Ransomware has emerged as a dominant threat in today's cybersecurity landscape. When ransomware detonates inside an organization, it rapidly encrypts data on every machine it can reach, halting operations and often causing substantial financial loss. While the organization grapples with this sudden loss of access, the threat actors demand a substantial ransom in exchange for the possibility of decryption. Paying offers no guarantee of recovery, and there is always the risk that the actors have left backdoors behind, giving them a path to renewed access and follow-on attacks.
Given the devastating potential of such threats, a proactive stance is essential. Organizations must prioritize preparedness and equip themselves with a comprehensive ransomware readiness plan to navigate and neutralize these challenges effectively. At CyberProof, our Advanced Threat Hunting team has developed a ransomware readiness plan that helps organizations establish a robust, proactive defense against ransomware, aligned with business priorities.
Here is our essential checklist to prevent and manage a ransomware attack:
The first line of defense is keeping ransomware out of your organization's digital infrastructure in the first place. Security teams must work together to close the access points threat actors rely on. To do this:
Prevent initial access to your assets: Tighten access controls and restrict administrative rights. The growth of remote work has expanded the attack surface: remote endpoints are more likely to connect over unsecured networks, and exposed remote-access services (VPN portals, Remote Desktop) are a common entry point for ransomware operators. Require multi-factor authentication for all remote access and do not expose RDP directly to the internet.
Update security products: Keep endpoint and perimeter security products, such as email gateways and web proxies, patched and their detection content current. Validating and updating these products closes known vulnerabilities and stops malicious payloads before they reach the end user.
Promote employee awareness: Educating employees about current threats and safe practices significantly reduces the risk of a successful attack. Cybercriminals routinely send convincing fake emails and messages carrying malicious links or attachments. Training that teaches staff to verify the source of a message and to report anything suspicious improves awareness across the organization.
Implement a Zero Trust policy: Any account can be compromised, so strict policies must apply to every account in the organization. Apply the principle of least privilege everywhere, so that a ransomware actor who compromises one account cannot use it to move laterally through the network. Grant access to specific assets and privileges only to the employees who have a business justification for them; this limits how far ransomware can spread.
If ransomware has entered an organization, the focus of mitigation shifts to preventing its spread, to ensure that the ransomware doesn’t amplify the damage. The strategies here differ from the prevention stage, as the nature of the threat has evolved, and the response must adapt accordingly.
Utilize granular network segmentation rules: If ransomware enters the organization, be ready to enact segmentation immediately to restrict access and communication between network zones. This is complex to implement, but its impact is significant: isolating affected segments contains the threat and protects unaffected systems.
Automatically limit privileged access: Once ransomware has infiltrated the organization, user access must be limited immediately across the board. Remove or restrict administrative rights wherever possible; malware running as a user can only modify files that user can write to, and without local administrator rights it is far harder for the ransomware to disable endpoint protection or tamper with the operating system. For remote connections, remove administrator privileges from users of external or internet-facing Remote Desktop Protocol (RDP) servers.
Disable administrative shares: Some ransomware variants enumerate administrative or hidden network shares, including those not mapped to a drive letter, and use them to push themselves to endpoints across the environment. In an incident, be prepared to disable these shares automatically across the network. Common administrative and hidden shares on Windows endpoints include ADMIN$, C$, D$ and IPC$. Note that this action can break system functionality: remote administration tools, software deployment and some backup agents rely on these shares, and IPC$ in particular cannot be removed.
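As an added example of the last two containment steps (this is not CyberProof's tooling and not part of the original checklist), the following PowerShell script performs host-level containment on a single Windows endpoint: it strips the local Administrators group down to an allow-list, removes the administrative shares, stops the Server service from recreating them on restart, and restricts inbound SMB to a management subnet. The allow-listed group names, the management subnet and the firewall rule names are placeholders; the script assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, where the LocalAccounts, SmbShare and NetSecurity modules are available.

```powershell
<#
  Emergency ransomware containment for one Windows host (added example, not the
  page's own code). Run it first WITHOUT -Apply to see what would change, then with
  -Apply from an elevated shell. Push it to many hosts via your EDR, Intune or GPO
  startup script to get the "automatic, network-wide" effect the checklist asks for.
#>
[CmdletBinding()]
param(
    [switch]$Apply,
    # Principals that must keep local admin (break-glass / IR accounts). Placeholders.
    [string[]]$KeepAdmins = @('CORP\IR-Admins', 'CORP\Domain Admins'),
    # Network that is still allowed to reach SMB on this host. Placeholder.
    [string]$ManagementSubnet = '10.0.100.0/24'
)

$ErrorActionPreference = 'Stop'

function Invoke-Step {
    param([string]$Action, [scriptblock]$Change)
    if ($Apply) { Write-Host "[APPLY] $Action"; & $Change }
    else        { Write-Host "[DRY]   $Action" }
}

# 1. Reduce the local Administrators group (well-known SID S-1-5-32-544, so this works
#    on localized Windows too) to the allow-list. The built-in Administrator account
#    (RID 500) is never removed so the host remains recoverable.
foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
    $isBuiltinAdmin = $m.SID.Value -like 'S-1-5-21-*-500'
    if ($isBuiltinAdmin -or ($KeepAdmins -contains $m.Name)) { continue }
    Invoke-Step "Remove $($m.Name) from local Administrators" {
        Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $m
    }
}

# 2. Remove the administrative shares (ADMIN$, C$, D$, ...). IPC$ is a special case:
#    Windows will not let you delete it, so it is skipped rather than failing the run.
foreach ($s in Get-SmbShare -Special | Where-Object { $_.Name -ne 'IPC$' }) {
    Invoke-Step "Remove share $($s.Name) ($($s.Path))" {
        Remove-SmbShare -Name $s.Name -Force
    }
}

# 3. Stop the Server service from recreating ADMIN$ and the drive shares on the next
#    restart. AutoShareServer applies to server SKUs, AutoShareWks to workstations.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    Invoke-Step "Set $lanman\$name = 0" {
        Set-ItemProperty -Path $lanman -Name $name -Value 0 -Type DWord
    }
}

# 4. Host-level isolation: close inbound SMB to everyone except the management subnet.
#    Windows Firewall evaluates Block rules before Allow rules, so a blanket Block
#    cannot be punched through for the IR team. Instead, disable the built-in allow
#    rules for file sharing, make the profile default Block, and add one scoped Allow.
Invoke-Step "Restrict inbound TCP/445 to $ManagementSubnet" {
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'IR-Containment-SMB-From-Mgmt' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $ManagementSubnet -Action Allow |
        Out-Null
}

# 5. Report the resulting state so the IR timeline records what this host looks like now.
Write-Host "Local admins now: " -NoNewline
(Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name) -join ', '
Write-Host "Shares now: " -NoNewline
(Get-SmbShare | Select-Object -ExpandProperty Name) -join ', '
```

Two caveats worth keeping in mind before pushing this out: the 'File and Printer Sharing' display group is the English name and differs on localized systems, and any custom allow rule for port 445 that is not in that group will still permit SMB, so check `Get-NetFirewallPortFilter` output on a representative host before relying on step 4. Step 3 is what makes step 2 stick; removing the shares without it buys you only until the next reboot.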
In the event of an attack, rapid recovery measures are essential. These steps ensure that your organization can recover with minimal damage and data loss:
Implement robust backup policies: The 3-2-1 backup rule is the recommended baseline for data protection: keep at least three copies of the data, on two different types of storage media, with at least one copy off-site. Prefer offline or immutable storage for at least one of those copies. By ensuring backups are frequent, tested and stored in multiple locations (including off-site), organizations can restore operations smoothly after a ransomware attack. Connect backups to live systems only when necessary, and never have all backups online ('hot') at the same time, so that a threat actor who has reached the production environment cannot reach every backup copy.
Back up frequently and test your restores: Backup frequency is the primary factor determining how much data could be lost in a ransomware attack (the recovery point objective), so increase it for critical data. Periodically test and validate that data can actually be restored from backup, so that you can be confident the data will be available when a restoration is needed.
Prepare updated golden images for quick restoration: Maintain regularly updated golden images of critical systems in case they must be rebuilt. A golden image is a template containing a preconfigured operating system (OS) and the associated applications, which can be deployed quickly to rebuild a system such as a virtual machine or server. Store these templates where ransomware cannot reach and encrypt them, and patch them on a schedule so that a rebuilt host does not come back with the vulnerability that was exploited.
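A restore test that only checks whether the backup job reported success does not prove the data came back intact. As an added example for the recovery steps above (not part of the original checklist or CyberProof's tooling), the following PowerShell captures a SHA-256 manifest of the source at backup time and later compares a test restore against it, reporting files that are missing, files whose content changed (for example, encrypted in place before the backup ran) and files that were not in the original at all (a dropped ransom note). The directory layout, file names and the temp folder it builds to demonstrate itself are constructed placeholders; it assumes Windows PowerShell 5.1 or later.

```powershell
# Backup restore verification by content hash (added example, not the page's own code).
# Run the manifest step against the live source when the backup is taken, store the
# manifest with the backup, and run the test step against every test restore.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path $SourceRoot).Path
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-RestoredBackup {
    # Returns one object per problem; an empty result means the restore matches the manifest.
    param(
        [Parameter(Mandatory)][string]$RestoreRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root     = (Resolve-Path $RestoreRoot).Path
    $problems = [System.Collections.Generic.List[object]]::new()
    $expected = @{}

    foreach ($entry in Import-Csv -Path $ManifestPath) {
        $expected[$entry.RelativePath] = $true
        $file = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $problems.Add([pscustomobject]@{ File = $entry.RelativePath; Problem = 'missing' })
            continue
        }
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) {
            $problems.Add([pscustomobject]@{ File = $entry.RelativePath; Problem = 'hash mismatch' })
        }
    }

    # Files in the restore that were never in the source are suspicious too: ransom
    # notes, or encrypted duplicates (*.locked) left beside the originals.
    foreach ($f in Get-ChildItem -Path $root -Recurse -File) {
        $rel = $f.FullName.Substring($root.Length).TrimStart('\', '/')
        if (-not $expected.ContainsKey($rel)) {
            $problems.Add([pscustomobject]@{ File = $rel; Problem = 'unexpected file' })
        }
    }
    return $problems
}

# Self-contained demonstration with constructed data: a clean source, a manifest, then a
# "restore" in which one file was encrypted in place, one is missing and a note was added.
$work    = Join-Path ([System.IO.Path]::GetTempPath()) ('restore-test-' + [guid]::NewGuid())
$source  = Join-Path $work 'source'
$restore = Join-Path $work 'restore'
New-Item -ItemType Directory -Path (Join-Path $source 'finance') -Force | Out-Null
Set-Content -Path (Join-Path $source 'finance\ledger.csv') -Value 'acct,amount'
Set-Content -Path (Join-Path $source 'readme.txt')         -Value 'golden copy'

$manifest = Join-Path $work 'manifest.csv'
New-BackupManifest -SourceRoot $source -ManifestPath $manifest

Copy-Item -Path $source -Destination $restore -Recurse
Set-Content -Path (Join-Path $restore 'finance\ledger.csv')     -Value 'ENCRYPTED'  # tampered
Remove-Item -Path (Join-Path $restore 'readme.txt')                                  # missing
Set-Content -Path (Join-Path $restore 'README_TO_RESTORE.txt') -Value 'pay us'     # extra

$result = Test-RestoredBackup -RestoreRoot $restore -ManifestPath $manifest
if ($result.Count -eq 0) { Write-Host 'Restore verified: all files match the manifest.' }
else                     { $result | Format-Table -AutoSize }

Remove-Item -Path $work -Recurse -Force
```

Running the demonstration reports three problems: finance\ledger.csv as a hash mismatch, readme.txt as missing and README_TO_RESTORE.txt as an unexpected file. Keep the manifest with the off-site or immutable copy rather than on the production share; if ransomware can rewrite the manifest alongside the data, the check proves nothing.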
Review and update your strategy for handling ransomware attacks
As ransomware tactics evolve, so too must our strategies to counter them. By adopting a proactive approach to each stage of the mitigation process, organizations can fortify their defenses against the devastating impact of a ransomware attack. This method allows organizations to align security defenses with business priorities, rather than defaulting to emergency responses that can have an irreversible impact on your organization’s reputation.
To learn more about how a managed threat hunting service can help your organization build a ransomware readiness plan, contact us.