Don’t be a victim: How to reduce the risk of ransomware.

Written by: Jon DiMaggio ✍️

Ransomware is one of the greatest threats companies face today and leads to the loss of sensitive data such as personally identifiable information and intellectual property. Today I want to share several tips on how companies can avoid becoming victims of a ransomware attack. First, however, I want to address an important misconception that many institutions, including Fortune 500 companies, have about ransomware.

Unfortunately, some cybersecurity vendors claim that an organization can avoid ransomware attacks by purchasing and deploying their security solutions. While these solutions absolutely help and do in fact make an organization less vulnerable to ransomware campaigns, they are not foolproof. Organizations can certainly take steps to protect themselves from ransomware attacks, but the reality is that anyone can be hacked and compromised. For example, in the past two years, cyber security giants like Mandiant and Microsoft have fallen victim to hacking campaigns. Those incidents did not involve ransomware; however, the attacker’s objective was similar: to steal sensitive data. To be fair, both of those incidents involved nation-state attackers, but many organizations face similar threats from ransomware adversaries whose motivation is to steal data for financial gain as opposed to espionage.

The truth is there is no shame in falling victim to a cyber attack, as it can happen to anyone. The difference is how an organization responds once they have become a victim. The best approach is to address the situation quickly with direct and transparent messaging about the events that took place. When victim companies attempt to hide the fact they were breached by a ransomware attacker, the situation becomes far worse. For example, organizations, such as Accenture and TransUnion, have attempted to deny that a ransomware attack occurred, when in fact it did occur. When a company tries to conceal the event, a common tactic is to slowly release information paired with their own narrative in an attempt to minimize damage. In the end, the truth always comes out, and the victim organization actually damages its reputation further than if it had addressed it with clarity from the start.

Often, the actual victim is not the company that suffered the attack but the customers and clients whose information is now in the hands of criminals. Addressing these criminal acts quickly and with transparency is an organization's best approach to minimizing the reputational damage after a ransomware attack.

As stated, any organization can become a victim of ransomware, but there are practices companies can adopt to protect themselves and reduce the risk of becoming the next victim.

  1. Minimize and protect all public-facing infrastructure. Attackers often gain access to a targeted company by exploiting its public-facing infrastructure, such as the servers and applications made accessible from the Internet. This infrastructure is often necessary and intended to provide access to an organization's resources for its employees and customers. However, while these services are designed for availability and ease of use, security is often an afterthought.
  2. Companies must ensure they use up-to-date and secure services to prevent this situation. This requires maintaining the resource with current technologies and frequently applying software and security patches as they become available. Further, the organization should audit its public-facing infrastructure to ensure it is adequately maintained and monitored, making it less vulnerable to cyber threats.
  3. Remove all default vendor accounts and passwords present in software and hardware within the organization's infrastructure. Many vendors provide solutions with out-of-the-box credentials to make it easy for customers to access and configure their products and services. However, if the default credentials are not removed prior to use in production environments, an attacker can use them to gain access. This happens more than you think. Even worse, default credentials are publicly available in the vendor's documentation and are accessible from most search engines.
  4. Use endpoint protection to monitor and safeguard your organization's computers, servers, and network-based devices. Endpoint protection, also known as endpoint detection and response (EDR), is like computer antivirus on steroids. EDR solutions monitor for malware, suspicious behavior, and other abnormalities usually present early in an attack. Often these solutions also incorporate human monitoring and threat hunting services. These solutions make an attacker's job much harder and allow for a quick mitigation response before the organization's data is encrypted or stolen.
  5. Back up your critical data. Backup data must be stored off site or logically separated and protected from your corporate network and assets. Most companies either fail to separate backup data or they don’t want to spend the money to do it well. If backup data is easily accessible from your production network, there is a strong possibility the attacker who compromised the production network will also access your backup data, rendering it useless. Back up your vital data, segregate it from your primary systems and networks, and protect it like your company’s livelihood depends on it, because someday, it may.
  6. This is the most important tip I can give. The day you become a victim of ransomware should not be the first time you begin thinking about how to respond to an attack. Having a well-planned, documented and practiced response is critical to controlling damage and reducing the recovery time after an attack. Much like a fire, you don’t want to try and figure out your plan of survival for the first time when you are panicked because you are surrounded by flames. Companies should have a ransomware response plan designed with a course of action. The plan should clearly assign areas of responsibility and map out the course of action you would take during and after a ransomware attack. Most importantly, it should be practiced and rehearsed annually (at a minimum) to ensure its effectiveness.
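As an added illustration of tip 5 (not part of the original article), one way to check that backups are logically separated is to audit firewall rules for any path from the production network into the backup segment. The address ranges, the rule format and the first-match-wins ordering below are constructed assumptions.

```python
import ipaddress

# Constructed sample data: network segments and an ordered rule list (first match wins).
PRODUCTION = ["10.10.0.0/16"]
BACKUP = ["10.99.0.0/24"]
RULES = [
    {"id": 1, "action": "allow", "src": "10.10.5.20/32", "dst": "10.99.0.10/32", "port": 8443},
    {"id": 2, "action": "allow", "src": "10.10.0.0/16", "dst": "10.99.0.0/24", "port": 445},
    {"id": 3, "action": "deny", "src": "10.10.0.0/16", "dst": "10.99.0.0/24", "port": None},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 443},
]

def net(cidr):
    return ipaddress.ip_network(cidr)

def intersect(a, b):
    """Two CIDR blocks either nest or are disjoint; return the narrower one or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def shadowed(earlier, src, dst, port):
    """True if an earlier deny rule fully covers this src/dst/port (port None = all ports)."""
    return any(
        r["action"] == "deny"
        and src.subnet_of(net(r["src"]))
        and dst.subnet_of(net(r["dst"]))
        and r["port"] in (None, port)
        for r in earlier
    )

def exposed_paths(rules, production, backup):
    """List every effective allow path from a production range into a backup range."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        for p in production:
            for b in backup:
                src = intersect(net(rule["src"]), net(p))
                dst = intersect(net(rule["dst"]), net(b))
                if src is None or dst is None or shadowed(rules[:i], src, dst, rule["port"]):
                    continue
                findings.append((rule["id"], str(src), str(dst), rule["port"]))
    return findings

if __name__ == "__main__":
    for rule_id, src, dst, port in exposed_paths(RULES, PRODUCTION, BACKUP):
        print(f"rule {rule_id}: {src} -> {dst} port {port} reaches backup storage")
```

Every reported path deserves review: a single backup agent may be intended, while a broad file-share rule placed ahead of the deny rule leaves the backups reachable from any compromised production host.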

Steve Reitz

8mo

Those are all valid points but unless I missed it, the one key vulnerability to any network, that attackers can use no matter what hardware and software is in place to prevent and protect it, is the human element. No amount of protection can keep a network safe if the people using it aren’t properly trained to recognize what different attacks look like and how to protect a network on the human level as well and prevent those attacks from succeeding. Nothing is ever going to be 100% foolproof, but supplementing everything listed with a robust training and awareness program is the best thing you can do to protect your network from ransomware and other attacks.