By Michael Fimin, CEO and co-founder of Netwrix, the provider of visibility platform for user behavior analysis and risk mitigation in hybrid environments
According to the Verizon 2017 Data Breach Investigations Report (DBIR), ransomware was the top malware variant in Crimeware category in 2016. That trend is likely to hold this year. For example, the headline-making WannaCry ransomware attack, which will probably be marked as one of the greatest cyber attacks of the year, hit over 150 countries and affected hundreds of thousands of organizations worldwide.
Although the WannaCry attack seems to be contained, its success has inspired other hackers to jump on the bandwagon and develop viruses with similar impact. The latest example is the new strain of ransomware dubbed “Petya,” which uses the same EternalBlue exploit that WannaCry used to infect its victims.
Although researchers and industry experts offer many best practices for defending against ransomware attacks, practice shows that there’s no silver bullet against this threat. IT pros are more than familiar with backups, whitelisting and patch management — but these measures cannot guarantee that one day you won’t lose any of your critical data. So what else can you do to minimize the chance of being the next victim of ransomware?
- Seek support from senior management
- Develop a strategy to fight back
After getting executive buy-in, it’s time to start developing a coherent strategy that will enable your organization to quickly discover attacks in progress and limit their impact on your systems, operations and data. In order to withstand a ransomware attack, you need to focus on two key aspects: realizing that you have been hit by ransomware ASAP, and finding out where the attack originates from so you can disconnect this “patient zero” from the network to stop the spread of the attack. This will give you time for further investigations and help minimize the damage.
It is important to keep in mind that the growing sophistication of attacks and new evasion techniques combine to make detection of ransomware extremely challenging. Instead of phishing, which can be detected at early stages, hackers now widely exploit vulnerabilities in critical systems to infect numerous computers on the same network in a short period of time.
Therefore, rather than relying solely on common threat detection techniques, you need to also take steps to minimize the damage that an undetected ransomware attack can do. Here are key best practices that will help:
Limit user privileges — Continuous enforcement of the least-privilege principle will minimize ransomware’s ability to cripple your files via employees’ accounts. Therefore, grant access rights to modify files in strict accordance with employees’ duties.
Segment your network — Segregate your network into different zones with unique access to each. By logically regrouping network assets, resources and applications (e.g., separating accounting, sales and IT groups), and prohibiting internet access for areas that don’t need it, you will be able to limit the volume of resources that malware can access and remediate security issues more quickly.
Back up in read-only mode — Make regular backups of all your sensitive data and store copies offline in secure storage. Make sure that your backup process works automatically under a separate account, and that no one (including system administrators) has any right to modify or delete a backup copy, since some ransomware variants are smart enough to encrypt every backup they are able to locate.
Never pay the ransom — Although you may be tempted to pay the ransom, it’s never a good idea. First, there’s no guarantee that you’ll get your data back; in some cases, decryption keys are neither stored nor sent anywhere. Second, once you’ve been identified as someone who will pay, criminals will keep attacking you and demanding more ransom. Instead, check the name of the ransomware, as it may be a well-known virus that has been already cracked by IT professionals. If not, look for other recovery tools or restore from your own backups.
- Gain visibility into user activity to detect an attack in progress
To substantially reduce the damage a ransomware attack can do, keep a close watch on what’s going on across your entire network. There are threat patterns that indicate a possible ransomware attack in progress — such as excessive file modifications in a short period of time, and a spike in failed access or modification attempts above your usual baseline. Deep visibility into user activity will enable you to detect anomalous behavior like this, block the attack and start investigating before hackers inflict serious harm. It will also help you identify affected files more quickly to optimize the data recovery process.
To learn more about how to reduce the damage from crypto-ransomware, please visit: https://www.netwrix.com/encryption_ransomware_threat.html