How to create a ransomware defense strategy

As cybercriminals grow more and more sophisticated, the imperative for businesses to develop a robust ransomware defense strategy has never been greater. In 2023, ransomware attacks impacted 72 percent of organizations globally, and almost 75 percent of those affected paid the ransom – often due to a lack of backup data and no other way to recover data.

Ransomware protection is a major concern for enterprises across all industries, as cybercriminals constantly develop new ways to breach established defenses. To limit current threats and ensure a prompt and thorough recovery in the event of an attack, we’ll break down the most prevalent vulnerabilities that companies face and go through the essential elements for developing a comprehensive ransomware defense strategy.

Common ways companies are exposed to ransomware

Unpatched systems and network vulnerabilities

When companies delay patching their systems, they create an open door for attackers. When bad actors breach a network, they can implant malicious software, often ransomware, into a victim’s computer or mobile device. Securing endpoints is crucial, as a single vulnerable endpoint can spread infection throughout the entire network.

Compromised credentials

Credential theft quickly elevates an external threat to an internal one. Without additional safeguards, an attacker armed with stolen credentials gains unfettered access to critical data.

Various attack vectors enable hackers to breach networks. Traditional approaches like password spraying and brute-force attacks remain prevalent. However, social engineering tactics, such as phishing, are becoming increasingly common.

Cyberattacks can be complex. For instance, attackers recently employed a two-stage social engineering campaign. First, they targeted Twitter/X employees who had access to internal systems and compromised their credentials. Then, they posed as the owners of high-profile accounts, promising their followers that any Bitcoin sent to them would be doubled and returned to the user.

Phishing

Phishing is a fraudulent scheme in which hackers send deceptive emails aiming to trick recipients into downloading malware-infected documents or files, disclosing personal information, or making payments. These emails are designed to appear authentic, often mimicking trusted individuals or organizations familiar to the victim.

How to develop your ransomware defense strategy

1. Document security and recovery plans and policies

A ransomware recovery plan is an organizational strategy used to combat the immediate threat of ransomware. It typically includes a response team, directions to recover data from backups, and communication plans to make sure all affected are informed. It’s vital for every organization to establish a solid ransomware recovery defense and plan, as a slow response can lead to significant financial and reputational loss.

A detailed ransomware defense strategy should have multiple components outlined so each area can be executed quickly by all those involved. Here’s an example:

Overview

  • Purpose: Explain the purpose of the plan, which is to provide a structured response to ransomware attacks to minimize damage and recover systems efficiently.
  • Scope: Define the scope, including which systems, locations, and organizational units the plan covers.

Roles and responsibilities

  • Incident Response Team (IRT): Identify key members of staff and their respective roles, such as IT staff, management, legal advisors, and communications officers.

Communication plan

  • Internal communication: Define how to communicate with employees when systems are down. Include guidelines for using alternative communication methods like personal emails, phones or messaging apps.
  • External communications: Plan for notifying customers, partners and stakeholders. Include templates for press releases, approved social media posts and customer notifications.
  • Law enforcement: Establish protocols for when and how to involve law enforcement.
  • Regulatory bodies: Identify any regulatory bodies that need to be informed in case of a data breach.

Immediate response actions

  • Detection and analysis: Describe the steps to detect ransomware and analyze the extent of the infection.
  • Containment: Outline immediate actions to contain the spread, such as isolating infected systems from the network.
  • Notification: Detail the process for notifying the Incident Response Team and other key personnel.

System recovery prioritization

  • Critical systems identification: List and categorize systems and data by their criticality (e.g., Tier 0, Tier 1, etc.).
      • Tier 0 (Mission-Critical Assets): Systems that are essential for basic operations (e.g., financial systems, customer databases, Active Directory).
      • Tier 1 (High-Priority Assets): Important systems that support key business functions.
      • Tier 2 (Moderate-Priority Assets): Systems that support less critical operations.
  • Recovery steps: Detail the steps to restore each tier, starting with Tier 0 assets. Include dependencies and estimated recovery times.
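
As an added illustration (not part of the original article), the sketch below turns a tiered inventory with dependencies and estimated recovery times into a restore order, and flags dependencies that were documented in a lower-priority tier than the asset that needs them. The asset names, tiers, hours and the serial-restore assumption are all constructed for the example.

```python
from graphlib import TopologicalSorter  # standard library, Python 3.9+

# Constructed sample inventory: asset -> (tier, estimated restore hours, dependencies)
ASSETS = {
    "active-directory": (0, 4.0, []),
    "dns":              (0, 1.0, []),
    "customer-db":      (0, 6.0, ["active-directory", "dns"]),
    "finance-app":      (0, 3.0, ["customer-db", "license-server"]),
    "license-server":   (2, 1.0, ["active-directory"]),
    "intranet":         (1, 2.0, ["active-directory"]),
}

def _graph(assets):
    return {name: set(deps) for name, (_, _, deps) in assets.items()}

def tier_inversions(assets):
    """(asset, dependency) pairs where the dependency sits in a lower-priority tier."""
    return sorted((name, dep) for name, (tier, _, deps) in assets.items()
                  for dep in deps if assets[dep][0] > tier)

def effective_tiers(assets):
    """Promote each dependency to the most urgent tier of anything that needs it."""
    graph = _graph(assets)
    eff = {name: tier for name, (tier, _, _) in assets.items()}
    order = list(TopologicalSorter(graph).static_order())  # CycleError on circular deps
    for name in reversed(order):            # dependents before their dependencies
        for dep in graph[name]:
            eff[dep] = min(eff[dep], eff[name])
    return eff

def restore_plan(assets):
    """Serial restore order as [(asset, cumulative hours)], dependencies always first."""
    eff = effective_tiers(assets)
    ts = TopologicalSorter(_graph(assets))
    ts.prepare()
    plan, clock, ready = [], 0.0, list(ts.get_ready())
    while ready:
        ready.sort(key=lambda n: (eff[n], n))   # most urgent ready asset next
        asset = ready.pop(0)
        clock += assets[asset][1]
        plan.append((asset, clock))
        ts.done(asset)
        ready.extend(ts.get_ready())
    return plan

if __name__ == "__main__":
    print("tier inversions:", tier_inversions(ASSETS))
    for asset, hours in restore_plan(ASSETS):
        print(f"{hours:5.1f}h  {asset}")
```

In the sample, the Tier 2 license server is restored ahead of the Tier 1 intranet because a Tier 0 application cannot start without it; the inversion list is the prompt to correct the tier assignment in the written plan.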

Data backup and restoration

  • Backup strategy: Define the backup strategy, including frequency, types of backups (full, incremental, differential), and storage locations.
  • Backup testing: Regularly test backups to ensure data integrity and quick restoration. Schedule tests at least quarterly.
  • Restoration procedures: Provide step-by-step instructions for restoring data from backups.

Decryption and data recovery

  • Decryption tools: List available decryption tools and resources.
  • Data recovery services: Identify third-party data recovery services and contact information.

Testing and drills

  • Plan testing: Schedule regular testing of your ransomware recovery plan, at least bi-annually.
  • Simulated attacks: Conduct simulated ransomware attacks to test the effectiveness of the plan and the readiness of the response team.
  • Review and improvement: After each test or actual incident, review the response and recovery process to identify areas that can be improved.

Documentation and reporting

  • Incident documentation: Maintain detailed records of the incident, including the nature of the attack, response actions taken, and recovery outcomes.
  • Post-incident review: Conduct a thorough review post-incident to evaluate the response and update the recovery plan accordingly.
  • Reporting: Prepare reports for internal review and, if necessary, for external stakeholders or regulatory bodies.

Legal and regulatory considerations

  • Compliance requirements: Verify that the recovery plan aligns with industry regulations and legal requirements.
  • Legal counsel: Include contact information for legal advisors to consult during and after an incident.

Preventative measures and improvements

  • Security enhancements: Detail security measures to prevent future attacks, such as patch management, network segmentation, and endpoint protection.
  • Employee training: Regularly train employees on cybersecurity awareness and phishing detection.
  • Policy updates: Review and update security policies regularly to address new threats.

Other items

  • Contact lists: Comprehensive contact information for internal team members, external partners, law enforcement and regulatory bodies.
  • Resource inventory: List of tools, software and hardware required for recovery.
  • Templates and forms: Pre-prepared templates for incident reports, communication and documentation.

2. Train employees

Require your employees to take regular security training courses and make sure that the training includes some strong advice on how to recognize the different forms of attacks that come in via email, which is predominantly the way that ransomware gets into organizations. Training will enable your users to spot potentially dangerous actions, for example, spotting a phishing email with the following common elements:

  • Incorrect web addresses, slightly different from the real one
  • A message that requires an urgent response, often about a financial or penalty issue
  • A link or button in the email that directs to a website designed to capture a user’s credentials

Nowadays, many companies are adopting the concept of red teaming. Having a red team entails sending phishing emails internally and seeing which users are clicking on these links.

3. Implement multi-factor authentication (MFA)

Multi-factor authentication (MFA) is an authentication method that requires a user to provide two or more verification factors to gain access. This is a critical aspect of identity and access management and strong security that makes it much harder for threat actors to compromise accounts with stolen credentials alone.

Implementing MFA can significantly hinder an attacker trying to breach the backup console to modify your policies and jobs or delete existing backups. Even if attackers manage to obtain usernames and passwords through phishing or other means, they still need the second factor of authentication, such as a physical token or a mobile device, to gain access. This greatly reduces the risk of successful attacks.

If your backup repositories reside on systems that are run from other consoles, MFA is valuable there, too. Using a separate provider for access to your backup storage adds another layer of protection. With multiple layers to your ransomware defense strategy, your organization can better withstand and respond to intrusions.

4. Secure your endpoints

Today’s organizations have more endpoints in their environments than ever before, many of which remain poorly secured or unsecured. While enterprises have made significant strides to secure desktops and laptops, many devices still remain vulnerable. The rapid increase in the number and types of devices used within businesses, including desktops, laptops, smartphones, tablets, and IoT devices, makes it challenging to secure all endpoints consistently.

To strengthen your security posture, monitor the programs and assets installed by your users. Make sure all users are educated on safe browsing habits and the importance of not installing unauthorized software. Automate the patching process to keep all endpoints updated with the latest security updates. Unpatched systems are vulnerable to known exploits, and the manual process of updating can be time-consuming and prone to oversight.

5. Patch vulnerabilities and keep systems up to date

While software vulnerability exploits may not be as widespread as phishing and RDP attacks due to their complexity, their impact can be just as devastating. Misconfigured, outdated and unpatched software are primary culprits behind these vulnerabilities that hackers exploit. Given that organizations typically take 97 days to fully deploy patches, it’s no surprise that software vulnerability exploits rank among the top three ransomware attack vectors.

Even systems deemed less critical, such as print servers, require diligent maintenance to mitigate risks. Neglecting to patch or update them could make them vulnerable to exploitation, potentially serving as entry points for attackers. Automation is key to efficiently managing these tasks, reducing the risk of human error. For virtual environments, employing pre-configured templates that include necessary patching agents streamlines the process and enhances an organization’s security posture.

6. Limit user access and privileges

Limiting access to the backup console and repositories is always a best practice in a ransomware defense strategy. To accomplish this, consider creating more than one backup admin role and assigning non-overlapping privileges and responsibilities to each role.

For instance, you could assign backup job creation, retention policies and reporting to different admins. We call this role-based access control (RBAC). With all the business data in the backup system, access segregation is critical.

Those who need to access the backup system on a regular basis must have granular privileges assigned. Multiple users, each with the correct privileges set, can then be tracked with an audit trail. The audit trail will help when you come to an incident review, showing who is using, accessing, or restoring data and when. This way, access can be granted to areas of the backup system that are pertinent to the user’s normal role without requiring full administrative access.
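
The following added example (not from the original article or any backup product) checks a role model for the properties described above: roles whose privileges overlap, people who hold more than one admin role, and audit-trail entries that the role model does not explain. Role names, privilege names, users and log entries are hypothetical and constructed for the example.

```python
from itertools import combinations

# Constructed sample data; role and privilege names are hypothetical.
ROLES = {
    "job-admin":       {"job.create", "job.edit"},
    "retention-admin": {"retention.edit", "backup.delete"},
    "report-admin":    {"report.view", "job.edit"},   # shares job.edit with job-admin
}
ASSIGNMENTS = {
    "alice": {"job-admin"},
    "bob":   {"job-admin", "retention-admin"},         # one person, two roles
    "carol": {"report-admin"},
}
# Constructed audit trail: (timestamp, user, privilege exercised, target)
AUDIT = [
    ("2024-05-01T09:12:00Z", "alice", "job.create",     "nightly-sql"),
    ("2024-05-01T23:40:00Z", "carol", "backup.delete",  "nightly-sql"),
    ("2024-05-02T08:05:00Z", "bob",   "retention.edit", "policy-30d"),
]

def overlapping_roles(roles):
    """Role pairs whose privilege sets intersect, with the shared privileges."""
    return {(a, b): roles[a] & roles[b]
            for a, b in combinations(sorted(roles), 2) if roles[a] & roles[b]}

def multi_role_users(assignments):
    """Users holding more than one admin role, which recombines split duties."""
    return {user: sorted(held) for user, held in assignments.items() if len(held) > 1}

def unexplained_actions(audit, roles, assignments):
    """Audit entries using a privilege none of the user's assigned roles grants."""
    flagged = []
    for ts, user, privilege, target in audit:
        granted = set().union(*(roles[r] for r in assignments.get(user, ())))
        if privilege not in granted:
            flagged.append((ts, user, privilege, target))
    return flagged

if __name__ == "__main__":
    print("overlapping roles:", overlapping_roles(ROLES))
    print("multi-role users:", multi_role_users(ASSIGNMENTS))
    print("unexplained actions:", unexplained_actions(AUDIT, ROLES, ASSIGNMENTS))
```

An unexplained entry means either that a privilege was granted outside the documented roles or that the account was used in a way its owner's job does not call for; both are worth raising at an incident review.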

7. Back up data properly

Apply the 3-2-1 rule

A fundamental IT principle warns that having just one or two backups isn’t foolproof because of the likelihood of failure. Hence, the 3-2-1 backup strategy was devised:

  • Keep 3 copies of data
  • Store 2 copies locally on different types of media
  • Store 1 copy offsite, such as in the cloud, at a remote site, or on tape

This strategy mitigates risk by ensuring redundant copies are available for restoration in the event of a disaster. Implementing the 3-2-1 strategy is a necessary part of data protection. While it might seem cost-effective to bypass this strategy, doing so risks losing a valuable backup when disaster strikes.

Encrypt backups

Regardless of whether data is stored conventionally or in an immutable format, ransomware can still access and copy it. Encrypting backups, both during transmission and while at rest, provides an additional layer of defense against ransomware and reduces the likelihood of hackers comprehending the stored data.

Encrypting data significantly complicates cybercriminals’ attempts to read or misuse backup information.

Just a few years ago, it was common practice to encrypt only offsite backups, assuming local backups were safe since they remained within the network. However, current best practices dictate that all backups, whether onsite or in the cloud, during transit or at rest, should be encrypted.

Back up Active Directory

Active Directory (AD) is a database and suite of services where users can access network resources they require to perform their work. Backing up Active Directory is crucial for recovering it in the event of a ransomware attack or other disaster. Regardless of whether you need to recover a single object, attribute, or domain controller, or perform complete disaster recovery of an entire forest, AD backups are essential.

It’s important to note that AD backups differ from operating system state backups. While operating system state backups cover the entire operating system, AD backups specifically focus on the components of Active Directory. AD backups include several domain controller components from Active Directory, such as the NTDS directory, SYSVOL (which houses logon scripts and Group Policies) and registry elements related to Active Directory.

Ensure backups are immutable

Immutable storage protects backup data from ransomware attacks by preventing any changes, deletions, or encryption attempts. This ensures the integrity of backups and shields them from unauthorized alterations.

Store a duplicate of your backup data in WORM (Write-Once Read-Many) storage, also recognized as immutable backup storage. This storage type prevents modifications or deletions of data, contributing to your recovery efforts. While you can establish a deletion date as part of your data retention policy, once data is written to WORM media, it becomes impervious to ransomware attempts to edit, delete, or encrypt it.

Air gap your backups

An air-gap backup involves storing your backup data on removable media that is physically disconnected from your network. These backups enable data to be kept offsite and create a separation between your production data and backup data. This isolation prevents ransomware from infecting your backup during an attack.

However, air gapping backups is neither elegant nor cost-effective for backup or recovery. It can significantly slow down recovery from a ransomware attack, as retrieving, transporting, mounting, and reading the data takes considerable time. Having a ransomware defense strategy that incorporates a combination of backup strategies, including both online and air-gapped backups, ensures both security and faster recovery times when needed.

Back up data continuously

Administrators can restore systems to a former state by using continuous data protection (CDP), which backs up any modified data and keeps a log of changes to the data. Frequent, full backups are key to enable quick recovery following a ransomware attack. For the best protection, it’s advisable to schedule backups daily to capture any changes, updates, or additions. Without regular, full backups, you’ll prolong recovery times and fail to meet recovery point objectives (RPOs).

A recent full backup that allows you to restore to a point in time where your systems were secure is necessary for a successful recovery.
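
The backup practices in this section can be checked mechanically against an inventory of backup copies. The added example below (not from the original article or any vendor tool) audits each dataset against the 3-2-1 rule as stated above, plus encryption of every copy, at least one immutable copy, and a newest backup no older than one day. The inventory format, field names and sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

class Copy(NamedTuple):
    dataset: str
    location: str      # "local" or "offsite"
    media: str
    encrypted: bool
    immutable: bool
    taken: str         # ISO 8601 timestamp with UTC offset

# Constructed inventory, one row per backup copy.
COPIES = [
    Copy("crm-db", "local", "disk", True, False, "2024-05-02T01:00:00+00:00"),
    Copy("crm-db", "local", "tape", True, False, "2024-05-01T01:00:00+00:00"),
    Copy("crm-db", "offsite", "cloud-worm", True, True, "2024-05-02T02:00:00+00:00"),
    Copy("file-share", "local", "disk", True, False, "2024-04-29T01:00:00+00:00"),
    Copy("file-share", "local", "disk", True, False, "2024-04-28T01:00:00+00:00"),
    Copy("file-share", "offsite", "cloud", False, False, "2024-04-29T03:00:00+00:00"),
]
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

def audit_backups(copies, now, max_age=timedelta(hours=24)):
    """Return {dataset: [findings]}; an empty list means every check passed."""
    by_dataset = defaultdict(list)
    for c in copies:
        by_dataset[c.dataset].append(c)
    report = {}
    for dataset, rows in sorted(by_dataset.items()):
        local_media = {c.media for c in rows if c.location == "local"}
        newest = max(datetime.fromisoformat(c.taken) for c in rows)
        checks = [
            (len(rows) >= 3, "fewer than 3 copies"),
            (len(local_media) >= 2, "local copies not on 2 different media types"),
            (any(c.location == "offsite" for c in rows), "no offsite copy"),
            (all(c.encrypted for c in rows), "unencrypted copy present"),
            (any(c.immutable for c in rows), "no immutable (WORM) copy"),
            (now - newest <= max_age, "newest backup older than max_age"),
        ]
        report[dataset] = [msg for ok, msg in checks if not ok]
    return report

if __name__ == "__main__":
    for dataset, findings in audit_backups(COPIES, NOW).items():
        print(dataset, "OK" if not findings else findings)
```

The sample file share has three copies and an offsite copy, so a simple copy count would pass it; the audit still reports four gaps that would matter during a ransomware recovery.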

Conclusion

Guaranteeing that your business will never suffer a successful ransomware attack is impossible. What is eminently possible, however, is investing in a multi-layered ransomware defense strategy – including not just technological defenses, but also practices like employee training and testing.

But even if those defenses are defeated, performing recurring backups is the most important anti-ransomware practice organizations can adopt – it’s truly your last line of defense. In the face of a successful attack, backups are the only way to restore business operations without paying threat actors.

A comprehensive ransomware defense strategy provides resilience and quick recovery, minimizing any negative impact to your business operations. Proactive measures today can save your organization from significant losses down the line.

About the Author

Adrian Moir

Adrian Moir is a Technology Strategist at Quest Software with a background in electrical and electronic engineering, and over 30 years’ experience working in the IT industry throughout both corporate and channel-based businesses. In recent years, Adrian has worked within the Information and Systems Management business at Quest with a focus on Data Protection products, driving the technology portfolio strategy and working as a product evangelist. Before this, as the EMEA Pre-Sales Manager for the Dell Software Data Protection team and EMEA Technical Director for BakBone Software, Adrian ensured delivery of presales activities throughout the region.
