8 Proven Practices to Protect Against Ransomware
Nowadays, ransomware is the most prevalent threat facing organizations of different sizes and in every industry. In fact, it is estimated that the damages done by ransomware attacks cost more than $20 billion globally in 2021 and this number is expected to reach $265 billion by 2031.
A ransomware infection can lead to data loss, financial and reputational damage or even the complete shutdown of an organization. However, all is not as grim as it seems. There are ways to minimize the chances of a successful attack and, more importantly, to recover smoothly after ransomware when a ransomware infection does hit your systems.
This post lists and explains the 8 proven best practices that help you ensure protection against ransomware infections and reduce the risk of cyber breaches.
What Is Ransomware Protection?
Ransomware protection usually covers all the steps organizations take to prevent ransomware from causing lasting damage to their IT infrastructures and bottom line. A comprehensive anti-ransomware plan should include protection measures, monitoring activities and recovery strategies.
- Ransomware prevention measures
Defending against ransomware should be the primary focus of an organization. It is better to deter a ransomware attack instead of trying to mitigate its impact or trying to recover your infected data. By implementing the necessary practices and using the right tools, you can minimize the chances of ransomware infiltrating your systems and the consequences of such a breach.
- Ransomware detection measures
Monitoring your environment against malware and ransomware is essential for early discovery. The sooner you identify a breach, the higher your chance of stopping it. There are several detection tools and best practices you can implement to protect against ransomware.
- Ransomware recovery measures
In case a ransomware attack breaches your defenses, it can encrypt or lock your data and subsequently interrupt normal business operations. Numerous ransomware recovery measures allow you to minimize data loss and downtime with a swift recovery of your workloads. Keep in mind that this process might be difficult and lengthy, so you should apply the preventive practices listed below.
Ransomware Protection Best Practices
The optimal approach to ransomware protection involves a multi-layered strategy. This model includes training your personnel, protecting endpoints, implementing the necessary technologies, developing a complete incident response plan and more.
-
Train your employees
Today, 95% of cybersecurity issues can be traced to human error and 43% of all breaches are threats from within an organization, whether malicious or accidental. A single device can be the starting point of a company-wide attack.
That said, it is recommended that you educate employees about cyber hygiene as soon as you hire them. In addition, you should conduct periodical training sessions to make sure users are continuously aware of the latest threats and they are implementing the required directives.
The following practices are essential in providing protection against ransomware and reducing incidents caused by human error:
- Do not open emails from suspicious sources or click on dubious attachments.
- Do not click on ad banners or unsafe links found on unknown websites.
- Use strong passwords, change them frequently and do not use the same password for different accounts.
- Enable two-factor authentication.
- Do not share your personal information or store it in an easily accessible location.
- Do not plug in an unknown USB stick.
- Avoid using public Wi-Fi networks.
- Follow your organization’s security policy and quickly report malicious activities.
- Provide more info to your employees about manual solutions and software that can help to get rid of the malware.
-
Implement network segmentation
The best way to safeguard your network and defend against ransomware is by implementing network segmentation. This is especially important in cloud and hybrid environments. Properly connecting several subnets and routers can limit the spread of a malware infection across the entire organization if one device gets compromised.
Consider using the IEEE 802.1X standard with supported authentication methods and configure access control to a network. This way, a signed certificate and valid credentials are required to connect to a network to pass authentication and establish an encrypted connection. There are three main components in the architecture: a client, an authenticator and an authentication server. A RADIUS server and 802.1X capable switch are needed to recognize a user for a wired Ethernet connection. 802.1X can be used for wired and Wi-Fi networks.
Moreover, you should perform network penetration testing if possible since it helps you detect vulnerabilities that can be used to access your network. Fix found issues to protect against ransomware and prevent potential attacks.
-
Configure routers and port settings
Improperly configured routers can be used as an attack vector since cybercriminals continuously scan networks for an open port that they can exploit. Blocking access to unused ports and changing standard port numbers to custom numbers can help you protect yourself from ransomware.
You can also configure URL filtering and ad blocking on routers providing internet access for users in your organization. Modern software can automatically add known malicious sites to content filters to keep the URL filtering system up to date.
-
Employ basic and advanced protection technologies
Most ransomware variants are well-known and can be detected using basic security tools. However, new types of malware are regularly discovered and existing variants are getting increasingly sophisticated which is why you should also employ advanced security software.
The list below includes numerous protection technologies that you can use to defend against ransomware attacks.
- Firewall protection. This is your first line of defense against cyber breaches. Web application firewall monitors and filters HTTP traffic to and from web services. You can also configure the firewall on routers to reduce the risk of ransomware infiltration.
- Antivirus software. In case malicious behavior is detected in Windows or macOS, the antivirus immediately blocks suspicious files and notifies you. Remember that you should keep your antivirus software up to date so it can identify new versions of ransomware. Some antivirus solutions can integrate with vShield and vSphere to safeguard VMware virtual machines (VMs) running on ESXi hosts.
- Endpoint Discovery and Response (EDR). Modern EDR solutions perform real-time threat intelligence and analysis to provide protection against ransomware attacks before and during a breach. You can automate the response and mitigation processes to minimize the damages as much as possible.
- Email security. Proper configuration of anti-spam and anti-malware filters on email servers prevents users from receiving email messages with harmful links or file attachments (or at least reduces that probability significantly). Attackers usually share links to malicious websites or attach Word and Excel documents with macros to spread a ransomware infection.
Filter configurations should be updated regularly by using databases of trusted vendors like Google and Microsoft. Depending on your security policy, you can configure anti-malware and anti-spam filters to display a warning message or delete a message before it reaches a user.
- Sandboxing. Sandboxing offers an additional layer of security since it allows you to analyze a code or link in an isolated environment on a parallel network. If a suspicious message passes through the email filters, it can be inspected and tested before it reaches your network.
- Intrusion Detection System (IDS). The IDS is an advanced tool that monitors your network and systems looking for malicious activity or policy violations. Once a threat is detected, the Intrusion Detection System automatically sends a report to security administrators so they could perform the necessary measures and defend against ransomware.
- Deception technology. When all else fails, deception technology can help you save your data from being stolen or encrypted. Using this technology, you can create a decoy that mimics your actual data and servers to trick cyber criminals into thinking that their attack was successful. This also allows you to quickly detect a threat before it causes any damage or data loss.
- IT monitoring tool. Real-time IT infrastructure monitoring allows you to swiftly identify a breach based on network performance. Suspicious processor load, abnormal disk activity and large storage consumption are clear indicators of a ransomware infection.
Consider configuring a honey pot (or trap) in case you detect strange behavior in your network. A honey pot (or trapping) is a technology used to catch anomalous activity. It is a set of special files stored in non-standard locations on a server. In case these files are accessed, the system administrator is notified because this should not happen in normal production operations.
-
Restrict permissions with zero-trust security
As its name suggests, the zero-trust model means that you should presume that any user, internal or external, trying to connect to the network cannot be trusted and is a potential threat. Access is granted only after undergoing a thorough verification and authentication process. This approach protects against ransomware and breaches by eliminating unauthorized access.
To further strengthen your security policy, you should give users only the permissions they specifically need to complete their work based on the principle of least privilege. For example, a regular user must not have the credentials of an administrator. It is important to note that you have to create a dedicated account to access the backup repository containing sensitive data.
-
Install security patches and keep systems up to date
Installing security patches for operating systems and applications in a timely manner reduces security gaps and vulnerabilities that can be exploited by attackers. It is recommended that you implement a patch management program and turn on auto-updates where possible.
-
Develop a response plan
It is essential for every organization to have a response plan ready in case the ransomware attack was successful. A business continuity and disaster recovery (BCDR) plan does not defend against ransomware but helps you reduce downtime and quickly recover your lost data.
Make sure you outline a set of actions that should be performed by your team following a breach. These tasks can include:
- Disconnecting infected devices from the network
- Deleting ransomware and infected files
- Recover data using backups
- Using a decryption tool if possible
It is important to note that whatever you do, do not pay the ransom! Each payment incentivizes the criminals to launch additional attacks and there is no guarantee that you will get your data back.
-
Perform backups on a regular basis
If a ransomware attack does infect your network, you can still recover with minimal damage and downtime using backups. Recovery from backups is the most effective method to restore corrupt or encrypted data and workloads.
Below are some of the best practices that you can follow to ensure a smooth recovery:
- Follow the 3-2-1 backup rule to eliminate a single point of failure and guarantee data recoverability.
- Store backups in immutable storage to protect against ransomware encryption and modification.
- Keep air-gapped backup copies on tape and other devices that are detached from the network.
- Perform backup verification to make sure that all the data is recoverable.
- Use a dedicated administrator account to access and manage backups.
Conclusion
Ransomware is one of the most dangerous threats to organizations all around the world. Fortunately, the best practices mentioned in this blog post allow you to reduce the risk of infection, limit data loss and provide optimal protection against ransomware.
Keep in mind that in case your network gets infected, you can rely on your backups to restore encrypted data. NAKIVO Backup & Replication provides comprehensive ransomware data protection to various environments. The solution includes a wide range of advanced tools such as incremental backups, granular recovery and disaster recovery orchestration.
