Ransomware Prevention: How to Shift from Detection to Prevention

Enterprises across the world dread coming under the crosshairs of ransomware operators. And the threat is growing. Ransomware operators struck a new enterprise every 14 seconds in 2019 and every 11 seconds by 2021. As of 2021, such attacks cost the global economy $6 trillion annually.

The traditional countermeasure to ransomware is detection, followed by containment and recovery. The IT team shuts down the network and restores the backup. But today’s sophisticated attacks frustrate such standard recovery plans. Ransomware intrusions may have started by stealth months before the actual attack triggers. By the time the attack becomes plain, the malware will also have infected the backups.

Even when enterprises have safe backups, many still pay the ransom. Third parties accessing sensitive data and making it public have severe implications. Loss of reputation, costly lawsuits, and back-breaking fines follow.

Ransomware operators use a part of the ransom to fund further research and evolve more complex versions of ransomware. The only practical solution to escape from such a vicious cycle is prevention. Here are the ways enterprises can prevent ransomware attacks.

1. Educate users

The biggest risk factor in any enterprise is users with access rights. About 90% of cyber attacks involve some form of human interaction.

Make employees understand the implications of a ransomware attack and how it will impact them. Without such an effort, other measures invariably fail. Offer security awareness training to all employees. Make sure the training:

Teach cyber hygiene. Often, careless users allow cyber criminals entry to the network through poor cyber hygiene. Examples include not logging out, using default passwords, and clicking unsolicited links.
Promote a security culture that makes cybersecurity everybody’s responsibility.
Equip employees to identify the tell-tale signs of a phishing attack so that they can avoid such dangers and report the threat.
Make users aware of the latest information on security threats and tactics.
Reinforce company policies on cyber security. For instance, the average employee needs repeated messaging to make them not share user credentials, even with the IT team.
Spread awareness of the risks of shadow IT. Often functional teams
bypass IT and download unauthorised applications to circumvent bureaucracy. Such unauthorised applications may contain spyware or keyloggers to steal passwords.

2. Control the data

Training users to be more vigilant is not enough to prevent ransomware. Trying to block malicious messaging no longer works either. Advanced phishing attacks circumvent email filters. AI-powered phishing emails mimic genuine emails with high accuracy and befool even the most alert of filters and users. Countering such attacks requires robust data management plans and good network control.

Classify data. Limit access rights on a strict “need-to” basis.
Do not be overzealous when eradicating data silos. Silos do impede analytics, but some silos exist for good reasons. The risks of opening sensitive data often exceed the gains from co-opting such data for analytics.
An effective data governance policy details the data at risk. Quantify the worth of each data and implement appropriate security around such data.
Encourage company-sanctioned file sharing rather than emails to avoid phishing.
Sandbox files before transfer or uploads.
Use email filtering for attachments.

3. Control the network

Enforcing good control over the network with robust protocols keeps ransomware operators at bay.

Implement multi-factor authentication wherever possible. Ransomware operators may steal or commandeer passwords using malware. Multi-factor authentication, which may include a one-time password, offers a strong layer of protection.
Put in place Zero Trust network segmentation. Restrict network access on a need basis, with the principle of least privilege for each user.
Limit access to sensitive information by segmenting the internal network.
Disable unnecessary and vulnerable services. The more the number of services running, the more the risk.
Limit the number of ports and servers connected to the network to have greater control over the network, and reduce the attack surface. When remote ports are inevitable, offer limited access with privileged access.
Where possible, use VPN with encryption for remote users such as work-from-home employees and suppliers. Use geolocation to block traffic.
Enforce firewall settings on all endpoints. Apply whitelisting for endpoints having access to sensitive data. Many users, such as work-from-home employees, now access the network from remote endpoints. Many such endpoints connect to unsecured public networks.
Prevent remote access directly between endpoints. Configure endpoints to prevent connection to and file transfer from external media.
Ensure timely patch management for all applications. Even typical desktop applications contain unpatched vulnerabilities. Monitor security update publications from hardware and software manufacturers. Attackers often use the time gap between the publication and the enterprise installing the patch to launch their attack.

4. Make proactive threat assessments and follow-up actions

Ransomware operators and other threat actors are persistent. Cyber security tends to relax after success, but most cybercriminals are relentless and keep coming back. Long-lasting prevention needs eternal vigilance.

Perform risk assessments to identify vulnerabilities and address threats promptly. Cover port and vulnerability scans in the risk assessment.
Log security incidents using security incident and event management (SIEM) tools. Transfer endpoint logs to the collecting server quickly to detect suspicious activity at entry points in real-time.
Conduct penetration testing regularly. Deploy white-hat hackers to test IT systems.
Invest in continuous security validation. Deploy advanced tests such as Breach and Attack Simulation (BAS). These approaches make explicit the vulnerable areas and offer detailed mitigation recommendations. New machine learning-based tools reduce false positives and negatives and make proactive protection viable.

5. Do not underestimate insider threats

Training and awareness can pre-empt the damage from careless users. But at times, cyber criminals cultivate rogue insiders. They may honey trap or blackmail an existing employee, or one of them may take up employment with the company to secure access credentials. Some disgruntled employees may establish contact with ransomware operators.

Even the best conventional security deployments do not catch insiders with legitimate credentials.

Do extensive background checks before confirming a hire. Many companies skip this crucial step due to the urgency to onboard employees. Enterprises often lose much more than they gain by filling vacancies in haste.
Deploy round-the-clock network monitoring that identifies suspicious behaviour. Tell-tale signs of suspicious behaviour include out-of-hours logins or unusual access requests. Integrate telemetry of access log and network activity. Telemetry data makes explicit who is accessing data and from where.
Do not overlook physical security. Rogue insiders resort to dumpster diving and shoulder surfing methods to steal passwords.

Implementing proactive measures makes the enterprise an unattractive target. Ransomware operators, like any commercial entity, make cost-benefit analysis. When they find it difficult to execute their plans, they seek an easier victim.

Andre Rodrigues

As a software and IT solutions advisor, Andre leads a team of technology consultants for implementing Account-based Marketing strategies to IT customers. In his 30 years of working experience, across the region, Andre has helped numerous clients improve existing business systems and IT infrastructure. This experience has helped Andre secure a unique knowledge and understanding of the challenges faced by these sectors.