Ransomware has staked its claim as a major element of the cybercriminal ecosystem. Here are 5 tips for reducing your organization’s ransomware threat.
Ransomware and cyberattack risks have reached record levels for private American companies, which US authorities are urging to take immediate steps to protect networks and data. Russia’s invasion of Ukraine, Western economic sanctions and anticipated retaliation by Russian intelligence agency hackers, as well as other malicious actors sympathetic to the Russian government, are combining to create unprecedented risk.
In response, the US’ Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) issued joint Alert AA22-057A, updated March 1st, urging American private sector businesses and other organizations to prioritize cybersecurity defenses. The seven-page bulletin emphasizes the importance of escalating destructive malware awareness and preparedness initiatives.
The alert also highlights five specific steps organizations should take immediately to help guard systems, networks and data:
- Implement centrally managed antimalware solutions and set antimalware programs to conduct regular scans.
- Enable strong spam filters to prevent phishing emails from reaching end users and automatically discard emails with known malicious components.
- Filter network traffic, tighten Access Control Lists (ACLs) and Virtual Local Area Network (VLAN) configurations and block suspicious IP addresses.
- Update applications, operating systems and firmware to the latest versions.
- Require multifactor authentication (MFA) for all services, especially email, VPNs and critical system accounts and applications.
All those elements are components of a broader set of security best-practice fundamentals. These initial steps, though not foolproof themselves, make it more difficult for ransomware and other cyberattacks to succeed.
Ransomware works by encrypting files and rendering them unusable unless the corresponding decryption credentials—typically a complex mathematical key that can’t readily be cracked or reverse engineered—are supplied. Consequently, ransomware attacks can incapacitate businesses, government offices and other organizations. Because ransomware attacks often spread to and infect backup systems, recovery can prove complex and time consuming, if it is possible at all.
The five steps CISA and the FBI recommend organizations adopt immediately in March 2022 are complementary to the ransomware best practices CISA, working with the Multi-State Information Sharing & Analysis Center, published in September 2020. Those 2020 guidelines recommend the following ransomware prevention best practices:
- Maintain offline, encrypted data backups that are regularly tested, along with gold images of critical systems to enable rapid recovery, as well as legacy backup hardware and system images.
- Create and maintain a basic cyber incident response plan.
- Conduct regular vulnerability scanning to help limit the attack surface.
- Ensure networked devices are properly configured and security features are enabled.
- Employ best practices for remote connectivity services.
- Disable or block outbound SMB protocols and remove outdated versions.
- Implement a cybersecurity user awareness and training program and a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification.
- Consider disabling macro scripts for Microsoft Office files transmitted via email.
- Implement application directory allowlisting on all assets to ensure only authorized software is permitted to run.
- Consider implementing an intrusion detection system (IDS) to detect command and control activity and other potential malicious network traffic.
- Consider the risk management and cyber hygiene practices of third parties and managed services providers (MSPs).
- Be aware that malicious actors may exploit trusted relationships, such as those with MSPs, vendors, partners, customers and suppliers.
- Apply the principle of least privilege to servers, systems, services and software to help ensure users only receive the minimum rights and permissions needed to fulfill their roles.
- Adopt security best practices with all cloud services, including Microsoft 365.
- Develop and maintain a comprehensive network diagram to better understand systems relationships and data flows.
- Segment networks by employing logical or physical means of separating business units and departments, while also maintaining separation between IT and operations.
- Catalog and inventory all assets, including data, software and hardware.
- Restrict PowerShell usage to specific users on a case-by-case basis, ensure the most current version is in place and enable enhanced (module, script block and transcription) logging.
- Secure domain controllers using a combination of the most current OS versions, logging, network traffic analyses, restricted administrator access, firewall restrictions and removal of all unnecessary software and agents.
- Implement a host of additional security-related group policy settings, such as requiring Kerberos for authentication, enabling audit protections for Local Security Authentication and requiring SMB signing between hosts and domain controllers.
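Several of the Windows-specific items above (enhanced PowerShell logging, SMB signing) are ultimately registry-backed policy values, so compliance can be audited directly. The following script is an added example, not code from the CISA/FBI bulletin or from the article; it assumes the standard policy key paths that Group Policy writes for these settings and must run in an elevated session.

```powershell
# Added example: audit the registry-backed settings behind the PowerShell logging and
# SMB signing recommendations listed above. Read-only; reports drift rather than fixing it.
$Checks = @(
    @{ Name = 'PowerShell module logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging';      Expected = 1 },
    @{ Name = 'PowerShell script block logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging'; Expected = 1 },
    @{ Name = 'PowerShell transcription'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Value = 'EnableTranscripting';      Expected = 1 },
    @{ Name = 'SMB server requires signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client requires signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 }
)

function Test-HardeningItem {
    param([hashtable]$Check)
    # A missing key or value means the policy was never applied: treat it as non-compliant.
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).$($Check.Value)
    } catch { }
    [pscustomobject]@{
        Item      = $Check.Name
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($actual -eq $Check.Expected)
    }
}

$results = $Checks | ForEach-Object { Test-HardeningItem -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or endpoint-management compliance job flag drift.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

The SMB signing items can be remediated on a single host with `Set-SmbServerConfiguration -RequireSecuritySignature $true` and `Set-SmbClientConfiguration -RequireSecuritySignature $true`, but for fleet-wide enforcement the Group Policy settings the bulletin refers to are the right mechanism.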
As world events continue evolving, organizations should aggressively monitor government and cybersecurity agencies for updates and recommendations. The free and rapid flow of information between private-sector firms and authorities can accelerate identifying new vulnerabilities and implementing corresponding remediation steps.