Ransomware keeps spreading and keeps getting more damaging, with no sign of slowing down.
IBM Security found that the average total cost of a ransomware breach in 2021 was $4.62 million, not including the ransom itself.
SonicWall reported 623,254,877 known ransomware attacks globally in 2021, up 105% compared to 2020.
Ivanti, Cyber Security Works and Cyware reported that the number of new ransomware families grew by 26% in 2021, bringing the total to 157 families.
We believe you understand how bad it is, the cost trade-offs, and the impact on business and reputation. That’s why you’re on this page.
The #1 Misconception About Preventing Ransomware
The biggest misconception is that ransomware attacks applications. Ransomware does NOT target applications; it targets the files and data underneath them. That means securing application logins with two-factor authentication (2FA) does little by itself to prevent a ransomware attack, because the malware never needs to log in to the application.
Ransomware goes after your files and data: documents, database files, and the table data inside your databases. To reach your documents, attackers need access to your network shares (SMB). To reach your database files, they need operating-system access, typically via SSH or RDP (more on this below). To reach your table data, they need a database login.
Thus, the first best practice is NOT to rely on application security alone to defend against ransomware. The data does not live inside the applications; it lives in the databases and file shares those applications are allowed to reach. To get to that data, a ransomware attack’s first step is to gain an entry point.
Stages of a Ransomware Attack
1. Gain an Entry Point
Ransomware’s goal is to encrypt ALL of your organization’s files and data and/or steal your data. To do so, the attackers need an entry point. The most common entry point is an employee.
Cybercriminals commonly use phishing via email, social media and chat apps, drive-by downloads, fake login pages, file-sharing links and more. Their goal is to obtain credentials or to infect the device and take control of it, so they can gain further access to the company’s network.
Another method is the organization’s Virtual Private Network (VPN) or Remote Desktop Protocol (RDP) used for employee remote access. RDP listens on TCP port 3389 by default, and cybercriminals use internet-wide port scanners to find exposed instances. They then attempt access by brute-forcing credentials or by exploiting vulnerabilities in the VPN or RDP service itself. Once they are in, they can deploy the malware directly onto the machines under their control.
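The brute-force pattern described above is visible in the Windows Security log alone. The following is an added example written for this page, not Mamori code and not from the original article: it runs over a constructed sample of failed-logon (Event ID 4625) and successful-logon (4624) records, counts RDP failures per source address inside a sliding five-minute window, separates a brute-force attack on one account from a password spray across many accounts, and reports whether the same source later logged in as one of the accounts it was attacking. The thresholds, the address ranges and the sample events are assumptions.

```python
"""Flag RDP brute-force and password-spray attempts in failed-logon events.

Added example, not code from Mamori or from the original page. The input is a
constructed sample in the shape of Windows Security events: Event ID 4625
(failed logon) and 4624 (successful logon). LogonType 10 is RemoteInteractive
(RDP); LogonType 3 (Network) is also used when Network Level Authentication
sits in front of RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}

# Constructed sample, not real log data: (timestamp, event_id, target_user, source_ip, logon_type)
SAMPLE_EVENTS = [
    # An internet host hammering one account over RDP, then getting in.
    *[(f"2024-03-01T02:00:{s:02d}", 4625, "Administrator", "203.0.113.7", 10) for s in range(1, 9)],
    ("2024-03-01T02:00:12", 4624, "Administrator", "203.0.113.7", 10),
    # A second host trying one guess against each of several accounts (a spray).
    *[(f"2024-03-01T03:{m:02d}:00", 4625, user, "198.51.100.9", 10)
      for m, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # A staff member on the LAN mistyping a password once.
    ("2024-03-01T09:15:00", 4625, "jsmith", "10.0.0.5", 10),
    # A console logon failure (LogonType 2) is not RDP and is ignored.
    ("2024-03-01T09:16:00", 4625, "jsmith", "10.0.0.5", 2),
]


def detect_rdp_attacks(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP with >= threshold RDP failures inside any window.

    Each alert records the attack kind (one account hit repeatedly = brute force,
    several accounts hit = spray) and whether the same source later logged in
    successfully as one of the targeted accounts.
    """
    failures = defaultdict(list)   # source_ip -> [(time, user)]
    successes = defaultdict(list)  # source_ip -> [(time, user)]
    for ts, event_id, user, ip, logon_type in events:
        if logon_type not in RDP_LOGON_TYPES:
            continue
        record = (datetime.fromisoformat(ts), user.lower())
        if event_id == 4625:
            failures[ip].append(record)
        elif event_id == 4624:
            successes[ip].append(record)

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        best, best_users, start = 0, set(), 0
        for end, (t_end, _) in enumerate(fails):          # sliding window over sorted failures
            while t_end - fails[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_users = {u for _, u in fails[start:end + 1]}
        if best < threshold:
            continue
        targeted = {u for _, u in fails}
        first_fail = fails[0][0]
        later_success = sorted({u for t, u in successes.get(ip, []) if t >= first_fail and u in targeted})
        alerts.append({
            "source_ip": ip,
            "kind": "password_spray" if len(best_users) >= 3 else "brute_force",
            "failures_in_window": best,
            "accounts": sorted(best_users),
            "success_after_failures": later_success,   # non-empty means the attacker got in
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

Feed it the 4625/4624 events exported from your domain controllers or jump hosts. A non-empty success_after_failures is the alert that needs immediate action: a guessed credential now has an interactive session, which is exactly the foothold the rest of the attack chain builds on.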
2. Search and Scan the Network to Spread
Infecting a single device does limited damage and is easy to remediate. That’s why ransomware needs to spread across the company’s network to maximize damage, which increases the chance that the ransom demand is paid. To do so, the attacker must move laterally from the point of entry.
After gaining an entry point, the attacker’s next step is reconnaissance. They need to learn about the organization’s network, the hosts and applications around the compromised device, and where the valuable data lives. Common methods include port scanning, ARP scanning, and vertical TCP SYN scans (probing many ports on a single host).
3. Gain Access to Network Assets
At this stage, cybercriminals know the layout of the organization’s network. Their next step is to gain further access to other machines so they can maximize the assets they are able to encrypt.
This is when they begin harvesting additional credentials, such as an IT manager’s, to obtain administrator privileges on the network. At the same time, they modify registry keys, execute specific files or programs on the network, and try to reach the security management console to disable or bypass the organization’s security software. From here the attack becomes highly tailored, based on what they learned about the network while searching and scanning. The goal is to access, encrypt and exfiltrate all company files and backups in order to carry out a successful attack.
4. Encrypt, Rename, and Download Files
Once cybercriminals have access to mission-critical files, they begin encrypting them and replacing the originals with the encrypted copies. Most ransomware variants do this without taking down the IT infrastructure. Any backup files they can reach will be encrypted as well. Files are renamed (typically by appending a new extension), and Volume Shadow Copies are deleted to hamper recovery without the decryption key.
At the same time, they usually exfiltrate data by downloading critical or sensitive files from your network, and then threaten to publish that data in order to extort the organization into paying the ransom.
5. Demand Ransom
At this stage, the ransomware has bypassed all of your security controls. Cybercriminals demand a ransom payment once the organization’s critical files and backups are encrypted. Where they were unable to locate or encrypt the backups, they fall back on other leverage, such as threatening to publish sensitive information on the web.
Best Practices to Stop Ransomware at Each Stage
1. Preventing Ransomware from Gaining a Foothold
Email is the number one tool ransomware uses to gain an entry point. An effective spam filter can block the large majority of malicious emails (vendors commonly cite 99%) before they reach an employee’s inbox.
However, most spam filters rely on reputation databases keyed on the sender’s IP address and domain, and that reputation depends on signals such as bounce rates and whether recipients reported earlier mail as spam. A newly registered domain or a compromised legitimate mailbox has no bad reputation yet, so don’t be surprised when malicious emails pass the spam filter.
A newer control is DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication standard built on SPF and DKIM that stops other people from sending mail that spoofs your organization’s domains. It is more effective against spoofing, but configuring it and moving from a monitoring policy (p=none) to enforcement (p=quarantine or p=reject) is not simple, and it does nothing against look-alike domains the attacker registers or legitimate mailboxes they have compromised.
Attackers have also moved beyond email: Facebook, LinkedIn and other social media, and any messaging, chat or SMS channel, are now used as phishing tools.
Even when a phishing email gets through, an employee trained to recognize phishing can still prevent ransomware from getting a foothold. That training should cover the following:
Email attachments: malicious emails pretending to be legitimate may carry attachments posing as an invoice, a proposal or another important business document.
Website links: links may lead to fake login pages built to steal credentials, or to compromised web pages hosting drive-by downloads.
Sender name and domain: cybercriminals who know the names of employees or managers will send email in those names. Other times, having gained control of a legitimate domain, they send notices purporting to come from a legal department, claiming that you infringed on their rights. This is social engineering.
In addition, employees should be trained to report phishing attempts immediately, to use strong, unique passwords (and to store them in a password manager rather than in documents or spreadsheets), and to download files only from verified and known sources.
Even so, employees get careless or stumble onto a website with a drive-by download. When that happens, your next security layer is put to the test.
Good endpoint protection stops malicious files from executing and infecting devices, whether they arrive as a drive-by download or as an email attachment. Some endpoint products can also block bulk file encryption and interrupt command-and-control (C2) communication, the channel attackers use to issue commands to the infected device.
The problem is that most endpoint protection is only as good as its catalogue of known attacks, and it does not protect network shares or files from encryption by a process it has not flagged. Like spam filters, it relies on a database of known indicators (such as URL reputation for drive-by downloads), so novel attacks can still bypass it. And even when the vendor’s database is current, the agent on the employee’s device has to be up to date too.
Vulnerability Scanning and Patching
A vulnerability scanner identifies every endpoint on the network through which cybercriminals could potentially gain access.
Here’s how these tools typically work. First, the scanner discovers all the devices connected to the network. Then it scans each endpoint to compile a software inventory, listing the software versions installed on each device. The tool notifies the administrator of outdated software or exploitable services on each endpoint. It is then the administrator’s responsibility to patch them, and to do so quickly: an inventory of known-vulnerable versions is only useful if it shrinks.
Securing Remote Access
A Virtual Private Network (VPN) or Remote Desktop Protocol (RDP) used for employee remote access is another entry point for ransomware. The minimum level of security here is either two-factor authentication (2FA) or restricting access by source IP address; RDP in particular should never be exposed directly to the internet, but reached only through a VPN or gateway that enforces those controls.
At Mamori, we use a Zero-Trust security model for all remote access, which uses identity management, client IP, and integrates with log analytics. Try for free or schedule a demo to see how it works.
2. Block Searching and Scanning
Penetration Testing
Penetration testing searches for weaknesses in an organization’s systems and network by simulating a real attack. The goal is to find entry points and identify the weakest links so the organization can secure them before a criminal finds them.
This practice is best performed by third-party experts familiar with current attacker tradecraft. Penetration tests should be conducted at least once a year, and after any major infrastructure change, to uncover network weaknesses, outdated security policies, insecure system settings, weak passwords, software bugs, configuration errors and more.
Network Firewall
A network firewall provides many features that help prevent ransomware. It can secure remote access (VPN or RDP), as mentioned earlier. It can close non-essential open ports and restrict the essential ones. It can create a DMZ in which web traffic and attachments are analyzed before entering the network. It can help with micro-segmentation and intrusion prevention (more on both below). And it can enforce egress policies that stop ransomware from contacting its command-and-control server on the internet.
A solid firewall provides several layers of protection against ransomware. However, many advanced threats still get past it and remain hidden inside the perimeter. According to DomainTools, 55% of organizations said detecting advanced threats (hidden, unknown and emerging) was a top challenge for their security operations center.
Intrusion Detection
Intrusion detection systems analyze the traffic between devices on a network, including traffic crossing the firewall, by comparing it against thousands of known malicious signatures. Once suspicious traffic is flagged, analysts review the activity to determine whether something malicious was actually happening.
Although this is common best practice, the process relies on known signatures, so novel attacks may pass undetected. And having an analyst review the traffic takes time; by the time the review is finished, the ransomware may already have a foothold in the network.
A better approach is Mamori’s Zero-Trust identity-based model for detecting network intrusions. Under this model, every network access is classified as authorized or unauthorized based on the device’s identity and its permission levels. Any unauthorized network scan is detected and blocked, the device making it is locked, and the administrator and the device owner are notified immediately. Try for free or schedule a demo to see how it works.
Image: How Mamori M4IP safeguards you from network penetration attacks or unauthorized insider access.
3. Stopping Ransomware from Further Access
Network Monitoring
Network monitoring should watch for signs of infection or unauthorized access. Assuming the ransomware already has broad network access, monitoring should detect unexpected edits to the Windows registry on servers and workstations. It should also detect unusual internal and external traffic, at a broader level than the signature-based intrusion detection described above. For instance, sudden, sustained traffic to or from an unknown external host should be flagged, since it may indicate data exfiltration. Similarly, sudden high-volume traffic between two internal devices that never normally communicate should be flagged.
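The three traffic anomalies this section and the "Search and Scan" stage describe (a vertical SYN scan, a large transfer between internal hosts that have never talked, and a large upload to an unknown external host) can all be derived from flow records. The following is an added example written for this page, not Mamori code and not from the original article: it runs over constructed NetFlow-style records, using an assumed 10.0.0.0/8 internal range, an assumed baseline of known internal pairs and an assumed allow list of external destinations, and the byte thresholds are placeholders to be tuned per network.

```python
"""Flow-based detection of recon scans, unusual internal transfers and possible exfiltration.

Added example, not Mamori's code and not from the original page. The input is a
constructed set of NetFlow-style records: (src_ip, dst_ip, dst_port, bytes, tcp_flags).
In production these come from NetFlow/IPFIX exporters, Zeek conn.log or cloud flow
logs; the thresholds, address ranges and baselines below are assumptions to tune.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate address space


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed sample, not real traffic.
SAMPLE_FLOWS = [
    # Vertical TCP SYN scan: one workstation probing 40 ports on one server, SYN only, no payload.
    *[("10.0.1.25", "10.0.2.10", port, 60, "S") for port in range(1, 41)],
    # The same workstation then pulls 800 MB from a file server it has never talked to before...
    ("10.0.1.25", "10.0.3.50", 445, 800_000_000, "PA"),
    # ...and pushes 600 MB over HTTPS to an external host that is not on the allow list.
    ("10.0.1.25", "203.0.113.99", 443, 600_000_000, "PA"),
    # Normal traffic: a known client-to-server pair and a backup job to a known cloud endpoint.
    ("10.0.1.30", "10.0.3.50", 445, 2_000_000, "PA"),
    ("10.0.1.30", "198.51.100.20", 443, 100_000_000, "PA"),
]
BASELINE_PAIRS = {("10.0.1.30", "10.0.3.50")}   # internal pairs seen during a learning period
KNOWN_EXTERNAL = {"198.51.100.20"}              # approved external destinations


def analyze_flows(flows, baseline_pairs, known_external,
                  scan_ports=20, internal_bytes=100_000_000, exfil_bytes=50_000_000):
    """Return alerts for vertical scans, large first-seen internal transfers and large egress to unknown hosts."""
    syn_ports = defaultdict(set)     # (src, dst) -> ports hit with a bare SYN
    pair_bytes = defaultdict(int)    # (src, dst) internal -> bytes
    egress_bytes = defaultdict(int)  # (src, dst) external -> bytes
    for src, dst, port, nbytes, flags in flows:
        if is_internal(src) and is_internal(dst):
            if flags == "S":              # SYN without ACK: half-open probe typical of scanners
                syn_ports[(src, dst)].add(port)
            pair_bytes[(src, dst)] += nbytes
        elif is_internal(src):
            egress_bytes[(src, dst)] += nbytes

    alerts = []
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= scan_ports:
            alerts.append({"type": "vertical_scan", "src": src, "dst": dst, "ports_probed": len(ports)})
    for (src, dst), total in pair_bytes.items():
        if (src, dst) not in baseline_pairs and total >= internal_bytes:
            alerts.append({"type": "unusual_internal_transfer", "src": src, "dst": dst, "bytes": total})
    for (src, dst), total in egress_bytes.items():
        if dst not in known_external and total >= exfil_bytes:
            alerts.append({"type": "possible_exfiltration", "src": src, "dst": dst, "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS, BASELINE_PAIRS, KNOWN_EXTERNAL):
        print(alert)
```

The baseline of known internal pairs is what turns "high volume" into "unusual": the same 800 MB pull from a file server is normal for a backup host and alarming for a workstation that has never opened SMB to that server before. Build the baseline from a quiet learning period and review it, because a scanner that ran during the learning period ends up in the baseline.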
In addition, network monitoring should identify any new or unfamiliar processes and code being executed, including file modifications intended to bypass security software or other security layers. Destruction of recovery data should also be monitored, because it is part of the ransomware playbook: watch logs and process-creation events for the built-in binaries used to destroy recovery data, such as vssadmin, wbadmin, bcdedit and wmic. (WannaCry uses these to delete shadow copies and disable the operating system’s recovery features.)
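The following is an added example written for this page, not Mamori code and not from the original article, showing what a detection on those four binaries looks like when run over process-creation telemetry. The records are constructed in the shape a SIEM holds for Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; the first sample command line is modeled on the chain WannaCry runs, and the host names, user names and parent paths are invented for illustration.

```python
"""Flag process-creation events that delete Windows shadow copies or disable recovery.

Added example, not Mamori's code and not from the original page. Input records are
constructed in the shape a SIEM would hold for Sysmon Event ID 1 or Security Event ID
4688 (with command-line auditing enabled). The patterns are the documented built-in
commands ransomware runs before encrypting; the first sample command chain is modeled
on the one WannaCry executes.
"""
import re

# (label, pattern) pairs; several different commands map to the same technique label.
DESTRUCTIVE_PATTERNS = [
    ("shadow_copy_delete",    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete",    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("shadow_copy_delete",    re.compile(r"Get-WmiObject\s+Win32_Shadowcopy.*\.Delete\(\)", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled",     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Constructed sample events (host, user, parent_image, command_line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-0412", "CORP\\jsmith", r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
     r'cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & '
     r'bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
     r'bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'),
    ("FS-01", "CORP\\backupsvc", r"C:\Windows\System32\cmd.exe",
     r'wbadmin start backup -backupTarget:E: -include:D: -quiet'),          # legitimate backup job
    ("WS-0077", "CORP\\helpdesk", r"C:\Windows\System32\cmd.exe",
     r'vssadmin list shadows'),                                                # harmless listing
    ("SQL-02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'),
]


def classify_command(command_line):
    """Return the sorted set of destructive technique labels found in one command line."""
    return sorted({label for label, pattern in DESTRUCTIVE_PATTERNS if pattern.search(command_line)})


def scan_process_events(events):
    """Return an alert for each event whose command line destroys recovery data.

    Several techniques chained in one command line is the ransomware signature and
    is rated critical; a single technique is still high, because legitimate tooling
    rarely deletes every shadow copy quietly.
    """
    alerts = []
    for host, user, parent, cmd in events:
        labels = classify_command(cmd)
        if not labels:
            continue
        alerts.append({
            "host": host, "user": user, "parent_image": parent,
            "techniques": labels,
            "severity": "critical" if len(labels) >= 2 else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

Two things to note when deploying a rule like this: the parent image is as important as the command line (a backup agent running vssadmin is routine, a binary in a user’s Temp folder running it is not), and command-line auditing for 4688 is off by default on Windows, so without Sysmon or that policy enabled you only see "cmd.exe" and none of the arguments.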
Database Activity Monitoring
Database Activity Monitoring (DAM) records all activity on the database, whether a data pull or a login. An essential requirement is that the DAM solution alert users and administrators whenever someone logs in and whenever an anomaly occurs, such as an unusually large data extract.
By the time that alert fires, however, the unauthorized data access may already have happened. DAM in this form is not a preventive measure; it is a reporting and alerting mechanism that tells the organization about unauthorized access after the fact.
Mamori’s DAM has built-in preventative features that monitors all connection and SQL activity, with the ability to set policies for connection, statement and data access. Try for free or schedule a demo to see how it works.
Privileged Access Management
For ransomware to spread, it needs more privileged access so it can reach and encrypt more critical business data. If the organization has implemented a Privileged Access Management (PAM) solution, the damage is significantly reduced because the malware cannot obtain privileged accounts. Basic PAM measures include monitoring and recording all privileged sessions and single sign-on (SSO). The key practice when using PAM is the principle of least privilege: grant access only to the parts of the network an employee needs to do their job.
Mamori’s PAM module does all of the above and more. Mamori uses a zero-trust methodology in which all access has to be authenticated, authorized and validated. That means SSO and 2FA for RDP, SSH and direct database access, key-based access, data masking based on privilege, monitoring, and least-privilege access on demand (a just-in-time practice that grants access only as needed) and more. Try for free or schedule a demo to see how it works.
Network Micro-Segmentation
Ransomware loves a flat, open network, and micro-segmenting the network makes it much harder for ransomware to spread. Micro-segmentation divides an organization’s network into smaller zones, which greatly reduces the attack surface available to ransomware. One common practice is to put third-party vendors, or the less-trusted and more vulnerable parts of the network, into their own segment. There is no single best way to segment a network, because each organization has its own communication flows.
Network segmentation should support separate zones within data centers and cloud environments. The purpose is to isolate permitted users and workloads from one another for added security. This reduces the network attack surface and contains breaches, and it improves regulatory compliance as well.
Traditional firewalls are decentralized and hard to configure. Mamori simplifies this with IP- and port-level access controls, which benefits both network segmentation and application segmentation.
One such segmentation lets our customers isolate Dev, QA/Staging and Production environments and application access, which matters now that many organizations bring in external consultants for new application and digitalization projects. Those consultants can be limited to the code repositories and kept away from the test database. Protecting these environments from unauthorized internal and external access is one of the most important elements of network micro-segmentation.
Securing legacy applications is cumbersome and often close to impossible. Even where adding 2FA to these systems is not feasible, you can use Mamori to put 2FA in front of them and to ring-fence the application servers to the people who actually need access, for example by separating the development, test and production application servers.
Using a zero-trust model, Mamori can further micro-segment a network based on roles or on the identity of the workload. Agnostic to location, the Mamori server can reside on-premises or in the cloud, which gives flexibility in deciding where micro-segmentation is enforced. As one of our customers noted, “the real bonus is the fact that we can secure applications, all the way down to the individual services, on each host… It’s actually more granular security than we can get out of a traditional firewall.” Try for free or schedule a demo to see how it works.
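The policy shape this section describes (rules keyed on who is connecting, from which zone, to which host or zone, on which port, with everything else denied) is worth writing down and testing against your intended flows before it goes into a firewall or a ZTNA gateway. The following is an added example written for this page, not Mamori code and not from the original article: a small default-deny evaluator for that policy. The address plan, the roles, the repository host and every rule are assumptions made up for illustration.

```python
"""Identity- and zone-aware allow list for micro-segmentation, default deny.

Added example, not Mamori's code and not from the original page. All zones, hosts,
roles and rules are assumptions for illustration; the point is the evaluation model:
first matching rule wins, and a request that matches nothing is denied.
"""
import ipaddress

ZONES = {                                   # assumed address plan
    "staff-vpn":      ipaddress.ip_network("10.98.0.0/24"),
    "consultant-vpn": ipaddress.ip_network("10.99.0.0/24"),
    "dev":            ipaddress.ip_network("10.10.0.0/16"),
    "qa":             ipaddress.ip_network("10.20.0.0/16"),
    "prod":           ipaddress.ip_network("10.30.0.0/16"),
}
GIT_SERVER = ipaddress.ip_network("10.10.5.10/32")   # assumed code repository host inside dev

# Rules: (role, source zone, destination zone name or host network, allowed ports or None for any).
RULES = [
    ("consultant", "consultant-vpn", GIT_SERVER, {22, 443}),   # the repo only, nothing else in dev
    ("developer",  "staff-vpn",      "dev",      None),
    ("developer",  "staff-vpn",      "qa",       {443}),       # may test the QA app, not reach its database
    ("ops",        "staff-vpn",      "prod",     {22, 3389}),  # admin protocols, expected to sit behind PAM
    ("ci-runner",  "dev",            "qa",       {443}),       # CI in dev may deploy to QA over HTTPS
]


def zone_of(ip):
    """Name of the zone an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def decide(role, src_ip, dst_ip, dst_port):
    """Return (verdict, rule_index); verdict is 'allow' or 'deny', and no match is a deny."""
    src_zone = zone_of(src_ip)
    dst_addr = ipaddress.ip_address(dst_ip)
    for index, (r_role, r_src, r_dst, r_ports) in enumerate(RULES):
        if r_role != role or r_src != src_zone:
            continue
        if isinstance(r_dst, ipaddress.IPv4Network):
            dst_ok = dst_addr in r_dst
        else:
            dst_ok = zone_of(dst_ip) == r_dst
        if dst_ok and (r_ports is None or dst_port in r_ports):
            return "allow", index
    return "deny", None


if __name__ == "__main__":
    for request in [("consultant", "10.99.0.7", "10.10.5.10", 22),
                    ("consultant", "10.99.0.7", "10.20.3.5", 5432),
                    ("developer", "10.98.0.4", "10.30.1.1", 443)]:
        print(request, "->", decide(*request))
```

The cases worth keeping as regression tests are the denials: the consultant reaching the test database, the developer reaching production, and the ops role connecting from the wrong network. A segmentation policy that is only tested on the flows it allows tends to drift toward allowing everything.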
4. Protecting Files from being Encrypted or Downloaded
File Change Monitoring and Rollback
This is a tool that detects rather than prevents. It monitors file changes within a system and records which program or process made each change. When anomalies occur, such as files being modified, deleted or encrypted by ransomware, the tool detects the change and automatically reverses it. The downside of most rollback tools is that they need access to the organization’s backup files. In other words, if the backups are deleted or encrypted, most of these tools are rendered useless.
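The detection half of such a tool rests on one observation: documents that have just been encrypted look like random bytes and usually carry a new extension, and ransomware produces many of them in a short burst. The following is an added example written for this page, not Mamori code and not from the original article. It compares two snapshots of a directory instead of hooking a live filesystem so it runs offline; the sample documents, the "encrypted" versions (a deterministic SHA-256 stream standing in for ciphertext), the extension and the thresholds are all constructed assumptions.

```python
"""Detect a burst of files rewritten as high-entropy ciphertext and renamed.

Added example, not Mamori's code and not from the original page. Snapshots are
plain dicts of path -> bytes; the sample documents and ciphertext are constructed,
and the thresholds are assumptions to tune per environment.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: text is typically 4-5, compressed or encrypted data above 7.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed, length):
    """Deterministic high-entropy bytes standing in for ransomware output (constructed sample data)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def detect_mass_encryption(before, after, entropy_threshold=7.2, burst=5):
    """Compare two snapshots and report files that look freshly encrypted.

    A file is suspicious when its bytes changed, the new content is near-random, and
    either it was renamed with an extra extension or its entropy jumped sharply. Only
    a burst of such files raises an alert: one new high-entropy file is usually a
    legitimate archive or image, dozens at once are not.
    """
    renamed = {}   # original path -> new path, for "report.docx" -> "report.docx.locked"
    for new_path in set(after) - set(before):
        for old_path in set(before) - set(after):
            if new_path.startswith(old_path + "."):
                renamed[old_path] = new_path
    suspicious = []
    for old_path, old_bytes in before.items():
        new_path = renamed.get(old_path, old_path)
        new_bytes = after.get(new_path)
        if new_bytes is None or new_bytes == old_bytes:
            continue
        old_h, new_h = shannon_entropy(old_bytes), shannon_entropy(new_bytes)
        if new_h >= entropy_threshold and (new_path != old_path or new_h - old_h >= 2.0):
            suspicious.append({"path": old_path, "new_path": new_path,
                               "entropy_before": round(old_h, 2), "entropy_after": round(new_h, 2)})
    return {"alert": len(suspicious) >= burst, "suspicious": suspicious}


# Constructed sample share: eight reports and a notes file, all ordinary text.
DOC_TEXT = ("Quarterly report. Revenue grew 4% quarter over quarter; costs were flat. "
            "Action items: renew the support contract, review headcount plan.\n")
BEFORE = {f"share/finance/report-{i}.docx": (DOC_TEXT * 40).encode() for i in range(8)}
BEFORE["share/finance/notes.txt"] = b"Call Alex re: vendor invoice.\n" * 20


def simulate_attack(before, victim_count=6, ext=".locked"):
    """Encrypt and rename the first victim_count files, as ransomware would (constructed)."""
    after = dict(before)
    for path in sorted(before)[:victim_count]:
        after[path + ext] = pseudo_ciphertext(path, len(before[path]))
        del after[path]
    return after


AFTER = simulate_attack(BEFORE)
AFTER["share/finance/report-7.docx"] += b"Addendum: figures restated after audit.\n"   # a normal edit
AFTER["share/finance/photos.zip"] = pseudo_ciphertext("zip", 4096)                      # a new archive, benign

if __name__ == "__main__":
    print(detect_mass_encryption(BEFORE, AFTER))
```

The burst threshold is what keeps this from paging on every PDF export or zip file; the rename check is what still catches a sample that encrypts files already high in entropy, such as images. A response hook would stop the offending process and block the writing user’s access to the share, which is the "automatically reverse" step the text describes once backups are available.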
Immutable Backups
Backup files and snapshots should be immutable, meaning the data cannot be overwritten, changed or deleted for the length of the retention period. This may seem like the saving grace and the best option in the fight against ransomware. But if organizations could reliably restore and recover from backups, wouldn’t the ransomware criminals be out of business by now?
The problem with backups, even immutable ones, is that the attacker may target the entire backup environment, or the malware may already be lying dormant inside the backups. Once data is restored, the ransomware can reactivate immediately if it was not properly removed. Immutability also does nothing against the threat of leaking stolen data. That is why it is so important for the organization to take preventive measures that block ransomware from getting a foothold in the first place.
Detecting Data Exfiltration
As mentioned earlier, ransomware criminals increasingly extort organizations by threatening to publish their sensitive data. To do so, they first have to download that data from the organization’s network. This traffic anomaly can be picked up by a traffic monitoring tool, which can be part of the network monitoring described earlier.
5. Recovering from Backups
If the attack succeeds, the only option left is to restore from your backups, assuming they are immutable or the criminals somehow didn’t encrypt them. The best practice is as follows:
First, isolate the affected servers from the network. Disconnecting is preferable to powering off, because a powered-off machine loses the memory evidence an incident responder needs to identify the malware. It may be guesswork at this point, but you have to stop the ransomware from reaching the rest of the network, if it hasn’t already. The number one priority is to find patient zero so the cleanup can begin.
Second, keep working from your backups. If you have a backup appliance capable of operating as a production server, keep using it until you are fully recovered. If you have cloud backups that can support daily operations without delay, use them. It is important to operate from a backup you have good reason to believe is clean.
Third, thoroughly clean your systems and devices. Make sure the entire network and every device is free of malware. Your backup solution should continue backing up the latest work while you clean.
Fourth, fail back to production. Once the systems are clean, fail back to production with the latest work and resume business as usual.
Other Important Best Practices for Each Attack Stage
Two Factor Authentication
Two-factor authentication (2FA) strengthens security by requiring a second method of verifying a person’s identity, used in conjunction with the password. Popular second factors are email verification codes, SMS codes sent to a phone number, and authenticator applications that generate time-based one-time codes; of these, SMS and email are the weakest because the codes can be intercepted or the account behind them taken over.
2FA or MFA can be the saving grace even when an administrator’s password is compromised. This added layer is commonly estimated to prevent 80-90% of account-based attacks. 2FA applies to many of the practices listed above, including endpoint security, privileged access management and remote access.
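Authenticator apps implement the TOTP algorithm (RFC 6238), which is small enough to show in full. The following is an added example written for this page, not Mamori code and not from the original article: a standard-library TOTP generator plus the server-side verifier, including the two details that are most often done wrong, tolerating a little clock skew and refusing to accept the same code twice. The secret is the RFC’s published test key so the output can be checked against the RFC’s own table; everything else is an assumption.

```python
"""RFC 6238 TOTP generation and a replay-safe verifier, as used by authenticator apps.

Added example, not Mamori's code and not from the original page. Standard library
only. The secret below is the RFC 4226 / RFC 6238 reference test key so the codes
can be checked against the published vectors; a real deployment generates a random
20-byte secret per user and shares it once as a base32 QR code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # reference key from the RFC test vectors


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time // step), digits)


def new_secret_b32():
    """Fresh 160-bit secret in the base32 form that authenticator apps import."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class TotpVerifier:
    """Server-side check that tolerates clock skew but never accepts a code twice.

    window=1 accepts the previous, current and next step. last_counter records the
    highest step already used, so a captured code cannot be replayed and an older
    code is not accepted after a newer one.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        current = int(at_time // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                                      # already used, or older than one we accepted
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):           # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("code at T=59 for the RFC test key:", totp(RFC_TEST_SECRET, at_time=59))
    print("new user secret:", new_secret_b32())
```

Two practical points follow from the code. The server must store last_counter per user (in the database, not in process memory) or the replay check silently disappears behind a load balancer. And because the secret is shared, it is as sensitive as a password: encrypt it at rest, and never log the code the user submitted alongside the time.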
Patching & Software Updates
Patching, including for zero-day vulnerabilities (flaws that are being exploited before a fix exists), is critical to defending against ransomware. Aside from new releases, feature upgrades and bug fixes, some patches exist specifically to close known vulnerabilities that cybercriminals are exploiting, as with the Log4Shell incident. That is why it is critical for organizations to keep their software, applications, browsers and systems up to date.
Although patching removes known exploitable vulnerabilities, it does so only until the next one is found. Whenever developers release new code, both the developers and the cybercriminals are racing to find the next exploitable bug. If the cybercriminals find it first, countless organizations can fall victim before the developers ship another patch. Again, this is why multiple layers of security matter.
Regularly Testing Your Data Protection Plan
Even when an organization adopts a layered security plan using all the best practices listed here, testing is still required to confirm that the data is actually protected. Testing should be continuous, because the security and IT environment never stops changing. Passing the initial test does not mean the data protection plan will pass a year or a decade later. At a minimum, test your data protection plan annually, and again after any significant infrastructure change.
How Mamori Stops Ransomware and Lowers Your Cybersecurity Insurance Bill
Mamori prevents ransomware from entering and spreading across your network. Our solution includes Zero Trust Network Access (ZTNA), two-factor authentication (2FA), Database Activity Monitoring (DAM), Privileged Access Management (PAM) and a SQL Firewall, all integrated in ONE solution at a fraction of the cost of traditional solutions.
Our data security approach is proven to stop ransomware. That is why our clients can lower their cybersecurity insurance bill by 40-60% after they implement Mamori.
Not only can Mamori stop ransomware, our solution can also prevent unauthorized personnel from accessing and tampering with your organization’s sensitive data.
Try Mamori for free or schedule a demo to see how it works.