
10 best practices to prevent ransomware attacks


Overview

Ransomware, a type of malicious software that blocks access to computer systems and data, is one of the most common adverse cyber events. Read on to learn more about ransomware and how to prevent it from disrupting your operations. Want to learn more about Ransomware Insurance? Read more here.

What is a ransomware attack?

Ransomware is a type of malware attack that restricts access to computer systems, files, and networks. Cybercriminals launch ransomware attacks by deploying malicious software via emails, links, and attachments. After gaining access to an organization's network, they can deploy the ransomware itself, which encrypts devices and files, rendering them inaccessible to users. The hackers then hold all systems and data hostage until a ransom is paid.

Ransomware threatens businesses across all industries. In a recent example, financial technology provider NCR suffered a ransomware attack that left 100,000 restaurant customers without access to back-office payment tools and gift card functions.

Ransomware attacks are dangerous because they put businesses at the attacker’s mercy. What’s more, cybercriminals don’t always restore access after receiving payment. As a result, the FBI discourages businesses from making ransom payments.

The amount of ransom hackers expect is often based on the size of the company and the industry it operates in. For example, cybercriminals demanded $70 million in bitcoin from IT provider Kaseya after a ransomware attack. Separately, hackers hit German chemical distributor Brenntag with a $7.5 million ransom.

What are the 10 tips to prevent a ransomware attack?

Ransomware attacks are ubiquitous and expensive to remediate. While you can’t prevent bad actors from targeting your business with ransomware, you can use these tips to protect against it:

1. Turn on multi-factor authentication

2. Run security awareness training 

3. Update vulnerable servers

4. Use strong passwords 

5. Implement endpoint detection and response

6. Establish a regular patch cadence

7. Implement secure remote access 

8. Prioritize account maintenance 

9. Maintain backups

10. Use attack surface monitoring

Best practices for preventing a ransomware attack

Unfortunately, there isn’t a silver bullet for preventing a ransomware attack. Threat actors constantly adjust their tactics and procedures to evade defenses — forcing businesses to use a variety of defense strategies to protect themselves. So, how do you prevent ransomware attacks? Follow this ransomware prevention checklist to start moving in the right direction.

1. Turn on multi-factor authentication

Ransomware attacks often start when threat actors gain access to user accounts or networks. Because of this, the best way to prevent a ransomware attack is to use multi-factor authentication (MFA), an identity verification strategy that requires users to present more than one authentication factor during a login attempt. With MFA in place, a threat actor must bypass multiple checkpoints to gain access. There are three main MFA methods: knowledge, possession, and inherence.

  • Knowledge-based MFA relies on facts that users know. Examples include passwords, personal identification numbers, and personal security questions — like a pet’s name or birthplace.

  • Possession-based MFA relies on something the user has, such as an employee’s phone. For example, a company might send a one-time password (OTP) via email or SMS. Companies may also grant access using software certificates or physical objects like USB security keys.

  • Inherence-based MFA grants access via unique identification factors, including facial recognition, fingerprints, and other biometric identifiers.

According to recent data, authenticator applications (e.g., Google Authenticator) are the most common type of MFA, with roughly 58% of companies using them. Less common methods include SMS codes (39%), OTPs (37%), hardware security keys (30%), and secondary email addresses (15%).
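To show how the authenticator-app codes mentioned above are actually produced and checked, here is an added example (not Coalition's code) of a minimal RFC 6238 TOTP generator and verifier in Python. It uses the RFC 6238 reference test key only so that the output can be verified offline; a real deployment would enrol a per-user secret.

```python
import base64
import hashlib
import hmac
import struct

# Assumed example, not Coalition's code: a minimal RFC 6238 TOTP generator and
# verifier, showing how an authenticator app (possession-based MFA) produces
# the six-digit codes that a login server checks. The secret below is the
# RFC 6238 reference test key, used here only so the output is verifiable.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"
STEP = 30     # seconds per code window
DIGITS = 6


def hotp(secret_b32: str, counter: int) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at_time: int) -> str:
    """Time-based code: HOTP over the current 30-second window (RFC 6238)."""
    return hotp(secret_b32, at_time // STEP)


def verify_totp(secret_b32: str, submitted: str, at_time: int, drift: int = 1) -> bool:
    """Accept the current window plus +/- `drift` neighbouring windows to tolerate
    clock skew, comparing in constant time so timing cannot leak the code."""
    current = at_time // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, c), submitted)
        for c in range(current - drift, current + drift + 1)
    )
```

The drift window is what lets a phone whose clock is a few seconds off still log in; widening it beyond one step weakens the "possession at this moment" guarantee.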

2. Run security awareness training

It’s common for threat actors to hide ransomware in places like email attachments and SMS links. In one example, Ireland’s Health Service Executive was hit with a ransomware attack when an unsuspecting end user opened an infected phishing email.

To ensure users know what hacking attempts look like, it’s imperative to run security awareness training on a regular basis, teaching employees about the threats the company faces, how to identify and prevent them, and where to go for help after an attack. These training sessions also serve as an opportunity to remind employees to watch out for inconsistencies in emails and to examine links and attachments before opening them.

3. Update vulnerable servers

In addition to targeting end users, cybercriminals also go after machines. For example, a recent ransomware campaign targets a common vulnerability in VMware servers; to date, at least 3,200 servers have been compromised. Prioritize scanning and updating servers with the latest security patches, especially for internet-exposed devices or services. When teams fall behind with patches, cybercriminals can easily discover vulnerabilities and infect machines with ransomware and other types of malware. 

4. Use strong passwords

Employees often opt for weak passwords out of convenience. While this may make it easier for an employee to remember their credentials, it also makes it easier for cybercriminals to penetrate accounts and deploy ransomware. In fact, one study links 30% of ransomware infections with weak passwords. For this reason, one of the most important ransomware prevention best practices is to enforce strong passwords. Never reuse passwords, and regularly update passwords for sensitive accounts. Security teams can also provide secure password managers and digital vaults to deter employees from storing credentials in insecure locations. 

5. Implement endpoint detection and response

Gone are the days when organizations defended one central network, which is sometimes referred to as the castle-and-moat model. Thanks to hybrid workforces, and organizations that must provide third parties with access to critical data, each endpoint — i.e., any device accessing your network — now serves as a gateway to private resources, making endpoints a focal point for cybercriminals. Security teams can take back control and reduce risk by using endpoint detection and response (EDR) solutions to continuously monitor devices and look out for suspicious system behavior. Endpoint detection systems block harmful activity and help IT teams remediate threats when they arise.

Unfortunately, cybercriminals have disabled EDR solutions on target systems before deploying ransomware and backdoors. While endpoint detection is still very effective for preventing ransomware, it’s best to use it as part of a layered defense strategy.

6. Establish a regular patch cadence

Ransomware groups sometimes exploit unpatched software and use it to target business users. As an example, the Buhti and IceFire ransomware groups are targeting unpatched IBM Aspera Faspex file exchange applications. To deny attackers this opening, security teams must implement a regular patch cadence to address software vulnerabilities and prevent threat actors from infiltrating enterprise systems. As a general rule, software patching should occur on a monthly basis. Many teams set specific days for patch rollouts, with deadlines for device updates. Another option is to patch on a rolling basis and deploy software updates throughout the month as they become available.

7. Implement secure remote access

Most companies are now fully or partially distributed, with people working on both private and public networks (e.g., at coffee shops and hotels). However, these third-party networks are often insecure. In some cases, hackers will even create fake Wi-Fi hotspots that appear legitimate to steal employee data and then pivot to a company network to launch a bigger attack. To protect against this, companies must extend security perimeters beyond their borders to accommodate on-the-go workers. Companies can enhance remote security by using virtual private networks (VPNs), which create secure, encrypted tunnels between employees and private resources. Many companies are also going beyond traditional VPNs and setting up Zero Trust network access (ZTNA) frameworks to provide secure remote access to applications and data using defined access control policies.

8. Prioritize account maintenance 

Companies today have an ever-growing number of user accounts, and attackers frequently target them to access private systems and applications. One of the most dangerous examples is a golden ticket attack, which gives a threat actor total control over a company’s Active Directory (AD). To avoid account takeovers, security teams must maintain account hygiene. This requires keeping an eye on user privileges and watching them for unexpected changes. It’s also necessary to review all accounts in AD and disable any that are no longer in use.

By being proactive about account maintenance, it becomes much easier to identify suspicious activity and prevent cybercriminals from exploiting dormant accounts.
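The two checks described above (find enabled accounts nobody has used, and catch unexpected privilege changes) can be scripted against a directory export. The following is an added example, not Coalition's code; the account records are constructed inline so it runs offline, where a real review would pull them from an LDAP query or a PowerShell export.

```python
from datetime import date, timedelta

# Assumed example, not Coalition's code: an account-hygiene review over a
# constructed directory export. Flags (1) enabled accounts with no logon in
# the last 90 days and (2) accounts that gained a privileged group since the
# previous snapshot. The group names and thresholds are assumptions.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
DORMANT_AFTER = timedelta(days=90)

# Constructed sample: two snapshots of the same accounts, taken a few days apart.
PREVIOUS = {
    "alice":   {"enabled": True,  "last_logon": "2024-05-01", "groups": {"Domain Users", "Domain Admins"}},
    "bob":     {"enabled": True,  "last_logon": "2024-01-10", "groups": {"Domain Users"}},
    "svc-old": {"enabled": True,  "last_logon": "2023-11-02", "groups": {"Domain Users"}},
    "carol":   {"enabled": True,  "last_logon": "2024-04-28", "groups": {"Domain Users"}},
}
CURRENT = {
    "alice":   {"enabled": True,  "last_logon": "2024-05-05", "groups": {"Domain Users", "Domain Admins"}},
    "bob":     {"enabled": True,  "last_logon": "2024-01-10", "groups": {"Domain Users"}},
    "svc-old": {"enabled": True,  "last_logon": "2023-11-02", "groups": {"Domain Users", "Domain Admins"}},
    "carol":   {"enabled": False, "last_logon": "2024-04-28", "groups": {"Domain Users"}},
}


def dormant_accounts(accounts: dict, today_iso: str) -> list:
    """Enabled accounts whose last logon is older than DORMANT_AFTER: candidates to disable."""
    today = date.fromisoformat(today_iso)
    return sorted(
        name for name, rec in accounts.items()
        if rec["enabled"] and today - date.fromisoformat(rec["last_logon"]) > DORMANT_AFTER
    )


def privilege_changes(previous: dict, current: dict) -> dict:
    """Accounts that gained membership in a privileged group since the last snapshot.
    An account absent from the previous snapshot is treated as having had no groups."""
    changes = {}
    for name, rec in current.items():
        before = previous.get(name, {}).get("groups", set())
        gained = (rec["groups"] - before) & PRIVILEGED_GROUPS
        if gained:
            changes[name] = gained
    return changes
```

In the constructed data the dormant service account "svc-old" is also the one that quietly gained Domain Admins, which is the pattern the text warns about: an unused account being repurposed by an attacker.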

9. Maintain backups 

Another way to protect your business from ransomware is to frequently back up your systems and your data. According to one study, 91% of organizations say they use backups to protect their databases.

During a ransomware attack, cybercriminals often attempt to encrypt both the main copy and the backup. You can protect against this by storing data offline in a secure environment, which shields information from attackers. On top of this, you should also test backups regularly by restoring files and attempting a full recovery. This way, your team can ensure that backup data is always in working condition.

Most companies tend to only test backup data when they need to and often find out the hard way that it isn’t accessible.
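A scheduled restore test needs something to compare the restored files against. The following added example (not Coalition's code) writes a SHA-256 manifest at backup time and checks a restored copy against it, so a backup that was reached and overwritten, or partly deleted, is caught during the test rather than during an incident. The sample files and the simulated tampering are constructed inside a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

# Assumed example, not Coalition's code: a restore test that compares restored
# files against a SHA-256 manifest written at backup time, so an encrypted,
# truncated or missing backup file is found before the backup is needed.


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file under root (relative path) to its SHA-256; run at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root: str, manifest: dict) -> dict:
    """Return {relative path: 'missing' | 'modified'} for files that fail the restore test."""
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif sha256_file(full) != expected:
            problems[rel] = "modified"
    return problems


def demo() -> tuple:
    """Constructed scenario: one intact backup and one that ransomware reached."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        os.makedirs(src)
        for name, body in (("ledger.csv", b"id,amount\n1,42\n"), ("notes.txt", b"keep me")):
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(src)                     # taken at backup time
        good = shutil.copytree(src, os.path.join(tmp, "backup-good"))
        hit = shutil.copytree(src, os.path.join(tmp, "backup-hit"))
        # Simulate the backup being reached: one file overwritten, one deleted.
        with open(os.path.join(hit, "ledger.csv"), "wb") as f:
            f.write(b"\x00not the original\x00")
        os.remove(os.path.join(hit, "notes.txt"))
        return verify_restore(good, manifest), verify_restore(hit, manifest)
```

The manifest must itself live with the offline copy, or be signed, since an attacker who can rewrite the backup can rewrite an unprotected manifest beside it.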

10. Use attack surface monitoring

The cybersecurity attack surface is becoming larger every day, with companies continuously adding new users, cloud services, and devices. At the same time, cyberthreats are increasing in size and sophistication. More than ever, security teams must automate attack surface monitoring to rapidly identify and address vulnerabilities. Coalition Control is a free automated scanning and monitoring tool that discovers organizational risk and explains how to fix vulnerabilities. Security teams can use Control to engage in ongoing monitoring from the outside in — gaining deeper visibility into your infrastructure, which makes it easier to avoid dangerous attacks.

Why must small businesses protect themselves from ransomware attacks?

Ransomware remains a popular method of attack for cybercriminals as malware becomes increasingly dangerous and easier to deploy. Making matters worse, the software is now evolving to attack Mac devices — a worrying trend that may accelerate in the coming months. Though their payouts are lower, ransomware gangs are still raking in profits from ransomware; according to the FBI, Conti ransomware payouts now exceed $150 million.

Add it all up, and small businesses and enterprises alike must take active measures to prevent, detect, and eliminate ransomware. A ransomware attack can occur at any time, bringing operations to a standstill and threatening an entire organization. Companies that avoid or delay forming ransomware strategies risk suffering substantial financial, operational, and reputational damage.


Protect your business with Coalition Active Cyber Insurance

At some point, cybercriminals will target your organization with ransomware — putting your team’s skills, knowledge, and communications to the test. Coalition’s Active Cyber protection policies cover up to $15 million in financial, tangible, and intangible business damage. With Coalition, you can protect your business from stolen funds, lost business income, breach response, computer replacement, cyber extortion, ransomware, and even bodily injury. Ready to protect your business against ransomware? Take a look at Coalition’s coverage options today.