Ransomware. It may be the most feared word of security and risk managers.
After countless headlines and costs of over 11.5 billion dollars in 2019 alone, organizations around the world are understandably terrified of being hit by a ransomware attack. Ransomware can be catastrophic.
Case in point: WannaCry infected more than 250 thousand devices across 150 countries… all within a matter of days. It caused an estimated $4 billion in damages. WannaCry put ransomware and its potential for destruction on the global stage. It also highlighted some simple yet painful truths. Companies were ill-prepared for such an event, lacking any type of actionable recovery plan, and for all of its devastation, WannaCry was completely preventable--affected systems were either running the long out-of-support OS Windows XP or they hadn’t deployed a patch Microsoft had issued two months earlier.
WannaCry is just one example. If companies want to avoid similar experiences, there are four easy steps they can take to protect themselves.
Step 1: Understand Your Environment
Business networks can be horrifyingly complex, with thousands of unique devices, applications and services running at any time. Since any weakness is a potential entry point for an attacker, the first step in preventing ransomware is knowing exactly what’s going on in your environment.
Service enumeration and asset discovery is critical here. Generally, this involves using an automated scanner to identify everything connected to a network, along with any known vulnerabilities or weaknesses associated with those assets.
Step 2: Practice General Security Hygiene and Patching
The world of cybersecurity is awash with exciting new products and cutting-edge technology. But if your ‘house’ isn’t in order, none of that will help.
Unpatched or out-of-date assets provide the easiest entry points for threat actors. Once you have a deep understanding of your environment, the next step is to ensure all of the mundane, business-as-usual security processes are in place. The top priority on that list is patching.
Are all of your applications and services up-to-date? Is everything properly configured? Have all known vulnerabilities been patched? If the answer to any of these questions is no, fixing that is the starting point. This is an ongoing process because new vulnerabilities are continually identified, and new patches developed. As such, patching and system hygiene must be handled persistently.
Step 3: Establish and Test Routine Backups
Part of any sound defense strategy is to prepare for how to respond if ransomware does manage to affect your systems. There is only one guaranteed way to recover: Restore encrypted files and folders from a recent backup.
You might wonder “What about paying the ransom?” In many cases, the encryption keys provided by threat actors simply don’t work. In some cases, crypto ransomware variants have been specifically designed to make decrypting files impossible, even for the attacker.
Backups, then, are the only way. And they have one huge advantage: If you can recover internally using your own backups, there’s no external cost to the recovery effort. There are, however, some things to keep in mind:
- Backups must be taken regularly so minimal data is lost in the event of a ransomware attack.
- Live backups are not a good idea because if backup media is connected to live systems it could be infected by ransomware. Similarly, unencrypted files could be overwritten by encrypted files during the backup process.
- Ideally, backups should be stored securely on a separate physical site and never connected directly to the Internet.
- Backups also MUST be tested regularly and you need a plan for exactly how you’ll recover that backup in the event of a ransomware attack. It is shockingly commonplace for organizations to try to restore from a backup only to discover it was corrupted or incomplete.
Step 4: Consider Endpoint Detection and Response (EDR)
EDR solutions continually monitor network endpoints like PCs, laptops and servers to identify and block malicious processes. In the case of a ransomware attack, an EDR solution would do one of two things:
- Identify a known malicious application and prevent it from executing.
- Identify malicious activity (bulk encryption) and shut down the application.
As with any higher-end security technology, EDR solutions aren’t appropriate for every organization. However, for organizations that have the resources, they are an excellent defense against many cyber threats.
The Ransomware Trade-Off
Whenever a well-known organization is hit by ransomware (or any other cyberattack) the same question is asked: Why didn’t they have security controls in place? The answer is always the same: security controls cost money.
Ultimately, protecting against ransomware boils down to a simple cost/benefit analysis-- so simple that it can be summarized by answering three questions:
- What is the cost of basic anti-ransomware protocols?
- How much would it cost (including reputation damage) to recover from a ransomware attack?
- How likely is your organization to be targeted with ransomware?
In the current climate, the answer to the last question is almost always ‘very likely.’ As a consequence, for nearly every organization, the results of this cost/benefit analysis are simply this:
Basic security controls are relatively easy and affordable. Recovering from a ransomware attack generally is not. Simple anti-ransomware protocols, such as those described in this article, can go a long way. As Benjamin Franklin once said: “An ounce of prevention is worth a pound of cure.” Develop your prevention protocol and test your ransomware recovery strategy - may you be spared from ever having to use it.