After a few very active years, news of yet another high-profile ransomware attack is becoming less and less surprising. But, while we may be feeling “crisis fatigue,” ransomware isn’t any less of a threat.
In fact, the FBI recently released an alert detailing a double extortion ransomware attack on Memorial Health System, which operates hospitals and health clinics across Ohio and West Virginia. The attack caused disruptions at several facilities, including canceling surgeries and radiology exams, diverting emergency care to nearby hospitals, and disabling electronic charting systems.
Despite assistance from the FBI and CISA, it appears that Memorial Health System paid the ransom for the decryption keys so it could begin recovery efforts.
Security experts warn against submitting to ransom demands because it encourages further attacks and because a large percentage of those organizations that pay never get their data back. But with ransomware tactics rapidly evolving and attacks becoming more targeted toward critical infrastructure sectors, for many organizations, paying the ransom may seem like the best way out of a bad situation.
Fortunately, there are steps you can take to minimize your risk of attack and have options for recovery other than paying the ransom.
How to Plan Proactively for Ransomware
Many security experts say that in today’s threat landscape, the likelihood that your organization will be impacted by a ransomware attack is now a matter of when it will happen, rather than if it will.
Despite that dire outlook, there are ways to plan proactively for the inevitable that will help minimize damage, reduce recovery costs, and prevent data loss.
Taking a three-step approach to ransomware protection will help you deflect the threats you can, defend your critical data, and deploy a fast and effective disaster response strategy when your other mitigation efforts aren’t enough.
Prevent a Ransomware Attack
The most effective way to stop ransomware from causing damage and disruption is to prevent attacks from succeeding in the first place. This can be extremely challenging; new ransomware strains are becoming far more difficult to detect.
However, following a few best practices can make a huge impact on your cybersecurity and data protection capabilities:
Keep patches and updates current.
Unpatched vulnerabilities have the distinction of being not only among the most frequently exploited but also the easiest to avoid. Citing a lack of time and staff to keep up with routine maintenance, many IT teams put off patching and updates.
To avoid leaving your systems wide open for attack, dedicate someone on the IT team to install updates and patches immediately after they are released. If that isn’t an option for your organization, consider hiring a managed service provider to help.
Practice good email hygiene.
Email is patient zero for many cyberattacks, including ransomware. Although the share of ransomware attacks delivered via email is lower than it was in years past, the technique is making a comeback.
Don’t assume your employees know how to spot suspicious emails. It is far safer for IT to build a security plan with the idea that at some point, someone will click the wrong thing. Implement stringent email content and whitelist filtering policies, train employees to spot red flags that help identify malicious links and attachments, and be sure every employee knows what to do if they make a mistake.
Re-evaluate identity and access management policies.
Today’s highly distributed remote workforce has rendered the traditional firewall obsolete. To help reduce data and network vulnerabilities, IT is making people the perimeter by implementing identity and access management policies and frameworks, such as least privilege and zero trust.
Minimizing the number of employees with access to the company’s “crown jewels” keeps unauthorized users from accessing sensitive information. Controlling who can go where within the network also limits how far an attacker can go after entering your system with stolen credentials.
Review port settings.
Remote Desktop Protocol (RDP) accounts have long been a popular target for ransomware operators. With millions of new remote workers and students accessing their organizations’ data remotely, brute-force attacks on RDP and VPN are on the rise.
To make it more difficult for ransomware operators to infiltrate your network via RDP:
- Make RDP access available to select IPs only.
- Change the port setting to make it harder for port scanners to find.
- Enable Network Level Authentication for an extra layer of protection.
- Install a Remote Desktop Gateway server with multi-factor authentication enabled.
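As an added example, not code from the original article: a PowerShell script that audits a Windows host for the RDP exposures the list above describes and, when run with -Apply, scopes inbound RDP to approved addresses and enables Network Level Authentication. The addresses in $AllowedSources and the -Apply switch are placeholders and assumptions of this example.

```powershell
# Added example (not from the original article): audit and harden RDP exposure on a Windows host.
# Assumes $AllowedSources holds your own admin subnet / jump hosts (placeholders below). Run elevated.
param(
    [string[]]$AllowedSources = @('10.0.50.0/24', '192.0.2.10'),  # placeholder admin subnet and jump host
    [switch]$Apply                                              # without -Apply the script only reports
)

$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$nla     = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

# Report the listening port. A non-default port only slows casual scanning; the firewall scope
# and NLA below are the controls that actually reduce exposure.
$portColor = if ($rdpPort -eq 3389) { 'Yellow' } else { 'Green' }
Write-Host "RDP listening port : $rdpPort" -ForegroundColor $portColor
Write-Host "Network Level Auth : $(if ($nla -eq 1) { 'enabled' } else { 'DISABLED' })"

# 1. Inbound allow rules for the RDP port whose remote scope is "Any" are the exposure to fix.
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$rdpPort") -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
    }
foreach ($r in $openRules) { Write-Host "Open to Any: $($r.DisplayName)" -ForegroundColor Yellow }

if (-not $Apply) { Write-Host 'Re-run with -Apply to enforce the changes below.'; return }

# 2. Replace "allow from Any" with a rule scoped to the approved source addresses only.
$openRules | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP - approved sources only' -Direction Inbound `
    -Protocol TCP -LocalPort $rdpPort -RemoteAddress $AllowedSources -Action Allow | Out-Null

# 3. Require Network Level Authentication so credentials are verified before a session is built.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1

Write-Host 'Done. Restart Remote Desktop Services (or reboot) for the NLA change to take effect.'
```

Pair this with a Remote Desktop Gateway and MFA as the list above recommends; the script covers only the host-level firewall scope and NLA settings.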
Protect Your Data and Networks
The next step in minimizing the potential damage from a ransomware attack is protecting your data and your backups. These best practices can help prevent hackers from encrypting business-critical data and ensure you can recover quickly if a disruption does occur:
Back up frequently.
After a ransomware attack or other unplanned downtime, having access to a recent backup is essential for ensuring SLAs are met and that RTOs and RPOs are achievable.
The more frequently data is backed up, the less potential there is for critical files and records to be permanently lost.
Use 3-2-1-1 backup.
The traditional 3-2-1 backup strategy no longer provides the level of security needed to prevent data loss in the face of today’s evolving cyberthreats. In addition to the three copies of the data stored on two different media with one copy off-site or in the cloud, IT teams are adding a fourth copy that is either in immutable storage or kept offline in an air-gapped, off-site location.
Segment networks.
Some ransomware strains enter a network but don’t announce their presence for days, weeks, or even months. During this time, the malicious application is drilling deeper into the network, collecting information and determining the best plan of attack.
Segmenting networks to separate the most valuable and mission-critical data from nonessential systems and data can help isolate damage to less-critical network segments and prevent potentially devastating data loss or exfiltration.
Encrypt data at rest and in transit.
Many organizations recognize the importance of encrypting their data when it is being moved from one point to another, such as when an email is in transit. However, there is significant value in also encrypting your data at rest so that in the event of a security breach, the exfiltrated data is worthless to the hacker.
Respond Quickly and Efficiently
No cybersecurity strategy can prevent ransomware 100 percent of the time. At some point, you will likely need to respond to a cyberattack. Proactively preparing your response will help ensure it goes smoothly with minimal disruption to operations and productivity.
Although each organization’s ransomware response plan will be tailored to fit its specific environment and systems, there are a few universal steps that every response plan should include:
- Isolate infected systems.
- Shut down and quarantine any computers or devices that share a network with the infected computer.
- Disable automated maintenance tasks.
- Scan backups to ensure they are ransomware-free.
- Change passwords.
- Report the attack to the IT security team.
Stay a Step Ahead of Ransomware
Ransomware currently tops the list of cybersecurity concerns for CISOs and IT security teams. Although there is a high probability that your organization will be impacted by ransomware, you can take steps to proactively limit damage and prevent data loss.
Download “Don't Become a Statistic: Stay Ahead of Cybercriminals by Implementing a Holistic Ransomware Protection Strategy” to learn how to take a holistic approach to cybersecurity in today’s rapidly changing threat environment.