Ransomware has become a major security concern for many organizations. Recent ransomware attacks against the Colonial Pipeline, Acer, and Kaseya have demonstrated the threat and impact ransomware has on organizations today. In 2021, the Verizon Data Breach Investigations Report (DBIR) also reported the financial impact ransomware had on organizations, with most paying an average of up to $1.2 million.
How to prevent ransomware attacks
With ransomware being a common threat, it is important for organizations to be prepared to best protect against it. Malicious actors use a variety of different techniques to deliver ransomware ranging from phishing to targeted campaigns. By following the five security best practices listed below, organizations can help reduce the threat and impact of ransomware attacks today.
1. Phishing protection
Phishing emails have historically been one of the leading delivery vectors for malware, and the same is true of ransomware. In fact, over half of managed service providers (MSPs) pointed to phishing as the top ransomware delivery vector in 2020.
Phishing campaigns may use an array of different techniques to trick end users into installing and executing ransomware. Ransomware can be obfuscated in an attachment or be delivered through a link within the email.
Spam and phishing protection solutions can help to block malicious emails from reaching end users’ inboxes. Organizations should also use technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to help protect against spoofed emails. Implementing these phishing protection best practices will help reduce one of the leading causes for ransomware distribution. Lastly, it is recommended that organizations perform security awareness training to train and educate personnel on the risks of phishing attacks.
2. Disabling macros
Macros are small programs written to perform repetitive tasks within Microsoft Office applications. It is common for malicious actors to leverage macros within documents or spreadsheets to assist with the deployment and installation of ransomware. This is often combined with spear phishing attacks where malicious documents containing the macros are attached in an email. Once opened, the end user’s system will begin executing arbitrary commands or the code necessary for ransomware deployment.
Disabling macros in Microsoft Office will not only help disrupt the installation and deployment of ransomware variants using this method but also other malicious programs and viruses that leverage macros. In addition, it is recommended that organizations disable JavaScript files from running locally as Locky and other ransomware variants use JavaScript for execution.
3. Implement application whitelisting
Windows AppLocker allows organizations to implement application whitelisting, which can limit which applications run on a system. An organization could explicitly allow certain applications to run or can specify the locations from which applications are permitted to execute.
Oftentimes, ransomware delivered through phishing or exploit kits are located in the Downloads, Temp, or AppData directories. By only allowing applications that are digitally signed or located in the Program Files directory to run, an organization can help block the execution of multiple ransomware variants.
4. Prevent registry access
Ransomware variants commonly implement persistence mechanisms that help them continue to run after a system reboot. Many persistence mechanisms implemented by ransomware authors rely upon the Windows Registry. By limiting access to registry within systems, organizations can help disrupt or prevent ransomware persistency.
Applications listed under the Run and SystemRestore keys are automatically launched after a system reboot. Ransomware uses these and other registry values to achieve persistence and prevent system restores. Disabling edits to registry keys blocks these persistence mechanisms and can cause poorly coded ransomware to crash when it cannot access and edit these keys.
5. Backups
Ransomware’s business model is based on denying an organization access to its data. Organizations that pay the ransom do so in an attempt to gain access to their data and resume normal operations. However, if an organization can access its data, then there is no need to pay the ransom and that’s where backups come in.
A robust backup strategy is a core component of an organization’s ransomware recovery strategy. Backups should be immutable, encrypted, air-gapped, and follow a 3-2-1 backup strategy. If nothing else, companies should create multiple backups of their systems on different media types and store them at geographically distributed locations.
Protecting against ransomware attacks
Ransomware groups take advantage of security weaknesses to execute common attack vectors. Taking action with these security best practices and closing any identified security weaknesses within an organization decreases the risk of a ransomware infection. From there, an organization can develop and implement a strategy that provides more robust and comprehensive security by design against ransomware and other cyber threats.