Defense is still the best option. Once users see the ransom notes or notice that their data files are encrypted, the damage has usually been done. There are both organizational and technical implementation tasks required for optimal ransomware resistance.
To combat ransomware, we must conceptually focus on three major courses of action: prepare, prevent, and recover. The prepare element involves user training and developing and testing procedures. Prevention requires technical solutions. If attacked, recovery is the last phase, and success in this area requires both technical solutions and well-executed procedures.
On the organizational side, communication is key, and involves regularly educating users as well as informing executives on risks and mitigation plans. Having tested procedures ready-to-go in the event of an attack will help reduce losses. The organizational tasks to mitigate ransomware are:
Data backups (offline): Data backups stored offline are essential to prevent information loss in case of ransomware attacks. Some recent ransomware attacks have encrypted online backups, making it impossible for victims to restore.
Training: Defense-in-depth starts with good security training for users: avoid suspicious links and attachments. Use 3rd-party anti-phishing training.
Disable Macros: If possible, disable macros by policy in both local installations and Office 365. Instruct users to only enable when necessary.
Sterilize and restore procedures: To decrease downtime in cases where ransomware attacks have succeeded, have automated procedures available to quickly flatten and reload operating systems and users’ applications, as well as user data.
Regarding technical solutions to protect against ransomware, the following security products and services are recommended:
Edge Net Filtering: Use appliances or proxies that perform in-line scanning of web and email traffic to inspect and detonate, and then remove malicious attachments, and block access to nefarious sites and malvertising ads. Augment with real-time updates from cyber threat intelligence subscription services. Preventing malicious payloads from reaching the desktops and inboxes of users should be the goal. However, malware can slip by. This is why Endpoint Protection is necessary.
Endpoint Protection (EPP): Deploy comprehensive endpoint security tools with
- Anti-Malware Signature-based anti-virus has become largely ineffective, with polymorphic malware able to change the characteristics of malicious payloads to evade detection. Implement endpoint security packages that use heuristic/behavioral analysis scanning techniques trained by large volumes of data against machine learning (ML) algorithms to look for and quarantine suspicious code, e.g. code that attempts to encrypt or change extensions on massive numbers of files, perform multiple copy-on-write ops, or delete the volume shadow copy. Every endpoint in every organization needs anti-malware in place. If you are unsure of the overall efficacy of your current anti-malware product, it may be time to re-evaluate. Choose modern anti-malware solutions that have a mix of malware detection technologies, and which consistently score at the highest levels in independent tests. For more information, see the latest KuppingerCole Buyer’s Compass on Endpoint Protection.
- Patching Reduce the attack surface by ensuring that vulnerabilities within OSes and applications are mitigated as quickly as possible with rapid and automatic patching. Many forms of ransomware exploit known vulnerabilities for which patches are available.
- Application Whitelisting Prevent malware from using common desktop applications to perform Just-in-Time malware assembly and encryption.
Privilege Management: Enforce least privilege via policy for users and deny malware access to advanced OS functions. This is a good zero-trust practice.