How to Prevent Ransomware Attacks
Ransomware incidents are becoming prolific in Australia. We’re seeing an increased amount of businesses come to Cythera to help them respond to ransomware attacks or deploy preventative controls after resolving a ransomware attack.
The Australian government‘s announcement of an increase in risk around cyber attacks is being borne out in the field. Organised crime and state-sponsored actors are doubling down on ransomware based attacks, fuelled by a rise in payments of bounties by large corporates and insurers trying to recover data.
In this post we will summarise security measures you can deploy to prepare for a ransomware incident, or if you are unlucky enough to be in the middle of one, some tips in responding.
But first, let’s understand what a ransomware attack is.
What is ransomware?
The Australian Cyber Security Centre, branch of the Australian Governments Signal Directorate, has an excellent overview of ransomware described in this video [watch 1.39min].
Ransomware can be devastating to a business because it denies you access to your systems, files and sensitive data and information.
Often the hackers who lock you out of your systems demand a ransom for its release which both small businesses and large corporations are forced to pay if they have hope of resuming business operations.
How To Prevent Ransomware Attacks
Prepare
Preparing and deploying the below measures to prevent a ransomware attack is definitely better than the cure. Missing even one of the below suggestions can provide cyber criminals a foothold to exploit and breach your network security.
Train your staff – Upskilling staff on cyber security topics and ways to identify potential phishing and scams is a low cost, high return way of protecting your front line.
Deploy multi-factor authentication – Enabling multiple factors of authentication instead of just relying on passwords reaps big rewards from a cyber security standpoint. Deploying multi-factor is not simple and 100% coverage is difficult, but we suggest to start with your critical applications such as Office365 and anywhere client data is stored.
Patch your IT systems – This may seem easy but updating software is often forgotten or delayed when you’re focused on just doing business. Enforcing regular updates on endpoints and servers keeps you ahead of many network vulnerabilities hackers prey on. Be sure to include software such as Office and Adobe in updates.
Backup your files regularly – If you do suffer a ransomware incident, good backups are often the only way you can recover your business. Ensure backups exist in a separate network or offsite completely. Also utilise the inbuilt backup capabilities in Windows 10 and MacOS.
Protect endpoints and servers – Good next-generation antivirus can prevent malware from spreading, and combining it with Endpoint detection and response can help you find bad guys already on your network.
Segment your network – Attackers love big, flat networks. It allows them to move between machines with ease, and infect your entire organisation quickly. Segmenting your network provides controls and a ‘blast radius’ around critical parts of your network. Even separating your corporate IT from any infrastructure and guest networks is a good start.
Monitor – A big part of staying ahead of security incidents is ensuring you’re monitoring your environment. Desktops, servers, infrastructure and cloud environments should all be monitored for anomalies. If you don’t have the resources or cyber security expertise, Cythera’s Managed Detection & Response service is designed specifically to help you.
Incident Response to Ransomware Attacks
In the event you’re responding to a ransomware incident already, here’s a handy checklist of tips you can use to assist you in remedying the situation.
- Isolate affected hosts from the network and remove their network access completely. If you think you’re too late and intervening mid-attack, hibernate or power down the machine at once.
- If possible obtain a copy of the malicious code, ransomware note/email or a locked file. These will assist in identifying the ransomware variant.
- Submit any samples you have to help identify the ransomware and if there are any removal procedures. Malwarehunterteam has an ID Ransomware site, otherwise if you have a file sample you can also use Virustotal.
- Try to determine where the ransomware originated from. This can help you build file samples, email addresses or IP’s that you can block on your firewalls, mail filters and AV to stop continued distribution.
- If not using multi-factor authorisation: issue a mandatory organisation-wide password reset, including any admin accounts, to prevent ongoing or repeat cyber attacks.
- Reimage and recover infected machines and look to re-integrate them into the network once you have preventative controls in place.
This isn’t an exhaustive list by any means but part of Cythera’s mission is to protect Australian businesses from cyber threats and risk. We don’t want to keep seeing businesses crippled by these sorts of incidents.
If you need to better understand your security readiness to handle a ransomware attack then contact Cythera’s in-house team of Australian cyber security experts who offer:
- Consultation
- Independent review
- Cyber security platform distribution, reseller and installation
- Complete managed detection and solutions - Cyber Security-as-a-Service (Cyber SECaaS)
