10 Ways to Protect Against Ransomware in Today’s Environment
Jonathan Broche, Director of Penetration Testing at MorganFranklin Consulting
Ransomware attacks are among the greatest concerns for organizations. As the negative ramifications of these attacks continue to increase, organizations are bolstering their investments in information security solutions.
Modern ransomware, especially exfiltrated information released to the public, forces us to think about recovery and reputational risks. The ransom’s costs (indirect and direct) are typically far greater than implementing contingency plans to prepare for such incidents.
The Current State of Ransomware
Ransomware is evolving and, in recent years, has become increasingly targeted. Many cybercriminal groups perform reconnaissance to target the organizations that they believe are most likely to make the ransom payment if threatened with leaking private information. This practice is known as doxxing.
Along with the traditional means (e.g., email, social engineering) of infecting systems, attackers now target externally-facing administrative services such as remote desktop protocol (RDP). Vulnerabilities including Log4j have been leveraged for ransomware infection.
Once inside, the ransomware often encrypts and moves laterally across networks while utilizing PowerShell and other open-source tools to exfiltrate sensitive data. This information is held by the cybercriminal group that then demands a ransom payment from the organization before it can regain access to its files.
Ways to Protect Your Organization
To strengthen your organization’s security and defense against ransomware, consider the following ten strategies and configuration changes.
Firewall and Service Configurations
Ensure your organization is not exposing administrative services such as SMB and RDP on the external network. Consider disabling services like the Windows Scripting Engine or PowerShell. To immediately reduce the overall attack surface of your organization and to increase security, block access to known malicious IPs and implement network segmentation and multi-factor authentication.
Modern ransomware quickly leverages an organization’s out-of-date software (or new exploits to publicly disclosed vulnerabilities) within hours of release. Therefore, to reduce the risk of attacks, it is imperative to keep applications, operating systems, and third-party software current.
With millions of threats identified each year, email attacks prove to be the greatest threat to organizations. Enabling strong spam filters will help prevent phishing emails from reaching end users. To prevent email spoofing, consider implementing inbound email authentication technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM).
Ransomware delivered through exploit kits often executes within the Downloads, Temp, or AppData directories. Therefore, strengthening an organization’s security includes limiting programs from executing outside of the Program Files directory. Consider implementing whitelisting, via Windows AppLocker, to stop unwanted programs from executing.
Prevent Registry Access
Several ransomware families leverage the Windows registry to establish persistence. Disabling writing to the registry, specifically the Run and SystemRestore keys, can prevent ransomware from running upon rebooting and disabling system restores. Due to poor coding practices, ransomware applications may crash if they cannot write to these registry keys.
Least Privileged Access
Applying the least privilege access principle reduces an organization’s overall attack surface and helps prevent the spread of ransomware due to the inability to escalate privileges. User access should be limited to the minimum level necessary to perform job functions. Local administrator rights should be removed from standard users. In addition, those requiring administrator accounts should only use them when necessary.
A robust backup program will help ensure data recovery in the event of a ransomware attack. Effective programs include encryption, immutability, air gap, and a 3-2-1 backup strategy. At a minimum, an organization should be creating backups on multiple media types and storing them in different geological locations.
Network segmentation protects against lateral movement, which in turn assists with the containment of ransomware. Organizations should create a plan to define the goals and architecture of network segmentation. Networks may be split up by critical infrastructure, function, and/or data type. Critical infrastructure or systems that can be life-threatening or cause physical harm should be segregated and air-gapped. Otherwise, networks can be segmented by functionality (e.g., human resources, technology, finance) and/or data type (e.g., sensitive information).
Defensive technologies are effective once properly configured. Endpoint protection systems, Intrusion Prevention Systems (IPS), and SIEM solutions all play an important role in ransomware prevention and detection. In addition, log collection is crucial to incident response and visibility. Ensure your organization is collecting logs from at least the firewall, IPS, web proxy, endpoint protection systems, operating systems, and DNS servers (if maintained in-house).
Additional strategies for strengthening an organization’s security posture include security awareness training, vulnerability management, honey pots, advance file monitoring, zero trust principles, and EDR solutions. Successfully implementing effective security programs and strategies can save organizations from the direct and indirect costs and risks associated with cyberattacks.
How MorganFranklin Can Help
The security of our clients is our top priority. From ransomware readiness assessments to tabletop exercises and policy/procedure reviews, MorganFranklin brings the needed expertise and agility to improve your organization’s ransomware readiness and response programs.