Just Paid the Ransom? Here’s How to Prevent It From Happening Again
Hackers can be relentless with their cyberattacks. While organizations can be vulnerable to many security threats, ransomware is especially ruthless because its attacks are largely automated. It doesn’t matter what industry or business you are in – hackers don’t care if your organization has “nothing of value,” their tooling will try to attack anything that is vulnerable.
Ransomware is on the rise globally because it has proven to be an effective (and profitable) strategy for hackers. In the last year alone in the U.S., ransomware attacks impacted county hospitals, local businesses and over 40 municipalities, often forcing these organizations to make the difficult choice between paying the ransom or losing their data.
While security professionals don’t want to reward these cybercriminals by giving in and paying the ransom, when business-critical data is at risk, the stakes are high and some organizations make the decision to pay up. Because many do pay the ransom to regain access to their sensitive data, hackers are incentivized to continue executing these attacks.
The challenge is that many security teams lack the staff and resources they need to confidently provide security for their organizations, leaving them no choice but to pay the ransom. That said, there are measures organizations can take to help reduce their attack surface and lessen the chances of falling victim to a(nother) ransomware attack.
These five best practices will help organizations fend off hackers and minimize risk:
- Conduct End-User Security Training: The best first step an organization can take is to educate its users on how to spot phishing and spear-phishing techniques. The IT and security team should educate staff on how to vet phishing emails, as these attacks can expose an organization to malicious web content or end-user actions that can infect devices.
- Set Up and Test Reliable Backup and Recovery Procedures: In case of a ransomware attack, having a reliable backup of data will allow organizations to refuse to pay the ransom. Be sure to test recovery procedures before it’s too late. During testing, organizations will be able to investigate and refine problem areas so they are prepared if or when an emergency occurs.
- Establish Good Hygiene Practices for Your Endpoints: Ransomware attacks often target endpoints because that’s where data lives and that’s what users work on, so the best fix for ransomware attacks is to improve your endpoint security hygiene. Patching, system/application updates, end-of-support/end-of-life platform migrations, user administration and configuration management can be tedious, but these actions will greatly reduce the risk of opportunistic attacks. Also, disable or remove any and all software that’s not necessary or critical to your organization.
- Implement Continuous Vulnerability Assessment: Regular and continuous vulnerability assessment scanning will identify application, OS and network vulnerabilities, so organizations can prioritize remediation efforts that can help prevent ransomware attacks.
- Block and Filter Inbound and Outbound Connections: If organizations block and filter inbound and outbound connections at the gateway, the ransomware is disrupted before it can affect the organization. Pro tip: set up a reputation feed that will help block known threats, alerting when connections are initiated so the organization can investigate and correlate connections with known bad actors.
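As an added example of the reputation-feed correlation described in the last practice (example code, not from the original article or any product it mentions), the script below parses constructed gateway connection log lines and flags every connection whose remote party appears on a constructed feed of known-bad domains and networks. The feed entries use documentation IP ranges and `.example` domains; they are placeholders, not real indicators.

```python
import ipaddress
import re

# Constructed reputation feed for this example: documentation IP ranges and
# .example domains, not real indicators of compromise.
BAD_DOMAINS = {"ransom-c2.example", "payload-drop.example"}
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]

# Constructed gateway log: timestamp direction src dst port verdict
GATEWAY_LOG = """\
2024-05-01T10:00:01Z OUT 10.0.0.12 updates.vendor.example 443 ALLOW
2024-05-01T10:00:05Z OUT 10.0.0.12 203.0.113.45 4444 ALLOW
2024-05-01T10:00:09Z IN 198.51.100.7 10.0.0.5 3389 ALLOW
2024-05-01T10:00:12Z OUT 10.0.0.7 cdn.ransom-c2.example 80 ALLOW
2024-05-01T10:00:20Z OUT 10.0.0.7 203.0.113.200 443 DENY
garbage line that the parser must skip
"""
LINE_RE = re.compile(r"^(\S+) (IN|OUT) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def feed_match(remote, bad_domains, bad_networks):
    """Return the feed entry matching a remote host or IP, or None."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        # Not an IP: treat as a hostname; subdomains of a listed domain count too.
        name = remote.lower().rstrip(".")
        return next((d for d in bad_domains
                     if name == d or name.endswith("." + d)), None)
    return next((str(n) for n in bad_networks if addr in n), None)


def correlate(log_text, bad_domains=BAD_DOMAINS, bad_networks=BAD_NETWORKS):
    """Flag each connection whose remote party is on the feed; DENY lines are kept too."""
    # Returns (timestamp, direction, internal_host, remote, indicator, verdict) tuples.
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        ts, direction, src, dst, _port, verdict = m.groups()
        # Inbound: the remote party is the source; outbound: the destination.
        internal, remote = (dst, src) if direction == "IN" else (src, dst)
        hit = feed_match(remote, bad_domains, bad_networks)
        if hit:
            alerts.append((ts, direction, internal, remote, hit, verdict))
    return alerts
```

Blocked (DENY) connections are reported as well, since a denied beacon from an internal host is exactly the early signal the text says is worth investigating.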
The best defense against ransomware and other threats is a mature security program. If you have any questions about what additional protections could be needed, the NIST security framework provides great process guidance for assessing your gaps and priorities.
The only way to recover from a ransomware attack is for an organization to have complete backups of its systems, wipe them clean and start over. In any case, having backups is arguably the best defense, given that hackers may still steal an organization’s data even after the ransom is paid. Organizations should see to it that backups aren’t stored on their own network, where they can be encrypted along with the rest of the ransomed data.
Note that the speed of recovery is also critical: while a business cannot fully operate, system downtime and lost productivity drive costs up. If an organization is recovering from an attack, it should implement the above controls and invest in endpoint security, email and web gateways and intrusion detection systems, as those tools are helpful in identifying most ransomware attacks.
These tips are simple, but could save an organization’s data, money and, in some cases, its entire business. Attacks can happen at any time, so putting the necessary protocols in place now will help organizations ultimately be more resilient.