In recent years organizations have been investing a fortune in cybersecurity, but ransomware remains as prevalent today (and perhaps even more dangerous) as it has ever been. Ransomware attacks are, in essence, simple to prevent if the right security culture is in place. But, whilst organizations have implemented sophisticated firewalls, attitudes towards ransomware have not changed fast enough.
Recent ransomware attacks
Looking back at recent security breaches, we can see that ransomware attacks did serious damage in 2017, affecting many organizations worldwide. According to Webroot, the top 10 ransomware attacks that shook organizations worldwide in 2017 were WannaCry, Locky, NotPetya, Crysis, Nemucod, Jaff, Spora, Cryptomix, Cerber and Jigsaw. This amounts to billions of dollars' worth of data being encrypted, due mostly to employees not following standard IT security practices.
Mitigate the risks of ransomware attacks by following these tips
1. Be up-to-date
Analysis of previous ransomware cases reveals that the targeted computers were mostly not up-to-date. For example, in the recent WannaCry ransomware attack, many computers running Windows XP were affected. In many cases this was because the machine was part of an embedded system (such as a PoS terminal or industrial equipment) and either the organization was not able to access the operating system or the vendor was unable to provide an upgrade process. There are also cases where end users or organizations were simply not willing to replace Windows XP with a newer version of the Windows operating system.
The WannaCry attack worked by encrypting files on victims' computers. Such cases can be detected by LepideAuditor by creating threshold alerts for this kind of activity, such as file format changes.
Looking forward, in cases of embedded systems where organizations have partial or no access to the operating system, vendors should provide an upgrade path and upgrade the system at least to a version that is supported by its manufacturer. To be safe, assume that all such complicated and outdated software is vulnerable to ransomware.
2. Create isolated working environments
Create isolated working environments for different teams. Teams handling high-priority data should be kept completely isolated from others. In this way, even if some computers are affected, the ransomware will not spread to the entire network.
Suppose you work as an IT administrator in an organization that has many departments, including Software Development. Since the Development Department is engaged in developing software, you want to keep it entirely separate from the other departments. Instead of relocating that department to a separate physical location, the best practice is to create a separate Site in Active Directory and configure a replication policy so that this department's site stays synchronized with Active Directory.
If you have already segregated the IT environment with different sites, LepideAuditor helps you keep track of all changes being made in different sites.
3. Audit everything to detect anomalous events
We recommend you audit your entire IT infrastructure to detect any abnormal activity as early as possible. Make sure that your malware detection system is up-to-date and that your intrusion detection system is working correctly. Ensure that you are auditing your critical server components to track all changes being made. If you detect anomalous changes (such as large numbers of files being modified over a short period of time) it could indicate a ransomware attack. Native auditing, however, suffers from multiple drawbacks, including noise and irrelevant logs, which make it difficult to rely on.
LepideAuditor offers a single platform from which to audit multiple servers in your IT infrastructure. You can quickly answer vital audit questions, such as who made what change, when and where.
4. Follow a 3-2-1 backup strategy
Always assume that you are going to become the victim of a ransomware attack. Take the necessary precautions proactively and follow a 3-2-1 backup strategy. This means:
- Make at least three copies of your vital data.
- Store two local copies in two different mediums (devices).
- Make sure that at least one backup is stored offsite in the cloud.
As an example, you can use a RAID system that mirrors the contents of one disk to another: every bit of data that's written to one disk is immediately copied to the second, so if the first drive fails you have a completely up-to-date copy of everything on the second. NetApp Filers are also trusted for backing up critical business data.
5. Be able to restore Active Directory and Group policy changes
Active Directory and Group Policy together act as the backbone of most organizations' IT infrastructure. You need to ensure you audit changes to these settings appropriately and notify administrators when critical changes are detected. Use an automated solution, like LepideAuditor, to roll back unwanted changes and restore Active Directory and Group Policy to a previous healthy state.
6. Monitor the permissions and reverse them if necessary
Excessive permissions help ransomware spread throughout your critical systems and data. If users have unnecessary administrative permissions, ransomware strains can use them to gain unauthorized access to data and encrypt it. Monitor permission changes continuously to prevent such excessive permissions from accumulating. You should also have the ability to revoke unwanted or unauthorized user privileges.
LepideAuditor tracks all permission changes and lets you roll back unwanted permission changes in Active Directory.
7. Monitor changes made in Files (even if by Ransomware)
Many strains of ransomware work by changing file formats on your computer. LepideAuditor lets you monitor the changes made to files and folders continuously. You can create threshold alerts to monitor critical changes made to the files and folders that store your sensitive data. If the solution sees multiple file format changes occurring within a short period, LepideAuditor will send instant alerts to administrators. Based on these alerts, you can run your own scripts to prevent further damage, such as disabling the infected user.
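To make the threshold logic in tips 3 and 7 concrete, here is an added example (not LepideAuditor's code or output) that scans constructed file-server rename events and flags any user whose renames change file extensions more than a set number of times within a short sliding window, which is exactly the "many file format changes in a short period" pattern described above. The event format, user names, paths and the .WNCRY extension in the sample data are all assumed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit events (not real logs):
# (timestamp, user, operation, old_path, new_path)
SAMPLE_EVENTS = [
    ("2017-05-12T09:00:01", "alice", "RENAME", r"\\fs1\finance\q1.xlsx", r"\\fs1\finance\q1.xlsx.WNCRY"),
    ("2017-05-12T09:00:02", "alice", "RENAME", r"\\fs1\finance\q2.xlsx", r"\\fs1\finance\q2.xlsx.WNCRY"),
    ("2017-05-12T09:00:02", "bob",   "RENAME", r"\\fs1\hr\offer.docx", r"\\fs1\hr\offer_final.docx"),
    ("2017-05-12T09:00:03", "alice", "RENAME", r"\\fs1\finance\q3.xlsx", r"\\fs1\finance\q3.xlsx.WNCRY"),
    ("2017-05-12T09:00:04", "alice", "WRITE",  r"\\fs1\finance\README.txt", r"\\fs1\finance\README.txt"),
    ("2017-05-12T09:00:05", "alice", "RENAME", r"\\fs1\finance\budget.pptx", r"\\fs1\finance\budget.pptx.WNCRY"),
    ("2017-05-12T09:00:06", "alice", "RENAME", r"\\fs1\finance\notes.docx", r"\\fs1\finance\notes.docx.WNCRY"),
    # carol converts one file every three minutes: legitimate work, below the rate threshold
    ("2017-05-12T09:00:00", "carol", "RENAME", r"\\fs1\mkt\a.doc", r"\\fs1\mkt\a.docx"),
    ("2017-05-12T09:03:00", "carol", "RENAME", r"\\fs1\mkt\b.doc", r"\\fs1\mkt\b.docx"),
    ("2017-05-12T09:06:00", "carol", "RENAME", r"\\fs1\mkt\c.doc", r"\\fs1\mkt\c.docx"),
    ("2017-05-12T09:09:00", "carol", "RENAME", r"\\fs1\mkt\d.doc", r"\\fs1\mkt\d.docx"),
    ("2017-05-12T09:12:00", "carol", "RENAME", r"\\fs1\mkt\e.doc", r"\\fs1\mkt\e.docx"),
]

THRESHOLD = 5                   # extension-changing renames by one user ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window raise an alert

def extension(path):
    """Lower-cased extension of the last path component ('' if none); handles UNC paths."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def detect_mass_extension_changes(events, threshold=THRESHOLD, window=WINDOW):
    """Count extension-changing renames per user in a sliding window.
    Returns {user: (timestamp, count, new_extension)} for the first time each user crosses it."""
    recent = defaultdict(deque)  # user -> deque of (time, new_extension) inside the window
    alerts = {}
    for ts, user, op, old, new in sorted(events, key=lambda e: e[0]):
        if op != "RENAME" or extension(old) == extension(new):
            continue  # ordinary writes and same-type renames are noise, not a format change
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((t, extension(new)))
        while t - q[0][0] > window:  # drop events that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (ts, len(q), q[-1][1])
    return alerts

if __name__ == "__main__":
    for user, (when, n, ext) in detect_mass_extension_changes(SAMPLE_EVENTS).items():
        print(f"ALERT {when}: {user} changed {n} file extensions to .{ext}; consider disabling the account")
```

The alert dictionary is the point where an administrator's own response script (such as disabling the account, as the text suggests) would hook in.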
8. Use trusted anti-ransomware tools
As cybersecurity experts from government agencies work against ransomware threats, they have succeeded in breaking the encryption schemes of some of the attackers. Download and use the trusted anti-ransomware tools offered by these experts to defend your organization.
9. Educate employees on the dangers of ransomware
Train users not to open dodgy-looking links, whether on a web page or in an email. In many past ransomware attacks, research has revealed that the malware spread because users unknowingly clicked infected links. Employees may also unwittingly forward dangerous emails, helping the ransomware spread. Educating your users on how to spot the dangers and what not to do can help prevent the spread of ransomware.