As you probably know, malware is malicious software (a file or code) which can:
- lock a device or make it unusable;
- take control of certain devices to attack the organization;
- steal, delete, or encrypt sensitive data.
Ransomware is a type of malware that prevents users from accessing their devices or certain files. Ransomware will most likely spread to other machines within the network, as happened with the WannaCry malware.
Usually, the victim is asked to contact the hacker via an anonymous email address or to follow instructions on an obscure web page in order to make a payment. The payment, usually demanded in cryptocurrency, is supposed to unlock the device or restore access to the encrypted data.
However, even if the ransom is paid, there is absolutely no guarantee that the user will regain access to the device or the files.
Sometimes, malware may look like ransomware, but after the ransom is paid the files may still not be decrypted. For this reason, it is crucial to always keep offline backups of your most important files.
Here are a few aspects that should be considered in order to protect your organization and its assets.
Maintain multiple versions of files, not just basic backups.
Companies will need to use systems that can create snapshots several times a day or maintain multiple versions of files created over the course of the day, to enable a quick restoration to a specific moment in time. In the unfortunate case of a cyberattack, this considerably reduces the productivity loss. Also, the IT security personnel will need to routinely test the backups to ensure the data is restorable and to determine the time it takes to restore. This way the organization can estimate the downtime it would have to handle in the case of a successful ransomware attack.
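As an added illustration (not code from the original article), the following Python sketch simulates point-in-time snapshots, selects the latest snapshot taken before a suspected compromise, and verifies the restored files against SHA-256 digests recorded at backup time while timing the restore. The snapshot store, file contents, timestamps and helper names are all constructed for the example.

```python
import hashlib
import time
from datetime import datetime, timedelta

# Constructed example: an in-memory list of point-in-time snapshots.
# Each snapshot stores the file contents and a SHA-256 digest taken at backup time,
# so a restore can be checked for integrity, not merely for the existence of a backup.

def take_snapshot(store, when, files):
    """Append a snapshot of `files` (path -> bytes) taken at `when` to `store`."""
    store.append({
        "time": when,
        "files": {p: bytes(d) for p, d in files.items()},
        "digests": {p: hashlib.sha256(d).hexdigest() for p, d in files.items()},
    })

def latest_clean_snapshot(store, compromise_time):
    """Most recent snapshot taken strictly before the suspected compromise, or None."""
    candidates = [s for s in store if s["time"] < compromise_time]
    return max(candidates, key=lambda s: s["time"]) if candidates else None

def restore_and_verify(snapshot):
    """Restore every file in the snapshot, recheck its digest, and time the operation.
    Returns (all_ok, seconds, list_of_corrupt_paths, restored_files)."""
    start = time.perf_counter()
    restored, corrupt = {}, []
    for path, data in snapshot["files"].items():
        restored[path] = data  # a real restore would write to disk here
        if hashlib.sha256(data).hexdigest() != snapshot["digests"][path]:
            corrupt.append(path)
    return not corrupt, time.perf_counter() - start, corrupt, restored

def restore_drill():
    """Constructed drill: hourly snapshots, then encryption first observed at 10:30."""
    store = []
    t0 = datetime(2024, 1, 1, 8, 0)
    take_snapshot(store, t0, {"report.docx": b"quarterly figures v1"})
    take_snapshot(store, t0 + timedelta(hours=1), {"report.docx": b"quarterly figures v2"})
    take_snapshot(store, t0 + timedelta(hours=2), {"report.docx": b"quarterly figures v3"})
    # The 11:00 snapshot already contains the encrypted file and a ransom note,
    # which is why restoring to a specific moment (not just "the latest") matters.
    take_snapshot(store, t0 + timedelta(hours=3),
                  {"report.docx.locked": b"\x9f\x12\x44", "HOW_TO_DECRYPT.txt": b"..."})
    compromise = t0 + timedelta(hours=2, minutes=30)
    snap = latest_clean_snapshot(store, compromise)
    ok, seconds, corrupt, restored = restore_and_verify(snap)
    return snap["time"], ok, corrupt, restored
```

The measured seconds returned by restore_and_verify are what a routine restore test would record to estimate recovery downtime.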
Use the principle of least privilege.
Limiting the file access rights to the minimum level of permissions that users need to perform their work is extremely important. This measure will reduce the number of files that could be encrypted in the event of a ransomware attack.
Limit the risk of initial attack vectors.
Ransomware attackers need access to your system to damage it. They obtain access through phishing schemes, unpatched software, and employee password reuse. Organizations should aim to reduce the likelihood of ransomware attacks by implementing and maintaining strong vulnerability management programs, reducing their attack surface, and providing security training programs for all personnel.
Plan for an attack, even if you think it is unlikely.
There are numerous examples of companies that have been indirectly hit by malware even though they were not the intended targets.
Develop an internal and external communication strategy. It is important that the right information reaches the right recipients in a timely manner.
Determine how you will respond to the ransom demand and the threat of your organization’s data being published.
Ensure that your incident management plan and supporting resources are available in case your network is compromised.
Improve your incident management plan. This will help clarify the roles and responsibilities of staff and third parties and prioritize system recovery.
Use Endpoint Detection & Response (EDR).
Nowadays, attacks are expanding beyond local machines and trying to block entire systems. Botnets and IoT networks can be used to amplify ransomware's effects.
Modern antivirus solutions can identify and block new types of malware. However, hackers are constantly adapting their methods. Many types of malware go undetected by standard solutions, such as polymorphic malware, which constantly changes its identifiable features to avoid detection, or fileless malware.
Under these circumstances, to improve cybersecurity, an IT department should implement an integrated endpoint security solution. EDR security integrates the collection, correlation, and analysis of endpoint data, as well as alerting on and responding to imminent threats.