10 Tips for Preventing Ransomware Attacks
You’re already working long hours. Covid-19 is not letting up and your team is running on empty. Now you need to mitigate yet another virus of a different kind. Preventing ransomware attacks and mitigating their extreme financial impacts (an average of $8,500/hour of downtime) is essential. The following best practices can help your IT and healthcare administrators protect your systems.
1. Back up your systems.
Ensure that you are backing up all systems with important data or applications. Ideally, you should have (a) a local backup, (b) a remote backup, and (c) a cloud backup. These backups should use at least two different technologies / backup systems. It should not be possible to access the backup systems directly from the very systems being backed up. Make sure that a compromised workstation does not have the ability to compromise your backup systems. The backups should not be just “copies of data on a shared drive,” for example. For extremely important data, offline backups are critical. There is no way for malware to corrupt backups that are not connected to any computers!
Periodic testing ensures that your backups are actually working. However, it is important to realize that restoration from backups can be costly. Consider the amount of effort it would take to restore a system from backup. If you have many systems and they are all impacted at the same time, ask yourself whether the restoration process would be feasible from a “how long will it take” point of view? You might not be able to improve the restore time, but you may be able to reduce the number of systems that could be affected at once via isolation (see #6, below).
2. Archive your email.
For maximum resilience against impact during a cyberattack, use a third-party SaaS solution to archive your email. Email archival is a critical form of backup: all inbound and outbound email is streamed in real-time to “archival servers” which keep easily accessible email copies available indefinitely. When ransomware strikes and renders “in house” systems inaccessible, archived email managed by a third-party SaaS provider is likely to remain intact and available for essential business needs.
3. Outsource to Software-as-a-Service (SaaS) providers when possible.
Outsource to lower the potential impact an attack can have on your operations. When a ransomware attack impacts your systems, a large number of your servers may quickly become unusable. Software-as-a-Service solutions provide boundaries between your systems and the SaaS providers’ systems. As a result, when your internal systems are down or under attack, SaaS systems will remain up and your data and applications available.
4. Invest in really good email filtering.
A majority of ransomware attacks gain their initial foothold in an organization through malicious email messages. Indeed 90% of malware comes through email. Basic employee training can mitigate this to an extent; however, stopping most malicious emails from reaching your employees greatly lowers the risk that such emails are opened and your systems are infiltrated. Filtering reduces risk due to human error.
5. Keep your infrastructure up to date.
It is critical that your IT team routinely updates all workstations, servers, printers, IoT devices, routers, and other devices that exist in your organization’s infrastructure. While there are attacks that leverage unknown vulnerabilities in systems (zero-day attacks), most attacks leverage software issues for which preventative updates have already been released. Keeping your devices up-to-date greatly lowers your risk of a successful cyberattack.
6. Maximize system isolation.
Segment your network into parts that do not need to communicate directly. If many of your company’s devices can easily communicate with each other via the same network, then if one of them is compromised, every other device will also be compromised. Because wide-open corporate networks are convenient and simple, they are employed very frequently. This is risky. Instead of joining up everything with site-to-site VPNs, make VPN access a privilege that is granted only as needed and monitor it closely. On the extreme, if you do not use an any kind of open central corporate network and file share, your vulnerability to a ransomware attack can be quite small.
As you review your company’s systems, consider this question: “What other devices can this device see …and therefore…compromise?” Then work on inserting barriers so that if you are compromised, the impact of the attack will be limited through isolation and your recovery time will thus be less.
7. Choose SaaS providers that implement isolation.
Choose a SaaS provider who will put your instance of its application and data in a segmented, isolated, dedicated “cloud within a cloud.” Providers that architect their systems as a “big shared cloud” may risk wide-spread impact from a single ransomware infection if they are compromised. Insulate yourself to a large degree from being collateral damage of an attack on the provider or its other customers by choosing SaaS providers that enable you to isolate yourself from their other customers. This can be very important for security, reliability, and business continuity.
Consider using a provider that is aligned with the Zero Trust framework to limit the attack surface by keeping your data completely isolated and segmented from other customers.
8. Turn off services and devices that you do not need.
Every device and application that runs on your organization’s network increases your risk, by increasing the number of ways that an attacker could compromise your systems. Follow a best practice by turning off and removing devices that are no longer needed and remove software and applications that you do not use from servers. Additionally, always keep a full and up-to-date inventory of all software applications and systems. IT should approve all existing and new devices and applications and keep their software and firmware updated (see #5).
For example: does your company use “RDP” for “Remote Desktop?” If not, turn if off now because flaws in RDP are a common vector for ransomware attack and attack spread. If you do use RDP, make sure your systems are updated, consider limiting what has access to RDP, and never make RDP accessible directly from the public internet.
9. Keep tight control on which vendors you use.
It’s common for a company to use multiple different service providers for file storage and sharing, document editing, email, human resources, video meetings, chat, etc. Specify exactly which vendors are to be used by your organization and which are not to be used and make everyone aware of the difference. This enables you to: (a) ensure good vendor choices are made, and (b) prevent people from falling prey to phishing email messages that are related to other vendors. If your company never uses Google Docs, then no one should fall prey to a phishing email involving Google Docs. Clarity and restricted choices improve security.
10. Show hidden file extensions.
These days, workstations do not always display the full name of files that are downloaded. For example, if you download a file called “document.pdf.exe” it may be shown simply as “document.pdf.” Ensure that full files names are always shown in workstations to make such subterfuge visible. This protects against employees downloading and opening malicious files that are masquerading as PDFs or images, but are actually programs that can compromise your system when opened.
Following the above 10 tips will go a long way to protecting your organization against ransomware and minimize the impact of ransomware in the event of an attack. Ideally, these tips should slot into your organization’s information security program.
The security landscape is changing very rapidly. In the absence of a proactive program, dedicated resources, strict oversight, and implementation of best practices, the risk of your company falling victim to a successful attack is high.