Cybersecurity In-Depth

The Edge

How Ransomware Defense Is Evolving With Ransomware Attacks

As data exfiltration threats and bigger ransom requests become the norm, security professionals are advancing from the basic "keep good backups" advice.

Be Prepared: Backup and Network Segmentation
If you're not already backing up data regularly, then you are missing one of the simplest, most effective ways to avoid being forced to pay a ransom.

Aleem recommends a reliable offline backup solution.

"We're usually notified after an attack has happened, so at this stage prevention isn't entirely possible. However, we've seen that ransomware does not encrypt all files at once, so we usually advise organizations to disconnect large file storage and systems while we identify the specific malware to block it using our EDR tools."
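Aleem's observation that encryption unfolds over minutes rather than all at once is what makes a tripwire practical. The following is an added example, not code from the article or from any vendor quoted in it: a per-host detector over constructed file-write events from a file share. It treats a write as encryption-like when a document is rewritten as near-random bytes (Shannon entropy close to 8 bits per byte) or a file gains an unknown extension, deliberately ignores formats such as ZIP or JPEG that are high-entropy by nature, and recommends disconnecting the share from a host once several such writes land within a short window. The host names, paths, thresholds and event format are assumptions.

```python
"""Added example (not from the article): a tripwire for encryption-in-progress
on a file share, fed with constructed file-write events."""
import math
import os
from collections import defaultdict, deque

HIGH_ENTROPY = 7.2      # bits per byte; ciphertext and compressed data sit near 8.0
WINDOW_SECONDS = 60     # how long a host's suspicious writes are remembered
TRIP_COUNT = 5          # suspicious writes per host per window before we cut it off

# Formats that are legitimately high-entropy (already compressed): never judge these by entropy.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4"}
# Formats that should never suddenly be written as ciphertext.
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte distribution (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(path, content, renamed_to=None):
    """One write looks like encryption in progress if the file gained an unknown
    extension (a.docx -> a.docx.locked) or a document was rewritten as ciphertext."""
    ext = os.path.splitext(path)[1].lower()
    if renamed_to is not None:
        new_ext = os.path.splitext(renamed_to)[1].lower()
        if new_ext not in DOC_EXTS | COMPRESSED_EXTS:
            return True
    return ext in DOC_EXTS and shannon_entropy(content) >= HIGH_ENTROPY


class EncryptionTripwire:
    """Per-host sliding-window counter: many suspicious writes in a short time
    means the share should be disconnected from that host."""

    def __init__(self, window=WINDOW_SECONDS, trip=TRIP_COUNT):
        self.window = window
        self.trip = trip
        self.recent = defaultdict(deque)   # host -> timestamps of suspicious writes
        self.isolated = set()

    def observe(self, ts, host, path, content, renamed_to=None):
        """Feed one write event; returns an action string when the host trips, else None."""
        if host in self.isolated or not is_suspicious(path, content, renamed_to):
            return None
        q = self.recent[host]
        q.append(ts)
        while q and q[0] < ts - self.window:   # drop writes older than the window
            q.popleft()
        if len(q) >= self.trip:
            self.isolated.add(host)
            return f"ISOLATE {host}: {len(q)} encryption-like writes within {self.window}s (last: {path})"
        return None


# Constructed sample data (hypothetical hosts and paths).
ENCRYPTED_LIKE = bytes(range(256)) * 4     # uniform bytes: entropy exactly 8.0
TEXT_LIKE = b"Quarterly revenue grew 4% on stronger services demand. " * 20

SAMPLE_EVENTS = [  # (ts, host, path, content, renamed_to)
    (0, "ws-04", r"\\fs01\finance\q3-notes.txt", TEXT_LIKE, None),
    (2, "ws-04", r"\\fs01\finance\photos.zip", ENCRYPTED_LIKE, None),   # compressed: expected
    (30, "ws-04", r"\\fs01\finance\old.docx", ENCRYPTED_LIKE, None),    # one odd write: not enough
] + [
    (5 + i, "ws-17", rf"\\fs01\finance\report-{i}.docx", ENCRYPTED_LIKE,
     rf"\\fs01\finance\report-{i}.docx.locked")
    for i in range(8)                                                    # bulk rename+rewrite
]


def run_demo(events=SAMPLE_EVENTS):
    """Replay events in time order; returns (actions emitted, hosts isolated)."""
    tripwire = EncryptionTripwire()
    actions = []
    for ts, host, path, content, renamed_to in sorted(events, key=lambda e: e[0]):
        action = tripwire.observe(ts, host, path, content, renamed_to)
        if action:
            actions.append(action)
    return actions, tripwire.isolated


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The thresholds are starting points, not tuned values: bulk compression jobs and backup agents also write high-entropy data, so baseline normal activity before acting on a trip, and use the tripwire to decide when to pull the share while the EDR lookup the quote describes identifies the specific malware.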

"The main thing that I urge every organization to do is to patch vulnerabilities quickly and to build a robust backup strategy for data in order to diminish the harm that ransomware can do," adds Jeff Horne, CSO at security firm Ordr. "Backup with redundancy, and offline backup specifically, and a strategy to restore systems quickly is ultimately the way you can defeat this."

Lateral movement throughout a network is another hallmark move for ransomware. But Sivan Tehila, director of solution architecture at Perimeter 81, says network segmentation can minimize damage.

"Network segmentation is key so that the attacker can't move laterally through the network and encrypt more data," she says.

Ensuring backups and segmentation are in place is part of an essential, overall examination of how prepared a security team is to defend against an attack, says Sandra Joyce of Mandiant Threat Intelligence.

"What we advise organizations to do is really take a look at how prepared they are. This could be making sure that networks are segmented, ensuring you have a real plan that you've table-topped with your executive team. Do you have backups? Do you have a way to fall back to data that you already have that is secured?" 

Awareness Training
We all know the mantra: It starts with the end user. Phishing is still the easiest way in for ransomware. Training employees on what to recognize still goes a long way, says Rick Vanover of Veeam Software.

"Non-technical topics, such as training on social engineering awareness, email training and the simple steps of following established rules are very valuable," he says.

"The first line of defense is educating employees to ensure they can recognize phishing attempts and respond properly," adds Ordr’s Horne.

Evaluate Policies
A thorough evaluation of access policies, especially those concerning privileged access rights, is another area to look at when it comes to ransomware preparedness, says Adam Laub, general manager of Stealthbits.

"One approach that is proving quite effective involves organizations eliminating the troves of administrative accounts that maintain standing privileged access rights across all systems and applications enterprise-wide," says Laub. "Attackers and malware have come to rely on this condition to move laterally, escalate privileges and eventually gain unfettered access to business-critical systems, accounts and applications."
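Tehila's segmentation point and Laub's point about standing administrative rights are two halves of the same lateral-movement problem, and it helps to see how they interact. The following is an added example, not code from the article or from Perimeter 81 or Stealthbits: it models a small constructed estate (hypothetical host, segment and account names) and computes the hosts an attacker can take over from one compromised workstation, where each hop needs both a firewall-permitted network path and a harvested credential that is admin on the target. It then compares a flat network against a segmented one, and a service account with standing admin rights on every host against the same account converted to just-in-time elevation with no persistent logon sessions.

```python
"""Added example (not from the article): blast radius of one compromised host
under flat vs segmented networks and standing vs just-in-time admin rights."""

# Constructed inventory (hypothetical names): which network segment each host sits in.
SEGMENTS = {
    "ws-01": "users", "ws-02": "users",
    "fs-01": "servers", "db-01": "servers",
    "bk-01": "backup",
}

# Firewall policy: segment -> segments it may open connections to (SMB/RDP/WinRM).
FLAT_NETWORK = {seg: {"users", "servers", "backup"} for seg in ("users", "servers", "backup")}
SEGMENTED_NETWORK = {
    "users": {"users", "servers"},   # workstations reach servers, never the backup tier
    "servers": {"servers"},
    "backup": set(),                 # the backup host pulls data; nothing initiates to it
}

# Standing admin rights: account -> hosts where it is a local administrator all the time.
STANDING_ADMINS = {
    "svc-deploy": {"ws-01", "ws-02", "fs-01", "db-01", "bk-01"},  # one account, admin everywhere
    "helpdesk": {"ws-01", "ws-02"},
    "dba": {"db-01"},
}

# Logon sessions whose credentials an attacker with SYSTEM on that host can harvest.
SESSIONS = {
    "ws-01": {"helpdesk", "svc-deploy"},
    "ws-02": {"helpdesk"},
    "fs-01": {"svc-deploy"},
    "db-01": {"dba", "svc-deploy"},
    "bk-01": {"svc-deploy"},
}


def blast_radius(start, network, admins, sessions):
    """Hosts the attacker controls after compromising `start`.

    A hop to `target` needs a permitted network path from an owned host AND a
    harvested credential that is admin on `target`; every newly owned host
    yields its own cached credentials, so iterate to a fixpoint."""
    owned = {start}
    creds = set(sessions.get(start, ()))
    changed = True
    while changed:
        changed = False
        for host in list(owned):
            for target, target_seg in SEGMENTS.items():
                if target in owned:
                    continue
                if target_seg not in network[SEGMENTS[host]]:
                    continue            # firewall blocks this hop
                if not any(target in admins.get(c, ()) for c in creds):
                    continue            # no usable admin credential in hand
                owned.add(target)
                creds |= sessions.get(target, set())
                changed = True
    return owned


def without_standing_admin(admins, sessions, account):
    """Model converting `account` to just-in-time elevation: no permanent admin
    rights and no persistent logon sessions left around to harvest."""
    new_admins = {a: set(h) for a, h in admins.items() if a != account}
    new_sessions = {h: s - {account} for h, s in sessions.items()}
    return new_admins, new_sessions


def run_scenarios(start="ws-01"):
    """Compare the four combinations of the two controls from the same foothold."""
    jit_admins, jit_sessions = without_standing_admin(STANDING_ADMINS, SESSIONS, "svc-deploy")
    return {
        "flat + standing admin": sorted(blast_radius(start, FLAT_NETWORK, STANDING_ADMINS, SESSIONS)),
        "segmented + standing admin": sorted(blast_radius(start, SEGMENTED_NETWORK, STANDING_ADMINS, SESSIONS)),
        "flat + JIT admin": sorted(blast_radius(start, FLAT_NETWORK, jit_admins, jit_sessions)),
        "segmented + JIT admin": sorted(blast_radius(start, SEGMENTED_NETWORK, jit_admins, jit_sessions)),
    }


if __name__ == "__main__":
    for scenario, hosts in run_scenarios().items():
        print(f"{scenario:28} -> {len(hosts)} hosts: {', '.join(hosts)}")
```

Running the scenarios shows the two controls are complementary rather than interchangeable: segmentation alone keeps the backup tier out of reach but still loses every workstation and server to the one over-privileged service account, while removing that account's standing rights alone confines the attacker to the two hosts the helpdesk account can administer, even on a flat network. This fixpoint over network paths and credential reuse is the same computation that attack-path graphing tools perform against a real directory at scale.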

Andy Michael, founder of VPN Testing, says to go further and revise policies to stop allowing employees onto sites that are known ransomware traps.

"Want to get real serious about defending against ransomware on company computers?" he says. "Then you should block all social media sites on company property. Most ransomware attacks come through social media activity, so limit social media activity on computers used for company work."