Ransomware attacks are a serious global issue and getting worse – in fact, they are often considered the top cyber threat facing businesses today 1. Ransomware statistics are staggering:
- Damages to businesses and organizations are expected to be $20 billion in 20212
- Global ransomware reports are up more than 715% from 2019 to 20203
- Ransomware payments have increased 60% in value since 20194
Ransomware is a crisis that will only get worse as threat actors continue to grow in sophistication and expertise. Ransomware attackers often operate with the discipline and approach of a legitimate traditional business, except with criminal intent. Fortunately, there are strategies companies can take to reduce the risk of falling victim to a ransomware attack.
Consider these ten technologies and processes to help prevent and detect a ransomware attack.
Each of these steps aligns closely with how attackers create and consummate their criminal activity. While some are costly, proactively implementing these steps now can mitigate the costs of business interruption, reputational damage, incident response and/or a ransomware payment.
1. Phishing Awareness Training, to educate employees and end-users on how to spot phishing emails and know the red flags to drive down clicks on the malicious emails many ransomware attackers use to gain a foothold in a network.
2. Disabling Accessibility of Remote Desktop Directly from the Internet, to prevent ransomware attackers from brute-forcing Internet-facing RDP services to gain entry into a network.
3. Properly Configured URL Filtering and E-mail Attachment Sandboxing, to prevent malware contained in ransomware emails from executing or going unnoticed.
4. An Advanced Endpoint Detection and Response (“EDR”) Solution, to detect and potentially quarantine ransomware and other advanced malware, and also to facilitate enterprise forensics in the event of an attack.
5. An Advanced Malware Detection Tool that Inspects Network Traffic, to identify ransomware and other malicious packets or network traffic flowing over the wire.
6. 16+ Character Service Account and Domain Admin Passwords, to prevent ransomware and other hackers from cracking weak admin user names and passwords. Optimally, these strong passwords should be rotated regularly, using a Privileged Access Management (PAM) tool. Ransomware attackers use these cracked credentials to move laterally and deploy their ransomware.
7. Lateral Movement Detection Tools. After gaining a foothold, ransomware actors typically move laterally using compromised IT
credentials. Detecting that anomalous lateral movement normally enables the attack be shut down before ransomware is deployed.
8. A Properly Configured Security Information and Event Management (“SIEM”) Platform that aggregates event, security, firewall and other logs. Trying to respond to and recover from a ransomware attack without a SIEM is very difficult, as visibility through local, non-centralized logs is often poor.
9. A Continuous Security Monitoring Function, which provides continuous monitoring and threat hunting using collected logs and alerts.
10. Locking Down Software Deployment and Remote Access Tools (such as SCCM, PDQ, and PsExec) to a small set of privileged accounts with multi-factor authentication where possible. Once they have secured elevated privileges, ransomware attackers typically commandeer SCCM/PDQ/PsExec accounts to push the ransomware executable across the network.
About the Author
Eric M. Friedberg
Co-President Stroz Friedberg, an Aon Company
Eric M. Friedberg is co-founder and Co-President of Stroz Friedberg, LLC, a cyber consultancy and technical services firm acquired by Aon plc in 2016. Mr. Friedberg has 30 years of public and private sector experience in law, cyber-crime response, cyber-governance, IT security, forensics, investigations and e-discovery. His expertise is sought by boards, audit committees, C-suites, law firms and the courts.
1. Ransomware is number one cyber threat this year. Click here for article.
2. 2019 Cyber Security Almanac. Cisco and Cyber Security Ventures, 2019
3. Bitfender’s Mid-Year Threat Landscape Report 2020, page 1
4. Coverware Ransomeware Marketplace Report, August 3, 2020