Ransomware Prevention Best Practices
How to Prevent Ransomware Infections
What Ransomware Is and How It Works
Ransomware. That single word is foremost in the mind of so many IT managers the world over, and for good reason. Ransomware remains one of the most daunting cyber threats today. In 2023 alone, nearly one-quarter of attacks involved ransomware.
Ransomware is a type of malicious software that encrypts the sensitive files or critical systems of a victim, rendering them inaccessible and thereby disrupting business services and operations. Numerous types of ransomware strains exist with new variants constantly emerging.
The primary aim of ransomware operators is to coerce the victim into paying a ransom, often in hard-to-trace cryptocurrency, in exchange for a decryption key that can restore the files to their original state. But today, these threat actors often employ a dual extortion strategy, in which they exfiltrate an organization's data before encrypting it. Threatening to publish or sell the stolen data unless the ransom is paid provides additional leverage to ensure they are paid the ransom even if the victim manages to independently restore their files.
Given the steep financial impact of ransomware, many organizations prioritize ransomware protection as a key objective.
Top Targets of Ransomware Attacks
Ransomware has evolved into a business model, often orchestrated by highly organized groups with a singular focus: monetary gain. While these cybercriminals once indiscriminately targeted entities ranging from individuals to global companies, they have become more strategic: The attackers frequently target organizations that are likely to yield quick and substantial payouts. The manufacturing and healthcare sectors, along with small government municipalities that often lack adequate personnel or resources for self-recovery, are common targets of these calculated ransomware attacks.
How Ransomware Attacks Unfold
Ransomware attacks seldom occur all at once. The most effective ransomware attacks typically involve a multi-stage process that can span days, weeks or even months:
- Stage 1: Ransomware is delivered to the target, for example, through an email with an embedded link or an infected attachment. Interaction with these elements downloads the initial malicious payload, which establishes a connection with the attacker’s command and control (C&C) server.
- Stage 2: Attackers use this C&C connection to funnel in additional tools to execute the attack. They perform reconnaissance to survey the victim’s network, pinpoint high-value data and assess security measures. During this stage, they may copy sensitive information to an external location to be used as secondary leverage in the extortion process.
- Stage 3: This phase marks the commencement of encryption. Attackers might first target the victim’s backup systems, aiming to undermine data restoration capabilities. Once the encryption process is complete, a ransom demand is issued, detailing payment instructions. Negotiations may ensue, potentially leading to a reduced ransom payment.
Paying a Ransom vs. Using Tools to Prevent a Ransomware Infection
Deciding whether to pay a ransom is a challenging dilemma. Paying can seem like a quick solution, but it comes with no assurance that the attackers will provide a decryption key. Moreover, there's evidence suggesting that paying a ransom can encourage future attacks. As a result, agencies like the FBI advise against paying.
Choosing not to pay, however, exposes the organization to the extensive costs and complexities of remediation. Recovering from a ransomware attack can take days or weeks, which can impact revenue and lead to lasting damage to the company’s reputation and customer trust. Indeed, the expenses associated with downtime and recovery efforts can surpass the ransom demand.
This reality underscores the importance of investing in robust security measures to detect and neutralize ransomware attacks in time to minimize damage.
How to Prevent Ransomware Attacks: Best Practices
There is no way to prevent every ransomware attack, and no single technology protects against ransomware on its own. However, following these ransomware prevention best practices will help you minimize the risk of ransomware infections and limit the damage that a successful attack could do:
- Avoid giving users administrative rights on their machines, since any malicious files they download will inherit these elevated permissions. If a user needs elevated access, create a separate user account with the specific privileges needed.
- Develop a thorough incident response plan to quickly thwart ransomware attacks in their early stages. Regular review and rehearsal of the incident response plan are essential to maintain its effectiveness and preparedness of the team.
- Enhance cybersecurity awareness with regular training for all employees. In particular, teach them how to identify suspicious email attachments and weblinks, since phishing attacks are a primary method for distributing ransomware. It is also important to assess their mastery of the material with test emails.
- Ensure that your antivirus software, endpoint protection and other security solutions, along with their databases, are kept updated.
- Keep all operating systems and applications fully patched and current so that known vulnerabilities cannot be exploited. Always test new software updates in a lab before applying them in production.
- Disable the SMB v1 network communication protocol on all servers and workstations, as this will help prevent common ransomware strains like WannaCry from spreading across your network. The screenshot below shows SMB v1 disabled on Windows Server.
- Close all unnecessary ports in your firewalls. In particular, make sure that port 3389, used for Remote Desktop Protocol (RDP), is closed, as it is a common target for exploitation by hackers.
- Implement network segmentation. Dividing a larger network into smaller, isolated segments limits the spread of ransomware if one segment gets infected. Segmented networks also facilitate easier monitoring and quicker detection of suspicious activity.
- Keep your permissions structure clean and maintain a strict least-privilege model. Since ransomware can access only the files the victim account has access to, this strategy will limit the amount of data that can be encrypted.
- Confine user-owned devices to a guest network. This network should direct all traffic straight to the internet while blocking access to the internal network, protecting local resources.
- Block known ransomware extensions using File Server Resource Manager.
- Incorporate sandboxing and honeypot strategies into your security program. Sandboxing involves using a secure, isolated environment to run and analyze suspicious programs without risking the main network or system, while honeypots are decoy systems or resources set up to attract and analyze cyberattacks.
- Use a data loss prevention (DLP) solution to protect your on-premises and cloud data.
- Consider implementing threat intelligence-based management, which provides insights into emerging threats and attack patterns. This knowledge enables organizations to proactively strengthen their defenses, tailor their security strategies and swiftly respond to ransomware attacks, thereby significantly reducing the risk of successful intrusions and data breaches.
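The SMB v1 removal recommended above, as an added example that is not part of the original article: it first audits which clients still speak SMB1 (so legacy NAS units, printers and scanners can be found before they break), then disables and uninstalls the protocol on both the server and client side. It assumes an elevated Windows PowerShell session on Windows Server 2016 / Windows 10 or later.

```powershell
# Added example, not from the article: audit SMB1 use, then remove SMB1 on this host.

# 1. Audit first: each SMB1 client access is logged as event 3000 in the SMBServer/Audit log.
#    Leave auditing on for a few days and review the log before cutting anything off.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
$smb1Clients = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
if ($smb1Clients) {
    Write-Warning 'Clients still using SMB1 (fix these before disabling):'
    $smb1Clients | Select-Object TimeCreated, Message | Format-Table -Wrap
}

# 2. Stop the server side from accepting SMB1 (effective immediately, no reboot needed)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Remove the SMB1 components so the protocol cannot quietly be re-enabled
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # ProductType 1 = workstation
if ($isServer) {
    Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false | Out-Null
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 4. Client side: stop this host from initiating SMB1 sessions to other machines.
#    mrxsmb10 is the SMB1 redirector; drop it from the workstation service's dependencies.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 5. Verify. The client-side change only takes full effect after a reboot.
[pscustomobject]@{
    ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1Feature       = if ($isServer) { (Get-WindowsFeature -Name FS-SMB1).InstallState }
                        else { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State }
    Smb1ClientDriver  = (Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'").StartMode
}
```

Push the same settings to the fleet through a GPO or configuration management rather than running this by hand on every host, and keep the audit log in step 1 forwarded to the SIEM until no event 3000 entries remain.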
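The File Server Resource Manager file screen mentioned above, as an added example that is not part of the original article: it builds a file group of ransomware-style file names, a template in active (blocking) mode with an event notification, and applies it to a share root. The share path and the patterns are constructed samples; the real list should be maintained from a current threat source, and a strain that uses random extensions will not trip an extension-based screen.

```powershell
# Added example, not from the article: FSRM file screen that denies writes of files matching
# ransomware-style names and logs who tried. Run elevated on the file server.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares'                        # assumption: root of the file shares
$groupName = 'Ransomware extensions'
$patterns  = @('*.encrypted', '*.locked', '*.crypt', '*-decrypt-instructions.txt')   # constructed sample list

# File group: the patterns the screen matches against files created or renamed under the path
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# Notification: an Application-log warning naming the user and file that tripped the screen.
# [Source Io Owner], [Source File Path] and [File Screen Path] are FSRM message variables.
$alert = New-FsrmAction -Type Event -EventType Warning -Body (
    'Blocked ransomware-pattern write of [Source File Path] by [Source Io Owner] on [File Screen Path]')

# Template in active mode: matching writes are denied, not merely logged
$tpl = 'Block ransomware extensions'
if (-not (Get-FsrmFileScreenTemplate -Name $tpl -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $tpl -IncludeGroup $groupName -Active -Notification $alert | Out-Null
}

# Apply the screen to the share root; it is inherited by every folder below it
if (-not (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $sharePath -Template $tpl | Out-Null
}

# Verify. From a client, creating a file such as test.locked on the share must now fail
# with "access denied", and the warning above must appear in the server's Application log.
Get-FsrmFileScreen -Path $sharePath | Select-Object Path, Active, IncludeGroup
```

Forward the resulting Application-log warnings to your SIEM: the first blocked write names the account and share, which is exactly the "source computer" the detection section below tells you to take offline.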
Best Practices for Using Group Policy to Stop Ransomware
Group Policy provides a variety of settings that help minimize the risk of a ransomware infection. Some of these include the following:
- Display file extensions. Attackers sometimes disguise malicious software with double file extensions. For example, a file named "invoice.pdf.exe" might appear as "invoice.pdf" if extensions are hidden, misleading users into thinking it's a harmless PDF. By displaying file extensions, users are more likely to spot suspicious files with executable extensions (.exe, .vbs, .scr, etc.) masquerading as safe file types. You can create a Group Policy object (GPO) using Group Policy Preferences to show file extensions on user workstations so users can see the double file extensions. An example is shown below.
- Disable AutoPlay and Autorun on all workstations. This important Group Policy setting prevents the automatic execution of potentially malicious software from external media like USB drives. You can use Group Policy Administrative Templates to disable Autoplay for external drives as shown below.
- Establish a secure password policy and an account lockout policy. Preventing adversaries from taking over user accounts reduces the chance of a ransomware infection. In Active Directory domains, this can be achieved through the default domain policy, which enforces standards like minimum password length, minimum password age and password complexity requirements.
- Block the use of removable USB drives. This Group Policy setting will not only reduce the spread of malware infections but also help prevent unauthorized data transfer.
- Use AppLocker to create allow and deny lists. These lists enable you to control what software can be used on enterprise machines and block the execution of unauthorized applications.
- Enable Windows Defender SmartScreen. This blocks access to known malicious sites, which reduces the risk of a user inadvertently triggering a ransomware infection by falling victim to a phishing email.
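The first, second and fourth items above (show file extensions, turn off AutoPlay, block removable disks) as one GPO, added here as an example that is not part of the original article. It uses registry-based policy values through the GroupPolicy RSAT module rather than the Group Policy Preferences item in the screenshot; the GPO name and the target OU are assumptions.

```powershell
# Added example, not from the article: one GPO carrying three anti-ransomware settings.
# Requires the GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy
$gpoName  = 'Ransomware Hardening - Workstations'        # assumption
$targetOu = 'OU=Workstations,DC=corp,DC=example'         # assumption: OU holding user PCs

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Show extensions, disable AutoPlay, block removable disks' | Out-Null
}

# 1. Show file extensions so "invoice.pdf.exe" is visible as such (HideFileExt 0 = show).
#    This value lives in the per-user hive, so it lands in the User Configuration half of the GPO.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -ValueName 'HideFileExt' -Type DWord -Value 0 | Out-Null

# 2. Turn off AutoPlay on all drive types (0xFF is the "all drives" bitmask) and refuse autorun commands
$explorerPolicy = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerPolicy -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorerPolicy -ValueName 'NoAutorun' -Type DWord -Value 1 | Out-Null

# 3. Removable Disks: Deny all access (the GUID is the removable-disk class used by this policy)
$removable = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Set-GPRegistryValue -Name $gpoName -Key $removable -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU unless it is already linked there
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Verify what the GPO now carries; on a client, "gpupdate /force" followed by gpresult /h confirms application
Get-GPRegistryValue -Name $gpoName -Key $explorerPolicy | Select-Object ValueName, Value
Get-GPRegistryValue -Name $gpoName -Key $removable      | Select-Object ValueName, Value
```

Pilot the removable-disk denial on one OU first: it also blocks legitimate USB workflows, so pair it with an approved exception list before linking it domain-wide.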
Best Practices for Detecting and Responding to Ransomware Attacks
In addition to prevention measures, you also need detection and response strategies. The sooner you can detect a ransomware attack, the quicker you can contain it and mitigate it to minimize damage to the business. The following best practices can help:
- Implement an intrusion detection and prevention system that performs monitoring and analysis of network traffic.
- Monitor your file servers for the modification of large numbers of files with various file extensions in a brief timeframe. If such activity is observed, promptly take the source computer offline.
- Maintain a complete and up-to-date inventory of all your servers, workstations, access points, cybersecurity devices and other business equipment, including their network addresses, so you can quickly find the source of an attack and isolate it.
- If you detect a rogue or unknown process on a server or user device, immediately disconnect that machine from the network or disable it. Then conduct a thorough investigation to understand and mitigate any potential risks.
- Beware of system notifications demanding money to decrypt your files — some may be fake cases in which no encryption took place.
- Even if you've already confirmed a ransomware infection, do not pay the perpetrators. You may not get your data back, and they are likely to keep attacking to get you to pay them again.
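The file-server monitoring described in the second item above, as an added example that is not part of the original article: a watcher that raises an alert when many files with many different original extensions are changed or renamed under a share inside a short window, then lists the SMB clients holding the most open handles under that share so the responder knows which machine to isolate. It assumes Windows PowerShell running on the file server; the path and thresholds are constructed values to be tuned to the share's normal churn.

```powershell
# Added example, not from the article: mass-modification detector for a Windows file share.
$cfg = @{ Root = 'D:\Shares'; Window = 60; FileMin = 200; ExtMin = 5 }   # assumptions: path, seconds, counts
$global:RwEvents    = [System.Collections.Generic.List[object]]::new()
$global:RwLastAlert = [datetime]::MinValue

function global:Test-MassModification {
    param([object[]]$Events, [int]$FileMin, [int]$ExtMin)
    # True when the recent events touch at least FileMin distinct files spanning ExtMin extensions
    $files = @($Events.Path | Select-Object -Unique)
    $exts  = @($files | ForEach-Object { [IO.Path]::GetExtension($_).ToLowerInvariant() } | Select-Object -Unique)
    return ($files.Count -ge $FileMin -and $exts.Count -ge $ExtMin)
}

function global:Get-LikelySource {
    param([string]$Root)
    # The SMB client holding the most open handles under the share is the first suspect
    Get-SmbOpenFile | Where-Object { $_.Path -like "$Root*" } |
        Group-Object ClientComputerName, ClientUserName | Sort-Object Count -Descending |
        Select-Object -First 3 Name, Count
}

$handler = {
    $e = $Event.SourceEventArgs; $c = $Event.MessageData; $now = Get-Date
    # For renames, judge the extension by the original name: ransomware appends its own
    $orig = if ($e -is [IO.RenamedEventArgs]) { $e.OldFullPath } else { $e.FullPath }
    $global:RwEvents.Add([pscustomobject]@{ Time = $now; Path = $orig })
    # Keep only the sliding window
    $global:RwEvents = [System.Collections.Generic.List[object]]@(
        $global:RwEvents | Where-Object { ($now - $_.Time).TotalSeconds -le $c.Window })
    if (($now - $global:RwLastAlert).TotalSeconds -gt $c.Window -and
        (Test-MassModification -Events $global:RwEvents -FileMin $c.FileMin -ExtMin $c.ExtMin)) {
        $global:RwLastAlert = $now
        Write-Host "[$now] Mass file modification under $($c.Root); likely source(s):" -ForegroundColor Red
        Get-LikelySource -Root $c.Root | Format-Table -AutoSize | Out-String | Write-Host
        # Responder's next step: Close-SmbSession -ClientComputerName <host> -Force, then isolate that host
    }
}

$watcher = [IO.FileSystemWatcher]::new($cfg.Root)
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true
foreach ($name in 'Changed', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -Action $handler -MessageData $cfg | Out-Null
}
Write-Host "Watching $($cfg.Root) (Ctrl+C to stop)"
while ($true) { Start-Sleep -Seconds 5 }
```

Calibrate FileMin and ExtMin against a week of normal activity (nightly batch jobs and backup agents also touch many files), and write the alert to the event log or SIEM instead of the console once the thresholds are settled.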
Best Practices for Ensuring You Can Recover from a Ransomware Attack
To help ensure you can recover from a ransomware attack without resorting to the risky option of paying the attackers, follow these best practices:
- Make regular backups of all your sensitive data, systems and core settings. Be sure to keep several backup iterations and store them out of reach of ransomware (offline or in the cloud). Having reliable backups will help you to restore your critical files quickly.
- Enable Windows File History so users can restore files saved before the ransomware infection.
- Attempt to determine the specific strain of ransomware affecting your system. If it's an older variant, the IT community may have resources and information to assist in your recovery efforts.
- Be aware that a successful ransomware attack does not necessarily encrypt all your files. Carefully assess which segments of your network were compromised and which were spared.
- Look into specialized anti-ransomware decryption solutions that can restore your data, including the list of free tools maintained by the No More Ransom organization.
- If you do suffer an attack, after restoring your data and operations, analyze the incident to identify and remediate gaps in your defenses to help prevent future infections.
Get a Free Ransomware Prevention Guide
Anyone experienced in mitigating ransomware attacks will attest that you can use all the help you can get. As the adage goes, "an ounce of prevention is worth a pound of cure." Knowing best practices for how to avoid ransomware and how to stop ransomware is significantly less expensive than recovering from it.
Netwrix offers a complimentary ransomware prevention guide crafted by experts seasoned in combating this threat. Even if you feel prepared, this guide may provide strategies you might not have previously considered. Download it today as an extra step in proactively safeguarding against ransomware.