How Companies Can Protect Themselves from Ransomware

I was recently asked about ransomware and how companies can defend themselves. The most common vectors of infection for ransomware are via email, such as attachments and malicious links in the email,  and exploit kits, which are usually executed when a victim visits a compromised websites.

Some organizations assert that approximately 60 percent of ransomware infections result from email vectors. To address this, we encourage our clients to fully implement the recommendations of a well-established security framework such as:

  • ISO 27002, Information technology – Security techniques – Code of practice for information security controls
  • The Center for Internet Security’s (CIS) Top 20 Critical Security Controls
  • NIST’s Cyber Security Framework (CSF)

A subset of the controls defined in the above that are directly relevant to defending against ransomware infections are:

  • Server side anti-virus software on incoming email gateways
  • Endpoint anti-virus software on all user’s desktops, laptops, tablets, and smartphones
  • Email and web browsing should only be read from non-privileged accounts
  • Keep up to date with security patches on servers and endpoints
  • Implement DMARC, SPF, and DKIM to reduce the likelihood of receiving ransomware

Security awareness training: Train users to be cautious about the use of email and the Internet:

  • Don’t open any unexpected attachments, even those apparently from people you know
  • Don’t click on any links in email received from unknown third parties
  • Examine the sender’s email address to see if the email really originates from the person you think sent the email

Note, in addition to traditional signature based anti-virus software, consider deploying next generation (aka signatureless) anti-virus / anti-malware tools. Techniques in these tools include sandbox detection, data mining, behavioral detection, artificial intelligence, machine learning, and cloud-based file detonation.

Organizations should also assume that they will still occasionally get infected with ransomware. There are critical steps to take to reduce the impact:

  • Perform frequent backups of all critical systems
  • Perform table top exercises to help determine:
    • What needs to get backed up
    • How frequently backups should be performed (recovery point objectives)
  • Test your ability to recover from backups, this ensures employees know the procedure and validates that backups are being performed correctly
    • Know what your practical recovery time objective (RTO) can be
  • Segregate backup storage, if one of your system administrator’s accounts is infected you don’t want the ransomware spreading to the backups. (Remember,  email and web browsing should only be read from non-privileged accounts)

If your organization is infected by ransomware and restoration from backups does not resolve all of the problems, then try to determine if the decryption keys are freely available from a third-party.  See: