform can also alert in real time on behaviour typical of ransomware, such as one account rewriting many files with a new extension in a short window.
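As an added example (not from the original post or any SIEM product), here is a minimal correlation rule of the kind a SIEM would run, applied to constructed file-audit log lines: it alerts when one user renames several files to a new extension within a short window, or creates a file whose name looks like a ransom note. The log format, the thresholds and the file names are assumptions made for the example.

```python
"""
Toy ransomware-behaviour detector over file-audit log lines, in the spirit of
a SIEM correlation rule. Added example: the log format, thresholds and sample
lines are constructed for illustration and do not come from any real product.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> host=<h> user=<u> op=<RENAME|CREATE> src=<path> dst=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S*) dst=(?P<dst>\S*)$"
)
# File names that look like the notes ransomware drops next to encrypted data.
RANSOM_NOTE_RE = re.compile(r"(readme|recover|decrypt|how_to|restore).*\.(txt|html|hta)$", re.I)
RENAME_THRESHOLD = 5            # distinct files given a new extension by one user...
WINDOW = timedelta(seconds=60)  # ...inside this sliding window raises an alert


def parse(line: str):
    """Return the event fields, or None for a line that is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Return (timestamp, user, reason) alerts for ransomware-like activity."""
    alerts = []
    recent = defaultdict(deque)  # user -> (timestamp, source path) of extension-changing renames
    already_alerted = set()      # one mass-rename alert per user, to avoid flooding the console
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["op"] == "CREATE" and RANSOM_NOTE_RE.search(os.path.basename(ev["dst"])):
            alerts.append((ts, user, f"ransom-note-like file created: {ev['dst']}"))
        if ev["op"] == "RENAME":
            src_ext = os.path.splitext(ev["src"])[1].lower()
            dst_ext = os.path.splitext(ev["dst"])[1].lower()
            if dst_ext and src_ext != dst_ext:
                q = recent[user]
                q.append((ts, ev["src"]))
                while q and ts - q[0][0] > WINDOW:  # drop events that fell out of the window
                    q.popleft()
                distinct = {path for _, path in q}
                if len(distinct) >= RENAME_THRESHOLD and user not in already_alerted:
                    already_alerted.add(user)
                    alerts.append((ts, user,
                                   f"{len(distinct)} files re-extensioned to {dst_ext} within {WINDOW.seconds}s"))
    return alerts


# Constructed sample log: bob does ordinary work, alice's account mass-renames files and drops a note.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 host=ws-17 user=bob op=RENAME src=/share/draft.tmp dst=/share/draft.docx",
    "2024-03-01T09:00:01 host=ws-17 user=bob op=CREATE src= dst=/share/q1_report.xlsx",
    "2024-03-01T09:05:00 host=ws-04 user=alice op=RENAME src=/share/finance/jan.xlsx dst=/share/finance/jan.xlsx.locked",
    "2024-03-01T09:05:01 host=ws-04 user=alice op=RENAME src=/share/finance/feb.xlsx dst=/share/finance/feb.xlsx.locked",
    "2024-03-01T09:05:01 host=ws-04 user=alice op=RENAME src=/share/finance/mar.xlsx dst=/share/finance/mar.xlsx.locked",
    "2024-03-01T09:05:02 host=ws-04 user=alice op=RENAME src=/share/hr/payroll.docx dst=/share/hr/payroll.docx.locked",
    "this line is not in the expected format and is skipped",
    "2024-03-01T09:05:03 host=ws-04 user=alice op=RENAME src=/share/hr/contracts.pdf dst=/share/hr/contracts.pdf.locked",
    "2024-03-01T09:05:04 host=ws-04 user=alice op=CREATE src= dst=/share/hr/HOW_TO_RECOVER_FILES.txt",
]

if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT user={user}: {reason}")
```

A production rule would draw on the audit events your file servers and endpoints already emit, and would add signals this toy omits, such as writes to planted honeyfiles or deletion of volume shadow copies; the structure, a per-account sliding window over extension changes plus a name-based note check, is the same.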
Key Takeaways: The “TL;DR” Version
This post has been a little long-winded. So, to sum up the above information, preventing ransomware attacks requires:
- A good deal of preparation—including setting up anti-malware solutions and data backup tools, training employees in using those tools and recognizing ransomware attacks, and frequent testing of ransomware protections.
- Consideration of RTOs and RPOs for recovering from a ransomware attack—including the time necessary to reformat affected systems or to spin up a spare production server or database to take over for the compromised asset—and comparing them to your business’ actual needs.
- Careful study of past attack strategies and patterns—both against your own organization and others in your industry—so you can close security gaps before someone else exploits them.
Need help preventing ransomware attacks against your organization? Contact us to learn more about security architecture implementation, or download our Cybersecurity Basics guide at the link below: