Actions for Ransomware Protection
This article covers actions for ransomware protection: how to reinforce your defenses and how to recover after an attack.
Just the thought of ransomware is enough to keep CISOs and security teams up at night. Victims face a terrible choice: pay a ransom to a criminal who may or may not release their captured network and data, or potentially spend millions of dollars to remove the ransomware and rebuild on their own. This is why maintaining good ransomware protection matters.
According to reports recently published by CNBC, the cost of a single ransomware incident is about $713,000. That estimate adds up the ransom payment, the losses from downtime, the value of any lost data or hardware, the expense of improving the infrastructure afterwards and, finally, the time and money needed to repair the brand's image.
Bear in mind that this number grows quickly the longer critical systems remain offline.
And these costs are likely to keep rising. In one attack this year, for example, the attackers demanded 13 Bitcoin (more than US$75,000) for each computer affected before users could regain access to their files, far above the typical ransom demand, which until then was just under US$13,000.
Don't Fall Victim to Ransomware
Because ransomware pays so well, it continues to attract cybercriminals. Some launch large-scale, opportunistic campaigns hoping to catch careless victims; others carefully plan highly focused attacks on specific targets that are most likely to pay. Even less technical criminals are joining in through the growing number of ransomware-as-a-service portals available on the Dark Web.
Whatever the approach, in today's digital world a ransomware attack is a matter of when, not if.
However grim that sounds, organizations do have effective ways to defend against ransomware attacks.
10 Things You Can Do to Protect Against Ransomware
Here are 10 critical steps that every organization should consider as part of its anti-ransomware strategy:
Attack surface mapping
You can't protect what you don't know you have. Start by identifying every system, device and service in your environment that the business relies on, and keep an active inventory of them. This not only helps you identify the targets that are most exposed; it also gives you a baseline of the environment to recover to.
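One practical way to keep that inventory honest is to reconcile it against what a network scan actually sees: hosts that answer on the network but are missing from the inventory are unmanaged (and usually unpatched), and hosts in the inventory that never answer may have been decommissioned without anyone updating the baseline. The script below is an added example, not code from the article or from Fortinet; the inventory, the nmap-style greppable scan lines and the list of "risky" services are all constructed for illustration.

```python
"""Reconcile a network scan against an asset inventory (constructed example)."""
import re
from dataclasses import dataclass, field

# Services ransomware operators commonly abuse for initial access or lateral movement.
# The port list is an assumption for this example; tune it to your environment.
RISKY_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

# Constructed inventory export (e.g. from a CMDB): IP -> (hostname, owning team).
INVENTORY = {
    "10.0.1.10": ("fileserver01", "infra"),
    "10.0.1.20": ("hr-db01", "hr"),
    "10.0.1.30": ("web01", "web"),
    "10.0.1.40": ("backup01", "infra"),   # in the inventory but not seen on the wire
}

# Constructed lines in the shape of `nmap -oG` (greppable) output.
SCAN_OUTPUT = (
    "Host: 10.0.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\n"
    "Host: 10.0.1.20 ()\tPorts: 1433/open/tcp//ms-sql-s///\n"
    "Host: 10.0.1.30 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 10.0.1.99 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\n"
)

PORT_RE = re.compile(r"(\d+)/open/tcp")


@dataclass
class Finding:
    ip: str
    hostname: str
    unmanaged: bool                       # seen on the network but absent from the inventory
    risky_services: list = field(default_factory=list)


def parse_greppable(text):
    """Return {ip: [open TCP ports]} from nmap greppable-style lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts[ip] = [int(p) for p in PORT_RE.findall(line)]
    return hosts


def reconcile(scan_text, inventory):
    """Compare scan results with the inventory.

    Returns {"findings": [Finding, ...], "not_seen": [ip, ...]} where not_seen lists
    inventory hosts the scan did not observe (offline, decommissioned, or mis-scoped scan).
    """
    seen = parse_greppable(scan_text)
    findings = []
    for ip, ports in seen.items():
        known = inventory.get(ip)
        risky = [f"{p}/{RISKY_PORTS[p]}" for p in ports if p in RISKY_PORTS]
        findings.append(Finding(ip, known[0] if known else "<unknown>", known is None, risky))
    not_seen = sorted(ip for ip in inventory if ip not in seen)
    return {"findings": findings, "not_seen": not_seen}


if __name__ == "__main__":
    result = reconcile(SCAN_OUTPUT, INVENTORY)
    for f in result["findings"]:
        flag = "UNMANAGED" if f.unmanaged else "managed"
        print(f"{f.ip:<12} {f.hostname:<14} {flag:<10} risky={f.risky_services}")
    print("inventory hosts not seen by the scan:", result["not_seen"])
```

In the constructed data, 10.0.1.99 is exactly the kind of host this review is meant to surface: nobody owns it, yet it exposes RDP and SMB, the two services most often used to get in and to spread. Run the reconciliation on every scan, not once, so that the baseline used for recovery stays current.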
Patching and updating vulnerable devices
Establishing and maintaining a regular patch and update process is basic best practice. Unfortunately, many organizations simply do not do it. Obviously, not every system can be taken offline for patching and upgrading. Systems that cannot be patched should be replaced where possible, or otherwise protected with strict access controls and some form of isolation or zero-trust segmentation.
Update your security systems
In addition to updating your network devices, you also need to ensure that all security solutions are running the latest updates. This is especially crucial for your secure email gateway (SEG). Most ransomware enters an organization through email, and an SEG must be able to identify and strip malicious attachments and links before the message reaches the recipient.
Similarly, an effective web filtering solution, ideally one that leverages machine learning, must be able to stop phishing sites. Beyond that, your security strategy needs to include application allow lists, mapping and limiting privileges, implementing zero trust between critical systems, enforcing strong password policies and requiring multi-factor authentication.
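To make the SEG requirement concrete, the following is an added example (not code from the article or from any vendor's gateway) of the kind of attachment and link policy such a gateway applies before delivery: it blocks executable and script attachment types, flags macro-enabled Office documents and decoy double extensions such as `Invoice.pdf.exe`, and flags links whose host is a raw IP address or is on a block list. The blocked-extension sets, the block-listed domain and the two sample messages are all constructed assumptions for this example.

```python
"""Minimal email gateway policy check for attachments and links (constructed example)."""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed policy lists for this example; a real gateway carries far longer ones.
BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".lnk", ".iso", ".img"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
BLOCKED_DOMAINS = {"secure-login-update.example"}      # constructed block list entry
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def check_attachment(filename):
    """Return the list of policy reasons for rejecting an attachment name (empty = clean)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXT:
        reasons.append(f"executable/script type {ext}")
    elif ext in MACRO_EXT:
        reasons.append(f"macro-enabled Office document {ext}")
    # "report.pdf.exe": the harmless-looking extension hides the real one.
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXT:
        reasons.append("decoy double extension")
    return reasons


def check_url(url):
    """Return policy reasons for a link: raw-IP hosts and block-listed domains."""
    reasons = []
    host = (urlparse(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        reasons.append("link uses a raw IP address instead of a hostname")
    except ValueError:
        pass  # not an IP literal
    if host in BLOCKED_DOMAINS:
        reasons.append("link host is on the block list")
    return reasons


def scan_message(raw_bytes):
    """Apply the policy to a raw RFC 5322 message; verdict is 'deliver' or 'quarantine'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons += [f"attachment {name!r}: {r}" for r in check_attachment(name)]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        reasons += [f"link {url}: {r}" for r in check_url(url)]
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample(subject, body_text, attachment_name, attachment_bytes):
    """Construct a multipart message with one attachment, purely as test input."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = subject
    msg.set_content(body_text)
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: a phishing-style lure and a benign message.
PHISH = build_sample("Overdue invoice", "Please pay today: http://198.51.100.23/pay/invoice\n",
                     "Invoice.pdf.exe", b"MZ\x90\x00")
CLEAN = build_sample("Agenda", "Agenda for Monday attached. https://intranet.victim.example/agenda\n",
                     "agenda.pdf", b"%PDF-1.4")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, scan_message(raw))
```

The point of the example is where the check runs: on the gateway, before delivery, so the user never has to decide whether `Invoice.pdf.exe` looks legitimate. A production gateway adds content inspection (file type by magic bytes rather than name, macro extraction, sandbox detonation) and reputation feeds on top of rules like these.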
Segment your network for more security
Network segmentation ensures that compromised systems and malware are contained within one segment of the network. That includes isolating your intellectual property and the personally identifiable information of employees and customers. Likewise, keep critical services (such as emergency services or physical systems like HVAC) on a separate, segregated network.
Protect your extended network
Ensure that the security controls deployed on your core network are replicated across your extended network, including operational technology (OT) networks, cloud environments and branch offices, so that a breach in one place does not spread to the rest. Also take the time to review the connections from other organizations (customers, partners, vendors) that touch your network. Make sure those connections are hardened and that appropriate security and filtering are in place.
Then alert those partners about any problems you discover, especially anything suggesting that malicious content could be shared or spread over those connections.
Isolate your recovery systems and back up your data
Perform regular backups of your data and systems and store the backups off the network so that they are not compromised in the event of a breach. Check the integrity of the backups and scan them for evidence of malware before relying on them.
Ensure that all systems, devices and software required for a complete recovery are likewise isolated from the network, so they remain available for recovery after a successful attack.
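"Check the integrity of the backups" is only meaningful if you recorded what intact looked like. The added example below (not code from the article or from Fortinet) shows one way to do that: record a SHA-256 manifest at backup time and keep it with the offline copy, then before a restore verify every file against it and classify what changed. Files that fail the hash and now have near-random byte entropy look encrypted, and unexpected new files with names like `README_TO_DECRYPT` look like ransom notes. The sample backup tree, the ransom-note name patterns and the 7.5 bits-per-byte entropy threshold are constructed assumptions for the example.

```python
"""Verify an offline backup against a hash manifest and flag ransomware damage (constructed example)."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Assumed indicators for this example.
RANSOM_NOTE_PATTERNS = ("decrypt", "how_to_recover", "restore_files", "readme_for")
HIGH_ENTROPY = 7.5   # bits per byte; encrypted or compressed data sits close to 8.0


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256. Store this off the network."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree against the manifest taken when it was made."""
    root = Path(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [],
              "high_entropy": [], "ransom_notes": []}
    present = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
            continue
        path = root / rel
        if sha256_file(path) != expected:
            report["modified"].append(rel)
            # A modified file that is now near-random is the signature of encryption in place.
            if shannon_entropy(path.read_bytes()[:65536]) > HIGH_ENTROPY:
                report["high_entropy"].append(rel)
        else:
            report["ok"].append(rel)
    for rel in sorted(present - manifest.keys()):
        report["unexpected"].append(rel)
        if any(pat in rel.lower() for pat in RANSOM_NOTE_PATTERNS):
            report["ransom_notes"].append(rel)
    return report


def demo():
    """Build a small backup, take its manifest, simulate ransomware damage, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q3.csv").write_text("dept,amount\nhr,1200\nops,3400\n" * 50)
        (root / "notes.txt").write_text("Plain text document, low entropy.\n" * 20)
        (root / "config.ini").write_text("[db]\nhost=db01\n")
        manifest = build_manifest(root)               # taken at backup time

        # Simulated damage to the copy: one file encrypted, one deleted, a ransom note dropped.
        (root / "finance" / "q3.csv").write_bytes(os.urandom(8192))
        (root / "config.ini").unlink()
        (root / "README_TO_DECRYPT.txt").write_text("Your files are encrypted. Contact us to recover them.\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key:<13} {items}")
```

The verification is only as trustworthy as the manifest, so the manifest must live with the offline copy (or be signed), never on the same network share the ransomware can reach; otherwise the attacker simply rewrites it to match the encrypted files. A clean report here is also the precondition for the recovery exercises in the next step.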
Perform recovery exercises
Regular recovery exercises confirm that your backup data is readily available, that the necessary resources can be restored, and that all systems operate as expected afterwards.
Also make sure that every individual and team understands their responsibilities in this process. Issues raised during an exercise should be documented and addressed.
Engage external experts
Establish a list of trusted experts and consultants who can be contacted in case of compromise to help you in the recovery process. When possible, you should also involve them in your recovery exercises.
NOTE: Organizations should also immediately report any ransomware event to CISA, a local FBI field office or a Secret Service field office.
Keep an eye on ransomware events
Keep up to date on the latest ransomware news by subscribing to threat intelligence and news feeds. The team should understand how and why other organizations' systems were compromised and apply those lessons to your own environment.
Educate your employees
Instead of being the weakest link in your security chain, your employees need to be your first line of cyber defense. Ransomware usually begins with a phishing campaign, so it is imperative to train staff on the latest tactics cybercriminals use, whether they target corporate devices, personal devices or mobile devices.
In addition to the kind of annual security review that most employees already participate in, consider a regular cadence of awareness campaigns.
Quick 30-60 second video updates, phishing simulation games, executive team email messages and informational posters help maintain awareness. In addition, running your own internal phishing campaigns can help identify employees who need additional training.
Pass this on
When it comes to cybercrime, we're all in this together. Make sure you have regular meetings with industry colleagues, consultants and business partners, especially those critical to your business operations, to share these strategies and encourage their adoption.
Not only does this reduce the risk that they spread a ransomware infection upstream or downstream, creating liability for them and for you; it also protects your own organization, since an outage at a critical partner is likely to have a cascading impact on your business.
Derek Manky is head of security insights and global threat alliances at Fortinet