Ransomware Protection: A Guide

What Is Ransomware Protection?

Ransomware protection is a comprehensive cybersecurity effort that extends beyond detecting and preventing a ransomware attack. It also includes planning for remediation should an attack successfully bypass prevention efforts, and the creation of critical backups and business continuity plans that allow organizations to quickly come back online in the event of a successful attack.

Why Protect against Ransomware?

The probability that an organization will experience a ransomware attack is rapidly increasing. In the first half of 2021, the FBI's Internet Crime Complaint Center experienced a 62 percent year-over-year surge in reports, with nearly 2100 complaints. According to one survey, more than a third of organizations worldwide suffered an attack in 2021, with ransomware attacks occurring roughly every 11 seconds.

Given the potential damage to corporate systems and workflows should a ransomware attack shut down access to data or applications, it is not surprising that many companies elect to pay ransoms. Typical ransom demands range from hundreds of dollars to well into the millions. The average ransom paid is approaching $250,000.

Recent, high-profile ransomware attacks have affected critical infrastructure and the supply chain, already strained due to the COVID pandemic. One of the most well-known attacks targeted the Colonial Pipeline, which was responsible for transporting more than 100 million gallons of fuel daily. The result was a spike in fuel prices affecting consumers across the U.S.

Colonial paid a ransom of over $5 million ($2.3 million of which they later recovered), but the effects of the attack went further. According to company sources, remediation efforts extended into the tens of millions of dollars. Other attacks, including the CNA Financial and Kaseya attacks in 2021, had similarly catastrophic consequences.

Despite the growing ransomware threat, many organizations are unprepared to identify or deal with an attack; nearly half of all organizations lack effective incident response plans. Ransomware protection is essential to secure more than just enterprise networks and data. Effective ransomware protection also limits post-attack costs and reputational effects. 

How to Protect against Ransomware

There are many steps organizations can take to reduce the likelihood of a ransomware attack and to limit damage should an attack succeed.

Raise Awareness

Employees are the primary attack vector for ransomware. Poor password hygiene, overly permissive access policies, and susceptibility to phishing scams (which remain the source of most attacks) expand an organization's attack surface, making it easy for cybercriminals to introduce ransomware. Unfortunately, many organizations tolerate these bad practices because they fear employee complaints if they institute stricter policies.

Organizations must properly train their employees to be vigilant for the signs of an attack and to defend against attacks proactively. For example, keeping employees from clicking links in suspicious emails (e.g., ones with odd capitalization or misspellings) goes a long way toward a better security posture.

Just as importantly, organizations must make their employees understand the need for strict security policies. While employees may find it inconvenient to use strong passwords that they must change frequently, it would be far more inconvenient if they suddenly cannot do their work due to a successful attack.

Update Systems

Another common entry point for ransomware attacks is out-of-date and legacy software. Organizations must apply software patches promptly upon release, especially since many patches explicitly correct vulnerabilities.

Organizations should also create comprehensive digital asset inventories. Many enterprises have old, unused, and out-of-date applications still accessing corporate networks—without IT's knowledge. Eliminating or restricting these applications is another step toward reducing the company's attack surface.
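The two checks above (patch currency and an inventory that IT actually controls) can be reconciled in one pass. The following is an added example, not BlackBerry's code: it compares constructed inventory rows against a constructed vendor bulletin of minimum fixed versions, and flags software that is unpatched, hosts that have not been seen recently, and assets with no recorded owner. The hostnames, application names and versions are invented.

```python
"""Asset-inventory reconciliation for patch hygiene (added example, not BlackBerry's code).

Inventory rows and the patch bulletin below are constructed; every hostname,
application name and version string is invented for illustration.
"""
from datetime import date

# Constructed inventory as an asset-management export might provide it.
INVENTORY = [
    {"host": "fin-ws-07", "app": "pdfreader", "version": "11.2.0",
     "last_seen": date(2022, 3, 1), "owner": "finance"},
    {"host": "legacy-db-01", "app": "dbserver", "version": "9.6.3",
     "last_seen": date(2021, 10, 14), "owner": ""},
    {"host": "hr-ws-02", "app": "pdfreader", "version": "11.4.1",
     "last_seen": date(2022, 3, 2), "owner": "hr"},
    {"host": "kiosk-lobby", "app": "browser", "version": "88.0.1",
     "last_seen": date(2022, 3, 2), "owner": ""},
]

# Constructed vendor bulletin: the earliest version that carries the fix.
MIN_FIXED_VERSION = {"pdfreader": "11.4.0", "dbserver": "10.0.0", "browser": "99.0.0"}


def parse_version(v):
    """'11.4.0' -> (11, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def findings(inventory, as_of, stale_days=60):
    """Return one record per asset that needs attention, with its list of issues.

    An asset is reported if it runs a version below the bulletin's fixed version,
    has not checked in for more than `stale_days`, or has no owner on record.
    """
    out = []
    for row in inventory:
        issues = []
        fixed = MIN_FIXED_VERSION.get(row["app"])
        if fixed and parse_version(row["version"]) < parse_version(fixed):
            issues.append(f"unpatched: {row['version']} < {fixed}")
        age_days = (as_of - row["last_seen"]).days
        if age_days > stale_days:
            issues.append(f"stale: last seen {age_days} days ago")
        if not row["owner"]:
            issues.append("no owner recorded")
        if issues:
            out.append({"host": row["host"], "app": row["app"], "issues": issues})
    # Assets with the most problems first, so the triage list reads top-down.
    return sorted(out, key=lambda f: -len(f["issues"]))


if __name__ == "__main__":
    for f in findings(INVENTORY, as_of=date(2022, 3, 3)):
        print(f["host"], f["app"], "; ".join(f["issues"]))
```

Stale, unowned hosts are the ones most likely to be the "unused applications still accessing corporate networks" the text describes, which is why the ownership check is reported alongside the version check rather than as a separate exercise.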

Use the Proper Tools

Most free tools, such as antivirus programs and firewalls, offer insufficient protection. There is no "one size fits all" solution for ransomware protection; companies should implement the best tools for their given situation. Effective ransomware protection includes various tools, from antivirus programs to advanced deep packet inspection tools that use artificial intelligence and machine learning to home in on anomalous activity.

Back Up Frequently

Backups are another essential tool in defending against ransomware. While they will not prevent attacks, they can limit the negative impacts of a successful attack and minimize the total damage to a company and its customers.

Backups and a strong business continuity plan allow organizations to quickly restore access to files and get back up and running without paying a ransom. Nevertheless, they do nothing to prevent cybercriminals from misusing data they have already exfiltrated.
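A backup only limits damage if it is known to be intact and restorable before it is needed. The following added example (not BlackBerry's code) shows the minimum a restore test should cover: it snapshots a directory with a SHA-256 manifest, simulates the live copy being overwritten, restores from the snapshot and verifies every restored file against the manifest, then shows the same verification catching a corrupted backup copy. All paths are created in a temporary directory; the sample files are constructed.

```python
"""Snapshot backup with a SHA-256 manifest, verification and a restore test.

Added example, not BlackBerry's code. All paths are created under a temporary
directory and the sample files are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_snapshot(source, backup_root, label=None):
    """Copy `source` to backup_root/<label>/data and write manifest.json beside it."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    snap = Path(backup_root) / label
    data = snap / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_of(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return snap


def verify_tree(root, manifest):
    """Relative paths under `root` that are missing or whose digest does not match."""
    root = Path(root)
    return sorted(rel for rel, digest in manifest.items()
                  if not (root / rel).is_file() or sha256_of(root / rel) != digest)


def verify_snapshot(snap):
    manifest = json.loads((Path(snap) / "manifest.json").read_text())
    return verify_tree(Path(snap) / "data", manifest)


def restore_snapshot(snap, target):
    """Copy the snapshot into `target`, then re-verify the restored files."""
    manifest = json.loads((Path(snap) / "manifest.json").read_text())
    shutil.copytree(Path(snap) / "data", target, dirs_exist_ok=True)
    return verify_tree(target, manifest)


def demo():
    """Back up, lose the live copy, restore, and detect a corrupted backup copy."""
    work = Path(tempfile.mkdtemp(prefix="bk-demo-"))
    source = work / "source"
    (source / "notes").mkdir(parents=True)
    ledger = "id,amount\n1,100\n2,250\n"
    (source / "ledger.csv").write_text(ledger)          # constructed sample file
    (source / "notes" / "q3.txt").write_text("quarterly notes\n")

    snap = create_snapshot(source, work / "backups", label="snap1")
    snapshot_intact = verify_snapshot(snap) == []

    # Constructed incident: the live ledger is overwritten with unreadable bytes.
    (source / "ledger.csv").write_bytes(os.urandom(64))

    restored = work / "restored"
    restore_mismatches = restore_snapshot(snap, restored)
    restored_ledger = (restored / "ledger.csv").read_text()

    # Constructed corruption of the backup copy itself; verification must flag it.
    (snap / "data" / "ledger.csv").write_bytes(b"garbage")
    corrupted_after_tamper = verify_snapshot(snap)

    shutil.rmtree(work)
    return {"snapshot_intact": snapshot_intact,
            "restore_mismatches": restore_mismatches,
            "restored_ledger": restored_ledger,
            "corrupted_after_tamper": corrupted_after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the part that matters: a restore that copies files without checking them against digests recorded at backup time cannot distinguish a good snapshot from one that was silently corrupted or encrypted alongside the live data.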

Ransomware Protection Best Practices

Specific best practices that organizations should follow to minimize the likelihood of a ransomware attack include:

1. Strong Password Policies and MFA

Compromised credentials are one of the simplest ways for attackers to gain an insertion point into company systems. As a result, organizations should enforce strong password policies and apply multi-factor authentication (MFA) protocols to harden endpoints and improve the enterprise's overall security posture.

2. Least Privilege Access, Zero Trust, and IAM Tools

By limiting users' access to critical systems and data, organizations can substantially reduce their attack surfaces and limit opportunities for ransomware to take hold or to spread laterally. Role-based access control (RBAC) built on least-privilege policies ensures that employees' access properly reflects the needs of their positions. Coupling RBAC with Zero Trust policies, under which every actor must be continually authenticated, provides an added level of protection, and companies can manage all these policies with Identity and Access Management (IAM) tools.
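The combination of practices 1 and 2 (MFA, least privilege and continual authentication) reduces to a small policy-evaluation routine. The following is an added example, not BlackBerry's code and not any particular IAM product's API: every request is denied unless a role explicitly grants it, sensitive resources additionally require an MFA-verified session, sessions expire, and a review helper lists granted rights a user never exercised. The roles, resources, sessions and access log are constructed.

```python
"""Deny-by-default, least-privilege access check with an MFA step-up.

Added example, not BlackBerry's code or any vendor's IAM API. Roles,
permissions, sensitive resources and sessions are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed role -> {(resource, action)} map. A role carries only the rights
# its job needs; anything absent from this map is denied.
ROLE_PERMISSIONS = {
    "accounts-payable": {("invoices", "read"), ("invoices", "write")},
    "helpdesk": {("tickets", "read"), ("tickets", "write"), ("user-directory", "read")},
    "backup-operator": {("backups", "read"), ("backups", "write")},
}

# Resources where a single compromised password must not be enough.
MFA_REQUIRED = {"backups", "user-directory"}

MAX_SESSION_AGE_SECONDS = 8 * 3600  # force re-authentication at least once per shift


@dataclass(frozen=True)
class Session:
    user: str
    roles: tuple
    mfa_verified: bool
    age_seconds: int


def granted_permissions(roles):
    """Union of the permissions of every role; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(session, resource, action):
    """Evaluate one request. Returns (allowed, reason); the default answer is deny."""
    if session.age_seconds > MAX_SESSION_AGE_SECONDS:
        return False, "session too old; re-authentication required"
    if (resource, action) not in granted_permissions(session.roles):
        return False, f"no role of {session.user} grants {action} on {resource}"
    if resource in MFA_REQUIRED and not session.mfa_verified:
        return False, f"{resource} requires an MFA-verified session"
    return True, "granted"


def unused_permissions(session, access_log):
    """Rights the session's roles grant that the user never exercised in the log.

    access_log is an iterable of (user, resource, action). The result is the
    candidate list for removal in a least-privilege review.
    """
    used = {(res, act) for user, res, act in access_log if user == session.user}
    return sorted(granted_permissions(session.roles) - used)


if __name__ == "__main__":
    alice = Session("alice", ("accounts-payable",), mfa_verified=False, age_seconds=600)
    bob = Session("bob", ("helpdesk",), mfa_verified=True, age_seconds=600)
    for s, res, act in [(alice, "invoices", "write"), (alice, "backups", "read"),
                        (bob, "user-directory", "read")]:
        print(s.user, act, res, is_allowed(s, res, act))
    # Constructed access log: alice only ever read invoices, so write is unused.
    print(unused_permissions(alice, [("alice", "invoices", "read")]))
```

The ordering of checks is deliberate: session freshness first, then the role grant, then the MFA step-up, so a caller gets the most actionable reason for a denial and no branch can grant access by falling through.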

3. Spam Filters, Antivirus Programs, and Firewalls

Because phishing emails are the most common source of ransomware attacks, and employees are highly susceptible to phishing scams, organizations need to limit how many of these emails reach employees. Well-configured spam filters are an important part of the prevention arsenal. 

Similarly, antivirus programs are an effective first screen against known attacks. They should also be a part of a company's ransomware protection program.

Firewalls provide an added layer of protection when properly configured. Next-generation firewalls identify anomalies in network traffic using deep packet inspection, shunt aside suspicious files, and harden endpoints.

Misconfigurations of security tools create additional attack vectors, so organizations should ensure that their security personnel, whether an internal IT team or outside vendors, regularly verify configurations.

4. AI and ML Endpoint Security Tools

Cybersecurity tools have advanced quickly, applying new methodologies as rapidly as they appear. Today's tools leverage artificial intelligence and machine learning algorithms to rapidly process and identify patterns in the ever-increasing amounts of traffic flowing through enterprise networks. Because they are uniquely adapted to big data applications and self-improve through use, these tools take up the slack where other tools fall short, particularly when identifying previously unknown attacks. AI and ML tools should be a part of every anti-ransomware effort.
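Whatever the learning method, the anomalies such tools look for during ransomware execution are behavioural, and a practitioner should know what they look like in raw telemetry. The following is an added example, not BlackBerry's code and not how CylanceOPTICS or any other product works internally: it scores each process over a sliding window on three signals that bulk encryption leaves behind (many distinct files written in a short time, high-entropy content, and renames that change the file extension) and raises one alert per offending process. The event stream, process names and paths are constructed.

```python
"""Behavioural detection of an encryption burst in file-activity telemetry.

Added example, not BlackBerry's code and not the internals of any product.
The event stream is constructed; process names and paths are invented.
"""
import math
from collections import defaultdict, deque
from os.path import splitext

WINDOW_SECONDS = 10       # burst window per process
MIN_FILES = 8             # distinct files written inside the window
ENTROPY_THRESHOLD = 7.0   # bits per byte; plaintext documents sit well below this
HIGH_ENTROPY_RATIO = 0.8  # share of writes in the window that must look like ciphertext


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events):
    """events: dicts with ts, proc, op ('write' or 'rename'), path, plus
    data (bytes) for writes and new_path for renames. One alert per process."""
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_proc[e["proc"]].append(e)

    alerts = []
    for proc, evs in by_proc.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW_SECONDS:
                window.popleft()
            writes = [w for w in window if w["op"] == "write"]
            files = {w["path"] for w in writes}
            if len(files) < MIN_FILES:
                continue
            high = sum(1 for w in writes if shannon_entropy(w["data"]) >= ENTROPY_THRESHOLD)
            ext_changes = sum(1 for r in window if r["op"] == "rename"
                              and splitext(r["path"])[1] != splitext(r["new_path"])[1])
            if high / len(writes) >= HIGH_ENTROPY_RATIO or ext_changes >= MIN_FILES:
                alerts.append({"proc": proc, "window_start": window[0]["ts"],
                               "files": len(files), "high_entropy_writes": high,
                               "extension_changes": ext_changes})
                break  # one alert per process is enough to trigger response
    return alerts


def make_sample_events():
    """Constructed telemetry: a word processor saving a few documents, and a
    process rewriting a dozen files with ciphertext-like bytes and renaming them."""
    plaintext = b"Quarterly figures, draft three. Revenue up, costs flat.\n" * 4
    ciphertext_like = bytes(range(256)) * 4  # uniform bytes stand in for real ciphertext
    events = []
    for i in range(3):
        events.append({"ts": 100 + i * 20, "proc": "winword.exe", "op": "write",
                       "path": f"/home/u/docs/report{i}.docx", "data": plaintext})
    for i in range(12):
        path = f"/home/u/docs/file{i}.xlsx"
        events.append({"ts": 300 + i * 0.5, "proc": "updater.exe", "op": "write",
                       "path": path, "data": ciphertext_like})
        events.append({"ts": 300 + i * 0.5 + 0.1, "proc": "updater.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


if __name__ == "__main__":
    for alert in detect_encryption_bursts(make_sample_events()):
        print(alert)
```

The word processor never reaches the file-count threshold, so its low-entropy saves are never scored; the second process trips the rule on its eighth distinct file, well before it has finished the batch. Thresholds like these are the tunable part: a learned baseline per host or process class replaces the fixed constants, which is where the AI and ML tooling the text describes earns its place.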

FAQ

What is ransomware?

Ransomware is malicious software that restricts or prevents a user from accessing files on their device until a ransom is paid. Ransomware works by encrypting the files on a target device, effectively blocking the user's access.

In some cases, ransomware may go farther than simply blocking access. It may also allow cybercriminals to exfiltrate data they can distribute or sell. In addition, by gaining access to one device, they may be able to move laterally throughout enterprise systems, rapidly expanding the attack surface and potential damage to the organization.

What is ransomware protection?

Ransomware protection is a comprehensive cybersecurity effort that extends beyond detecting and preventing a ransomware attack. It includes planning for remediation should an attack successfully bypass prevention efforts, and the creation of critical backups and business continuity plans that allow organizations to quickly come back online in the event of a successful attack.

Who is at risk of a ransomware attack?

Everyone, from individual home users to corporate employees, is a potential victim of a ransomware attack. As long as there is a connection from a device to the outside world, whether a secured corporate network or a public Wi-Fi hotspot, cybercriminals will attempt to exploit it to insert ransomware.

What's the best protection against ransomware?

Organizations should apply several best practices to harden their systems against ransomware attacks, including:

  • Developing, implementing, and enforcing anti-ransomware cybersecurity policies, including email and internet usage policies and strong password and multi-factor authentication policies
  • Applying role-based permissions and least-privilege access policies to limit access to critical systems and data
  • Implementing tools to proactively identify potential attacks, both known and zero-day, using advanced analytical methods such as artificial intelligence and machine learning
  • Training employees to use company resources responsibly and to recognize the indicators of ransomware attacks
  • Creating and implementing business continuity plans, including constant redundant backups, so that organizations can limit the damage of an attack

Does antivirus protect against ransomware?

Antivirus programs offer, at best, a partial solution for ransomware attacks. Antivirus tools can be very effective against known malicious actors and vulnerabilities, but they are limited against zero-day attacks.

In addition, antivirus programs only operate on the front end of the attack. If an attack makes it through and infects a device, there is little antivirus programs can do to mitigate or remediate the attack.

As a human-centric, subscription-based 24x7x365 Managed XDR service, CylanceGUARD® provides the expertise and support businesses need to prevent and protect against ransomware attacks. CylanceGUARD combines the comprehensive expertise embodied by BlackBerry Cybersecurity Services with AI-based Endpoint Protection (EPP) through CylancePROTECT®, continuous authentication and analytics through CylancePERSONA, and on-device threat detection and remediation through CylanceOPTICS®. In short, CylanceGUARD provides businesses with the people and technology needed to protect the enterprise from the modern threat landscape.