Defense is the best option. Once users see the ransom notes, the damage has usually been done.
Training: Defense in depth starts with good security awareness training for users: avoid suspicious links and sites, and don't open attachments. Supplement this with third-party anti-phishing training.
Disable Macros: Disable Office macros by default, in both local installations and Office 365, and instruct users to enable them only when genuinely necessary.
Edge Net Filtering: Use appliances or proxies that perform in-line scanning of web and email traffic to remove malicious attachments, and block access to nefarious sites and malvertising ads. Augment with real-time updates from cyber threat intelligence subscription services.
Endpoint Security: Deploy comprehensive endpoint security tools with:
- Anti-Malware: Signature-based anti-virus has become largely ineffective, with polymorphic malware able to change the characteristics of malicious payloads to evade detection. Implement endpoint security packages that use heuristic/behavioral analysis techniques to look for and quarantine suspicious code, e.g. code that calls encryption libraries.
- Privilege Management: Enforce least privilege for users and deny malware access to advanced OS functions.
- Application Whitelisting: Prevent malware from using common desktop applications to perform Just-in-Time malware assembly and encryption.
- Patching: Reduce the attack surface by ensuring that vulnerabilities within OSes and applications are mitigated as quickly as possible with rapid and automatic patching.
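As an added illustration of the behavioral heuristic mentioned above (example code written for this page, not a tool from the article or any product), the following Python detector flags a process that rewrites a burst of high-entropy files with changed extensions inside a short window, which is what bulk file encryption looks like to a file-system sensor. The thresholds, the event tuple layout and the sample telemetry are all constructed assumptions.

```python
import math
import random
from collections import defaultdict, deque

# Heuristic thresholds: assumed values for this example, not from the article.
ENTROPY_THRESHOLD = 7.0     # bits per byte; text is ~4-5, ciphertext/compressed ~7.9
WINDOW_SECONDS = 10.0       # how far back to look for a burst of suspicious writes
MIN_SUSPICIOUS_WRITES = 5   # burst size that triggers the alert

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 for uniformly random bytes, 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_bulk_encryption(events):
    """Return pids that rewrote MIN_SUSPICIOUS_WRITES or more high-entropy files with a
    changed extension inside a WINDOW_SECONDS sliding window. Each event is
    (timestamp, pid, path, extension_changed, new_content); the layout is assumed."""
    recent = defaultdict(deque)   # pid -> timestamps of its suspicious writes
    flagged = set()
    for ts, pid, _path, extension_changed, content in events:
        # Requiring both signals avoids alerting on ordinary zip or image saves.
        if not extension_changed or shannon_entropy(content) < ENTROPY_THRESHOLD:
            continue
        window = recent[pid]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MIN_SUSPICIOUS_WRITES:
            flagged.add(pid)
    return flagged

def _pseudo_ciphertext(seed: int, size: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

# Constructed telemetry: benign editor (1001), zip save (3003), ransomware-like (2002).
SAMPLE_EVENTS = [
    (0.0, 1001, "C:/Users/alice/report.docx", False, b"Quarterly revenue summary " * 60),
    (1.0, 1001, "C:/Users/alice/notes.txt", True, b"Meeting notes saved as text " * 60),
    (2.0, 3003, "C:/Users/alice/photos.zip", False, _pseudo_ciphertext(1)),
] + [
    (3.0 + i, 2002, f"C:/Users/alice/doc{i}.xlsx.locked", True, _pseudo_ciphertext(10 + i))
    for i in range(6)
]
```

Running `detect_bulk_encryption(SAMPLE_EVENTS)` returns `{2002}`: the editor's low-entropy saves and the single zip write never accumulate enough suspicious events, while the sixth rewrite by pid 2002 crosses the burst threshold. A real deployment would feed live file-system or EDR events and pair the alert with an automatic quarantine of the offending process.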
Data backups: Data backups are essential to prevent information loss in case of ransomware attacks. Enterprises are usually very good at backing up server-based repositories, but sometimes miss data on desktops and laptops.
Sterilize and restore procedures: To decrease downtime in cases where ransomware attacks have succeeded, have automated procedures available to quickly flatten and reload operating systems and users’ applications, as well as user data.