Ransomware is a threat for individuals as well as companies. A ransomware attack can destroy important data and cause financial and reputational loss. The number of ransomware attacks across the globe is growing each year, with petabytes of data lost. Nobody wants to be a victim of ransomware attacks. For this reason, it is important to know how to protect against ransomware. This blog post covers the best ransomware protection methods to safeguard your data.
The Anti-Ransomware Strategy
The anti-ransomware strategy can be divided into two main stages:
- Preventive measures
- Recovery measures
Preventive measures are used to prevent ransomware infections. It is better to prevent a ransomware attack than to mitigate its consequences. Preventive measures can be implemented with no or minimal downtime and include antivirus software and email protection.
Recovery measures are taken during and after a ransomware attack, especially when the attack causes data loss and interrupts normal operations. Recovery measures require more effort and time than preventive measures because recovery involves restoring data and workloads. If you are not prepared for disasters and ransomware attacks, recovery may prove too difficult or even impossible.
Consider the tips below that cover both preventive and recovery measures to protect yourself from ransomware.
Use Antivirus Software
Install antivirus software on all Windows machines to detect infected files and malicious code injected into memory, and to block infected content and web pages. This is not to say that macOS users are safe: lately, macOS devices have also been attacked by ransomware.
It is best to use antivirus software that supports behavior-based detection of ransomware and heuristic analysis. If malicious behavior is detected, the antivirus should block the suspicious files and display alert notifications. Consider using antivirus software that can monitor the common locations where ransomware creates or modifies files.
The following antivirus functionality is important because it provides much better protection than simple signature-based scanning (which relies on antivirus signature databases):
- Detection of suspicious processes attempting file encryption
- Protection of selected folders against unauthorized access and file modification
- Real-time protection
- Exploit protection
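As an added example, not code from the original post or from any antivirus product, here is a small Python heuristic in the spirit of the first two bullet points. It runs over constructed file-system events and flags a process that writes high-entropy data in bursts, renames files to a ransomware-style extension, or modifies a protected folder without being on the allowlist. The extension list, the protected folder path, the process names and the events themselves are all constructed for this example.

```python
import math
from collections import defaultdict

# Constructed, illustrative list of extensions that encrypting malware appends to files.
SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".enc")
# Hypothetical protected folder and the process images allowed to modify it.
PROTECTED_FOLDERS = ("C:\\Users\\alice\\Documents",)
ALLOWED_IN_PROTECTED = {"winword.exe", "excel.exe", "explorer.exe"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text stays well below 5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_events(events, window_seconds=10, burst_threshold=5, entropy_threshold=7.0):
    """Group file events per process and return {pid: [alert, ...]} for suspicious ones.

    Each event is a dict with t (seconds), pid, image (process name), op ('write'
    or 'rename'), path, and for writes the bytes written ('data').
    """
    alerts = defaultdict(list)
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["t"])
        # 1. A burst of high-entropy writes inside a sliding time window.
        hi_writes = [e["t"] for e in evs
                     if e["op"] == "write" and shannon_entropy(e["data"]) >= entropy_threshold]
        for i, start in enumerate(hi_writes):
            in_window = sum(1 for t in hi_writes[i:] if t - start <= window_seconds)
            if in_window >= burst_threshold:
                alerts[pid].append(f"{in_window} high-entropy writes within {window_seconds}s")
                break
        # 2. Renames that give files a known ransomware-style extension.
        renamed = [e for e in evs
                   if e["op"] == "rename" and e["path"].lower().endswith(SUSPICIOUS_EXTENSIONS)]
        if renamed:
            alerts[pid].append(f"{len(renamed)} renames to a suspicious extension")
        # 3. Any modification of a protected folder by a process not on the allowlist.
        offenders = {e["image"] for e in evs
                     if e["path"].startswith(PROTECTED_FOLDERS)
                     and e["image"].lower() not in ALLOWED_IN_PROTECTED}
        for image in sorted(offenders):
            alerts[pid].append(f"{image} modified a protected folder")
    return dict(alerts)


# Constructed sample data: a uniform byte distribution has exactly 8 bits/byte of entropy.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly report, draft 3. " * 40


def sample_events():
    """Constructed events: Word saving one document, then an unknown binary
    rewriting and renaming six photos within two seconds."""
    docs = "C:\\Users\\alice\\Documents\\"
    events = [{"t": 0.0, "pid": 100, "image": "WINWORD.EXE", "op": "write",
               "path": docs + "q3.docx", "data": PLAINTEXT}]
    for i in range(6):
        events.append({"t": 1.0 + i * 0.3, "pid": 200, "image": "updater_tmp.exe",
                       "op": "write", "path": docs + f"photo{i}.jpg", "data": CIPHERTEXT})
        events.append({"t": 1.1 + i * 0.3, "pid": 200, "image": "updater_tmp.exe",
                       "op": "rename", "path": docs + f"photo{i}.jpg.locked"})
    return events


if __name__ == "__main__":
    for pid, found in analyze_events(sample_events()).items():
        print(pid, found)
```

The benign Word process produces no alert because its write is low-entropy and its image is on the allowlist for the protected folder; the unknown process triggers all three rules. Real products combine many more signals, but the three used here (entropy bursts, extension renames, protected-folder writes) are the core of behavior-based ransomware detection.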
Update antivirus databases regularly, at least once a day. Ransomware creators usually test their ransomware before starting an attack to ensure that the new version cannot be detected by antivirus software. Hence, it is in your best interest to have the freshest available virus database in your antivirus to detect the newest malware.
You should also use antivirus software for your virtual machines. If you have a VMware virtual environment, there are antivirus solutions that integrate with vShield and vSphere and provide agentless antivirus protection for VMs running on ESXi hosts. Consider using such a solution to optimize resource usage on ESXi hosts, rather than traditional antivirus software that must be installed in each VM.
Configure anti-spam and anti-malware filters on email servers. Email is one of the most popular methods used to spread ransomware: an infected computer is then used to propagate the infection to other computers on the network. Attackers like to send links to malicious websites and attach Word or Excel documents with macros to infect devices. Properly configured anti-spam and anti-malware filters on email servers prevent users from receiving email messages with harmful links or malicious attachments (or at least significantly reduce the probability). Filter configurations should be updated regularly from the databases of trusted vendors.
Depending on your security policy, you can configure anti-malware and anti-ransomware filters to display a warning message or to delete a message before it reaches the user. Popular vendors of cloud and email services such as Google (G Suite) and Microsoft (Microsoft 365 Exchange) protect customers against spam.
Read these blog posts about Exchange Online Protection, Advanced Threat Protection and Threat Intelligence for Microsoft 365 to learn more about how to protect users who work with email.
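The attachment policy described above (warn or delete, depending on your security policy), as an added example written for this post rather than taken from any mail server or vendor product. It uses only the Python standard library: the email module parses the message, and each attachment is judged by its content as well as its name, so a macro-enabled Office document is recognized by the vbaProject.bin entry inside its ZIP container and a renamed executable by its MZ header. The extension lists, the message and the macro blob are constructed for the example.

```python
import io
import os
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Constructed policy: extensions that are never delivered versus delivered with a warning.
BLOCK_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".hta"}
WARN_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".zip"}


def attachment_verdict(filename: str, content: bytes):
    """Return ('block' | 'warn' | 'deliver', reason) for one attachment.

    The checks look at content, not only the file name, because a renamed
    executable or a macro document saved under a harmless extension is common.
    """
    ext = os.path.splitext(filename.lower())[1]
    if content[:2] == b"MZ":                       # Windows executable header
        return "block", f"{filename}: executable content (MZ header)"
    if ext in BLOCK_EXTENSIONS:
        return "block", f"{filename}: blocked extension {ext}"
    if content[:2] == b"PK":                       # ZIP container, used by Office OOXML files
        try:
            names = zipfile.ZipFile(io.BytesIO(content)).namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "warn", f"{filename}: Office document contains a VBA macro project"
    if ext in WARN_EXTENSIONS:
        return "warn", f"{filename}: risky extension {ext}"
    return "deliver", f"{filename}: no finding"


def filter_message(raw: bytes, strict: bool = False) -> dict:
    """Scan every attachment and map the worst verdict to an action.

    strict=False: a 'warn' verdict delivers the message with a warning banner
    (the 'display a warning message' policy); strict=True deletes it instead.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    rank = {"deliver": 0, "warn": 1, "block": 2}
    worst, findings = "deliver", []
    for part in msg.iter_attachments():
        verdict, reason = attachment_verdict(part.get_filename() or "unnamed",
                                             part.get_payload(decode=True) or b"")
        findings.append(reason)
        if rank[verdict] > rank[worst]:
            worst = verdict
    if worst == "block" or (worst == "warn" and strict):
        action = "delete"
    elif worst == "warn":
        action = "deliver_with_warning"
    else:
        action = "deliver"
    return {"action": action, "findings": findings, "subject": str(msg["Subject"])}


def build_sample_message() -> bytes:
    """Constructed phishing-style message carrying a macro-enabled Word document."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed macro blob")
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please open the attached invoice and enable editing to view it.")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(filter_message(build_sample_message()))
    print(filter_message(build_sample_message(), strict=True)["action"])
```

With the default policy the sample message is delivered with a warning because of the macro project; with strict=True the same message is deleted. The ZIP inspection is what makes the check useful in practice: a macro document renamed to .docx would still be caught, while a plain PDF passes.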
Improperly configured routers can be used to start ransomware attacks. Attackers usually scan the standard ports of widely used services to find which ports are open and then try to initiate an attack through an open port.
That’s why it is important to configure the firewall on routers to protect against ransomware infiltration. You are also advised to block access to unused ports. Another thing you can do is change standard port numbers to custom (unused) port numbers where possible.
Next, configure URL filtering and ad blocking. Advertising can be used to infect devices with malware; malicious advertising is known as “malvertising”. Websites with a bad reputation that are used to distribute malicious content should be blocked with URL filters on the routers that provide internet access for users in your organization. Modern software can dynamically add newly discovered malicious sites to the content filter configuration to keep the URL filtering system up to date.
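The URL filtering just described, as an added Python example that is not part of the original post or of any router firmware. It shows the two details that matter when implementing such a filter: matching on the real hostname and its parent domains (so subdomains of a blocked site are caught while lookalike names are not), and pulling new entries from a reputation feed. The feed text and all domain names are constructed for the example.

```python
from urllib.parse import urlsplit


class UrlFilter:
    """Domain-based URL filter with an allowlist override and feed-driven updates."""

    def __init__(self, blocked=(), allowed=()):
        self.blocked = {self._norm(d) for d in blocked}
        self.allowed = {self._norm(d) for d in allowed}

    @staticmethod
    def _norm(domain: str) -> str:
        return domain.strip().lower().rstrip(".")

    @staticmethod
    def _suffixes(host: str):
        """Yield the host and every parent domain: a.b.c -> a.b.c, b.c, c."""
        labels = host.split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])

    def update_from_feed(self, feed_text: str) -> int:
        """Add domains from a one-per-line feed ('#' comments and blank lines are
        ignored) and return the number of new entries."""
        before = len(self.blocked)
        for line in feed_text.splitlines():
            entry = line.split("#", 1)[0].strip()
            if entry:
                self.blocked.add(self._norm(entry))
        return len(self.blocked) - before

    def decide(self, url: str) -> str:
        """Return 'allow' or 'block' for a URL.

        The hostname comes from urlsplit(), not from substring matching, so
        'http://bank.example@malicious.test/' is judged by its real host and a
        lookalike such as 'malicious.test.example.org' is not matched. The most
        specific list entry wins, so an allowlisted subdomain of a blocked
        domain stays reachable.
        """
        parts = urlsplit(url if "//" in url else "//" + url)
        host = self._norm(parts.hostname or "")
        if not host:
            return "block"          # fail closed on URLs without a usable host
        for candidate in self._suffixes(host):
            if candidate in self.allowed:
                return "allow"
            if candidate in self.blocked:
                return "block"
        return "allow"


# Constructed reputation feed, not a real threat list.
SAMPLE_FEED = """# constructed feed: one domain per line
malicious.test
ads.tracker-network.test   # malvertising network
"""


if __name__ == "__main__":
    f = UrlFilter(blocked=["known-bad.test"], allowed=["intranet.example.org"])
    print("added from feed:", f.update_from_feed(SAMPLE_FEED))
    for u in ["http://cdn.malicious.test/dl", "https://intranet.example.org/wiki",
              "https://malicious.test.example.org/", "http://bank.example@malicious.test/"]:
        print(f.decide(u), u)
```

In production the feed would be fetched on a schedule from the vendor's database, which is the "dynamic update" the paragraph refers to; the matching logic stays the same.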
Train Your Employees
A single user’s device can be the entry point for a company-wide ransomware attack. Human error ranks at the top of ransomware statistics. It is important to train employees in your organization so that they understand and recognize ransomware threats and infection methods.
By conducting cybersecurity training for employees at your organization, you can reduce malware infections caused by human error and inadvertent breaches, and thereby improve ransomware protection. Tell users not to open suspicious emails, click every link in an email, click ad banners on websites, enable macros when opening documents attached to email messages, run executable files or open other potentially risky content. Provide them with examples of social engineering techniques. Users should use strong passwords and enable two-factor authentication.
If you don’t raise employee awareness about ransomware attacks and cybersecurity threats in general but simply block everything on your side, users can still bypass that protection. For example, employees can use USB flash drives to copy information to and from work computers, connect personal laptops to the organization’s network, and so on. So you should strike a balance between a strict security policy with hard restrictions and employee awareness. Otherwise, a strict security policy can make working processes hard and may interfere with employees’ daily work.
You should also ensure that employees use strong passwords and respect the password change policy. Keep in mind that if complex passwords are changed too often, users usually can’t remember them unless they save these passwords in plain-text files or write them down on sticky notes attached near their computers. This creates the threat of password leaks.
Give users only the permissions they strictly need to do their work, based on the access policy. This means that a regular user must not use domain administrator credentials to write files to a shared folder used by their department. If part of a user’s work is to back up their data, you can create a separate account and a separate backup repository for that user. The principle of least privilege reduces the risk of unauthorized access and improves ransomware protection. Use a dedicated account to access the backup repository where data backups are stored.
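A least-privilege audit over share permissions, as an added example written for this post (not a tool from the original). It encodes the three rules of the paragraph: admin accounts should not be used for ordinary share access, only the dedicated backup account may reach the backup repository, and that account should hold nothing else. All share paths, account names and group memberships are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    share: str      # UNC path of the share
    account: str    # account that holds the permission
    rights: str     # "read" or "write"


# Hypothetical names used throughout the example.
BACKUP_REPOSITORY = r"\\backup01\repo"
DEDICATED_BACKUP_ACCOUNTS = {"svc-backup"}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}


def audit_grants(grants, group_membership):
    """Return least-privilege findings as (account, share, problem) tuples.

    Rules: (1) an account in an admin group should not hold day-to-day share
    permissions; (2) only a dedicated backup account may touch the backup
    repository; (3) the dedicated backup account should hold nothing else, so
    that a compromised workstation login cannot reach the backups.
    """
    findings = []
    for g in grants:
        groups = set(group_membership.get(g.account, ()))
        if groups & ADMIN_GROUPS and g.share != BACKUP_REPOSITORY:
            findings.append((g.account, g.share, "admin account used for ordinary share access"))
        if g.share == BACKUP_REPOSITORY and g.account not in DEDICATED_BACKUP_ACCOUNTS:
            findings.append((g.account, g.share, "non-dedicated account can reach the backup repository"))
        if g.account in DEDICATED_BACKUP_ACCOUNTS and g.share != BACKUP_REPOSITORY:
            findings.append((g.account, g.share, "backup account has permissions outside the repository"))
    return findings


# Constructed directory data: account -> group memberships.
SAMPLE_GROUPS = {
    "alice": ["Domain Users", "Finance"],
    "bob": ["Domain Users", "Domain Admins"],
    "svc-backup": ["Domain Users"],
}

# Constructed share permissions, with the expected verdict in the comments.
SAMPLE_GRANTS = [
    Grant(r"\\files01\finance", "alice", "write"),        # fine: a department share
    Grant(r"\\files01\finance", "bob", "write"),          # rule 1: admin used for daily work
    Grant(BACKUP_REPOSITORY, "bob", "write"),             # rule 2: backups reachable by an admin login
    Grant(BACKUP_REPOSITORY, "svc-backup", "write"),      # fine: the dedicated account
    Grant(r"\\files01\finance", "svc-backup", "read"),    # rule 3: backup account reaches other data
]


if __name__ == "__main__":
    for account, share, problem in audit_grants(SAMPLE_GRANTS, SAMPLE_GROUPS):
        print(f"{account:12} {share:22} {problem}")
```

Rule 2 is the one that matters most for ransomware recovery: if a domain administrator's everyday login can write to the backup repository, an attacker who obtains those credentials can encrypt or delete the backups along with the production data.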