How to Reduce the Risk of Ransomware?

Ransomware is today one of the most significant cybersecurity risks. It has become harder to defend against as attacks have grown more targeted, combining unpatched vulnerabilities with malvertising, phishing, social engineering and other effective vectors.

Ransomware operators have become sophisticated enough to obtain extremely sensitive information about a target, even the level of cyber-insurance cover the company has in place. They also recruit insiders to gain access to a computer or network so that a payload can be delivered.

The hardest part of a ransomware attack is gaining access to a secured system; the malicious software itself is easy to obtain. Ready-made ransomware-as-a-service kits are sold on the dark web, so criminals with no programming knowledge can run a lucrative campaign with a few clicks and some tenacity.

The following combination of defence mechanisms will reduce the risk of ransomware.

Have a restorable offline backup

The most crucial line of defence against ransomware, and also the easiest, is a verified, restorable backup. Test restores from it frequently: a backup you cannot restore from is pointless. The backup must also be unreachable from the production environment. Once it has been taken, it should be air-gapped from the connected environment (or held on immutable storage) so that neither insiders nor outsiders can modify or delete it, and access to it is granted only when a restore is actually required. This zero-trust stance towards the backup is what keeps it intact. In far too many of the incidents we respond to, the attackers used their remote access to delete the backups before the ransomware payload was delivered.

Once you are confident that you have a restorable, verified, unreachable backup, you can take the next steps. A reliable backup that will be available after a ransomware attack but that attackers cannot reach is the first step in ransomware defence; without it, the chances of a graceful recovery are slim.
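The restore test described above, as an added example (this is not code from the article or from Enhalo). It assumes the backup job writes a tar.gz archive and separately records a manifest of SHA-256 digests that is kept offline with the backup copy; the verification job restores the archive into a fresh scratch directory and diffs it against that manifest. The sample files and the "tampered archive" are constructed inline for the demo.

```python
"""Restore-and-verify test for a backup archive.

Added example; not code from the original article or from Enhalo.
Assumed workflow: the backup job writes a tar.gz archive and separately
records a manifest of SHA-256 digests (kept offline, with the archive's
copy on immutable or air-gapped storage). The verification job restores
the archive into a fresh scratch directory and diffs it against that
manifest, reporting files that are missing, unexpected or modified.
All sample files below are constructed for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write src into a tar.gz archive; return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(src / rel), arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> dict:
    """Restore into a throwaway directory and compare with the trusted manifest."""
    # The 'data' extraction filter (Python 3.12+, backported to 3.8.17/3.9.17/
    # 3.10.12/3.11.4) refuses absolute paths and '../' traversal in the archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **extract_opts)
        restored = build_manifest(dest)
    expected, actual = set(manifest), set(restored)
    return {
        "missing": sorted(expected - actual),
        "extra": sorted(actual - expected),
        "modified": sorted(p for p in expected & actual
                           if manifest[p] != restored[p]),
    }


def verified(report: dict) -> bool:
    """True only when the restore reproduced the manifest exactly."""
    return not any(report.values())


def demo() -> dict:
    """Run a clean verification, then one against a silently altered archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        # Constructed sample data, not real records.
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "readme.txt").write_text("quarterly close\n")

        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)          # manifest is stored offline
        clean = restore_and_verify(archive, manifest)

        # Simulate an attacker with write access to the backup store replacing
        # the archive: one file altered, one deleted, one added. The offline
        # manifest still describes the original, so the restore test catches it.
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,0.00\n")
        (src / "readme.txt").unlink()
        (src / "ransom_note.txt").write_text("pay up\n")
        make_backup(src, archive)
        tampered = restore_and_verify(archive, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping the manifest off the backup store is that an attacker who can rewrite the archive cannot also rewrite the digests the restore test checks against; a manifest stored next to the archive would be replaced along with it.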

Ensure that your endpoints and servers are isolated

On a flat network, where every machine can talk to every other, lateral movement from machine to machine is easy. To limit the damage, create firebreaks: network segments that confine each machine to its own small network, governed by rules that define which traffic and routes are allowed. This controls the lateral movement of user data and of malware such as ransomware alike. The strategy works on many types of networks, including on-premises networks, the home networks of remote workers and cloud networks, and the blocked connection attempts between segments also give organisations a signal for detecting malware and ransomware.

It is of particular benefit for wireless networks, which are especially challenging to protect. Take a look at Airgap.io: this team has developed an effective methodology to manage lateral movement.

Scan all your emails

Over half of ransomware attacks enter an organisation through email. At the time of writing, the built-in Office 365 email scanning is not enough on its own to stop ransomware, and organisations that rely on it alone get infected regardless of the protection they believe they have.

Organisations need a solution that limits the execution of any malicious link emailed to users. Several systems remove links from emails, allowing only whitelisted ones to remain, and install an agent on the machine that opens the remaining links in a sandbox.

When every link could compromise security and every attachment could deliver a payload, this may sound like mission impossible, but there is hope.

Most ransomware cannot yet easily break out of a sandbox, and it can be detected and neutralised if scanned with effective tools. Mainstream anti-malware technology is often ineffective because the perpetrators have access to the same products and test their payloads against them before release.

Built-in protections such as those in O365 email are rudimentary at best and will leave your organisation vulnerable unless used in conjunction with a more advanced anti-malware solution. Rewriting links, whitelisting the URLs users can click on and robust attachment scanning are acknowledged threat-protection approaches.
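The link rewriting and URL whitelisting just described, as an added example (this is not code from the article or from Office 365, HP Sure Click or any other product mentioned on this page). It assumes an organisation-maintained host allowlist (ALLOWED_HOSTS), a hypothetical click-time gateway (GATEWAY) that opens non-allowlisted links in a sandbox, and a constructed sample message; the same host check is what a web proxy would apply when whitelisting business sites.

```python
"""Click-time link rewriting with a host allowlist for inbound e-mail.

Added example; not code from the original article or from Office 365,
HP Sure Click or any other product the article mentions. Assumptions: the
organisation maintains ALLOWED_HOSTS; every other link is rewritten to a
hypothetical click-time gateway (GATEWAY) that opens the original URL in a
sandbox; the sample message is constructed for the demo.
"""
import re
from email import message_from_string, policy
from urllib.parse import quote, urlsplit

ALLOWED_HOSTS = {"intranet.example.com", "sharepoint.com"}   # assumed policy
GATEWAY = "https://safelinks.example.com/check?u="           # hypothetical

# Bare http(s) URLs in text and inside href="..." attributes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_allowed(url: str) -> bool:
    """Exact host match or a subdomain of an allowed host.

    Suffix matching is anchored on a dot, so evilsharepoint.com and
    sharepoint.com.attacker.net are both rejected.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def rewrite_url(url: str) -> str:
    """Leave allowlisted links alone; wrap everything else in the gateway."""
    return url if host_allowed(url) else GATEWAY + quote(url, safe="")


def rewrite_text(text: str):
    """Return (rewritten text, list of original URLs that were wrapped)."""
    wrapped = []

    def repl(m):
        original = m.group(0)
        new = rewrite_url(original)
        if new != original:
            wrapped.append(original)
        return new

    return URL_RE.sub(repl, text), wrapped


def rewrite_message(raw: str):
    """Rewrite links in every text/plain and text/html part of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    wrapped = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body, hits = rewrite_text(part.get_content())
            part.set_content(body, subtype=part.get_content_subtype())
            wrapped.extend(hits)
    return msg, wrapped


# Constructed sample: a lure that mixes internal links with a look-alike host.
SAMPLE_RAW = """\
From: invoices@billing-portal.example.net
To: staff@example.com
Subject: Q3 invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Review the invoice at https://intranet.example.com/invoices/Q3
or download it from http://evilsharepoint.com/Q3.zip and see
https://finance.sharepoint.com/sites/fin/Q3 before Friday.
--b1
Content-Type: text/html; charset="utf-8"

<p>Review <a href="https://intranet.example.com/invoices/Q3">the invoice</a>
or <a href="http://evilsharepoint.com/Q3.zip">download it</a>.</p>
--b1--
"""


def demo() -> dict:
    """Rewrite the sample and return the wrapped URLs plus the new bodies."""
    msg, wrapped = rewrite_message(SAMPLE_RAW)
    bodies = {p.get_content_type(): p.get_content()
              for p in msg.walk() if not p.is_multipart()}
    return {"wrapped": wrapped,
            "plain": bodies["text/plain"], "html": bodies["text/html"]}


if __name__ == "__main__":
    result = demo()
    print("wrapped:", result["wrapped"])
    print(result["plain"])
```

Two details matter in practice: the allowlist match is anchored on a dot so that look-alike registrations such as evilsharepoint.com are not treated as sharepoint.com, and the original URL is percent-encoded whole before being appended to the gateway so that its own query string cannot smuggle parameters into the gateway request.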

Secure your web traffic

A user receives a targeted email, clicks a link and lands on a web page that either downloads the malware automatically or persuades the user to do so. Allowing unrestricted access to the internet is like allowing a child to run around New York alone at night.

A better approach is to whitelist only business-related sites and allow access to them only once they have been vetted. The best alternative is HP Sure Click Enterprise, which opens links in an isolated sandbox environment. This shields the device and the network from infection: it is like opening a brand-new laptop every time you reboot.

Ransomware has not yet been able to escape this sandbox, and it will be a while before attackers bother to work out how, as there are many easier targets.

Limit admin account access

Administrator accounts allow unrestricted access to a system, so limiting or even removing administrator privileges is an effective way to restrict what an attacker who compromises a user account can do. Running day-to-day work with the lowest privileges possible slows an intrusion down and makes incidents easier to detect.

Quickly patch all that you can

One of the most common ways for ransomware to spread is for a worm to exploit a vulnerability. Ironically, most of these vulnerabilities are well known and already have patches available.

Because attackers have development frameworks on par with those of commercial software companies, they quickly adapt their code to exploit the latest vulnerability. We saw this with the Hafnium threat actor group leveraging Exchange Server zero-days in early 2021.

As a result, vulnerabilities are exploited before they are patched, since many companies are slow at deploying patches, often taking days or weeks.

Cybercriminals are always "sweeping to find a hole", and when they find one they establish a strong foothold and come back when they are ready to deliver the payload. Often the access is traded on the dark web for cryptocurrency, or simply parked until they have found the most effective way to take down the target.

This isn’t a game – it’s a business

Ransomware is estimated to have grown into a $500-million industry, netting large sums with every attack. Because it is so lucrative, malware groups now develop robust attack suites and sell them as a service.

Cryptocurrency makes it easier to get paid and payments harder to trace, which makes it difficult for law enforcement agencies to catch and prosecute cybercriminals. It's a cat-and-mouse game, with business as the mouse.

Look out for our next article on building a robust incident response plan that, together with these steps, will help you to respond to a cyber-incident quickly and effectively.

Gerhard Conradie Co-Founder and Global Head of Solutions Architecture at Enhalo

Gerhard, Co-Founder and Global Head of Solutions Architecture, sees quality staff as the most important asset to any business, and believes that giving them the space to grow as much as they are willing and able to, motivates them to grow Enhalo as well.
