Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. Ransomware can also be used to steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public.
It is critical that organizations be prepared. That includes educating users, response teams, and business decision makers about the importance of processes and procedures for preventing and handling potential compromises before they occur.
BASIC RANSOMWARE TIPS (NISTIR 8374)
- Educate employees on avoiding ransomware infections
  - Don’t open files or click on links from unknown sources unless you first run an antivirus scan or inspect the link target carefully.
  - Avoid using personal websites and personal apps like email, chat, and social media from work computers.
  - Don’t connect personally owned devices to work networks without prior authorization.
- Avoid having vulnerabilities in systems that ransomware could exploit
  - Keep relevant systems fully patched. Run scheduled checks to identify available patches and install them as soon as feasible.
  - Employ zero trust principles in all networked systems. Manage access to all network functions and segment internal networks where practical so that malware cannot spread freely among potential target systems.
  - Allow installation and execution of authorized apps only. Configure operating systems and/or third-party software to run only authorized applications, backed by a policy for reviewing, then adding or removing, applications on an allow list.
  - Inform your technology vendors of your expectations (e.g., in contract language) that they will apply measures that discourage ransomware attacks.
- Quickly detect and stop ransomware attacks and infections
  - Use malware detection software such as antivirus software at all times. Set it to automatically scan emails and flash drives.
  - Continuously monitor directory services (and other primary user stores) for indicators of compromise or active attack, such as bursts of failed logons, unexpected new accounts, and changes to privileged group membership.
  - Block access to untrusted web resources. Use products or services that block access to server names, IP addresses, or ports and protocols that are known to be malicious or suspected to be indicators of malicious system activity. This includes using products and services that provide integrity protection for the domain component of addresses (e.g., the poser.com in hacker@poser.com), so that mail claiming to come from a domain can be checked against that domain’s published email authentication records (SPF, DKIM, DMARC).
- Make it harder for ransomware to spread
  - Use standard user accounts with multi-factor authentication instead of accounts with administrative privileges whenever possible.
  - Introduce authentication delays or configure automatic account lockout as a defense against automated attempts to guess passwords.
  - Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has only the access it needs, following the principle of least privilege.
  - Store data in an immutable format (so that the database retains older data rather than automatically overwriting it when new data is made available).
  - Allow external access to internal network resources via secure virtual private network (VPN) connections only.
- Make it easier to recover stored information from a future ransomware event
  - Make an incident recovery plan. Develop, implement, and regularly exercise an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan. The plan should identify mission-critical and other business-essential services to enable recovery prioritization, and business continuity plans for those critical services.
  - Back up data, secure backups, and test restoration. Carefully plan, implement, and test a data backup and restoration strategy, and secure and isolate backups of important data so that an attacker who reaches the production network cannot encrypt or delete them.
  - Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement, legal counsel, and incident response resources.
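The “continuously monitor directory services” item is the one most teams leave vague, so here is what that monitoring can look like as detection logic. This is an added example, not part of NISTIR 8374 or this page: the pipe-separated line format and the lines in SAMPLE_LOG are constructed for the example and are not the native Windows Security log format, so a real deployment would replace parse_event() with a reader for the domain controllers’ Security log or a SIEM export. The event IDs are the real Windows Security audit IDs; the thresholds are assumptions to tune for your environment.

```python
"""Detection logic for directory-service indicators of compromise.

Added example; not part of NISTIR 8374 or the original page. The line format
and SAMPLE_LOG are constructed. Event IDs are real Windows Security audit IDs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # An account failed to log on
ACCOUNT_CREATED = 4720     # A user account was created
GROUP_ADD_GLOBAL = 4728    # Member added to a security-enabled global group
GROUP_ADD_LOCAL = 4732     # Member added to a security-enabled local group

# Groups whose membership changes always deserve a look (assumed set; extend to taste).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse_event(line):
    """Parse one constructed line: '<ISO timestamp>|<event id>|key=value|...'."""
    ts, eid, *pairs = line.strip().split("|")
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["id"] = int(eid)
    return event


def detect(lines, fail_threshold=10, window=timedelta(minutes=5)):
    """Return (severity, message) alerts for the given log lines."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # source IP -> failed logons inside the window
    reported = set()               # sources already alerted on, to avoid repeats
    created = {}                   # account name -> creation time

    for e in events:
        if e["id"] == FAILED_LOGON:
            src = e.get("src", "unknown")
            recent = [x for x in failures[src] if e["ts"] - x["ts"] <= window] + [e]
            failures[src] = recent
            if len(recent) >= fail_threshold and src not in reported:
                reported.add(src)
                users = {x["user"] for x in recent}
                # Many accounts from one source is a spray; one account is brute force.
                kind = "password spray" if len(users) > 1 else "brute force"
                alerts.append(("high", f"{kind} from {src}: {len(recent)} failed logons "
                                       f"against {len(users)} account(s) within {window}"))
        elif e["id"] == ACCOUNT_CREATED:
            created[e["user"]] = e["ts"]
        elif e["id"] in (GROUP_ADD_GLOBAL, GROUP_ADD_LOCAL):
            group, member, actor = e.get("group"), e.get("member"), e.get("actor", "?")
            if group not in PRIVILEGED_GROUPS:
                continue
            age = e["ts"] - created[member] if member in created else None
            if age is not None and age <= timedelta(hours=1):
                # A brand-new account going straight into an admin group is a classic
                # persistence step and outranks an ordinary membership change.
                alerts.append(("critical", f"{member} was created {age} before {actor} "
                                           f"added it to {group}"))
            else:
                alerts.append(("medium", f"{actor} added {member} to {group}"))
    return alerts


# Constructed sample log: 12 failures from one source within a minute, one stray
# failure, a new account, and that account joining Domain Admins minutes later.
SAMPLE_LOG = [
    *(f"2024-05-01T09:00:{i * 5:02d}|4625|user=user{i:02d}|src=10.0.0.5" for i in range(12)),
    "2024-05-01T09:05:00|4625|user=jdoe|src=10.0.0.9",
    "2024-05-01T09:10:00|4720|user=svc_backup2|actor=jdoe",
    "2024-05-01T09:12:30|4728|member=svc_backup2|group=Domain Admins|actor=jdoe",
    "2024-05-01T11:00:00|4728|member=hr_app|group=HR Staff|actor=admin",
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against SAMPLE_LOG it raises one high alert for the spray from 10.0.0.5 (the stray failure from 10.0.0.9 stays below threshold) and one critical alert for svc_backup2, which was created and added to Domain Admins within the hour; the HR Staff change produces nothing because that group is not privileged. The sliding window and the per-source de-duplication are what keep this from paging on every single 4625.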
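“Test restoration” is the part of the backup item that gets skipped, so the following added example (not from NISTIR 8374 or this page) rehearses it end to end: back up a directory with a SHA-256 manifest taken at backup time, simulate the incident by overwriting and renaming the source files, restore into a clean directory, and judge the restore against the manifest rather than against whatever the damaged source now looks like. It uses only the Python standard library and a scratch directory, and the sample files are constructed. In a real deployment the archive and manifest go to isolated storage (offline, or an immutable/write-once bucket) and the drill restores onto a clean host.

```python
"""Back up a directory with a SHA-256 manifest and rehearse the restore.

Added example; not part of NISTIR 8374 or the original page. Sample data is
constructed. The manifest captured at backup time is the yardstick for the
restore, so it must live with the backup copy, not on the host being backed up.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, archive):
    """Write a gzip tarball of source; return the manifest taken at backup time."""
    manifest = manifest_for(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest


def restore(archive, dest):
    """Extract the archive into dest, refusing members that would escape dest."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # The 'data' extraction filter rejects absolute paths and '..' traversal.
            tar.extractall(str(dest), filter="data")
        except TypeError:   # older Python without the filter argument: check by hand
            for m in tar.getmembers():
                if os.path.isabs(m.name) or ".." in Path(m.name).parts:
                    raise ValueError(f"unsafe path in archive: {m.name}")
            tar.extractall(str(dest))


def verify_restore(tree, manifest):
    """Compare a directory tree with the backup-time manifest; return a list of problems."""
    actual = manifest_for(tree)
    problems = [f"missing: {rel}" for rel in manifest if rel not in actual]
    problems += [f"corrupt: {rel}" for rel, digest in manifest.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in sorted(actual.keys() - manifest.keys())]
    return problems


def run_drill():
    """Back up constructed data, simulate the incident, restore, and verify.

    Returns (problems on the damaged source, problems on the restore).
    A successful drill is an empty second list.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")  # constructed
        (src / "notes.txt").write_text("quarterly review\n")                     # constructed
        archive = tmp / "backup.tar.gz"
        manifest = backup(src, archive)

        # Simulate the incident: every source file is overwritten and renamed.
        for p in [q for q in src.rglob("*") if q.is_file()]:
            p.write_bytes(os.urandom(32))
            p.rename(p.with_name(p.name + ".locked"))
        source_problems = verify_restore(src, manifest)

        restored = tmp / "restore"
        restore(archive, restored)
        return source_problems, verify_restore(restored, manifest)


if __name__ == "__main__":
    damaged, after_restore = run_drill()
    print("source after incident:", damaged)
    print("restore drill:", "OK" if not after_restore else after_restore)
```

The drill reports the two original files as missing and the two renamed ones as unexpected on the damaged source, and nothing at all on the restore. Two design points carry over to production tooling: the manifest is computed before the archive is written and stored apart from the source, so a later compromise cannot rewrite the yardstick, and extraction refuses archive members that point outside the destination, since a backup that has been tampered with is itself an attack path during recovery.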
What does your Ransomware Risk profile look like today?
The Goliath Cyber Advisory Team stands ready, working with you to understand and help Identify, Protect, Detect, Respond and Recover!
ALONE YOU MAY BE STRONG – TOGETHER WE ARE STRONGER!