“How do I prevent ransomware?”
This question could easily keep anyone responsible for data security and business operations up at night, and with good reason.
There simply isn’t a single “magic shield” technology that stops ransomware. No matter what technology you use, nothing can offer 100% protection, 100% of the time.
Fortunately, there are some steps you can take to prevent ransomware attacks – or even contain and stop an active ransomware outbreak.
At Cycrest, we implement the seven layers described below to provide a higher level of protection.
Let’s talk about this multi-layered approach.
#1. Monitor your email with an anti-spam solution.
Ransomware and other malware attacks often start with “phishing” emails. “Phishing” describes an email crafted to lure the recipient into clicking a link or opening an attached file. These messages often look legitimate, or appear to come from a trusted source, on the surface at least.
If you aren’t sure why your bank would send you “that email,” for example, look at the actual sender address (not the name that is displayed, but the address itself). The display name is chosen by whoever sent the message, so a familiar name proves nothing. Phishing emails are often clearly illegitimate once you look: the address is a meaningless run of letters and numbers, or its domain is not the organization’s own.
If the email seems alright but you’re still not sure, don’t open the attachment or click the link. Instead, call the individual or organization that supposedly sent it, using a phone number you already have rather than one from the email, and confirm that it is legitimate.
An anti-spam solution limits the chance that these emails get through by inspecting the contents of attachments and checking whether the links in the message lead where they claim to.
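The two checks just described (the real address behind the display name, and whether a link leads where its text says) as an added PowerShell example. This is not Cycrest’s product code; the sender, the trusted domain, the HTML body and the “random-looking address” heuristic are all constructed for illustration.

```powershell
# Added example (not Cycrest's product code): two of the checks described above,
# applied to a constructed message. Sender, domains and body are made up.

function Get-FromHeaderParts {
    param([Parameter(Mandatory)][string]$FromHeader)
    # Accepts 'Display Name <user@domain>' or a bare address.
    if ($FromHeader -match '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $name = $Matches['name'].Trim()
        $addr = $Matches['addr'].Trim()
    } else {
        $name = ''
        $addr = $FromHeader.Trim()
    }
    [pscustomobject]@{
        DisplayName = $name
        LocalPart   = ($addr -split '@')[0]
        Domain      = ($addr -split '@')[-1].ToLowerInvariant()
    }
}

function Test-SuspiciousSender {
    param(
        [Parameter(Mandatory)][string]$FromHeader,
        # Domains the named organization really sends from (assumed allow-list).
        [Parameter(Mandatory)][string[]]$TrustedDomains
    )
    $p = Get-FromHeaderParts -FromHeader $FromHeader
    $reasons = @()
    # 1. Display name claims a trusted organization, but the address is not from its domain.
    foreach ($d in $TrustedDomains) {
        $brand = ($d -split '\.')[0]
        if (($p.DisplayName -replace '\s', '') -match [regex]::Escape($brand) -and $p.Domain -notin $TrustedDomains) {
            $reasons += "display name claims '$brand' but address domain is '$($p.Domain)'"
        }
    }
    # 2. Local part looks like a random run of letters and digits (heuristic:
    #    10+ characters, at least three digits, no dot or underscore separators).
    if ($p.LocalPart -match '^[a-z0-9]{10,}$' -and ($p.LocalPart -replace '[^0-9]', '').Length -ge 3) {
        $reasons += "address local part '$($p.LocalPart)' looks machine-generated"
    }
    [pscustomobject]@{ From = $FromHeader; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

function Get-MismatchedLinks {
    param([Parameter(Mandatory)][string]$HtmlBody)
    # Find every <a href="...">text</a>; flag links whose visible text names a different host.
    $pattern = '<a\s+[^>]*href\s*=\s*["'']?(?<href>[^"''\s>]+)["'']?[^>]*>(?<text>.*?)</a>'
    $opts = [Text.RegularExpressions.RegexOptions]'IgnoreCase, Singleline'
    foreach ($m in [regex]::Matches($HtmlBody, $pattern, $opts)) {
        $href = $m.Groups['href'].Value
        $text = ($m.Groups['text'].Value -replace '<[^>]+>', '').Trim()
        $uri = $null
        if (-not [uri]::TryCreate($href, [UriKind]::Absolute, [ref]$uri)) { continue }
        if ($text -match '^(?:https?://)?(?<host>[a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$') {
            $shown = $Matches['host'].ToLowerInvariant()
            if ($shown -ne $uri.Host.ToLowerInvariant()) {
                [pscustomobject]@{ Text = $text; Href = $href; Reason = "link text shows '$shown' but points to '$($uri.Host)'" }
            }
        }
    }
}

# Constructed sample message: a bank's name on a random mailbox, and a link whose
# visible text is the bank's site but whose target is a bare IP address.
$from = '"First National Bank" <a8k2mq7x4z19@mail-secure-login.example>'
$body = '<p>Your account is locked. <a href="http://198.51.100.23/login">https://www.firstnational.example/login</a></p>'
Test-SuspiciousSender -FromHeader $from -TrustedDomains 'firstnational.example'
Get-MismatchedLinks -HtmlBody $body
```

Both checks are heuristics, which is why a real filter combines them with attachment inspection, sender reputation and authentication results rather than relying on any one signal; a legitimate newsletter with a tracking redirect will trip the link check, and a phishing message sent from a compromised real mailbox will pass the sender check.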
Whether your office uses Office 365 or hosts its own email on premises, the Cycrest Email Protection System is the first layer of protection against malicious spam and phishing messages.
Using anti-spam software can greatly reduce the chance ransomware will enter through your organization’s email. However…
If employees access their personal email on corporate laptops, ransomware can still be delivered via the uncontrolled personal email and find its way into your corporate endpoints and file shares.
(This is not to say that you should not allow employees to access personal email. That is a policy decision each company must make internally. We only wish to point out how seemingly harmless practices can sometimes open a door for ransomware infection.)
#2. Deploy endpoint protection software.
Each workstation and server needs to have endpoint protection. You might think of it as anti-virus software; however, endpoint protection delivers much more protection than any basic anti-virus solution.
An endpoint protection agent should be installed on all of your Windows™, Mac™, and Linux systems.
For example, we deploy endpoint protection to every device for our customers. Endpoint protection applications monitor files when they are opened and executed. Users can also run on-demand threat scans, and every customer has access to detailed security reports in their customer support portal.
One of the challenges many organizations face with endpoint protection is the need for constant updates. Malware continues to adapt and change. In response, endpoint protection vendors ship new detection updates, and Microsoft®, Apple® and third-party application vendors release security patches that close the vulnerabilities malware exploits.
As a result, regular updating and patching of operating systems and third-party applications running on workstations and servers is critical. Updates and patches remove known vulnerabilities that could otherwise be exploited to deliver ransomware and other malware.
This is one reason many companies turn to a managed IT service provider for additional support. At Cycrest, our endpoint protection system not only scans for and helps block known viruses and malware, it also uses advanced detection techniques to help stop many unknown ones too.
#3. Keep employees’ personal devices on a “guest” network.
Many organizations allow the use of personal devices, known as a Bring Your Own Device (BYOD) policy.
These devices should be limited to a separate guest network. They should never be allowed on the same network as your workstations and servers, nor have full access to those workstations and servers.
You can secure personal devices by fully implementing a Mobile Device Management (MDM) solution. This requires individuals to accept the terms of the MDM policy, which can include locking, or even wiping, any device identified as a security threat.
Without an MDM, personal devices will never be as secure as your corporate ones. This leaves them at risk and should they have access to your corporate network, all of your devices remain at risk.
- If ransomware executed on a personal device that is on your network with a drive mapped to a file server, every file on that server the user can write to could be encrypted, even with endpoint protection running on the server. The same threat exists for personal devices that have full network access through a VPN tunnel.
This often prompts users to ask a very practical question:
Why doesn’t the endpoint protection identify the threat?
There can be many reasons, but one of the most common is that the malicious process is running on the personal device, not on the file server. The server’s endpoint protection sees only ordinary file reads and writes arriving over the network under that user’s permissions; the process doing the encrypting is out of its reach. Those who create ransomware are creative and skilled at staying in that blind spot.
For this reason, we always recommend that unless you have a fully implemented MDM, all personal devices remain restricted to a guest network. VPN connections used by personal devices should also be similarly limited in what they can access. Cycrest can help you with setting up separate Guest networks for personal use and restricting access to devices that pose a potential threat to your network.
#4. Practice the ‘Principle of Least Privilege’ for user permissions and access.
The ‘Principle of Least Privilege’ involves providing end users with only the permissions needed to do their jobs and nothing more.
While this is often practiced for things like file shares, servers, and application access, it is typically not followed as strictly on workstations. Sometimes users are given local administrative privileges on the workstations they use.
This means everything they do runs with administrator rights. If ransomware gets in through one of these workstations, it will also have administrative rights on that device, greatly increasing the amount of damage that can be caused.
This is why restricting permissions is such a vital step in protecting devices against ransomware.
Ransomware can only encrypt the files that the compromised account and device can reach. Therefore, limiting access is the best way to limit potential damage.
For this reason, it is strongly recommended that:
- End users not be configured as administrators for everyday workstation use.
- “Domain Users” never be in the local Administrators group on workstations and servers; that would make every user an admin on every machine.
- Permissions be properly configured and limited on file server shares, SharePoint™, and other locations where files are stored.
- Unnecessary shares on servers and workstations be disabled.
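An added PowerShell audit for the four points above, not Cycrest’s tooling. It needs an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later (the LocalAccounts and SmbShare modules). The domain name CORP and the share names in the remediation comments are assumptions.

```powershell
# Added example (not Cycrest's tooling): audit one Windows machine against the
# least-privilege points above. Run elevated on Windows 10 / Server 2016+.
# 'CORP' and the share names in the remediation comments are assumptions.

# Groups that amount to "everyone" when granted rights.
$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Get-LocalAdminFindings {
    # Who can act as administrator on this machine?
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $short = ($m.Name -split '\\')[-1]
        if ($m.ObjectClass -eq 'Group' -and $short -in $BroadGroups) {
            # A whole-domain group here makes every user an admin on this machine.
            [pscustomobject]@{ Check = 'LocalAdmins'; Item = $m.Name; Issue = 'Broad group is a local administrator' }
        } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            # An everyday domain account should not be an admin on its workstation.
            [pscustomobject]@{ Check = 'LocalAdmins'; Item = $m.Name; Issue = 'Domain user account has local admin rights' }
        }
    }
}

function Get-ShareFindings {
    # Shares beyond the defaults, and shares writable by broad groups.
    $defaultShares = @('ADMIN$', 'IPC$', 'print$', 'NETLOGON', 'SYSVOL')
    foreach ($s in Get-SmbShare) {
        # Skip the built-in drive shares (C$, D$, ...) and other defaults.
        if ($s.Name -match '^[A-Z]\$$' -or $s.Name -in $defaultShares) { continue }
        [pscustomobject]@{ Check = 'Shares'; Item = "$($s.Name) ($($s.Path))"; Issue = 'Non-default share; confirm it is still needed' }
        foreach ($a in Get-SmbShareAccess -Name $s.Name) {
            $short = ($a.AccountName -split '\\')[-1]
            if ($a.AccessControlType -eq 'Allow' -and $a.AccessRight -in @('Full', 'Change') -and $short -in $BroadGroups) {
                [pscustomobject]@{ Check = 'Shares'; Item = $s.Name; Issue = "$($a.AccountName) has $($a.AccessRight) share access" }
            }
        }
    }
}

$report = @(Get-LocalAdminFindings) + @(Get-ShareFindings)
$report | Format-Table -AutoSize

# Remediation is a deliberate step, not automatic. After review, for example:
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\Domain Users'
#   Revoke-SmbShareAccess -Name 'Scratch' -AccountName 'Everyone' -Force
#   Remove-SmbShare -Name 'OldTransfer' -Force
```

Share permissions are only one of two layers: a share that grants Everyone Full access may still be restricted by the NTFS ACL on its path, and the reverse is also true, so review `Get-Acl` on the share paths alongside this output before deciding what ransomware running as a given user could actually write to.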
If this sounds difficult or overwhelming, reach out to Cycrest today to see how painless protecting your data can be with the right help!
#5. Have a good security awareness training program.
Organizations benefit from training employees on how to avoid falling for phishing and other social engineering attacks, and on how to handle sensitive data safely. Best practice is frequent training, in different and engaging formats, for maximum benefit. Ideally, end users are also tested regularly, for example with simulated phishing attacks.
#6. Store current backups offsite.
“Offsite backups” simply means backups that are not reachable from your regular corporate network. A backup share that every workstation can write to is not offsite; if ransomware can reach it, it will be encrypted along with everything else. Offsite backups are a vitally important safety net if a ransomware attack manages to get through.
If all other layers of protection fail, you will need complete and current backups to get your company back up and running again. Even a limited outbreak can cost you important files; offsite backups keep that damage to a minimum. Test a restore periodically, because a backup that has never been restored is only an assumption.
Active ransomware is aggressive. It will go after your files. It will also go after your backups, including local shadow copies and any backup share it can reach, to ensure you have to pay the ransom to get your data back. Good offsite backups can save you tens of thousands, potentially even millions, of dollars. The Cycrest Business Continuity/Backup System is an easy and cost-effective way to protect yourself from ransomware attacks.
#7. Add in a containment solution to protect your organization against ransomware.
Containment is a newer approach to protecting against ransomware. A containment application monitors your file shares; when it identifies an outbreak, it immediately isolates the workstation or device that is doing the encrypting, so the damage stops there. Then all you need to do is rebuild that device and restore any affected files from your offsite backups to get back up and running.
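What such a containment tool does at the file server, as an added PowerShell example that is not Cycrest’s product: detection logic run over a constructed batch of share access records, then the isolation step it would take. The record layout, the thresholds, the sample clients and the firewall rule name are assumptions; on a real server the records come from Windows object-access auditing (event 4663) or detailed file share auditing (event 5145), or from a file-activity monitor.

```powershell
# Added example (not Cycrest's containment product). Each record describes one
# operation a client performed on a file share: Time, Client (IP), User, Path,
# Op ('Write' or 'Rename') and NewPath for renames. The layout, thresholds and
# rule name are assumptions; real records come from share/object-access auditing.

function Find-RansomwareLikeClients {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowSeconds = 60,
        [int]$MinDistinctFiles = 200,       # tune well above normal bulk activity
        [int]$MinNewExtensionRenames = 20   # many files renamed to one new extension
    )
    foreach ($group in ($Events | Group-Object Client)) {
        $evs = @($group.Group | Sort-Object Time)
        # Slide a window over this client's activity, oldest event first.
        for ($i = 0; $i -lt $evs.Count; $i++) {
            $start = $evs[$i].Time
            $end = $start.AddSeconds($WindowSeconds)
            $window = @($evs | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $distinct = @($window | Select-Object -ExpandProperty Path -Unique).Count
            # Renames that change the extension, grouped by the new extension.
            $renames = @($window | Where-Object {
                $_.Op -eq 'Rename' -and
                [IO.Path]::GetExtension($_.NewPath) -ne [IO.Path]::GetExtension($_.Path)
            })
            $top = $renames | Group-Object { [IO.Path]::GetExtension($_.NewPath) } |
                   Sort-Object Count -Descending | Select-Object -First 1
            if ($distinct -ge $MinDistinctFiles -or ($top -and $top.Count -ge $MinNewExtensionRenames)) {
                [pscustomobject]@{
                    Client        = $group.Name
                    User          = $evs[$i].User
                    WindowStart   = $start
                    DistinctFiles = $distinct
                    NewExtension  = $(if ($top) { $top.Name } else { '' })
                    Renames       = $(if ($top) { $top.Count } else { 0 })
                }
                break   # one finding per client is enough to act on
            }
        }
    }
}

function Invoke-ClientContainment {
    param([Parameter(Mandatory)][string]$ClientAddress, [switch]$Enforce)
    # Isolate at the file server: block the client at the host firewall and drop
    # its SMB sessions so open handles are released. Report only unless -Enforce.
    if (-not $Enforce) {
        return "Would block inbound traffic from $ClientAddress and close its SMB sessions (re-run with -Enforce)"
    }
    New-NetFirewallRule -DisplayName "Contain-$ClientAddress" -Direction Inbound `
        -RemoteAddress $ClientAddress -Action Block | Out-Null
    Close-SmbSession -ClientComputerName $ClientAddress -Force
    "Contained $ClientAddress"
}

# Constructed records: one user editing a few spreadsheets over several minutes,
# and one client renaming 40 documents to a new extension in 40 seconds.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @()
foreach ($n in 1..5) {
    $sample += [pscustomobject]@{ Time = $t0.AddMinutes($n); Client = '10.0.5.21'; User = 'CORP\alice'
                                  Path = "\\FS1\Finance\report$n.xlsx"; Op = 'Write'; NewPath = $null }
}
foreach ($n in 1..40) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($n); Client = '10.0.9.77'; User = 'CORP\bob'
                                  Path = "\\FS1\Finance\doc$n.docx"; Op = 'Rename'; NewPath = "\\FS1\Finance\doc$n.docx.locked" }
}
$hits = @(Find-RansomwareLikeClients -Events $sample)
$hits | Format-Table -AutoSize          # only 10.0.9.77 is reported
foreach ($h in $hits) { Invoke-ClientContainment -ClientAddress $h.Client }
```

Two design points matter in practice. The rename-to-one-new-extension signal is far more specific than raw write volume, which is why the write threshold is set high: a false positive here disconnects a user, a false negative loses the share. And isolation is done at the server, because the device doing the encrypting (a personal laptop, as in #3) may run no agent you control; blocking its address and closing its sessions works regardless.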