What steps should businesses take for ransomware protection?
1. Ensure antivirus is installed and up to date across all endpoints within the business. Keep in mind, AV is based on signatures so new variants may and will slip through the cracks, but this could easily be a first line of defense. Additionally, it’s best to have a multi-faceted security solution that employs additional protective technologies such as heuristics, firewalls, behavioral-based threat prevention, etc. Digital Guardian offers an ‘Advanced Threat Prevention’ module that contains a suite of protection rules against ransomware based on how it behaviorally interacts on the operating system.
2. Establish security awareness campaigns that stress the avoidance of clicking on links and attachments in email. I literally ask myself these questions when receiving an email message with a link or an attached file: 1) Do I know the sender? 2) Do I really need to open that file or go to that link? 3) Did I really order something from FedEx?? Phishing is a common entrance vector for ransomware and because most end users never think twice, it’s extremely successful.
3. Backup the data. There are a ton of options here, from backing up to cloud providers to local storage devices or even network attached drives, but each comes with a certain level of risk. It’s imperative to remove the external storage device once a backup has been taken so that if ransomware does infect the computer, it won’t be able to touch the backup.
4. GPO restrictions are an easy and affordable method for preventing not only ransomware, but malware in general, from installing. GPO has the ability to provide granular control over the execution of files on an endpoint, so you can add rules that block activity such as files executing from the ‘AppData’ directory, or even disable the ability for executables to run from attachments.
5. Patching commonly exploited third-party software such as Java, Flash, and Adobe will undoubtedly prevent many of these types of attacks from even being successful in the first place.
6. Restrict administrative rights on endpoints. I know this is of course a highly political and even cultural request to make, however reducing privileges will reduce the attack surface significantly.
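To make the email self-check in item 2 concrete, here is an added example (written for this page; it is not part of the original answer and not code from any product mentioned on it) that applies the same three questions to a raw message: does the reply really go back to the claimed sender, and does the attachment or link deserve to be opened? The message contents, the example.com and .invalid domains and the 203.0.113.7 address are constructed sample values, and the extension lists are illustrative assumptions rather than a complete policy.

```python
import email
import email.policy
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Attachment types that commonly carry ransomware droppers (executables, scripts,
# macro-enabled Office documents). Illustrative assumption, not an exhaustive list.
RISKY_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "hta", "docm", "xlsm", "iso", "lnk"}
# Benign-looking extensions used to disguise the real one ("label.pdf.exe").
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def domain_of(address: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host.tld>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address or "")
    return m.group(1).lower() if m else ""


def triage_email(raw: str) -> list:
    """Return human-readable indicators found in a raw RFC 822 message.

    Each indicator answers one of the questions above: who is the sender really
    (Reply-To pointing elsewhere), and do I need to open this file or follow this
    link (risky or disguised attachments, link text that misstates its target).
    """
    msg = email.message_from_string(raw, policy=email.policy.default)
    indicators = []

    # 1. Does a reply go back to the domain the mail claims to come from?
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        indicators.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    for part in msg.walk():
        # 2. Attachments: risky types and double extensions.
        name = part.get_filename()
        if name:
            pieces = name.lower().split(".")
            ext = pieces[-1] if len(pieces) > 1 else ""
            if ext in RISKY_EXTENSIONS:
                indicators.append(f"risky attachment type: {name}")
            if len(pieces) >= 3 and pieces[-2] in DECOY_EXTENSIONS and ext in RISKY_EXTENSIONS:
                indicators.append(f"disguised double extension: {name}")
        # 3. Links whose visible text names a different host than the real target.
        if part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                shown = urlparse(text.strip()).hostname if "://" in text else None
                actual = urlparse(href).hostname
                if shown and actual and shown.lower() != actual.lower():
                    indicators.append(f"link text shows {shown} but points to {actual}")
    return indicators


def build_sample(suspicious: bool) -> str:
    """Constructed sample message; example.com, .invalid and 203.0.113.0/24 are reserved
    documentation values, so nothing here refers to a real sender or site."""
    m = EmailMessage()
    m["From"] = "Parcel Service <notices@example.com>"
    m["To"] = "alice@example.com"
    m["Subject"] = "Your parcel could not be delivered"
    m.set_content("Please see the attached shipping label.")
    if suspicious:
        m["Reply-To"] = "support@parcel-tracking.invalid"
        m.add_alternative(
            '<p>Track it at <a href="http://203.0.113.7/track">https://shipping.example.com/track</a></p>',
            subtype="html",
        )
        # A tiny placeholder body standing in for an executable attachment.
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                         filename="label.pdf.exe")
    return m.as_string()


if __name__ == "__main__":
    for flag in (False, True):
        print("suspicious" if flag else "clean", triage_email(build_sample(flag)))
```

These are content heuristics only; a mail gateway would combine them with SPF, DKIM and DMARC results and with attachment detonation, and a user-facing tool would surface the indicators as the questions above rather than as a verdict.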
"If a business wishes to protect itself against ransomware, it needs to focus on..."
Both technological solutions and, more importantly, its people. One of the most important defenses against ransomware is to have a robust backup strategy in place that includes off-site storage and regular testing of images and other saved data to ensure their integrity.
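An added example of the "regular testing" this answer calls for (written for this page, not taken from the person quoted): a manifest of SHA-256 hashes is recorded when a backup is taken and verified later, so a backup set that ransomware has reached (files overwritten in place or renamed) is detected before anyone relies on it for recovery. The three files and the tampering are constructed in a temporary directory, and the manifest location and file names are assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX separators) to its hash and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against the manifest taken when the backup was made."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def is_restorable(report: dict) -> bool:
    """A backup is only trustworthy if every file listed in the manifest is intact."""
    return not report["modified"] and not report["missing"]


def run_demo() -> dict:
    """Build a constructed backup, record its manifest, damage it, and verify."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        backup = work / "backup"
        samples = {  # constructed sample backup contents
            "docs/report.txt": b"Q1 report\n",
            "docs/budget.csv": b"item,cost\nlaptop,900\n",
            "notes/todo.txt": b"rotate offline media\n",
        }
        for rel, data in samples.items():
            f = backup / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        # The manifest lives outside the backup tree; in practice it belongs on
        # offline or write-once media so that malware on the host cannot rewrite it.
        manifest_path = work / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))
        # Simulate the two traces an infection leaves: one file overwritten with
        # unreadable bytes, one renamed to an extension the backup never contained.
        (backup / "docs/report.txt").write_bytes(os.urandom(64))
        (backup / "docs/budget.csv").rename(backup / "docs/budget.csv.locked")
        return verify_backup(backup, json.loads(manifest_path.read_text()))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result, indent=2))
    print("restorable:", is_restorable(result))
```

The verification step is what turns "we have backups" into "we can restore": run it on a schedule against media that is disconnected between backup runs, and treat any modified or missing entry as a signal that the backup, not just the endpoint, was reached.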

Defense In Depth

Protecting yourself from intrusions and attacks requires securing your main layers of defense by utilizing Security Awareness Training and antivirus/anti-phishing software. If you consider a computer network (even a simple one, like your home computer) to consist of a series of layers that any malware or virus needs to penetrate, the outermost layer would consist of your users themselves. After all, it takes a user's interaction to initiate or allow a network intrusion. Only AFTER a user has clicked or visited a malicious link/site will your secondary and tertiary layers (firewalls and antivirus) come into play. Thus, the very first layer you will need to harden is that of the human operator. It is only in recent years that the importance of this layer of security has come to be recognized. In the past, software was relied upon as a catch-all for these types of situations. Software by itself is no longer enough; users must be trained to prevent such attacks from happening in the first place.

HOW DOES A RANSOMWARE ATTACK WORK?

The steps below are a simplified view of how a ransomware attack infects a network within an organization:
• Step 1: A threat actor sends an email carrying a malicious attachment or link.
• Step 2: The email bypasses the spam filter and lands in the user's inbox.
• Step 3: The user receives the malicious email and clicks the link or downloads the attachment.
• Step 4: The antivirus fails to block the threat.
• Step 5: The malware (XYZ.exe) is delivered and its payload is executed on the user's machine.
• Step 6: The victim's files are encrypted by the malware.
• Step 7: A ransom note is displayed, typically demanding payment in untraceable bitcoin.
• Step 8: The attackers move laterally across the organization to spread the malware and maximize the impact of the attack.

Once data has been encrypted in this way, the only way to access it is with the corresponding decryption key. Cybercriminals take advantage of this fact by infecting target machines with malware. One of the most common ways of doing so is through spear-phishing emails. For example, an email with an attached Microsoft Word document will use Word macros (or other means) to download and execute the ransomware.

How Do You Prevent & Protect Against Ransomware Attacks?
By the time the ransom message pops up on a machine, it is too late to save the system. Taking steps in advance can help to protect against and prevent a ransomware attack from occurring in the first place.

User Education and Training
Many malware types, including ransomware, are spread via phishing and other social engineering attacks. Training users to recognize these threats can decrease risk of infection.

Automated Backups
Ransomware attacks force targets to pay for access to encrypted files. If recent backups exist, there is no reason to pay the ransom.

Minimize Attack Surface
Malware commonly takes advantage of existing vulnerabilities, insecure services (like RDP), and tools like PowerShell. Keeping vulnerabilities patched, antivirus updated, and unnecessary services disabled reduces the attack surface.

Incident Response Plan
In the wake of a ransomware attack, responding rapidly and correctly is essential. Having a plan in place ensures that the IT/security team properly handles a potential incident.

Endpoint Monitoring and Protection
Identifying ransomware infections early can make it possible to terminate the attack before too much damage is done. Endpoints should have monitoring solutions in place and the ability to automatically terminate potential infections.
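As an added illustration of endpoint monitoring (example code written for this page, not from any vendor or from the original article): a detector reads file-activity log lines, tracks per-process renames that change a file's extension, and raises an alert once one process has renamed many files across several directories within a short window, which is the pattern Step 6 above produces on disk. The log format, the process names and paths, and the thresholds are assumptions; the sample log is constructed; and the containment command is returned as a string rather than executed.

```python
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, one file event per line (constructed for this example).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) '
    r'path="(?P<path>[^"]+)"(?: new="(?P<new>[^"]+)")?$'
)

RENAME_THRESHOLD = 6            # extension-changing renames by one process ...
WINDOW = timedelta(seconds=10)  # ... within this window ...
MIN_DIRS = 2                    # ... touching at least this many directories

# Constructed sample: one legitimate save-as by Word, one photo rename by the
# user, and a process that sweeps three folders appending ".locked".
SAMPLE_LOG = r"""
2024-05-01T10:00:00Z pid=1200 proc=WINWORD.EXE op=WRITE path="C:\Users\alice\Documents\draft.docx"
2024-05-01T10:00:01Z pid=1200 proc=WINWORD.EXE op=RENAME path="C:\Users\alice\Documents\~WRD0001.tmp" new="C:\Users\alice\Documents\draft.docx"
2024-05-01T10:00:02Z pid=4321 proc=updater.exe op=RENAME path="C:\Users\alice\Documents\q1.xlsx" new="C:\Users\alice\Documents\q1.xlsx.locked"
2024-05-01T10:00:03Z pid=4321 proc=updater.exe op=RENAME path="C:\Users\alice\Documents\plan.docx" new="C:\Users\alice\Documents\plan.docx.locked"
2024-05-01T10:00:03Z pid=900 proc=explorer.exe op=RENAME path="C:\Users\alice\Pictures\img1.jpg" new="C:\Users\alice\Pictures\holiday1.jpg"
2024-05-01T10:00:04Z pid=4321 proc=updater.exe op=RENAME path="C:\Users\alice\Pictures\img2.jpg" new="C:\Users\alice\Pictures\img2.jpg.locked"
2024-05-01T10:00:05Z pid=4321 proc=updater.exe op=RENAME path="C:\Users\alice\Pictures\img3.jpg" new="C:\Users\alice\Pictures\img3.jpg.locked"
2024-05-01T10:00:06Z pid=4321 proc=updater.exe op=RENAME path="C:\Users\alice\Desktop\notes.txt" new="C:\Users\alice\Desktop\notes.txt.locked"
2024-05-01T10:00:07Z pid=4321 proc=updater.exe op=RENAME path="C:\Users\alice\Desktop\budget.csv" new="C:\Users\alice\Desktop\budget.csv.locked"
2024-05-01T10:00:08Z pid=4321 proc=updater.exe op=RENAME path="C:\Users\alice\Desktop\todo.md" new="C:\Users\alice\Desktop\todo.md.locked"
""".strip().splitlines()


def parse_line(line: str):
    """Parse one event; returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_mass_rename(lines) -> list:
    """Return one alert per process whose extension-changing renames exceed the
    threshold inside the sliding window and span several directories."""
    history = defaultdict(deque)  # pid -> deque of (timestamp, directory, new extension)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] != "RENAME" or not ev["new"]:
            continue
        old_ext = ntpath.splitext(ev["path"])[1].lower()
        new_ext = ntpath.splitext(ev["new"])[1].lower()
        if old_ext == new_ext:
            continue  # renaming within the same extension is ordinary user activity
        q = history[ev["pid"]]
        q.append((ev["ts"], ntpath.dirname(ev["path"]), new_ext))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()  # drop events that fell out of the window
        dirs = {d for _, d, _ in q}
        if len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRS and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({
                "pid": ev["pid"], "proc": ev["proc"], "renames": len(q), "dirs": len(dirs),
                "extensions": sorted({e for _, _, e in q}),
                "first_seen": q[0][0].isoformat(), "last_seen": ev["ts"].isoformat(),
            })
    return alerts


def containment_command(alert: dict) -> str:
    """Illustrative automatic response: the command an agent would issue (after its
    own policy checks) to stop the offending process. Returned, not executed, here."""
    return f"taskkill /PID {alert['pid']} /F"


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG):
        print(alert)
        print("would run:", containment_command(alert))
```

The extension filter is what keeps the false-positive rate tolerable: a user renaming photos or an application swapping a temp file for its final name does not change the extension to something the machine has never seen. Thresholds still need tuning per environment (archivers and bulk-rename tools are the usual exceptions), and a production agent would pair this rule with canary files and with the process's parent chain before terminating anything.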