How to prevent ransomware

Ransomware poses a continually growing threat, but organizations can significantly decrease their vulnerability by implementing effective security practices. These include maintaining regular software updates, frequently backing up important data, and providing comprehensive email security training to users.

Ransomware refers to a malicious form of software, or malware, that seizes files and data, holding them hostage until a ransom is paid. Typically, this is achieved by encrypting the files and data, with the attacker retaining the encryption key. Ransomware can infiltrate a network through various means, such as malicious emails, exploiting vulnerabilities, or piggybacking on other malware infections.

While it is impossible to completely eradicate the risk of ransomware infiltrating a network, following the steps outlined below can significantly mitigate the chances of an attack.

Update software regularly

Ransomware often infiltrates and propagates through networks by taking advantage of weaknesses found in outdated software. These vulnerabilities represent flaws in the software that can be exploited for malicious purposes. To address these vulnerabilities, software vendors frequently release updates or patches. Neglecting to regularly update operating systems and applications is akin to leaving the front door of a house unlocked, essentially inviting burglars to enter without resistance.

An illustrative case occurred in May 2017 when the infamous WannaCry ransomware utilized the “EternalBlue” vulnerability to infect over 200,000 computers, despite Microsoft having previously issued a patch for that particular vulnerability.

Once ransomware gains access to a network, it further exploits vulnerabilities to expand its reach. For example, Maze ransomware actively scans for vulnerabilities within a network, utilizing them to infect as many machines as possible.

To effectively prevent ransomware attacks, among other types of security breaches, it is crucial to update software regularly. By doing so, vulnerabilities are patched, effectively securing the front door and thwarting potential criminals or ransomware attackers from gaining unauthorized entry.

Use two-factor authentication (2FA)

Ransomware attacks often originate from phishing campaigns, where attackers acquire user credentials (username and password) and exploit them to infiltrate and navigate through a network. Alternatively, some ransomware attackers employ a method of trial and error by attempting to utilize default credentials, hoping to discover a server or network that employs those credentials for unauthorized access. (This technique has been observed in Maze attacks.)

To enhance security in user authentication, two-factor authentication (2FA) is a recommended approach. 2FA involves verifying an additional factor, such as a hardware token possessed exclusively by the legitimate user. Consequently, even if an attacker succeeds in pilfering a username and password combination, they are still unable to gain entry into the network.

Keep internal email secure

Ransomware attacks employ diverse techniques to infiltrate devices and networks, with email remaining a highly favored method. A significant number of ransomware attacks initiate through phishing attacks, spear phishing attacks, or the utilization of trojans concealed within malicious email attachments.

Email security encompasses two crucial aspects:

1. Filtering emails and email attachments originating from untrusted sources.
2. Educating users to refrain from clicking on links, downloading, or opening attachments from emails that may pose potential risks.

Implement endpoint security

Endpoint security refers to the measures taken to safeguard devices such as laptops, desktop computers, tablets, and smartphones against malicious attacks. The protection of endpoints involves the following key components:

• Anti-malware software plays a crucial role in identifying and isolating ransomware present on devices. By effectively quarantining infected devices, it prevents the malware from spreading further. Furthermore, certain ransomware attacks exploit existing malware infections, such as the Ryuk ransomware, which often gains access to networks through devices already compromised by TrickBot malware. Anti-malware software helps in eliminating these infections before they pave the way for ransomware. However, once ransomware is activated and files and data are already encrypted, anti-malware software provides limited assistance.

• Application control is instrumental in preventing users from installing counterfeit or attacker-compromised applications that may contain ransomware. By blocking the installation of these malicious applications, it acts as a preventive measure against ransomware attacks.

• Although hard disk encryption does not directly impede ransomware, it remains a critical aspect of endpoint security. It serves as a deterrent against unauthorized parties attempting to steal data by making it inaccessible without the appropriate encryption keys.

To delve deeper into the topic of endpoint security, you can find additional information by following this link.

Back up files and data

Backing up files and data on a regular basis is widely recognized as a crucial step to safeguard against potential ransomware attacks. By having reliable backups in place, organizations can avoid the need to pay a ransom or start from scratch to rebuild their entire IT infrastructure, as they can restore their data from the backups.

While it’s important to note that backing up data alone doesn’t prevent ransomware attacks, it plays a pivotal role in facilitating a swift recovery in case of an attack. Nevertheless, it’s essential to ensure that the backup system is securely partitioned from the rest of the network to prevent potential infections from spreading to the backups.

Use a Zero Trust model

Many organizations traditionally view their networks as castles fortified by moats, employing defensive measures like firewalls and intrusion prevention systems (IPS) to ward off potential attackers, much like moats protected castles in medieval times.

However, relying solely on this castle-and-moat mentality leaves organizations highly susceptible to ransomware attacks. The reality is that attackers frequently find ways to breach the network perimeter, rendering it ineffective. Once inside, they have unfettered access to infect and encrypt the entire network.

A more effective approach to network security is embracing the concept of Zero Trust, which acknowledges the presence of threats both inside and outside the castle walls. Zero Trust security models enforce stringent access controls and treat every person and machine with skepticism by default, including those within the network perimeter. Through continuous monitoring and regular re-authentication of users and devices, Zero Trust can swiftly block the spread of ransomware by revoking network and application access at the first sign of an infection. Additionally, Zero Trust adheres to the principle of “least privilege” for access control, making it arduous for ransomware to escalate its privileges and gain control over the network.

Toffs One represents a Zero Trust network-as-a-service (NaaS) platform that integrates security and networking services. This platform enables secure connections among remote users, offices, and data centers, following the secure access service edge (SASE) model.

To delve deeper into the topic of ransomware, you can explore these articles:

• What is ransomware?
• What is Maze ransomware?
• What was the WannaCry ransomware attack?
• What is Ryuk ransomware?