How to prevent ransomware attacks
The rise of ransomware attacks has been astonishing.
The ransomware business has picked up,
carrying out attacks aggressively
and relentlessly over the past decade.
And business is good; cybercriminals are making thousands,
if not millions, of dollars from ransom payments every year.
According to a recent ransomware survey,
there were 4,399 ransomware attacks in 2023,
representing an increase from 2022, where 2,581 attacks were reported.
The survey predicts that companies are more likely to be
the target of ransomware attacks in 2024
and beyond since the trend of ransomware attacks
and ransom payments nearly doubled in 2023.
Seeing as this threat shows no signs of stopping,
the question shouldn’t be “if” but “when”:
When your company falls prey to this kind of malicious attack,
will you be ready?
The thing with ransomware is that once it has hit,
the targeted system is never the same.
Ransomware is nearly impossible to remove,
and it tends to be detected only after the fact
(some of the signs are a lagging system,
changes in file names or locations, data loss,
indistinct file encryption,
or an explicit announcement by the attacker).
That’s why we say it is better to be safe than sorry,
or in this case, better to be prepared than sorry.
Prevention is key.
The greater your understanding of these attacks,
the better you can make your defense.
For starters, let’s review the ways ransomware is delivered.
How is ransomware delivered?
Good question. Ransomware, like other malware,
is delivered through an entry point that is exploited
to gain access to the target system,
facilitating the next stages of the attack.
Cybercriminals know that a sophisticated,
well-structured method of delivering ransomware can lead
to a successful and crippling attack,
and that’s why they spend time refining techniques
to distribute malicious software.
The most prevalent tactic is phishing.
This type of social engineering is an attacker’s
bread-and-butter because they know that emails,
SMS and other types of messages are accessed
by the greater part of the world.
Phishing messages
are disguised as coming from legitimate sources,
for example, banks, credit card companies,
and even family or colleagues,
and contain malicious attachments or links that,
when clicked, force the download and installation of ransomware.
Spear phishing, smishing, vishing,
and whaling are among the forms of phishing
that we all should be aware of.
Another tactic used by malicious actors
is the Remote Desktop Protocol (RDP) attack.
RDP,
which is pre-installed in all current Windows operating systems,
is used by many remote workers who need
to connect to their organization’s servers
in order to perform their duties.
Cybercriminals see RDP as an easy entry point.
Whether by exploiting security vulnerabilities
(which RDP is prone to), password cracking,
or credential-stuffing,
attackers gain remote access to the target system
and can deploy ransomware there with payment instructions.
RDP ransomware attacks have increased since working remotely
became necessary during COVID-19 restrictions
and a popular choice for companies
to hire around-the-world employees.
A tactic in which a person browses through a website
and an unsolicited download occurs is called a drive-by download.
Attackers use websites to install malicious software
or redirect visitors to web pages they control,
leaving the user open to cyberattacks like ransomware.
This type of strategy is an ominous threat
because it can be executed even without
the victim’s consent or knowledge.
Exploit kits can be used in this tactic
to provide the attackers with information on unpatched or outdated apps,
web browsers or plugins.
More examples of ransomware delivery techniques
are malvertising (or malicious advertising,
is a tactic that attempts to spread malware via online advertisements),
software piracy (unlicensed and usually free programs,
apps, movies, games, or other software that can contain malware),
and removable media (USBs and external hard drives can be easily
used to infect anything they are connected to).
Ransomware prevention best practices
Preventing ransomware attacks from occurring in the first place
is the strongest defense against them.
A well-built defensive strategy can help mitigate
or completely prevent a ransomware attack.
Many websites provide checklists or information on this matter,
including CISA (the Cybersecurity & Infrastructure Security Agency)
which came up with a guide
for companies to be better prepared against these attacks.
We’ve also compiled here what we consider
the best practices to build a robust prevention strategy:
-
Maintain offline and encrypted backups: Regularly back up critical data
and store these backups offline.
A step further is to encrypt them,
making them unreadable if ever breached.
Test the restoration procedure of the backups frequently
to ensure they are functional.
This step ensures the organization has a clean copy
to restore from in case of data encryption or elimination by attackers. -
Create an incident response plan (IRP): An IRP includes policies
and procedures to manage a ransomware attack.
It should provide detailed instructions for internal
and external communication, outline ways to contain
or stop the attack from spreading to other networks,
and describe responding protocols to different scenarios
and steps to recover data and restore systems.
A hard copy of the plan should be on hand for anyone
with access to company devices
and should remain offline so only intended personnel know about it.
It should also be constantly updated and regularly tested. -
Implement a zero trust model: Prevent unauthorized access
and limit user privileges, granting only the required permissions.
This reduces the potential damages if attackers gain access
to a user account. -
Carry out continuous vulnerability assessment: To reduce
the attack surface, frequent vulnerability scanning should be performed
with tools that are linked to lists like
CVE or CWE in order to
identify recent or known threats.
This can be part of a vulnerability management solution,
which should involve ethical hackers
to perform penetration testing.
Ethical hackers have a deep understanding of vulnerabilities
and know how to exploit them.
As part of their assessments,
they should provide reports on exploitation scenarios
and remediation suggestions.
Fixing the identified vulnerabilities
(especially those of higher severity) should be done ASAP,
as they are constantly being sought out by threat actors.
Vulnerability assessment and management
are key in a prevention plan. -
Patch and update software constantly: Apply the latest updates
to servers, operating systems and any internet-facing application.
These updates often contain security patches that fix vulnerabilities
that could be exploited by cybercriminals. -
Separate networks logically: Network segmentation helps contain
a ransomware attack to a section or sections
by controlling access or limiting lateral movement. -
Disable macros in Microsoft Office: Consider disabling macros
for Microsoft Office files received via email,
as these can be used to deliver ransomware. -
Implement password policies: Set rules that outline
how employees should create, use, and manage the passwords
they need to access company systems and data. -
Enable multi-factor authentication (MFA): Require identification
from users with more than just a username and a password.
MFA uses multiple verification steps,
which adds an extra layer of security that protects systems
against unauthorized or unwelcome people.
Implement MFA to access corporate resources like applications,
email accounts, VPNs and databases.
Authentication methods like entering
codes received in phone calls or SMS texts,
push notifications from authenticator apps,
or biometrics such as fingerprints
are convenient security options to use as an MFA. -
Use intrusion detection systems (IDS): An IDS is a monitoring tool
that checks on network traffic for signs of suspicious activity
or irregular behavior that could indicate an attack.
An IDS can detect command-and-control activity
and unknown or potentially harmful activity
that happens before ransomware deployment. -
Provide security awareness training: Educate employees
about the dangers and risks in the cyberworld.
Provide training on things like malware attacks
(including ransomware), phishing scams, suspicious attachments,
brute-force attacks and other tactics.
Teach employees how to recognize possible threats
and to report them; also reinforce the importance of adhering
to security policies and procedures.
Social engineering awareness
Companies should invest in social engineering awareness
because educating employees about the manipulation techniques
used by attackers reduces the risk of falling victim to one of them.
Malicious actors know that the weakest link in a company
is its employees since they can be persuaded, pushed, tricked,
or in any way manipulated into giving out information
that can compromise the company’s security.
Cybercriminals use strategies like baiting the employee
with something desirable, phishing emails that could exploit
the employee’s curiosity, pretexting pop-up windows
or ads that target the employee,
and creating false identities to collect credentials,
among many other techniques.
Investing in cybersecurity assessments and training employees
to recognize red flags is a great way to foster a culture of security
that can significantly reduce a company’s odds of a ransomware attack.
The power of proactive defense
As we talked about in a previous blog post,
ransomware attacks have been,
are and will be a tremendous threat in the cyber world we live and work in.
By adopting a proactive mindset and implementing security measures
like those mentioned above,
organizations can reinforce their systems against ransomware attacks.
They also entail staying informed about emerging threats
and investing in cybersecurity.
Fluid Attacks offers continuous application security testing
as a comprehensive solution to guard
against exploitable vulnerabilities.
One of our solutions is vulnerability management,
which uses automated scanning software
and ethical hacking,
helping you better handle issues
that may arise when developing software.
Our ethical hackers are certified professionals
who continuously work to find cybersecurity risks
in your systems and are skillful
in discovering zero-day vulnerabilities as they emerge.
This allows your organization to maintain a strong security posture.
All the information we find will be available
to you on our platform,
where we provide you with each vulnerability’s particulars
like severity, location, status and remediation suggestions.
Vulnerability management is just one
of the solutions we provide within
our Continuous Hacking
Advanced plan.
Find more of our application security solutions here
and build a layered security approach for your organization.
We’re a click away.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Wendy Rodriguez. Read the original post at: https://fluidattacks.com/blog/ransomware-prevention/