Ransomware is one of the most damaging cyberattacks a business can experience — and unfortunately, it is only becoming more prevalent.
March 2021 saw 151 recorded cyberattack incidents, with ransomware gangs targeting small and mid-sized businesses (SMBs) in the local government, healthcare and education sectors. SMBs are a common target for ransomware because they often lack the resources and visibility needed to detect and respond to security incidents.
What Is Ransomware and Why Is It So Damaging?
Ransomware is a type of malware that locks down data, infrastructure and systems and demands payment (often in cryptocurrency) to decrypt them. Sometimes a window pops up on an infected computer asking the user to pay a fee. Other times, the ransom note arrives as a .txt or .html file dropped on the desktop and in every folder on the affected systems.
Ransomware is so destructive not only because of the financial impact — many companies have shuttered business operations due to the monetary losses — but also because a ransomware attack is expensive and time-consuming to remediate.
Dealing with a ransomware incident involves restoring systems and data (ideally from a backup solution), taking a productivity hit while machines are unusable, repairing damage to the company's reputation, replacing infected devices and potentially hiring an IT consultancy to remediate the attack from a cybersecurity perspective. When customer data is involved in the breach, companies can incur legal and compliance fees, too. All of these factors drive up the cost of a ransomware incident.
All things considered, the average cost of a ransomware attack was $732,520 if companies didn’t pay the ransom, and $1,447,458 if they did pay the ransom, according to a 2020 Sophos report.
By now, it should be clear that you must avoid getting hit with ransomware at all costs. The good news is that even the smallest security teams can prevent ransomware. Let’s take a look at five best practices for ransomware prevention.
1. Know The Warning Signs
These days, many ransomware attacks happen in the blink of an eye; some take only 12 hours to execute. Other ransomware attacks unfold more slowly — over weeks or even months — as cybercriminals move laterally through the network and escalate privileges.
Either way, there will be signs of a ransomware attack. You should be on the lookout for certain cues that indicate an attack is underway:
- Network scanners. Be wary if scanners start mysteriously appearing on your company's network — especially if those scanners are running on servers.
- Active Directory access. Next, attackers often use tools such as BloodHound and AdFind to map and infiltrate a company's Active Directory.
- Mimikatz and Microsoft Process Explorer. Mimikatz, an open-source credential-stealing tool, should be a major red flag for IT teams — especially when it shows up alongside Microsoft Process Explorer, which attackers use to dump process memory.
- Software removal programs. Take action immediately when tools like GMER and Process Hacker are used to disable security software such as antivirus protection.
The more you familiarize yourself with the warning signs, the better your chances of stopping a ransomware attack before it creates real damage.
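The warning signs above all show up as process executions, which means a process-creation log (Windows Security event 4688 or Sysmon event ID 1) is the natural place to look for them. The following is an added example, not code from Blumira or from the original post: a small Python scanner that reads constructed, simplified process-creation records, matches the executable name against a watchlist built from the tools named in this section, and raises the severity when the warning signs compound (a scanner on a server, or Mimikatz and Process Explorer on the same host). The log format, hostnames, server naming convention and the extra scanner names (masscan, Advanced IP Scanner) are assumptions for the example; SharpHound is included because it is BloodHound's collector, and procexp/procexp64 are Process Explorer's executable names.

```python
"""Flag process-creation events that match ransomware precursor tooling.

Example code added to this post; the log lines, hosts and users below are
constructed, not real data. Adapt parse_line() to your own 4688/Sysmon format.
"""
import re
from collections import defaultdict

# Constructed log lines: "timestamp host user image", loosely modelled on
# Windows Security event 4688 (process creation).
SAMPLE_LOG = """\
2021-03-02T09:14:03Z FILESRV01 svc_backup C:\\Windows\\System32\\svchost.exe
2021-03-02T09:20:11Z FILESRV01 jdoe C:\\Users\\jdoe\\Downloads\\nmap.exe
2021-03-02T09:41:55Z WKSTN-17 jdoe C:\\Temp\\AdFind.exe
2021-03-02T09:42:30Z WKSTN-17 jdoe C:\\Temp\\SharpHound.exe
2021-03-02T10:05:02Z DC01 jdoe C:\\Temp\\mimikatz.exe
2021-03-02T10:05:40Z DC01 jdoe C:\\Tools\\procexp64.exe
2021-03-02T10:30:00Z DC01 jdoe C:\\Tools\\gmer.exe
2021-03-02T11:00:00Z WKSTN-22 asmith C:\\Program Files\\Notepad++\\notepad++.exe
"""

# Executable names grouped by the warning sign they correspond to.
# SharpHound is BloodHound's collector; procexp/procexp64 is Process Explorer.
WATCHLIST = {
    "network_scanner": {"nmap.exe", "masscan.exe", "advanced_ip_scanner.exe"},
    "ad_reconnaissance": {"adfind.exe", "sharphound.exe", "bloodhound.exe"},
    "credential_theft": {"mimikatz.exe"},
    "process_explorer": {"procexp.exe", "procexp64.exe"},
    "security_tool_killer": {"gmer.exe", "processhacker.exe"},
}

# Hostname prefixes treated as servers (assumed naming convention).
SERVER_PREFIXES = ("FILESRV", "DC", "SQL")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<image>.+)$")


def parse_line(line):
    """Parse one record into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Keep only the lowercase file name so paths and casing cannot evade the match.
    rec["exe"] = rec["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return rec


def classify(exe):
    """Return the watchlist category for an executable name, or None."""
    for category, names in WATCHLIST.items():
        if exe in names:
            return category
    return None


def scan_log(text):
    """Return a list of alerts, one per watchlisted execution, with a severity."""
    alerts = []
    seen = defaultdict(set)  # host -> categories already observed on that host
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["exe"])
        if category is None:
            continue
        host = rec["host"]
        seen[host].add(category)
        severity = "medium"
        # A scanner on a server is worse than one on a workstation.
        if category == "network_scanner" and host.upper().startswith(SERVER_PREFIXES):
            severity = "high"
        if category in ("credential_theft", "security_tool_killer"):
            severity = "high"
        # Mimikatz plus Process Explorer on the same host is the compound sign.
        if {"credential_theft", "process_explorer"} <= seen[host] and \
                category in ("credential_theft", "process_explorer"):
            severity = "critical"
        alerts.append({"ts": rec["ts"], "host": host, "user": rec["user"],
                       "exe": rec["exe"], "category": category, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']:>8}] {a['ts']} {a['host']} {a['user']} {a['exe']} ({a['category']})")
```

On the constructed log this produces six alerts: a high-severity scanner on FILESRV01, two medium AD-reconnaissance hits on WKSTN-17, a high Mimikatz alert on DC01 that is escalated to critical when Process Explorer follows it, and a high alert for GMER. Matching on the file name alone is deliberately simple; attackers rename binaries, so in production you would also key on file hashes, signer and command-line arguments.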
2. Conduct Security Awareness Training
Many ransomware attacks start with a phishing or social engineering campaign. In fact, 65% of ransomware infections are delivered via phishing. Attackers often impersonate legitimate names and companies to disguise the real sender. That is why it is important to run phishing awareness programs for your employees.
Start with an explanation of why phishing is so problematic; you can deliver this information via an email newsletter, team meeting, or hands-on training, depending on your company’s culture. You can then simulate phishing campaigns to give employees a realistic experience and an idea of what phishing looks like in the wild.
Once users know what to look out for, they can work with you to identify suspicious emails and catch a ransomware attack in its early stages.
3. Deploy Multiple Security Tools
Ransomware is notoriously difficult to detect, which is why it’s important to use a layered approach to cybersecurity. Layered security leans on several methods and tools to protect an organization.
When it comes to ransomware protection, it's important to have an endpoint security platform like CrowdStrike or Microsoft Defender for Endpoint, accompanied by a threat detection and response platform like Blumira for comprehensive security monitoring. Endpoint protection can block malware, give IT visibility into compromised devices, and ensure that security updates and patches are installed.
A threat detection and response platform ensures that you have visibility into what is occurring within your infrastructure and alerts you of any suspicious activity. The best threat detection platforms aren’t overly noisy to avoid alert fatigue, and give you actionable advice on exactly how to respond to a threat.
You should also use tools to secure remote access points such as Microsoft Remote Desktop Protocol (RDP), since many ransomware attacks enter through an exposed RDP gateway. For example, RDP gateways should sit behind a VPN and be protected by multi-factor authentication, so that a stolen or brute-forced password alone is not enough for an attacker to access your systems.
4. Implement Data Backup
If a ransomware attack does occur, data backup and recovery solutions ensure that you can restore your company's data and systems. Ideally you should back up your data in multiple locations, including a data center, local disks and a cloud continuity service. Cloud data backup services are worth the investment because they integrate easily with existing cloud applications and devices. You should send logs to a cloud SIEM, too, which ensures that the integrity of those logs remains intact even in the event of a ransomware infection.
Offline backups are key, too, because ransomware actors look for backup systems and encrypt or destroy them before hitting the rest of the environment with the encryptor.
5. Do Not Pay The Ransom
If you're hit with ransomware, you may be wondering whether you should pay the ransom and get it all over with. Unfortunately, paying the ransom does not guarantee that the fiasco is over; cybercriminals (unsurprisingly) are untrustworthy and don't always return your files and systems once the ransom is paid. Many ransomware groups have also begun exfiltrating data before encrypting it, which lets them keep extorting the victim even after the victim has paid for decryption of the affected systems.
Plus, paying the ransom may expose you to noncompliance fees. On top of that, it encourages cybercrime and feeds into an already extremely profitable industry; cybercriminals rake in a staggering $1.5 trillion every year.
Try Blumira For Free
Many companies aren’t able to prevent ransomware due to a lack of resources, alert fatigue, and overly complex security tools, all of which can lead to security teams overlooking suspicious activity that points to a ransomware attack.
Blumira comes with several built-in detections to alert security staff of malicious activity on the network, in addition to playbooks that guide non-security experts through quick remediation.
Unlike a traditional SIEM, Blumira can deploy within hours, not days or weeks. Start a free trial to detect threats in your environment today, or contact the Cerium team to see what Blumira can do for you.