Everyone wants to know how to protect against ransomware – 2021 is the year of ransomware! The Colonial Pipeline attack shut down a major oil distribution line and held it for ransom. Kaseya, a software vendor, was targeted with a $70 million ransom in bitcoin on July 5th (1). Both of these incidents and others are still ongoing, but shouldn’t the real focus be on how not to become the next headline?
The cybersecurity industry is robust and varied, with many elaborate platforms and tools that promise to protect against ransomware and everything else. Alluring technology, like machine learning and artificial intelligence, is touted to detect zero-days and other undetectables. Unfortunately, as well-intentioned as these tools are, a security program cannot reach peak effectiveness without the implementation of some basic best practices.
Seventy-five percent of companies infected with ransomware were running up-to-date endpoint protection (2). This demonstrates that it can be the small, innocuous things that result in an intrusion, such as outdated devices connected to the network (2) or human error. It is these holes and similarly simple avenues that basic best practices, or the most basic features of your cybersecurity defense system, are designed to cover. “Basic” is in many ways a misnomer: these are truly the foundations on which an entire cybersecurity system depends. The ransomware guide from CISA, the United States Cybersecurity and Infrastructure Security Agency, lists these best practices (3):
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
- Never click on links or open attachments in unsolicited emails.
- Back up data on a regular basis. Keep it on a separate device and store it offline.
- Follow safe practices when using devices that connect to the Internet:
  - Improve password security (3):
    - Create a strong password.
    - Consider using a password manager.
    - Use multi-factor authentication, if available.
    - Use security questions properly.
  - Create unique accounts for each user per device.
  - Choose secure networks.
  - Keep all of your personal electronic device software current.
  - Be suspicious of unexpected emails.
These guidelines should be implemented by both individuals and corporations. Proper foundational tactics can protect against ransomware and its most common vehicles of delivery, such as phishing. Phishing through texts, messaging, or email is one of the more common avenues by which ransomware is delivered. As recommended by UC Berkeley, if you don’t know the sender, then don’t click (6), and consider adding a few checks to confirm the sender even for familiar contacts or organizations that hackers may hijack or impersonate, such as Microsoft or one’s own employer (6).
The bulk of these practices are meant to aid in the prevention of intrusion, but one step is your insurance against loss if an incident happens: data backups. Ransomware is essentially a hostage situation, and there is no guarantee that your data and systems will be returned in the condition they were seized in. For organizations, backups are critical for auditing and restoring their data once they have recovered from the ransom situation. Better still, if there is a secure backup, then there is no need to pay the ransom at all.
Once these foundational practices are in place, build upon them with some well-known defense tactics, and add a few less well-known ones. These include making sure anti-malware software is always enabled, running real-time scanning (5), and restricting privileges within an organization or network (3). These settings and tools can prevent malware from running, or at least limit its capacity to spread. Additional practices recommended by CISA are (3):
- Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services[…].
- Use application allowlisting to allow only approved programs to run on a network.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
This second layer of best practices to protect against ransomware can be further strengthened with threat intelligence. Armed with a variety of reputable IoC sources, your security tools can recognize traffic to and from ransomware and its control infrastructure, and block access to it. For example, Malware Patrol offers a feed of malware and ransomware URLs. Additional feeds include DGAs and C2s: the domains and URLs/addresses that, once accessed, allow the malware or ransomware to establish contact with its control infrastructure.
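To make the threat-intelligence layer and the "block known malicious addresses" item above concrete, here is an added Python example (not Malware Patrol's feed or tooling, and not part of the original post) that loads a constructed IoC feed mixing full ransomware URLs with bare C2/DGA domains and checks constructed proxy log lines against it. The feed format, the log format, and every hostname are assumptions and placeholders.

```python
from urllib.parse import urlsplit

# Constructed IoC feed (placeholder values, not real indicators): such feeds
# mix full malware/ransomware URLs with bare C2 and DGA domains.
IOC_FEED = """
http://payload.example-bad.test/update/installer.exe
example-c2.test
xk3jd9qz.example-dga.test
"""

# Constructed proxy log lines in an assumed "<time> <client_ip> <url>" format.
PROXY_LOG = [
    "12:00:01 10.0.0.5 https://www.example.com/",
    "12:00:07 10.0.0.9 https://beacon.example-c2.test/gate.php",
    "12:00:09 10.0.0.9 http://payload.example-bad.test/update/installer.exe",
]

def load_feed(text):
    """Split a feed into a set of blocked domains and a set of blocked URLs."""
    domains, urls = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        (urls if "://" in line else domains).add(line)
    return domains, urls

def is_blocked(value, domains, urls):
    """True if value (a URL, or a bare hostname from a DNS log) is an exact
    feed URL, or its host is a feed domain or any subdomain of one, since C2
    commonly rotates hostnames under a single registered domain."""
    value = value.lower()
    if value in urls:
        return True
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    labels = host.rstrip(".").split(".")
    # Check the host and each parent domain: a.b.c.test, b.c.test, c.test, test
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def scan_log(lines, domains, urls):
    """Return (line_no, url) for every log line whose URL hits the feed."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 3 and is_blocked(parts[2], domains, urls):
            hits.append((n, parts[2]))
    return hits
```

`scan_log(PROXY_LOG, *load_feed(IOC_FEED))` flags lines 2 and 3; note that a feed URL blocks only that exact URL, while a feed domain blocks the whole domain tree beneath it.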
A solid foundation in the basic best practices aids in the prevention of ransomware attacks for individuals and organizations. Cybersecurity is not one singular thing, but many layers that build on and support each other. Ingrain these best practices until they are second nature, and use the tools that support and emphasize them to strengthen the rest of your cybersecurity system. Hacker attacks and ransomware threats aren’t going away, but with diligence the undertow and its dangers are avoidable.