As the world of technology grows, so should the cybersecurity practices that protect it. Having a ransomware defense strategy should be a priority for any individual or company. Without it, poorly protected users and organizations can put themselves at risk of losing important and confidential information.
A report from Cybersecurity Ventures estimates that there was one ransomware attack every 11 seconds in 2021, resulting in almost $20 billion in damages. These extortion schemes often target individuals or businesses that are most likely to pay the demanded sum to recover their data.
For many companies, that data is the most valuable asset they own. Losing it could mean irreversible damage that could cripple an entire operation. It's important to stay proactive with the best ransomware protection practices before potential threats have the opportunity to take advantage. Keep reading to learn more about how you can protect your data from any future attacks!
What Is Ransomware?
Ransomware is a sophisticated type of malware that can infect a computer and then hold sensitive data or personally identifiable information (PII) hostage until a fee, or "ransom," is paid. Cybercriminals often encrypt the data with a key that only they hold, restricting access in order to extort money from victims.
Ransomware attacks can be especially dangerous for businesses that rely on that information to function daily. In most cases, failure to pay the ransom can lead to permanent loss or exposure of confidential data.
Some of the most common ways people get infected by ransomware are:
- Phishing emails
- Visiting corrupted websites (drive-by downloading)
- Downloading infected file extensions or malicious attachments
- System and network vulnerabilities
- Remote desktop protocol (RDP) attacks
Types Of Ransomware
Ransomware attacks can affect anyone, from individual users to large corporations. This type of malware can lock up anything from individual files, like documents or images, to entire databases, leading to huge data breaches or exposure of sensitive, personal information.
There are four main categories of ransomware:
- Encryption - Encryption is the most common type of ransomware, which encrypts data and makes it impossible to unlock without a decryption key.
- Lockers - Lockers restrict the use of your computer, making it impossible to work or use basic functions until the ransom is paid.
- Scareware - Scareware attempts to scare users into buying unnecessary software. In some cases, pop-ups will flood the screen, forcing the user to pay to remove them.
- Doxware/Leakware - Doxware or leakware will threaten to leak personal or company information unless the fine is paid.
10 Best Ransomware Prevention Practices
Luckily, there are many ways to protect yourself from ransomware infection. Because technology is constantly evolving, it's important to follow basic cybersecurity practices and stay proactive, so that you'll never put yourself or your business at risk of any ransomware threats.
1. Back Up Your Data
Backing up your data to an external hard drive or cloud server is one of the easiest risk mitigation practices. In the case of a ransomware attack, the user can wipe the computer clean and reinstall the backup files. Ideally, organizations should be backing up their most important data at least once per day.
A popular approach to follow is the 3-2-1 rule. Try to keep 3 separate copies of your data on 2 different storage types with 1 copy offline. You can also add another step to the process by adding one more copy on an immutable (can't be altered), indelible (can't be deleted) cloud storage server.
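Added example (not from the original article): a Python check of a backup inventory against the 3-2-1 rule above. It also reports the age of the newest offline or immutable copy, which is how much data would be lost if every network-reachable copy were encrypted. The inventory fields and sample entries are assumptions constructed for illustration, and the production copy is counted as one of the 3.

```python
from datetime import datetime, timedelta

def audit_321(copies, now, max_age=timedelta(days=1)):
    """Check the copies of one dataset against the 3-2-1 rule.

    Returns (findings, loss_window). loss_window is the age of the newest
    copy that ransomware on the network could not modify (offline or
    immutable), or None when no such copy exists.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, the rule asks for 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} storage type(s), the rule asks for 2")
    if not any(c["offline"] for c in copies):
        findings.append("no offline copy")
    protected = [c for c in copies if c["offline"] or c["immutable"]]
    loss_window = min((now - c["taken"] for c in protected), default=None)
    if loss_window is None:
        findings.append("every copy is online and writable")
    elif loss_window > max_age:
        findings.append(f"newest protected copy is {loss_window} old")
    return findings, loss_window

# Constructed sample inventory (hypothetical names and times).
NOW = datetime(2024, 1, 10, 12, 0)
INVENTORY = [
    {"name": "production", "media": "ssd", "offline": False,
     "immutable": False, "taken": NOW},
    {"name": "nas-snapshot", "media": "nas-disk", "offline": False,
     "immutable": False, "taken": NOW - timedelta(hours=6)},
    {"name": "usb-drive", "media": "usb-hdd", "offline": True,
     "immutable": False, "taken": NOW - timedelta(days=9)},
]
# The optional extra step from the text: an immutable cloud copy.
CLOUD_COPY = {"name": "cloud-locked", "media": "object-storage",
              "offline": False, "immutable": True,
              "taken": NOW - timedelta(hours=20)}

if __name__ == "__main__":
    print(audit_321(INVENTORY, NOW))
    print(audit_321(INVENTORY + [CLOUD_COPY], NOW))
```

The first inventory meets the letter of 3-2-1 yet still fails the daily-backup target, because its only protected copy is nine days old.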
2. Keep All Systems And Software Updated
Always keep your operating system, web browser, antivirus, and any other software you use updated to the latest version available. Malware, viruses, and ransomware are constantly evolving with new variants that can bypass your old security features, so you'll want to make sure everything is patched and up-to-date.
Many attackers prey on larger businesses that rely on outdated legacy systems that have not been updated for some time. Perhaps the most infamous ransomware attack occurred in 2017 when the malicious software WannaCry crippled major corporations around the world. It even forced NHS hospitals in Great Britain, Spanish telecommunications company Telefónica, and Apple chip supplier Taiwan Semiconductor Manufacturing Co. (TSMC) to shut down operations for four days. In total, over 230,000 computers globally were affected.
The attack targeted computers with outdated versions of Microsoft Windows. Despite a recently released patch that would have prevented the spread of malware, many users and organizations were slow to update and, as a result, became victims of the scam. Since this incident, security experts worldwide have urged companies to update their systems as soon as possible.
3. Install Antivirus Software & Firewalls
Comprehensive antivirus and anti-malware software are the most common ways to defend against ransomware. They can scan, detect, and respond to cyber threats. However, you'll also need to configure your firewall since antivirus software only works at the internal level and can only detect the attack once it is already in the system.
Firewalls are often the first line of defense against any incoming, external attacks. They can protect against both software and hardware-based attacks. Firewalls are essential for any business or private network because they can filter out and block suspicious data packets from entering the system.
TIP: Be careful of fake virus detection alerts! Many fake alerts pretend to be from your antivirus software, especially through emails or website pop-ups. Do NOT click on any links until you verify through the antivirus software directly.
4. Network Segmentation
Because ransomware can spread quickly throughout a network, it's important to limit the spread as much as possible in the event of an attack. Implementing network segmentation divides the network into multiple smaller networks so the organization can isolate the ransomware and prevent it from spreading to other systems.
Each individual subsystem should have its own security controls, firewalls, and unique access to prevent ransomware from reaching the target data. Not only will segmented access prevent the spread to the main network, but it will also give the security team more time to identify, isolate, and remove the threat.
5. Email Protection
Historically, email phishing attacks are the leading cause of malware infections. In 2020, 54% of managed service providers (MSPs) reported phishing as the top ransomware delivery method. Another report released by the Federal Bureau of Investigation (FBI) listed phishing scams as the top cybercrime in 2020, resulting in over $4.2 billion in loss or theft.
There are a couple of different ways that ransomware can infect a user through email:
- Downloading suspicious email attachments
- Clicking on links that lead to infected websites
- Social engineering (tricking users into exposing sensitive information)
In addition to antivirus software, you can take additional precautions by using practices or technologies like:
- Don't open emails from unknown senders - Avoid clicking on attachments, files, or links from unknown addresses or unauthorized sources.
- Keep email client apps updated - Don't allow cybercriminals to take advantage of security vulnerabilities from out-of-date technology.
- Sender Policy Framework (SPF) - Email authentication technique to designate specific email servers from which outgoing messages can be sent.
- DomainKeys Identified Mail (DKIM) - Provides an encryption key and digital signature to verify that the email was not spoofed, forged, or altered.
- Domain-based Message Authentication, Reporting & Conformance (DMARC) - Further authenticates emails by matching SPF and DKIM protocols.
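Added example (not from the original article): a Python audit of the SPF and DMARC DNS TXT records mentioned above, showing a weak configuration beside a hardened one. The records are constructed samples for the placeholder domain example.com, the function names are hypothetical, and DKIM is not covered because checking it requires the signing key's selector.

```python
# Offline audit of SPF and DMARC TXT record strings (constructed samples).

def audit_spf(txt):
    """Return findings for one SPF record; an empty list means none found."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.lower().startswith("redirect=") for t in terms[1:]):
            return []  # policy is delegated to another record
        return ["no 'all' term: mail from unlisted servers gets a neutral result"]
    # A missing qualifier defaults to '+', so a bare 'all' means '+all'.
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    verdicts = {
        "+": "'+all' authorizes every server to send as this domain",
        "?": "'?all' is neutral: unlisted servers are not rejected",
        "~": "'~all' is softfail: unlisted servers are flagged, not rejected",
    }
    return [verdicts[qualifier]] if qualifier in verdicts else []

def audit_dmarc(txt):
    """Return findings for one DMARC record (tag=value pairs split on ';')."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: receivers are not asked "
                        "to quarantine or reject failing mail")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports are received")
    return findings

WEAK = {"spf": "v=spf1 a mx +all", "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 mx include:_spf.example.net -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"}

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_spf(rec["spf"]) + audit_dmarc(rec["dmarc"]))
```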
6. Application Whitelisting
Whitelisting determines which applications can be downloaded and executed on a network. Any unauthorized program or website that is not whitelisted will be restricted or blocked in case an employee or user accidentally downloads an infected program or visits a corrupted site. Using whitelisting software like Windows AppLocker, you can also "blacklist" or block specific programs and websites.
7. Endpoint Security
Endpoint security should be a priority for growing businesses. As businesses begin to expand and the number of end-users increases, this creates more endpoints (laptops, smartphones, servers, etc.) that need to be secured. Each remote endpoint creates a potential opportunity for criminals to access private information or, worse, the main network.
Whether you're running your business from home or working as part of a larger company, look to install endpoint protection platforms (EPP) or endpoint detection and response (EDR) for all network users. These technologies allow system administrators to monitor and manage security for each remote device. EDR is slightly more advanced than EPP, focusing on responding to and countering immediate threats that have infiltrated the network.
EPPs and EDRs typically include a suite of protection tools, including:
- Antivirus & anti-malware
- Data encryption
- Data loss prevention
- Intrusion detection
- Web browser security
- Mobile & desktop security
- Network assessments for security teams
- Real-time security alerts and notifications
8. Limit User Access Privileges
Another way to protect your network and systems is limiting user access and permissions to only the data they need to work. This idea of "least privilege" limits who can access essential data. By doing so, you can prevent ransomware from spreading between systems within a company. Even with access, users may encounter limited functions or resources, as defined in a role-based access control (RBAC) policy.
Least privilege typically involves a zero-trust model that assumes any internal or external users cannot be trusted, which means that they will require identity verification at every level of access. Verification usually requires at least two-factor (2FA) or multi-factor authentication (MFA) to prevent access to target data should a breach occur.
9. Run Regular Security Testing
Implementing new security measures should be a never-ending task. As ransomware tactics continue to evolve, companies need to run regular cybersecurity tests and assessments to adapt to changing environments. Companies should continually:
- Reevaluate user privileges and access points
- Identify new system vulnerabilities
- Create new security protocols
Sandbox testing is a common strategy to test malicious code against current software in an isolated environment to determine if security protocols are sufficient.
10. Security Awareness Training
Because end-users and employees are the most common gateway for cyber attacks, one of the most important trainings a company can provide is security awareness training. Phishing and social engineering tactics can easily take advantage of unsuspecting, ill-equipped users. Having basic cybersecurity knowledge can greatly affect and even prevent attacks at the source.
Some basic security training practices to provide are:
- Safe web surfing
- Creating strong, secure passwords
- Using secure VPNs (no public Wi-Fi)
- Recognizing suspicious emails or attachments
- Maintaining updated systems and software
- Confidentiality training
- Providing an emergency reporting channel for suspicious activity
What To Do After A Ransomware Attack
Of course, despite all the security measures in place, it's still possible to become a victim of ransomware. Part of your security plan should include what to do immediately after becoming infected or attacked and the proper steps to limit the damage. Organizations should establish clear lines of emergency communication and response procedures ahead of time so all users understand what to do if an attack occurs. Some immediate steps that should be taken are:
- Do NOT pay the ransom - Security experts and law enforcement agencies strongly advise against paying the ransom because this only encourages attackers to continue their criminal activity. In many cases, there's no guarantee the attackers will provide a working decryption key. Even with a key, the data may become corrupted, resulting in permanent loss.
- Isolate infected systems - To prevent a further breach, users should immediately disconnect their device from the network and all wireless connectivity (Wi-Fi, Bluetooth). Although the ransomware may have already affected other users, isolation can limit the scope of infection in the network.
- Identify the source - Figuring out where the malware originated from can help locate the entry point of the ransomware. This information can provide the organization with valuable information to further improve security practices and training.
- Report attack to authorities - Ransomware is a crime that should be reported to authorities for further investigation. However, another benefit is that law enforcement agencies may have access to more advanced recovery tools and software not available to most organizations. In some cases, recovering stolen or compromised data and catching perpetrators is possible.
Good ransomware defense practice starts before any attacks occur. Waiting until ransomware attacks your network to take action may already be too late. From backing up your files to installing strong antivirus and firewalls to cybersecurity education, you'll want to stay ready for every possible scenario.