Posted on Apr 27, 2021
Ransomware is one of the most common methods cybercriminals use to compromise organizations’ infrastructures and get at their most valuable data. According to Gartner, 27% of malware attacks in 2020 were the result of ransomware.
It’s also one of the most lucrative tactics used by bad actors. According to NetDiligence, while large corporations are likely to be hacked, they’re more likely to lose money to ransomware attacks.
Ransomware is malware, but instead of simply infecting a victim’s device or networks, it encrypts a victim's files. The attacker who sent it then issues a demand: pay a ransom to get a decryption key. Some attackers don’t keep their word of course, and others threaten to publish proprietary information on public sites if the ransom isn’t paid.
Likely because of their lucrative nature, ransomware attacks have been increasing. NetDiligence reported 19 ransomware claims in 2015, but by 2018, there had been 263. In the final quarter of 2020, ITR listed ransomware as one of the most common attack vectors.
The average ransoms have risen as well, according to NetDiligence. In 2018, ransom amounts crossed the $1M threshold for the first time. In 2019, they crossed the $3M threshold. According to Security Boulevard, ransomware attacks are changing; cybercriminals are doing deeper, more targeted attacks, an effort to get at more valuable information and data.
Most experts say no, although every organization needs to make this decision for themselves based on the details of the breach. This can be complicated by law enforcement and other government entities’ stance on ransomware. Last year, for example, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory suggesting that companies who pay or facilitate ransom payments may be subject to sanctions.
Herb Stapleton, cyber division section chief at the FBI, was quoted last year by Decipher, telling a panel discussion at the CyberNextDC conference Wednesday not to pay the ransom.
“Paying the ransom from our perspective is a bad idea. It fuels further criminal activity and it’s bad for society in the long run. The reason this continues to happen is it’s profitable. Our position has to be that we do not recommend paying the ransom. The FBI would be remiss in the execution of its law enforcement duties if it said anything else,” he said.
Stapleton added that even if a company does decide to pay a ransom, however, they will still be treated as a victim by the FBI.
The best way, however, to avoid a ransomware attack is to focus on preparedness and early mitigation — once an attacker is too deep in your systems, it’s too late.
Knowing what exactly you're protecting is the first step in guarding your network against any attack, including ransomware. What assets — hardware and software — are connected to your network? Keep a list of all connected devices and solutions, so you know what (and where) your endpoints are.
Ransomware relies on the gullibility of human beings and is traditionally sent through phishing campaigns: an email is sent to your employees. It looks legitimate at first glance and claims to be from a trusted source. (Microsoft, UPS, Amazon, Apple, and Zoom are most often spoofed in these campaigns.) The email insists that your employee needs to act right now to change a password or download an important attachment. While some malicious attachments are in commonly-used file formats, like Word documents, many are in other formats that your organization may not use — such as .vbs, .exe and .scr. By customizing your anti-spam settings to recognize and block these extensions, you can keep employees from seeing and accidentally clicking on them.
Ransomware is delivered through social engineering attacks or cons, and companies often fall victim and have to pay large ransoms because employees simply didn’t know they were being targeted, or expected spam settings and anti-ransomware to filter out phishing emails for them. When people don’t know they have to remain vigilant, phishing attacks often succeed.
The best way to protect your business against social engineering attacks is to train your users, so they’re armed with the knowledge that will help them understand, not be tricked by, and report these scams. While some phishing attacks are quite sophisticated and may fool even savvy users, the most common phishing attacks can be combated by security awareness training and basic cyber hygiene. Ongoing training is the best way to keep employees secure; regular training will keep them up to date on the latest ransomware and phishing trends as well as remind them of their role in keeping your organization safe. Your training should regularly cover the best practices listed below.
A suspicious email might be sent by a stranger or an obvious fake company, but it can also be sent by someone you think you know. Sometimes cybercriminals compromise an individual’s email account and send malicious links to their contact lists. Phishing emails also often pretend to be messages from vendors you work with, such as delivery services, or banks. If the message seems odd, or if you don’t usually receive notifications like it, don’t open it.
So you’ve opened a malicious email or social media message before realizing it was suspicious. Now what? If any links look suspicious, don’t click on them, no matter who it comes from. A friend or colleague may be compromised. If a link looks suspicious, contact your friend using another method and ask them about the link.
Obviously, you should never fill out any form sent to you in an email, nor should you send sensitive email to a potential phisher through email, but this also applies to social media. When you post personal information publicly, cybercriminals may find it and use it to tailor phishing scams to you that may be difficult to separate from the real thing.
Many spammers aren’t exactly subtle. Set up your mail server to block the addresses of known and suspected spammers. They can’t attack if their emails can’t get through. Use strong spam filters and consider using tools such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM).
We mentioned file extensions earlier, but it’s worth repeating: pay attention to file extensions that might not be the sort of extensions you commonly use at work, like .exe, exe, .vbs, or .scr. Pay attention to file extensions that appear to be stacked, like .doc.exe. These are meant to confuse users and entice them to click on executable files like ransomware.
One way to see extensions easily is to use the Show File Extensions feature, a Windows feature that allows users to tell which sorts of files are attached to an email. This will help users from mindlessly clicking on a link without seeing its file extension.
Sometimes ransomware is hidden in attachments containing compressed or archived files. Adjust your security software to scan for these attachments, and don’t automatically unzip those files.
You wouldn’t open a suspicious attachment, so don’t download from sites you don’t completely trust. Look at the website addresses in the URL bar. If the prefix is HTTPS, it’s likely a secure site.
It’s not enough to educate users about proper cybersecurity hygiene. You should also be testing them. Regular phishing simulations are an excellent way to make sure everyone is steering clear of suspicious emails and attachments. After all, practice makes perfect.
Ransomware attacks can be debilitating for an organization, particularly if a ransom is paid and proprietary information is released anyhow. With this in mind, stress to employees that they don’t have to be sure an email is suspicious to report it. Whenever they see something odd, they should report it. It’s security’s job – not theirs — to investigate.
Bad actors are always looking for holes in your defenses, and they’re counting on your team not to patch your software and operating system in a timely fashion. The longer it takes to patch a vulnerability, the more of a chance a bad actor has of finding and exploiting one. Criminals write malware to exploit known security loopholes in software, so if you don’t update, you’re leaving yourself vulnerable to ransomware like the WannaCry cryptoworm, which was designed to exploit unpatched or older unsupported versions of Windows.
If you think you’re being compromised by ransomware, turn off your Internet immediately. Most ransomware needs to establish a connection with its command and control (C&C) servers in the early stages of an attack so that it can complete its encryption routine. If the ransomware can’t make contact with the Internet, it won’t be able to do that. That will also provide your team an opportunity to find and remove the ransomware before it can do any damage.
Another countermeasure that can help head off an attack in the early stages is anti-virus and anti-malware software. Installing anti-virus and malware software on your email server can help to stop those viruses before they get started.
Create an approved list of applications that you deem trustworthy. These are the applications your users can use and your systems can run. If there’s a new application a user wants to introduce, it should be rigorously vetted before being added to the allowed list. Those that aren’t allied should be blocked.
Cybercriminals often target plug-ins as a way of infecting your devices. This can be a problem because these plug-ins are often standard on some websites. Update them regularly, as you would with software, or block them entirely.
Firewalls are critical parts of a defense strategy. They keep unauthorized users out of networks and devices and can protect your network from ransomware attempting to infect your machines.
Use the principle of least privilege to make sure that while every user and every module in your network can access the information they need to perform their jobs, but no more. Access management will force you to review the permissions you’ve granted and will help you limit the number of endpoints through which ransomware can enter your network.
Programs like AutoPlay, Windows Script Host, and PowerShell may help ransomware do its job by automatically running .VBS files or executing ransomware. If you don’t use these applications in your daily work, consider disabling them and other macros.
Although many ransomware attacks happen through email, pop-ups can also be a common attack vector. Use a browser add-on to block pop-ups.
Bad actors expect weak passwords. They’re looking for weak or default passwords that will allow them to force their way into your system. Require your users to use strong, unique passwords, and implement password management strategies, like two-factor identification and other best practices, to attackers from getting into your system by typing one of the most common passwords: 123456. That’s a terrible way to have your most valuable information compromised.
People are curious. If they are sent a USB, or if they find one, they want to know what’s on it. The problem is, what’s on it could be ransomware. Cybercriminals often trojanize media devices like CDs and USBs and then attempt to get them into users’ hands at targeted organizations. Avoid this by educating your users and avoiding unfamiliar media.
Let’s say a user clicks a link they shouldn’t have and their machine is infected. By turning file-sharing off, you can isolate the infected device from the rest of the network and protect your organization and assets.
The last thing you want is to see your cursor moving on its own, and the horror of realizing a cybercriminal is in control of your machine. The Remote Desktop Protocol has long been used by bad actors to get into your network, so disable remote services to help keep them out.
If your machines have wireless settings you’re not using, like Bluetooth and infrared ports, turn them off so that bad actors can’t use those connections to infiltrate your devices.
By blocking known malicious Tor IP addresses, you can cut some ransomware off from their C&C servers, which may help keep them from infecting your network.
The threat landscape is always changing, and that applies to ransomware. Criminals are always changing their tactics, devising new attacks, and coding new ransomware. By keeping an ear to the Internet and threat intelligence feeds, you can keep up with the newest risks and changing threats.
If your organization has one big network, ransomware can access your entire organization’s digital infrastructure. Think of it as a building. If an attacker is in a building, they might be able to move around freely, but if the building is segmented into different apartments, they might compromise one or even two, but they won’t get into every apartment. Limit access by segmenting your network. You might use a different segment for every department, segment according to business processes, or even simply place easily-compromised devices (like IoT devices) on their own segments.
No matter how good your security and cyber hygiene is, you need to constantly monitor your systems for threats and vulnerabilities. By running scans regularly, you can detect suspicious behavior that may indicate ransomware early. Such monitoring is your second line of defense against ransomware; if you see malicious activity in your system, your team can then move to isolate the malware and protect your assets.
If an attacker does get into your systems and hold your data for ransom, it’s critical that you have back-ups of your system, locally, and off-site. The rule of thumb is to have three back-ups in different locations so that intruders won’t be able to access at least one of them. That will allow you to wipe your old system, and rewrite it with the backed up data, rather than having to pay a ransom and hoping the attackers keep their word and return your data.
Back-ups aren’t the only way to recover your data in the event of a ransomware attack. By creating regular restore points, you may be able to recover your system if an attacker locks you out of your network.
Your most critical data may benefit from not being connected to the Internet at all. This may seem unrealistic — after all, your business is likely to need the Internet. However, if your most important data simply can’t be compromised, you may benefit from keeping certain network segments, servers, or devices away from the Internet.
Your third parties, like vendors and partners, may have access to your systems and networks. Ransomware that affects them may affect your organization as well, or attackers may try to use a less-protected third party to compromise your data and networks. Combat this by vetting your vendors thoroughly before onboarding them, and by making sure they only have access to protected segments of your network.
It’s important to be able to see the vulnerabilities of your entire extended enterprise at a glance so you can see where, exactly, ransomware and other malware might be able to get into your network. Are your endpoints unsecured? Has it taken your team too long to patch your software? Have bad actors been talking about your organization online? SecurityScorecard’s Security Ratings let you see your security posture at a glance, giving you easy-to-read A-F ratings across ten groups of risk factors including DNS health, IP reputation, web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence. By understanding your security posture, and how to correct any issues that arise, you’ll be able to protect your organization against ransomware and other cyber threats.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.