How to prevent ransomware attacks

24 Oct 2023

“How to prevent ransomware?”

The question can keep anyone responsible for data security and business operations up at night. And with good reason.

There simply isn’t a single “silver bullet” technology that stops ransomware. No matter what technology you use, nothing offers 100% protection 100% of the time.

Fortunately, there are steps you can take to prevent ransomware attacks – and even contain and stop an active ransomware outbreak.

Let’s take a closer look at this multi-layered approach.

#1. Use an anti-spam solution to monitor email.

Ransomware and other malware attacks often start with a “phishing” email: a message crafted to lure the recipient into clicking a link or opening an attached file. These messages usually look legitimate and often appear to come from a trusted source, at least on the surface.

If you weren’t sure why your bank was sending you “that email,” for example, you could look at the actual sender address (not the display name you see, but the address itself). Phishing emails often give themselves away here, with a meaningless mess of letters and numbers. Bear in mind that the address can also be forged or use a look-alike domain, so a plausible address is not proof that the message is genuine.

If the email looks plausible but you are still not sure, do not open the link or attachment. Instead, call the individual or organization that supposedly sent it, using a number you already have rather than one printed in the email, to confirm.

An anti-spam solution limits the chance these emails get through. It inspects the contents of email attachments and checks the legitimacy of web links in emails.
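The two manual checks above (the real address behind the display name, and where a link actually points) plus the attachment inspection an anti-spam filter performs can be expressed as a short triage script. The following is an added example written for this article; it is not code from the original page, not a RICOH tool, and not Microsoft Defender. It uses only the Python standard library, the sample message is constructed, and the risky-extension list and the "last two labels" domain comparison are simplifying assumptions rather than a complete policy.

```python
"""Added example (not part of the original article, not a vendor product):
the sender and link checks described above, applied to a raw email message.

The checks are heuristics:
  1. the From: display name names an organisation, but the actual address is
     at an unrelated domain (the "look at the real address" check);
  2. the sender's local part is a meaningless string of letters and digits;
  3. a link's visible text shows one domain while its href points elsewhere;
  4. an attachment has an executable or script extension.
The sample message below is constructed for this example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short illustrative list of extensions often used to deliver
# a malware loader, not a complete attachment policy.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".hta", ".docm", ".xlsm"}

# Constructed sample: display name claims "Example Bank", the address is a
# random string at an unrelated domain, the link text and href disagree, and
# the attachment is a double-extension executable.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <q8x2zz91@mail-verify-7731.net-check.test>
To: alice@corp.test
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Please sign in at
<a href="http://example-bank-login.verify-7731.test/x">https://www.example-bank.com/login</a>
</p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA
--b1--
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(text):
    """Registrable domain of a URL or bare hostname, or None if text is not one.
    Assumption: the last two labels approximate the registrable domain."""
    text = text.strip()
    if not re.fullmatch(r"\S+\.\S+", text):
        return None
    try:
        host = urlparse(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    if not host:
        return None
    return ".".join(host.lower().strip(".").split(".")[-2:])


def triage(raw):
    """Return a list of findings (strings) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1 and 2: the address behind the display name. A person's name will not
    # match any domain, so treat the first check as a hint, not a verdict.
    display, addr = parseaddr(str(msg["From"] or ""))
    local_part, _, sender_domain = addr.partition("@")
    sender_domain = sender_domain.lower()
    claimed = re.findall(r"[a-z]{4,}", display.lower())
    if claimed and not any(word in sender_domain for word in claimed):
        findings.append(f"display name {display!r} does not match sender domain {sender_domain!r}")
    if sum(ch.isdigit() for ch in local_part) >= 3:
        findings.append(f"sender local part {local_part!r} looks machine-generated")

    # 3: visible link text vs. the real destination.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        extractor = LinkExtractor()
        extractor.feed(html.get_content())
        for href, text in extractor.links:
            shown, real = domain_of(text), domain_of(href)
            if shown and real and shown != real:
                findings.append(f"link shows {shown!r} but points to {real!r}")

    # 4: attachments with executable or script extensions (catches .pdf.exe).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"attachment {name!r} has an executable or script extension")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, all four checks fire. The display-name check is deliberately loose: a sender such as "Corp Helpdesk <helpdesk@corp.test>" passes because a word of the display name appears in the domain, while a personal name never will, which is why a real filter combines this with sender authentication (SPF, DKIM, DMARC) rather than relying on the heuristic alone.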

If your organization uses Office 365, Microsoft Defender for Office 365 does this job (it is included in some Microsoft 365 plans and available as an add-on for others).

Using anti-spam can greatly reduce the chance ransomware will enter through your organization’s email. However…

If employees can access their personal email on corporate laptops, ransomware could still be delivered via the uncontrolled personal email to your corporate endpoints and file shares.

(We aren’t saying that you should not allow employees to access personal email. Your organization needs to make those policy decisions internally. Rather, we only wish to point out how that practice opens a possible door for ransomware infection.)

#2. Deploy endpoint protection software.

Each workstation and server must have endpoint protection. You might think of it as anti-virus software; however, endpoint protection delivers much more protection than a basic anti-virus solution.

An endpoint protection agent should be installed on all of your Windows™, Mac™, and Linux systems.

For example, we deploy endpoint protection to every device for our Managed Security Services customers. The application monitors files when they are opened and executed. Users also have the ability to perform on-demand threat scans. And every customer has access to detailed security reports in the customer support portal.

One of the challenges many organizations face with endpoint protection is the need for constant updates. Malware continues to adapt and change. In response, Microsoft®, Apple®, and other software vendors constantly release security patches and updates, and the endpoint protection agent itself needs current engine and signature updates to keep up.

As a result, regular patching of operating systems and third-party applications running on workstations and servers is critical. Updates and patches remove known vulnerabilities that could be exploited to deliver ransomware and other malware.

This is one reason many companies turn to a managed IT service provider for additional support. The IT services company can help manage and complete the necessary but time-consuming tasks of server and endpoint updates.

#3. Keep employees’ personal devices on a “guest” network.

Many organizations allow some use of personal devices, known as a Bring Your Own Device (BYOD) policy.

These devices should be limited to a separate guest network. They should never be allowed on the same network as your workstations and servers, nor should they have full access to those workstations and servers.

You can secure personal devices by fully implementing a Mobile Device Management (MDM) solution. This, however, requires individuals to accept the terms of the MDM policy, which can include locking a device identified as a security threat, or even wiping its data.

Without an MDM, personal devices will never be secured like your corporate ones. This leaves them at risk. And should they have access to your corporate network, then all of your devices remain at risk.

For example:

  • If ransomware were executed (run) on a personal device that is on your network with a drive mapped to a file server;
  • Then, every file on that share the user can write to, potentially all of your organization’s files if access is broad, could be encrypted by the ransomware, even with endpoint protection software running on the file server.

This threat also exists for personal devices that have full network access through a VPN tunnel.

Now, we find this often prompts a very practical question:

Why doesn’t the endpoint protection identify the threat?

There can be many reasons, but one of the most common is this: the malicious process runs on the personal device, where no endpoint protection agent is installed, and the file server only sees an authenticated user reading and writing files over the network share under that user’s own permissions. To the server’s endpoint protection that looks like ordinary file activity, because no malicious code ever executes on the server. (The bad actors who create ransomware are very creative and skilled cybercriminals.)

For this reason, we always recommend that unless you have a fully implemented MDM, all personal devices should be restricted to a guest network. VPN connections used by personal devices should also be limited.

#4. Practice the Principle of Least Privilege for access and user permissions.

The Principle of Least Privilege involves providing end users only those permissions needed to do their jobs – nothing more.

While this is commonly practiced for file share, server, and application access, it is often not followed as strictly on workstations. Sometimes users are given local administrative privileges on the workstations they use.

This means everything they run has administrator rights. If ransomware gets in, it runs with those same rights and can delete local shadow copies, tamper with security software, and reach every file on the device, greatly increasing the damage that can be caused.

Restricting permissions is a vital step in protecting against ransomware.

Ransomware can only encrypt the files the compromised account can write to. Limiting access limits the potential damage.

For this reason, it is strongly recommended:

  • End users should never be configured as administrators for everyday workstation use.
  • The “Domain Users” group should never be in the local Administrators group on workstations or servers. That would make every domain user an administrator on every machine.
  • Permissions should be properly configured and limited on file server shares, SharePoint™, and other locations where files are stored.
  • Unneeded shares on servers and workstations should be disabled.

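
The recommendations above reduce what the article calls the damage ransomware can cause: the set of shares one compromised account can write to. The following added example, written for this article and not a RICOH tool or a Windows API, computes that "blast radius" from group membership and share ACLs, resolving nested groups, and flags shares writable by catch-all groups and hosts whose local Administrators group contains one. All the groups, shares, ACLs and hosts are constructed; the treatment of "Everyone" and "Authenticated Users" as equivalent to "Domain Users" is a stated simplification.

```python
"""Added example (not part of the original article, not a Windows API):
an audit of the "blast radius" a compromised account has on file shares.

Ransomware can only encrypt what the account it runs under can write to.
Given group nesting and share ACLs, this computes, per user, which shares a
compromise of that account could encrypt, flags shares writable by catch-all
groups, and flags hosts whose local Administrators group contains such a group.
All groups, shares, ACLs and hosts below are constructed.
"""
from collections import defaultdict

# Catch-all principals that should never hold write access on a share or sit
# in local Administrators (assumption: typical Active Directory names).
BROAD_PRINCIPALS = {"Domain Users", "Everyone", "Authenticated Users"}

# Constructed group membership: group -> members (user names or nested groups).
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Finance": {"alice", "bob"},
    "Finance-Admins": {"Finance", "carol"},   # nested group
    "HR": {"dave"},
}

# Constructed share ACLs: share -> {principal: "read" | "write"}.
SHARES = {
    r"\\fs01\Finance": {"Finance": "write", "HR": "read"},
    r"\\fs01\HR": {"HR": "write"},
    r"\\fs01\Public": {"Domain Users": "write"},                 # over-broad
    r"\\fs01\Archive": {"Finance-Admins": "write", "Everyone": "read"},
}

# Constructed local Administrators membership per workstation.
LOCAL_ADMINS = {
    "WS-ALICE": ["Administrator", "Domain Users"],   # every domain user is admin here
    "WS-BOB": ["Administrator", "Helpdesk"],
}


def expand_group(name, groups, _seen=None):
    """Users reachable from a group, following nested groups (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, ()):
        users |= expand_group(member, groups, seen) if member in groups else {member}
    return users


def principal_to_users(principal, groups):
    """Resolve a principal to user accounts; catch-alls mean every domain user."""
    if principal in BROAD_PRINCIPALS:
        return expand_group("Domain Users", groups)   # assumption: all accounts are domain users
    if principal in groups:
        return expand_group(principal, groups)
    return {principal}


def writable_shares_by_user(shares, groups):
    """Map each user to the shares ransomware running as that user could encrypt."""
    reach = defaultdict(set)
    for share, acl in shares.items():
        for principal, right in acl.items():
            if right == "write":
                for user in principal_to_users(principal, groups):
                    reach[user].add(share)
    return dict(reach)


def overbroad_shares(shares):
    """Shares where a catch-all principal can write."""
    return sorted(share for share, acl in shares.items()
                  if any(p in BROAD_PRINCIPALS and r == "write" for p, r in acl.items()))


def overbroad_local_admins(local_admins):
    """Hosts whose local Administrators group contains a catch-all principal."""
    return {host: sorted(set(members) & BROAD_PRINCIPALS)
            for host, members in local_admins.items() if set(members) & BROAD_PRINCIPALS}


if __name__ == "__main__":
    for user, shares in sorted(writable_shares_by_user(SHARES, GROUPS).items()):
        print(f"{user:6} could encrypt {len(shares)} share(s): {', '.join(sorted(shares))}")
    print("over-broad shares:", overbroad_shares(SHARES))
    print("over-broad local admins:", overbroad_local_admins(LOCAL_ADMINS))
```

On the constructed data, carol reaches the Archive share only through the nested Finance-Admins group, and every user reaches Public because Domain Users can write to it; changing that one ACL to read-only removes Public from every user's blast radius at once. On a real domain the same computation would be fed from group membership and share ACL exports rather than the inline dictionaries.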
#5. Have a good security awareness training program.

Organizations can benefit by training employees on how to avoid falling for phishing and other social engineering attacks, as well as how to handle sensitive data. Best practices recommend frequent training, in different and engaging formats, for the maximum benefit. Ideally, end users would also be regularly tested, such as with simulated phishing attacks.

#6. Store current backups offsite.

“Offsite backups” here means copies that are not reachable from your corporate network, not merely copies stored in another building: offline media, or a separate service with its own credentials that the backup job can write to but ordinary domain accounts cannot. This can be vitally important if a ransomware attack gets through.

If all other layers of protection fail, you will need complete and current backups to get back up and running again. You will lose whatever changed since the last backup, even in a limited outbreak, so back up frequently and test restores regularly. Keeping backups offsite keeps them away from the risk.

Active ransomware is aggressive. It will go after your files. It will also go after your backups, deleting or encrypting any it can reach with the credentials it has, to make sure you have to pay the ransom to get your data back. Good offsite backups can save you tens of thousands, possibly even millions, of dollars.

#7. Add a containment solution to protect your organization against ransomware.

Containment is a newer approach to protection against ransomware. An application monitors your file shares for the activity pattern of an outbreak, such as one client rapidly rewriting or renaming many files. If an outbreak is identified, it immediately isolates the offending workstation or device from the network to contain the outbreak. Then you restore the affected device, and any files it encrypted before it was cut off, from your offsite backups.
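
What such share monitoring looks like in practice, as an added example written for this article (it is not RICOH's containment product and does not implement any vendor's detection): the monitor reads file-server audit events, keeps a per-client sliding window of extension-changing renames, treats a write to a planted decoy ("canary") file as an immediate trigger, and returns an isolate action naming the client and the files it touched, which is exactly the restore list the last sentence above refers to. Because the client is identified from the server's own events, this also covers the mapped-drive scenario in #3, where the offending device carries no endpoint agent. The event format, thresholds, canary naming and the events themselves are all constructed for the example.

```python
"""Added example (not part of the original article, not RICOH's or any
vendor's containment product): share-monitoring containment logic run over
constructed file-server audit events.

A client that rapidly renames files to a new extension, or that touches a
decoy ("canary") file nobody should modify, is judged to be encrypting the
share. The monitor returns an isolate action naming the client host and the
files it touched, which is the list to restore from backup. The event format,
thresholds and events are all constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumption: illustrative tunables, not a vendor's defaults.
WINDOW_SECONDS = 10          # sliding window per client host
RENAME_THRESHOLD = 5         # extension-changing renames in the window
CANARY_PREFIX = "~canary_"   # decoy files planted on the share

# Constructed audit events: timestamp then key=value fields (paths have no spaces).
EVENTS = r"""
2023-10-24T09:15:00Z host=WS-ALICE user=alice op=write path=\\fs01\Finance\Q3.xlsx
2023-10-24T09:15:01Z host=WS-DAVE user=dave op=rename path=\\fs01\Finance\Q1.xlsx new=\\fs01\Finance\Q1.xlsx.locked
2023-10-24T09:15:01Z host=WS-DAVE user=dave op=rename path=\\fs01\Finance\Q2.xlsx new=\\fs01\Finance\Q2.xlsx.locked
2023-10-24T09:15:02Z host=WS-ALICE user=alice op=rename path=\\fs01\Finance\draft.docx new=\\fs01\Finance\final.docx
2023-10-24T09:15:02Z host=WS-DAVE user=dave op=rename path=\\fs01\Finance\budget.docx new=\\fs01\Finance\budget.docx.locked
2023-10-24T09:15:03Z host=WS-DAVE user=dave op=rename path=\\fs01\Finance\plan.pptx new=\\fs01\Finance\plan.pptx.locked
2023-10-24T09:15:04Z host=WS-DAVE user=dave op=rename path=\\fs01\Finance\notes.txt new=\\fs01\Finance\notes.txt.locked
2023-10-24T09:15:05Z host=WS-DAVE user=dave op=rename path=\\fs01\Finance\ledger.xlsx new=\\fs01\Finance\ledger.xlsx.locked
2023-10-24T09:16:30Z host=WS-BOB user=bob op=write path=\\fs01\Public\~canary_do_not_open.docx
"""


def parse_event(line):
    """Parse one audit line into a dict with a timezone-aware 'ts'."""
    stamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def extension(path):
    """Lower-cased final extension of a UNC path, or '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class ShareMonitor:
    """Per-host sliding-window rename detector with a canary-file tripwire."""

    def __init__(self):
        self.renames = defaultdict(deque)   # host -> timestamps of suspicious renames
        self.touched = defaultdict(list)    # host -> files written, renamed or deleted
        self.isolated = {}                  # host -> reason it was isolated

    def feed(self, event):
        """Consume one event; return an isolate action or None."""
        host, op, path = event["host"], event["op"], event["path"]
        if host in self.isolated:           # already cut off; nothing more to do
            return None
        if op in ("write", "rename", "delete"):
            self.touched[host].append(path)
        if path.rsplit("\\", 1)[-1].startswith(CANARY_PREFIX) and op != "read":
            return self._isolate(event, "canary file modified")
        if op == "rename" and extension(path) != extension(event["new"]):
            window = self.renames[host]
            window.append(event["ts"])
            while (event["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()            # drop renames older than the window
            if len(window) >= RENAME_THRESHOLD:
                return self._isolate(event, f"{len(window)} extension-changing renames in {WINDOW_SECONDS}s")
        return None

    def _isolate(self, event, reason):
        # In a real deployment this is where the NAC, switch or EDR API call
        # that quarantines the host would go; here the action is just returned.
        host = event["host"]
        self.isolated[host] = reason
        return {"action": "isolate", "host": host, "user": event["user"],
                "reason": reason, "restore": list(self.touched[host])}


def run(log_text):
    """Feed every event line to one monitor; return the isolate actions raised."""
    monitor = ShareMonitor()
    actions = []
    for line in log_text.splitlines():
        if line.strip():
            action = monitor.feed(parse_event(line))
            if action:
                actions.append(action)
    return actions


if __name__ == "__main__":
    for action in run(EVENTS):
        print(f"isolate {action['host']} ({action['user']}): {action['reason']}; "
              f"restore {len(action['restore'])} file(s)")
```

On the constructed events, WS-DAVE is isolated on its fifth rename to a ".locked" extension, with the five files it had already touched as the restore list, and the sixth rename is never acted on because the host is already cut off; WS-ALICE's rename of draft.docx to final.docx keeps its extension and is not counted. The canary write from WS-BOB isolates that host on the first event, which is the cheapest detection of all and worth planting on every share.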

Source:  RICOH USA