10 ways to prevent, detect and recover from ransomware and zeroday threats

Ransomware is a kind of malware that typically encrypts data, blocking access to it until a fee is paid to the attacker. While the hype used to outweigh the actual risk, ransomware has evolved, spread and grown rapidly more sophisticated in response to our efforts to defend against it.

There have been some high-profile ransomware attacks in the last few years, as part of a growing tide of threats. Ransomware volumes increased by 350% in 2017 alone, according to a recent NTT Security report. Security professionals tasked with safeguarding company data must have ransomware on their radars and it’s crucial to take steps to mitigate the threat.

Prevention is always better than cure, but no security system is perfect, so it pays to prepare for the worst by creating a recovery plan. We’ve got a list of 10 best practices here that will help you to prevent ransomware attacks, detect them when your defenses fail, and to bounce back from them with as little disruption as possible.

1. Security awareness training

There are a few different ways that ransomware can get into your network, but one of the most likely is via a phishing attack. As soon as an employee unwittingly taps or clicks on a link they shouldn’t or opens the wrong email attachment, ransomware may gain a foothold on their system and rapidly spread across your network. Launch a proper security awareness training program and reduce the threat of employee error leading to a ransomware infection.

2. Updates, patches and configuration

Proper endpoint security hygiene is essential in preventing ransomware. Attackers will typically look for vulnerabilities and misconfigurations that they can exploit to gain access to your network. Don’t make it easy for them. Ensure that devices and systems are regularly updated with the latest security patches, don’t make do with default configurations, and take the time to disable any features you don’t need.

3.  Up to date asset inventory

If you don’t know precisely what devices are legitimately connected to your public and private clouds, then how can you hope to recognize or prevent an attack? You need a real-time overview of all devices on your network and a clear understanding of what permissions each device should have based on the user. Do you know how many unmanaged devices you have in your network?  IoT is a big target.

4. Continuous vulnerability assessment

Cybercriminals will always take the path of least resistance and so ransomware attacks often exploit known vulnerabilities in popular software. You need a security system that’s updated with the latest revelations in terms of vulnerabilities, and this data must be cross-checked with your network to ensure you’re not offering an easy route in. 

5.  Real-time traffic monitoring

There’s a lot of focus on filtering and blocking inbound connections, but you should do the same with outbound connections as well. Ransomware will typically gain access and then dial home for further instructions. If you can block initial outbound attempts to connect to the attacker’s server, then you may be able to stop the ransomware attack before it gets off the ground. Any suspicious traffic in either direction should be flagged automatically and generate alerts for further investigation.

6. Intrusion detection

For proper protection, you need a system that can recognize the signs of a ransomware attack whether it’s communication with a known bad actor, sending data via a covert channel, or disabling firewalls or antivirus software. Suspicious updates to policies, unscheduled scans, and update failures can also all be warning signals. Spot them in time and you might be able to quarantine infected systems before the ransomware spreads.

7. File integrity monitoring

If you set up file integrity monitoring on business-critical data, then you’ll get automatic alerts if any critical file is accessed or altered. This can help you to spot a ransomware attack much more quickly and act to limit its impact.  Who has access and what are they accessing?  The best is understanding a user’s normal behavior.

8. Log monitoring and analysis

It is impossible for cybercriminals to launch and run a ransomware attack without leaving traces of their activity across your network. Consider employing security information and event management (SIEM) software capable of scanning system logs, app logs, and activity logs to collate and analyze data and flag unusual behavior.  User and entity behavior analytics (UEBA) is the next piece of the puzzle.

9. Continuous threat intelligence

You need to be monitoring your network in real-time to gain a clear picture of your security, but every monitoring tool is only as good as the information it has. The latest threat intelligence is vital if you expect to catch ransomware attacks swiftly and prevent them from spreading. Beyond specific known threats in terms of ransomware flavors, you also want to arm security software with an understanding of the latest types of activity and behaviors common to cutting edge malware. Artificial intelligence and machine learning are now being incorporated in many of the latest network security technologies to be your second set of eyes.

10. Reliable backup and recovery

Even if you take every possible precaution to try and prevent ransomware from gaining entry and to swiftly detect attacks, there may still be times when your defenses fall short. The single best way to safeguard against ransomware attacks and lessen the potential impact on your business is to maintain a regular, secure backup system alongside a clear recovery plan that allows you to restore a recent backup immediately should you need to.

As ransomware and zeroday attacks continue to grow more sophisticated and we see a rise in ransomware and zerodays used as diversionary, destructive tools, it’s vital that security professionals are conscious of the risks it poses. Take the right steps to prevent, detect and recover from ransomware and you can dramatically reduce its potential impact on your business.