Cybersecurity Ventures predicted that a business would suffer a ransomware attack every 11 seconds in 2021, and that figure excludes attacks on individuals, which are even more frequent. Businesses need to act now to shore up their cybersecurity and protect themselves from these attacks.
What is Ransomware?
Ransomware is a form of malware designed to encrypt the files on a computer, rendering those files, and every system that depends on them, unusable and inaccessible. The attackers then demand a ransom in exchange for the decryption key.
There are a number of best practices a business can implement proactively, before it is ever targeted. If an attacker cannot easily gain a foothold in a business's computing or network environment, they will often move on to an easier target.
"If You Fail to Plan, You Are Planning to Fail”
— Benjamin Franklin
The purpose of this first part of our three-part cybersecurity series is to present the best practices and strategies that help a business defend effectively against cybersecurity threats and ransomware.
Part 2 of the series, Cybersecurity Incident Response Plan, will be released in a couple of weeks and will show how to create a plan for responding to a cyberattack.
Part 3, Ransomware Response Checklist, will follow and will show what to do when a ransomware attack occurs.
Are You Prepared for a Ransomware Attack?
Four actions to avoid a ransomware attack:
- Prevention: Know what your essential digital assets are and protect them. That takes more than firewalls and antivirus on workstations; it takes a mature data-protection strategy and processes. Train your users to recognize the social engineering tricks used to gain unauthorized access to your computers, networks and data.
- Remediation: Plan before you are attacked. The plan should cover how you will identify and contain a ransomware attack, restore critical systems and get back to business as quickly as possible. Exercise the plan and improve it after each test.
- Monitoring, Detection and Maintenance: Deploy reputable next-generation endpoint security that uses machine learning. Such tools monitor every endpoint (workstations and servers) around the clock, 24/7/365, and can stop threats earlier than signature-based antivirus alone. Monitoring should also include behavioural analytics that flag changes in a user's file access and activity, which can be the first sign of a compromise.
- Gap Analysis: Identify the gaps in your security and close them in the way that is least disruptive to staff. Keep looking for more efficient ways to reach the same goals so that the burden and cost of security stay manageable.
The costs of a cyber incident take many forms: lost business from reputational damage, interrupted operations, the legal costs that follow a breach and the cost of remediating it. Client trust is hard to win back after a serious attack. Now is the time to put up your best defenses to monitor, detect and defend against this constantly evolving threat.
Ransomware attacks typically are focused on three fronts:
- Exploitation of a security vulnerability in an internet-facing device, service or application.
- Use of stolen credentials to gain privileged access to the target's network and systems.
- Social engineering and phishing that trick a user into installing malware or revealing credentials.
With these attack vectors in mind, the rest of this article covers the industry best practices that close these gaps and keep you ahead of the bad actors.
Ounce of Prevention, Worth a Pound of Cure…
Because ransomware has become so multi-faceted, the defense against it must be too. No single practice or technology can consistently prevent it; ransomware defense must be a layered and ongoing process.
The industry best practices below give guidance on the security measures that help keep ransomware from taking root in your business. Apply them as fully as your assets and resources allow.
Backups, backups, backups: The first step is to make sure you can restore your data and systems after a breach. Most businesses have a backup, but is it configured correctly? Is there a copy offsite? Has a full restore ever been tested? Keep encrypted copies offline, or otherwise unreachable with the credentials an attacker would steal, because a typical ransomware operation first hunts down and destroys every backup it can reach. Test restores regularly, all the way to a running system, to confirm backup integrity.
- System Images: Maintain regularly updated system images (copies of critical servers' operating system and application disks) so that an unrecoverable server can be rebuilt on physical or virtual hardware.
- Software Media: Retain installation media and license information in case a server must be rebuilt from scratch on dissimilar hardware or a different platform.
- Backup Hardware: If the primary server cannot be repaired, the restore has to go onto another machine, and that machine may lack the storage, controllers or network hardware the restore needs. Keep spare hardware on hand so that a restore to a different server is possible.
- Business Continuity and Disaster Recovery (BCDR) Appliance: For most of our clients we use a BCDR appliance that serves as a local backup device, replicates a copy to a cloud-based server for safety, and doubles as a virtual server platform. The appliance can back up servers as often as every 5 minutes. Note that the cloud copy only counts as an offline copy if it cannot be deleted with the same credentials that manage the appliance; check that the cloud side enforces retention or immutability.
When a server crashes or becomes unavailable, the appliance takes the last good backup as the system disk image and can boot a replacement virtual server from it in under 3 minutes.
That virtual server stands in for the failed server until the original is repaired.
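Testing a restore means more than seeing files reappear. The script below is an added example, not part of the original article or the BCDR product it describes: at backup time it records a SHA-256 manifest of the live data set, and after a test restore it verifies every file against that manifest and exits non-zero on any mismatch so a scheduled task can raise an alert. The paths (D:\CompanyData, E:\RestoreTest) are placeholders. Store the manifest with the offline copy of the backup, not only next to the live data, or an attacker who wipes the data can wipe the evidence of what was there.

```powershell
# Added example (not from the original article): build a SHA-256 manifest of the
# live data set at backup time, then verify a restored copy against it.
# All paths below are placeholders; adjust them to your environment.

param(
    [string]$SourceRoot   = 'D:\CompanyData',             # assumed live data location
    [string]$RestoredRoot = 'E:\RestoreTest\CompanyData', # assumed restore target
    [string]$ManifestPath = 'E:\RestoreTest\manifest.csv',
    [ValidateSet('Create','Verify')][string]$Mode = 'Verify'
)

function New-BackupManifest {
    param([string]$Root, [string]$OutFile)
    # Record the relative path, SHA-256 and size of every file under $Root.
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Test-RestoredBackup {
    param([string]$Root, [string]$ManifestFile)
    $manifest = @(Import-Csv -Path $ManifestFile)
    $missing = @(); $changed = @()
    foreach ($entry in $manifest) {
        $candidate = Join-Path -Path $Root -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $candidate)) { $missing += $entry.RelativePath; continue }
        # A hash mismatch means the restore is silently corrupt (or was encrypted
        # before the backup ran), which a file listing alone would never reveal.
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) { $changed += $entry.RelativePath }
    }
    [pscustomobject]@{
        FilesInManifest = $manifest.Count
        Missing         = $missing
        Changed         = $changed
        Passed          = ($missing.Count -eq 0 -and $changed.Count -eq 0)
    }
}

switch ($Mode) {
    'Create' { New-BackupManifest -Root $SourceRoot -OutFile $ManifestPath }
    'Verify' {
        $result = Test-RestoredBackup -Root $RestoredRoot -ManifestFile $ManifestPath
        $result | Format-List
        if (-not $result.Passed) { exit 1 }   # non-zero exit so a scheduler can alert
    }
}
```

Run it with `-Mode Create` from the backup job and with `-Mode Verify` after restoring to the test location. The check verifies data integrity only; whether the copy was actually unreachable from the compromised network is a separate question that has to be answered by the backup design.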
Why are the Number of Ransomware Attacks Increasing?
Ransomware attacks are increasing because they are easier to launch (the tooling is more accessible and more mature), more profitable (new extortion strategies) and better organized (new alliances between criminal groups).
Even a victim with current backups can now be pressured into paying, because attackers have added a second form of extortion.
Before encrypting, they steal critical business data and threaten to sell or publish it on the dark web and to name and shame the victim, which has pushed many companies into paying. Ransomware has grown rapidly as the software has matured and because ransoms are collected in Bitcoin and other cryptocurrencies, which are pseudonymous and difficult, though not impossible, to trace back to a person.
Ransomware Rental (RaaS) – Enabling New Hackers
Ransomware-as-a-Service (RaaS) lets practically any beginner with a list of email addresses, the text of a ransom note and a payment of a few hundred dollars (or a cut of the proceeds) rent a mature ransomware platform and launch an attack. This alone has multiplied the number of attackers, and they are launching successful attacks with software they never had to write.
Attack Vector #1: Malware Infection
Malware (malicious software) is the general term for software deliberately designed to damage or take control of a computer or network; viruses and ransomware are both kinds of malware. Malware is the attacker's tool of choice for getting into a computing environment. How it is delivered and executed varies, but the goal is usually the same: unauthorized access to data or systems.
Viruses are malicious programs built to spread from computer to computer (and to other connected devices), and they are commonly used to give the attacker access to the victim's systems. That ability to spread makes them attractive to attackers who target a small business because of its relationship with a larger target: the infection can travel along that connection.
A robust ransomware defense is layered, and one essential layer is monitoring for and detecting malware or suspicious activity on every workstation and server, collectively called the endpoints.
1. Centrally Managed Antivirus: For speed and efficiency, use a centrally managed antivirus solution that updates automatically and shows the protection status of every system on a single console.
2. Deploy Next-Gen Endpoint Security: What if an alert fires in the middle of the night? Do you have staff who can react quickly enough to stop an attack in progress? Attacks happen 24/7/365, so more capable software and services are needed. That is why many businesses are adopting Endpoint Detection and Response (EDR) and Managed Threat Response (MTR) software and services.
Definitions to Know:
Endpoint Detection and Response (EDR) tools continuously record endpoint activity (process launches, file changes, network connections), flag suspicious behaviour such as an unknown process connecting out on a non-standard port, and let an analyst remotely isolate the device and take remedial action.
Managed Threat Response (MTR) is a 24/7/365 managed threat hunting, detection and response service staffed by cybersecurity experts who look for potential threats and indicators of compromise on your behalf.
Consider deploying Sophos Intercept X Advanced with EDR and MTR for endpoint protection on both desktops and servers. Intercept X Advanced combines deep-learning malware detection, anti-ransomware protection, exploit prevention and other techniques to stop current threats.
Sophos Intercept X Advanced includes:
- Anti-ransomware protection that detects and blocks the malicious encryption processes used in ransomware attacks. Files that were already encrypted are rolled back to a safe state, minimizing the impact on the business.
- Integration with Sophos XG Firewalls to isolate infected endpoints, and signalling to the Sophos Security Operations Center (SOC), whose human analysts actively investigate the emerging threat 24/7/365.
- Managed Threat Response, a 24/7/365 threat hunting and response service.
- A detailed analysis of every security event: what happened, where, when and how it was remediated.
3. Application Whitelisting: Application whitelisting (also called application control or allow-listing) means maintaining a list of approved applications and executable files that are permitted to be present and run on a system; anything not on the list is blocked. The goal is to protect computers and networks from potentially harmful applications.
Application whitelisting is a strong defense against malware payloads such as keyloggers and ransomware, because an executable that is not on the whitelist simply will not run, regardless of how it reached the machine. Roll it out in audit-only mode first so that legitimate software is not blocked, and remember that it does not stop an attacker who abuses signed system tools that are already permitted.
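On Windows the built-in mechanism is AppLocker. The script below is an added example, not from the original article: it inventories the software already installed in the trusted program directories, generates publisher rules (hash rules where a file is unsigned), writes the policy in audit-only mode, dry-runs a downloaded executable against it, and only then applies it. It needs an elevated prompt on a Windows edition that supports AppLocker; the policy path and the test file under C:\Users\alice\Downloads are placeholders.

```powershell
# Added example (not from the original article): build an AppLocker policy from the
# software already installed, keep it in audit mode, and test an untrusted binary
# against it before enforcing. The file and directory names below are placeholders.

Import-Module AppLocker

$policyXml   = 'C:\Policies\AppLocker-Audit.xml'   # assumed output location
$trustedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'

# 1. Inventory executables, scripts and installers in the trusted directories
#    (recursing C:\Windows takes a while; that is expected).
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe,Script,WindowsInstaller
}

# 2. Generate publisher rules where files are signed and hash rules otherwise,
#    collapsed into as few rules as possible (-Optimize). -Xml returns the policy text.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher,Hash `
       -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Start in audit-only mode: the generated XML has EnforcementMode="NotConfigured",
#    so switch every rule collection to AuditOnly. Nothing is blocked yet; the
#    AppLocker event log shows what *would* have been blocked.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null
Set-Content -Path $policyXml -Value $xml -Encoding UTF8

# 4. Dry-run: would this downloaded file be allowed for a standard user?
#    (placeholder path; PolicyDecision shows Allowed/Denied/DeniedByDefaultRule)
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\alice\Downloads\invoice.exe' -User Everyone

# 5. Apply locally (use -Ldap instead to write it into a Group Policy object).
#    AppLocker only takes effect while the Application Identity service runs; on
#    current Windows builds its start type can only be changed with sc.exe or GPO.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyXml
```

Leave the policy in AuditOnly for a few weeks, review the "would have been blocked" events (Microsoft-Windows-AppLocker/EXE and DLL log), add rules for anything legitimate, and then change AuditOnly to Enabled. A policy that only allows what is in Program Files and Windows already blocks the usual ransomware launch points (Downloads, %TEMP%, mail attachment caches) without needing a separate rule per extension.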
Attack Vector #2: Humans and Phishing
Unfortunately, the weakest link in business security is usually the human: a convincing bogus email can lead an employee to hand over credentials or run malware, giving the attacker a way in. According to Verizon's 2021 Data Breach Investigations Report, 85% of breaches involved a human element and 36% involved phishing, which is commonly used to deliver ransomware. Training and some practical controls are needed to shore up this weak area.
- Educate Your Users: Security awareness training helps employees recognize the latest phishing attacks. Phishing uses social engineering to gain access to your network or data, or to extract money. Web-based training modules can present up to 200 current phishing scenarios so employees learn how phishing works and how to spot the tactics. Management must make clear that sharing credentials can lead to a cyberattack.
- Macros: Block macros in Microsoft Office files that arrive by email or are downloaded from the internet, and disable unsigned macros generally, since macros are a common way to deliver the first stage of a ransomware payload.
- Spam Control/Email Filters: An email filtering service removes messages with known malicious indicators, such as subject lines, attachments or links seen in known campaigns, or senders in known malicious domains.
- Domain-Based Authentication: To reduce the chance of spoofed email that appears to come from your own domain, publish SPF and DKIM records and a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy. DMARC tells receiving mail servers what to do with messages that fail SPF/DKIM alignment (none, quarantine or reject) and sends aggregate reports back to the domain owner, so both senders and receivers can monitor and improve protection of the domain from malicious email.
- Employ Windows Policies: Use Group Policy to enforce strong passwords, restrict access to selected folders, prevent selected file types from executing (especially from user-writable locations such as Downloads and %TEMP%) and enforce access privileges.
- Physical Security: Physical access to the workplace and to digital assets must be controlled. Credentials and other information can be stolen by someone simply watching a screen, so make sure visitors are escorted and cannot gather information.
- File Sharing Applications: Consider sharing files through a file-sharing application instead of email attachments. It trains users to treat unexpected attachments with suspicion and shrinks the surface that phishing attachments rely on.
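Two of the items above can be checked and applied from a console. The script below is an added example, not from the original article: the first function sets Microsoft's documented Office policy registry values that block macros in files carrying the Mark of the Web and disable unsigned macros; the second queries the _dmarc TXT record of a domain and reports whether the policy actually rejects spoofed mail. Office 16.0 (Office 2016 and later, Microsoft 365 Apps) and example.com are assumptions.

```powershell
# Added example (not from the original article). Part 1 sets the Office macro policy
# for the current user (the same keys can be deployed by GPO under User Configuration).
# Part 2 reads a domain's DMARC policy. example.com is a placeholder domain.

# --- 1. Block macros in Office files that came from the internet and allow only
#        digitally signed macros elsewhere. Values are Microsoft's documented policy keys.
function Set-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word','Excel','PowerPoint'), [string]$Version = '16.0')
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        New-Item -Path $key -Force | Out-Null
        # 1 = block macros from running in Office files downloaded from the internet
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # VBAWarnings: 3 = disable all macros except digitally signed ones
        #              (use 4 = disable all without notification if no signed macros are needed)
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
    }
}

# --- 2. Read a domain's DMARC policy. A missing record, or p=none, means receivers
#        will still deliver mail that fails SPF/DKIM alignment.
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    try {
        $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
               Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    } catch { $txt = $null }
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Record = $null; Policy = 'missing'
                                  Verdict = 'No DMARC record: spoofed mail is not rejected' }
    }
    # Long records are split into several strings; join them before parsing.
    $record = (($txt | Select-Object -First 1).Strings) -join ''
    # Tags are name=value pairs separated by semicolons: v=DMARC1; p=reject; rua=mailto:...
    $tags = @{}
    foreach ($pair in ($record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $p = $tags['p']
    $verdict = if ($p -eq 'reject')          { 'Good: failing mail is rejected' }
               elseif ($p -eq 'quarantine')  { 'OK: failing mail goes to spam; move to p=reject once reports are clean' }
               elseif ($p -eq 'none')        { 'Monitoring only: failing mail is still delivered' }
               else                          { 'Malformed record: no p= tag' }
    [pscustomobject]@{ Domain = $Domain; Record = $record; Policy = $p
                       Reports = $tags['rua']; Verdict = $verdict }
}

Set-OfficeMacroPolicy
Get-DmarcPolicy -Domain 'example.com' | Format-List
```

Run the DMARC check against your own domain and against the domains of suppliers who email you invoices; a supplier with no record or p=none is one whose identity your filters cannot verify. Start your own domain at p=none with a rua= reporting address, confirm from the reports that all legitimate senders pass SPF or DKIM, and then move to quarantine and finally reject.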
Attack Vector #3: Internet-Facing Devices & Services
Internet-facing servers and network equipment need extra attention, because they are the first thing an attacker scans.
- Enable Security Features: Make sure every device has its security features enabled and properly configured, and that default credentials have been changed.
- Advanced Security Protection: Enable the host firewall, data loss prevention, disk encryption and advanced malware protection on every endpoint. The Sophos Intercept X Advanced EDR and MTR endpoint protection mentioned above is recommended.
- Domain Protection: Use DNS-layer protection that identifies and blocks requests to known malicious domains and IP addresses.
- Disable protocols and ports not needed for business. Remote Desktop Protocol (RDP) is Microsoft's proprietary protocol for remote connections to other computers, typically over TCP port 3389. Do not expose RDP directly to the internet; restrict it to a VPN or to known management addresses to avoid the brute-force and credential-stuffing attacks routinely run against exposed RDP.
- MFA: Require MFA and enforce account lockout after failed login attempts for RDP and other remote access services. Attackers typically gain initial access through poorly secured remote services and then deploy their ransomware.
- Patching: Patch and update all software on internet-facing servers on a regular and timely basis, including document readers, browsers and browser plug-ins, which attackers routinely exploit through known vulnerabilities.
- Periodic Vulnerability Scans: Scan all devices for vulnerabilities periodically to shrink the attack surface. Engage an IT provider for scanning services if your own staff are not trained or equipped for it.
- Block SMB: Block Server Message Block (SMB) at the network perimeter in both directions: inbound so it is never reachable from the internet, and outbound so a compromised host cannot reach attacker-controlled shares. That means TCP port 445, plus the related NetBIOS ports, User Datagram Protocol (UDP) ports 137-138 and TCP port 139. Inside the network, remove or disable outdated versions, SMBv1 in particular, on every host.
- VPN Security: With more remote offices and teleworking, Virtual Private Networks (VPNs) provide the remote connections. Businesses tend not to patch VPN appliances because they are in use around the clock, which leaves known VPN vulnerabilities open for months.
With more attackers phishing for usernames and passwords, the chance of an intruder simply logging in through the VPN with stolen credentials is higher, as in the 2021 Colonial Pipeline ransomware attack, where a legacy VPN account without MFA was used. Require Multi-Factor Authentication (MFA) for VPN logins to reduce the chance of bad actors gaining access.
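The RDP and SMB items above translate directly into host settings on a Windows server. The script below is an added example, not from the original article: it restricts the built-in Remote Desktop firewall rules to a management subnet, enforces Network Level Authentication and account lockout, disables SMBv1, blocks SMB and NetBIOS on the public firewall profile, and then reports which of those ports are still listening and which source addresses have been failing logons in bulk (Security event 4625). It must run elevated; 10.0.50.0/24 is an assumed management subnet, and the host rules complement, rather than replace, the perimeter firewall.

```powershell
# Added example (not from the original article): harden an internet-facing Windows
# server against the RDP and SMB exposures described above, then look for the
# brute-force pattern in the Security log. Run elevated. 10.0.50.0/24 is an assumed
# management subnet; adjust it before use. Perimeter firewall rules are still needed.

$ManagementSubnet = '10.0.50.0/24'

# --- RDP: keep the built-in allow rules but limit them to the management subnet,
#     require Network Level Authentication, and lock accounts after failed logons
#     (10 failures within 15 minutes locks the account for 15 minutes).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $ManagementSubnet
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# --- SMB: disable SMBv1 entirely and block SMB/NetBIOS on the Public profile (the
#     profile an internet-facing NIC should be assigned to). Block rules win over
#     allow rules in Windows Firewall, so the built-in File and Printer Sharing rules
#     cannot re-open these ports on that profile.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
New-NetFirewallRule -DisplayName 'Block SMB inbound (TCP 445/139)' -Direction Inbound `
    -Protocol TCP -LocalPort 445,139 -Profile Public -Action Block
New-NetFirewallRule -DisplayName 'Block NetBIOS inbound (UDP 137-138)' -Direction Inbound `
    -Protocol UDP -LocalPort 137,138 -Profile Public -Action Block
New-NetFirewallRule -DisplayName 'Block SMB outbound to internet' -Direction Outbound `
    -Protocol TCP -RemotePort 445 -Profile Public -Action Block

# --- Verify: what is still listening on the sensitive ports?
Get-NetTCPConnection -State Listen | Where-Object LocalPort -in 3389,445,139 |
    Select-Object LocalAddress, LocalPort, OwningProcess

function Get-FailedLogonSources {
    # Count Event ID 4625 (failed logon) per source IP over the last N hours. Many
    # failures from one address against many accounts is the brute-force signature;
    # that address belongs on the perimeter block list and the accounts need review.
    param([int]$Hours = 24, [int]$Threshold = 20)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625
                                               StartTime = (Get-Date).AddHours(-$Hours) } `
                           -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Ip = $data['IpAddress']; User = $data['TargetUserName']; LogonType = $data['LogonType'] }
    } | Group-Object Ip | Where-Object Count -ge $Threshold |
      Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                    @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
      Sort-Object Count -Descending
}

Get-FailedLogonSources -Hours 24 -Threshold 20
```

If the listening check still shows 3389 bound to the internet-facing address after this, the fix is to put RDP behind the VPN rather than to keep tuning firewall rules. Logon type 10 in the 4625 output is RemoteInteractive, i.e. RDP; type 3 with NTLM from external addresses usually means SMB or WinRM is also exposed.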
General Best Practices
There are a number of general best practices that further increase security for a business's IT administration, in both local and cloud environments.
- Patching: Keep your operating system, browsers, and all software on your systems up to date and patched.
- Encryption: Implement policies and software to encrypt data in transit and at rest.
- Network Map: Create and maintain a detailed map of every network-attached device and illustrate how business data flows across the network. Depict the topology, the IP addressing scheme and any dependencies. This helps you visualize the network for planning, and for defending it during a breach.
- Network Segmentation: Segment the network to separate business units and systems of different sensitivity, so that an intrusion is contained or at least slowed. Network design skills are needed to segment efficiently.
- Cloud Security: Apply best practices and enable the security settings of cloud-based applications such as Microsoft Office 365, including the following:
- MFA: Enable Multi-Factor Authentication (MFA) for administrator accounts, which may not be enforced by default. Enable it for all users as well: an attacker who takes over a user's mailbox can send convincing phishing from it and attack other organizations through the apps the user can access.
- Enable the Unified Audit Log (UAL), which collects events from Exchange Online, Azure AD, Microsoft Teams, SharePoint Online, Power BI and other services.
- Microsoft Secure Score: Use the built-in Microsoft Secure Score tool to measure the organization's security posture across its Office 365 services; it also lists recommended improvements.
- Set Alerts: Enable alerts for suspicious activity in the Azure/Office 365 environment so that administrators are notified of abnormal events and malicious activity is identified sooner.
- Legacy Email Protocols: Disable legacy email protocols (POP3, IMAP, SMTP AUTH and other basic-authentication clients) unless they are required, or limit them to the specific accounts that need them; they cannot enforce MFA, so a phished password is enough to log in.
- Password Security: Where passwords are used, make them strong according to current best practice, and use Multi-Factor Authentication (MFA) wherever possible: for virtual private networks (VPNs), webmail and any account that reaches critical systems. Some password best practices:
- Use a password manager. It stores many passwords securely and usually generates random ones, so complexity does not come at the cost of usability.
- Use a different password on every system and account.
- Use a passphrase, or the longest password each system permits.
- Do not use passwords based on personal information or on words found in a dictionary of any language.
- Admin Privileges: Apply the principle of least privilege to all services and systems so that users can reach only what they need. Attackers seek out privileged accounts because they unlock more assets. Restrict users' ability to install and run software. Configure the local administrator account so it cannot log on over Remote Desktop Protocol.
- Audit user account permissions periodically, with special attention to Remote Monitoring and Management (RMM) accounts, which can often be reached from the internet. Limit local administrator rights.
- Unused Accounts: Remove unnecessary accounts and groups and restrict root or administrator access.
- Secure your domain controllers (DCs). Attackers target domain controllers because a compromised DC can be used to push ransomware and other tooling to every machine in the domain. Additional points:
- Update and Patch: Patch DCs regularly and run the most current operating system version.
- Limit Admin Access: Only members of the domain administrator groups should be able to log on to a DC. Keep those groups small, and give each administrator a separate, non-administrative account for day-to-day work.
- Limit Internet Access: Configure DC firewalls to block direct internet access; a domain controller has no valid need to browse the internet. Pull updates through another server (a WSUS server, for example) rather than letting DCs reach the internet directly.
- Asset Management: Maintain a comprehensive asset management process that tracks hardware, software, data and licenses. Knowing which systems and software underpin operations, finance, communications and so on lets you set restoration priorities when an attack occurs.
- Save the Logs: Keep network device and host logs, secured and with a copy offline, for at least a year so that you can triage and remediate security events. Log management (SIEM) tools that collect host and network logs into one system make triage across many sources far easier.
- Next-Gen Security Products: Use products that draw on threat intelligence for network traffic, file and email analysis, which adds context and speeds investigation. Consider a Unified Threat Management (UTM) appliance such as the Sophos XG Firewall, a firewall that also inspects every packet for malicious payloads and offers the following features:
- Exposes hidden risks with detailed, configurable, centralized reporting on risky users, unwanted apps, advanced threats and suspicious payloads.
- Protects against ransomware and advanced threats with a top-rated IPS, advanced threat protection, cloud sandboxing, AI-powered threat analysis, dual antivirus engines, web and application control, email protection and a full-featured web application firewall.
- Identifies the source of an infection on the network and automatically limits its access to other network resources in response.
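The Unified Audit Log and Legacy Email Protocols items in the Cloud Security list above can both be handled from the Exchange Online PowerShell module. The script below is an added example, not from the original article: it enables the unified audit log, creates an authentication policy that blocks every basic-authentication protocol, makes it the tenant default, carves out a single exception for a device that genuinely needs SMTP AUTH, and verifies the result. It requires the ExchangeOnlineManagement module and an admin account; admin@example.com and scanner@example.com are placeholders. MFA itself is enforced through Azure AD (security defaults or Conditional Access), not through Exchange, so it is not covered here.

```powershell
# Added example (not from the original article): turn on the unified audit log and
# block legacy (basic) authentication tenant-wide in Exchange Online, then verify.
# Requires the ExchangeOnlineManagement module; the two addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# 1. Unified Audit Log: without it there is no record of mailbox access, forwarding
#    rules or SharePoint activity to investigate after an incident.
Set-OrganizationConfig -AuditDisabled $false
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# 2. Legacy protocols (POP, IMAP, SMTP AUTH, basic-auth ActiveSync and old Outlook)
#    cannot do MFA, so a phished password is enough to log in. A new authentication
#    policy blocks every basic-auth protocol by default; making it the tenant default
#    applies it to all accounts that have no explicit policy of their own.
$policyName = 'Block Basic Authentication'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
# Also switch off SMTP AUTH tenant-wide; it can be re-enabled per mailbox if needed.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Exception for one device (a scanner that can only send via SMTP AUTH):
#    a separate policy that allows SMTP AUTH only, scoped to that single account.
$exceptionName = 'Allow SMTP AUTH for scanner'
if (-not (Get-AuthenticationPolicy -Identity $exceptionName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $exceptionName -AllowBasicAuthSmtp | Out-Null
}
Set-User -Identity 'scanner@example.com' -AuthenticationPolicy $exceptionName
Set-CASMailbox -Identity 'scanner@example.com' -SmtpClientAuthenticationDisabled $false

# 4. Verify: tenant defaults, and every account that carries an explicit policy
#    (each one is an exception that should be justified and reviewed).
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy, AuditDisabled
Get-User -ResultSize Unlimited | Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

Authentication policy changes can take up to a day to apply to existing sessions; the reviewed list of explicit exceptions is the part worth putting on the periodic account-audit checklist.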
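For the Admin Privileges, Unused Accounts and domain controller items above, the audit can be scripted against Active Directory. The script below is an added example, not from the original article: it lists every user who is a direct or nested member of the built-in privileged groups, flags enabled accounts that have not logged on in 90 days or whose password never expires, and reports each domain controller's OS version and most recent installed update. It needs the ActiveDirectory module (RSAT) and read access to the domain; the Get-HotFix step additionally needs remote WMI access to the DCs.

```powershell
# Added example (not from the original article): audit the accounts an attacker
# hunts for first, and check the domain controllers' patch state. Requires the
# ActiveDirectory module (RSAT) and read access to the domain.

Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

# 1. Who holds privileged group membership (including via nested groups)? Every
#    name here should be a dedicated admin account, never someone's daily login.
$privileged = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}
$privileged | Sort-Object Group, Account | Format-Table -AutoSize

# 2. Stale and never-expiring accounts: prime candidates for disabling. LastLogonDate
#    comes from lastLogonTimestamp, which replicates only every ~14 days, so treat the
#    90-day cutoff as approximate.
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet |
    Where-Object { ($_.LastLogonDate -lt $cutoff) -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# 3. Domain controllers: OS version and the most recently installed update.
foreach ($dc in Get-ADDomainController -Filter *) {
    $os = Get-ADComputer -Identity $dc.Name -Properties OperatingSystem, OperatingSystemVersion
    $lastPatch = (Get-HotFix -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    [pscustomobject]@{ DC = $dc.HostName; OS = $os.OperatingSystem
                       Build = $os.OperatingSystemVersion; LastPatch = $lastPatch }
}
```

Run it monthly and diff the output against the previous run: a new name in Domain Admins, or a service account that suddenly has PasswordNeverExpires set, is exactly the kind of change that precedes a ransomware deployment and that nobody notices from the console.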
What’s Next? – Part 2: The Cybersecurity Incident Response Plan
What is the best way to keep a cyberattack from turning into a full breach? Prepare in advance. Being ready to respond to and defend against an active breach is essential to limiting the damage.
A Cybersecurity Incident Response Plan defines how you will respond to a cyberattack. It must ensure that information is not corrupted or lost and that operations resume as quickly as possible. Once the plan is written, it must be practised and evaluated, and then updated with any improvements.
The goal is to react to a cyberattack as efficiently as possible, take the steps that stop and remediate it, and resume business operations.
Part 2 of the series, Cybersecurity Incident Response Plan, will be released in a couple of weeks.
By Paul Garrison/Founder of Crescent IT Systems