The Rising Threat of Ransomware: Top 10 Tips for Prevention and Recovery
The risk of a cybersecurity attack on your business has never been greater. In this post, we'll look at what you can do to keep ransomware at bay, reducing the risk and impact of an attack.
The risk of a cybersecurity attack on your business has never been greater. Massive changes in working practices over the past couple of years have moved the security goalposts. With staff working from home, employers have been forced to bring in new cloud-based productivity tools virtually overnight.
This momentous upheaval has seen changes in technology use at breakneck speed, allowing little or no time to consider the full implications for security. As a result, companies have become far more vulnerable to attack.
At the same time, the attack model has changed. Individual hackers, whose sole aim is to cause disruption, are no longer the biggest threat. They have been superseded by organised gangs of criminals out for financial gain. This has led to a huge surge in ransomware attacks that are both highly sophisticated and highly destructive.
But what exactly is ransomware and what can you do to keep it at bay?
In this post, you’ll learn just that.
We’ll show you how to reduce the risk of a ransomware incident before looking at how you can minimise the impact of an attack in the event it does happen.
What Is Ransomware?
Ransomware is a specific type of malicious software that denies a victim access to their data and other IT resources until they pay the attacker a ransom. By far the most common type of attack works by encrypting data and withholding the encryption key needed to decrypt it.
However, other methods include distributed denial-of-service (DDoS) attacks, where a hacker floods your servers with spurious requests to connect to your services, overwhelming resources and making it impossible for your systems to function normally. They will then send you a message demanding a ransom to end the attack.
Another form of ransomware is doxware, where an attacker threatens to expose sensitive data, which could severely harm an organisation or individual.
No one is immune to ransomware – targets range from individuals and small businesses right through to large-scale enterprises and public institutions.
Phishing emails, which contain malicious hyperlinks or attachments, are the most widely used method of initiating an attack. Employee negligence and poor user practices are also widely exploited by ransomware attacks.
Should I Pay the Ransom?
The short answer is no. Ransomware payments aren’t the best use of IT budgets, company capital or insurance funds. But to a company that has been caught out, paying can seem like the only option, or even the most cost-effective one – if it didn’t, criminals wouldn’t be pursuing ransomware to make money.
You must remember that you’re dealing with criminals, and by paying, you’re proving their business model and encouraging further attacks.
Even if you do pay, there’s no guarantee you’ll get your data back. Criminals can easily demand more money to release data they know is sensitive or high-value.
Finally, depending on the country you’re based in, it may be illegal to pay a ransom. There’s an ongoing debate around this and what governments should or shouldn’t do to support or protect organisations affected by cybercrime.
Ransomware Protection Measures
The following are the most important first steps any company, whatever the size, should be taking to minimise the risk of a successful ransomware attack.
1. Use Endpoint Detection and Response Software (EDR)
EDR is an advanced form of threat protection that is often confused with antivirus software. However, antivirus products are generally designed only to protect against known threats, whereas EDR is able to detect and respond to many new forms of attack as and when they happen.
EDR works by collecting data from workstations and other endpoints, and using that information to detect the signs of malicious behaviour.
Since the sudden shift towards remote working, EDR has become increasingly important, as hackers seize the opportunity to exploit weaknesses in endpoint devices to get their foot in the door.
2. Follow the Principle of Least Privilege (PoLP)
The PoLP is an approach to IT security whereby you grant each user the minimum level of access to the data and resources they need to perform their role. For example, a member of staff may need to access personal data as part of their duties but doesn’t need to change anyone’s personal details. You should therefore grant them permission to read such data but not to modify it.
The PoLP can help lower the risk of a ransomware attack launched through social engineering techniques such as phishing emails: if a hacker manages to steal an employee’s login credentials, it doesn’t necessarily mean they’ll have sufficient privileges to launch an attack.
3. Implement a Strong Password Policy
Password files are favourite targets for hackers. Although the passwords contained within password files are hashed, which makes them unintelligible, attackers have a number of tricks up their sleeve to crack them. However, the longer and more complex your passwords are, the harder they are to crack.
So it’s essential you enforce strong passwords by imposing a minimum length and requiring at least one number, uppercase letter, lowercase letter and non-alphanumeric character. That way, in the event someone stole your passwords, it would be very difficult for the perpetrator to crack them.
You should also rotate passwords as part of a robust password policy. In other words, you should prompt users to change their passwords periodically. This effectively limits the time attackers have to crack your passwords and make use of them.
4. Enable Multifactor Authentication (MFA)
If your systems support MFA, where users must go through an extra verification step such as entering a one-off code sent to their phone, you should enable it as soon as possible.
MFA acts as a layer of defence by putting up another barrier for an attacker to overcome to get into your systems.
In addition to one-time codes via SMS, other forms of MFA include:
authenticator apps for desktops and mobile phones
physical U2F security keys, which connect via Bluetooth or plug into your USB port
login confirmation codes delivered to your email address
biometric authentication, such as fingerprint, facial and voice recognition
5. Keep Software Up to Date
Software updates and patches contain fixes to vulnerabilities that attackers can exploit at any time. So you should apply them to your software and operating systems as soon as they become available.
But always remember to take backups before installing updates so you can quickly recover if you encounter issues such as a system crash or loss of critical functionality.
In cases where you cannot tolerate any downtime, you may need to administer updates in a test environment first in order to check for any potential problems before rolling out to your live systems.
6. Raise Security Awareness
According to joint research by Stanford University and email security provider Tessian, human error was the root cause of nearly 90% of all security incidents. The study also revealed that the younger generation were more vulnerable to phishing attacks – with 25% saying they’d clicked on a phishing link compared with just 8% of employees over the age of 51.
Your users are the weakest link in the security of your systems. So it pays to nurture a culture of security within your business.
Enrol employees on a security awareness course and back it up with your own advice about security best practices. If you periodically remind them of everyday risks, such as sharing removable media, clicking on malicious links and using public Wi-Fi services, you’ll be far less vulnerable to a ransomware attack.
Business Continuity and Disaster Recovery (BCDR) Measures
In addition to robust security procedures and processes, you should also have measures in place to get your business back on its feet as quickly as possible in the event of a successful attack.
This is what business continuity and disaster recovery (BCDR) sets out to achieve.
Whatever the nature of the disruption, whether through a ransomware attack, power cut, hardware failure, human error or unforeseen adverse event, BCDR will help ensure rapid recovery of IT systems and mission-critical data with minimal disruption and cost to your business.
The following steps are integral to a well-designed BCDR plan.
7. Follow the 3-2-1 Backup Rule
You should never just rely on a single backup copy of your data.
Restores can fail. Not only that but more advanced ransomware attacks also target your backups.
To ensure adequate protection you should follow the 3-2-1 backup rule, whereby you maintain three copies of your data in total: two local copies (your production data and a backup copy on a different medium) and a third copy stored with an offsite service.
The local backup will be immediately available for simple and fast recovery. However, it will also be more vulnerable to attack.
The offsite backup, on the other hand, will be air-gapped from your on-premises systems. Hackers will therefore find it more difficult to attack, as they’ll likely need additional access credentials and supplementary network information to locate it. This is particularly true if you use a cloud backup service.
8. Take Immutable Backups
An immutable backup is a copy of your data that cannot be modified, encrypted or deleted. It uses locking technology that prevents anyone, including users with admin privileges, from making such changes until the end of a specified retention period.
Consequently, you can be confident you can always recover from a ransomware attack or any other type of data protection incident.
Immutable backup solutions are generally based on storage that uses the WORM (write once, read many) model. They are available as both on-premises appliances and cloud-based offerings.
9. Maintain Backup Hygiene
It could be some time between the moment an attacker first breaches your system and the point at which they actually trigger their attack.
Any backups taken during this period will also contain the attacker’s malware. So make sure your backup system doesn’t just take copies of your data but also scans them for malware. That way, you can be sure they’re clean and safe to use whenever you need them.
And don’t forget to test your restore system on a regular basis, as you want to be sure it works properly when you need it and that backups are free from corruption or other problems that could prevent recovery.
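One way to make a regular restore test objective rather than a quick visual check, as an added example that is not part of the original post: record a SHA-256 manifest of every file at backup time, then verify a test restore against it. The scenario in `demo()` is constructed for illustration (one file encrypted in place, one deleted, one file that was never backed up).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by relative path.
    Run this at backup time and store the manifest with the backup."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a test restore against the manifest and return the findings.
    Anything under 'corrupted' or 'missing' means the backup cannot be trusted."""
    findings = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            findings["missing"].append(rel)
        elif sha256_file(p) == expected:
            findings["ok"].append(rel)
        else:
            findings["corrupted"].append(rel)   # content changed since backup
    for p in restored.rglob("*"):
        rel = str(p.relative_to(restored))
        if p.is_file() and rel not in manifest:
            findings["unexpected"].append(rel)  # file that was never backed up
    return findings


def demo() -> dict:
    """Constructed scenario: three files are backed up, then the test restore
    shows one encrypted in place, one missing and one that should not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        src, rst = Path(tmp, "src"), Path(tmp, "restore")
        src.mkdir()
        rst.mkdir()
        files = {"payroll.csv": b"id,name\n1,A\n", "notes.txt": b"hello", "ok.bin": bytes(range(32))}
        for name, data in files.items():
            (src / name).write_bytes(data)
            (rst / name).write_bytes(data)
        manifest = write_manifest(src)
        (rst / "payroll.csv").write_bytes(os.urandom(64))  # overwritten with ciphertext
        (rst / "notes.txt").unlink()                        # deleted from the restore
        (rst / "extra.txt").write_bytes(b"not in backup")    # never part of the backup
        return verify_restore(rst, manifest)
```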
10. Draw Up an Incident Response Plan
Recovery from a ransomware attack can be a huge undertaking, as you get services securely up and running while carefully purging them of all footprints left by an attack.
As part of your response, you may need to perform detailed forensic analysis to establish the full facts of the incident. If the attack carries a threat to the privacy rights of individuals then it’s likely you’ll need to report the crime to both the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO).
In fact, you’ll have a lot of systematic steps to follow.
So it’s important to draw up an incident response plan so you’re properly equipped to deal with an incident. This should prioritise the recovery process.
For example, authentication services should be near the top of your list so users can immediately log back in once other services return. You should also prioritise internal email servers so staff can communicate with customers and each other as soon as possible.
The best defence for any organisation is to be prepared for a ransomware attack.
Review your security. Tighten up your security. Put backup and recovery processes in place.
And if you don’t have the right manpower, tools and expertise then consider partnering with a managed cloud service provider with the knowledge and skills to help you. Talk to us today to see how we can help – we have a range of security experts well-versed in preventing, detecting and recovering from ransomware. Plus, we’re a friendly bunch who are always up for a chat, so why not kick things off right away?
If you think you’re at risk, take action today. Because one thing is for sure.
If you don’t take all these measures before an attack, you’ll definitely be doing so afterwards.