#HowTo: Fight Back Against Ransomware Attacks

Written by

As a threat analyst and incident responder, much of my time is devoted to tackling ransomware. 

While we all might wish the scale of the problem was not so great, we are learning a lot more about how ransomware functions; valuable intelligence that keeps organizations more secure. For example, our own data from investigating real incidents reveals that the leading way attackers break-in comes from software vulnerabilities in almost half of all cases, followed by brute force credential attacks, stolen credentials and abuse of trusted tools. 

However, there is no need for a counsel of despair on ransomware because organizations can become more resilient and fight back. Here’s my 10-point plan: 

1. Stay Up to Date on the Evolving Threat Landscape

The ransomware threat landscape will undoubtedly evolve as threat actors apply new techniques to stifle business operations. Keep your security team and key executive stakeholders better informed of the current state of ransomware threats, potential impact on business and actionable steps you can take to prevent attacks. Keeping abreast of the latest developments will allow focused efforts in patching vulnerable applications rather than trying to patch everything.

2. Analyze the Business Impact of Losing Critical Data

To understand the impact of a ransomware attack, you must first gain complete visibility into your assets and understand where critical data lives, how it’s accessed and how it’s used across your organization. Complete a data mapping exercise, ensuring that access to confidential information is on a need-to-know basis. Next, conduct a business impact analysis on the risks of not having access to that data. At this point, it’s also worth ensuring your backup procedures are functioning and resilient to today’s ransomware attacks that attempt to sabotage them.

3. Assess Internal and External Readiness

There is an increased risk of a serious ransomware attack when there has been no consistent security posture assessment. So, evaluate the most significant risks ahead of you based on your unique combination of people, processes, technology and governance capabilities. Do not forget to identify any third-party risks. From this, you can establish a prioritized mitigation roadmap detailing the requirements to reach your organization’s security goals aligned with strategic business objectives.

4. Review and Test Your Incident Response Plan

Pressure test and update your incident response plan regularly, using the latest ransomware threat intelligence for tabletop exercises and testing simulations. This should also include testing and restoring backups, ensuring they are adequate to help respond to attacks.

Please involve your key stakeholders in the tests for their buy-in. Having tough conversations beforehand will save valuable time and ensure organizations focus on what matters most in a ransomware attack – maintaining critical operations and recovering to normalcy.

5. Implement Zero Trust

Deployed properly, a zero trust strategic approach to cybersecurity simplifies and unifies risk management by making security one use case across users, devices, sources of connection or access methods. Ransomware risks are addressed by how zero trust eliminates implicit trust and continuously validates every stage of digital interaction. Multifactor authentication goes hand in hand with zero trust to ensure that network communications across network segments are authorized.

6. Identify Your Exposed Assets and Block Common Ransomware Attacks

Adopt a system of record to track every asset, system and service you own on the public internet. This includes tracking across all major cloud service providers and dynamically leased internet service provider (ISP) space, using comprehensive indexing and spanning common and often misconfigured ports and protocols. For example, remote desktop protocol (RDP) accounts for the majority of ransomware infections since attackers can easily uncover RDP thanks to working from home now being more common. Again, multifactor authentication can help significantly here to ensure people using such accounts are who they say they are. Be mindful of multifactor bombing attacks where attackers may try and generate many approval requests (often push notifications or SMS messages) to trick the user into approving the wrong one. It would be safer to have users enter the one-time passcode number from their device only when they need to, at the point of accessing a given service.

7. Prevent Known and Unknown Threats

Aim to turn the unknown into the known and deliver new protections at a faster rate than attackers can respond. To prevent known threats, you must stop known exploits, malware and command-and-control traffic from entering your network. Blocking these increases the cost of executing a ransomware attack enough to help deter attackers. Also, focus on identifying and blocking unknown threats as more sophisticated attackers deploy new zero-day exploits and develop new ransomware variants.

8. Automate Where Possible

When alerted to a ransomware attack, many hours of manual labor are expended to stitch disparate information sources together from multiple tools. Implement tools that support the automated remediation of ransomware using pre-made playbooks for response and recovery. Security orchestration, automation and response (SOAR) products automate the whole process so response teams can quickly shut down ransomware, minimize data losses and limit the financial impact.

9. Secure Cloud Workloads

To secure cloud workloads against ransomware, ensure that all cloud infrastructure, Kubernetes and container images are securely configured and steps have been taken to minimize vulnerabilities, including any security features turned off by default. Check open-source packages and libraries for vulnerabilities that can be patched. Identify and remove overly permissive or unused IAM entitlements. 

10. Reduce Response Time with Retainers for External Expert Support

It’s critical to take swift action once a potential breach has been identified. With an incident response (IR) team retainer in place, IR experts become an extension of your team, ready to step in whenever you require assistance. 

What’s hot on Infosecurity Magazine?