Ransomware Prevention: A Complete Update for 2023

A successful ransomware attack can shut down a stable and thriving business and devastate customers via financial losses and sensitive privacy breaches. No organization, private network, or individual is immune to the threat of cyberattacks, and the frequency of ransomware attacks has been rising for years. Companies must implement robust ransomware prevention strategies to minimize the impact of an inevitable breach.

According to the Verizon 2023 Data Breach Investigations Report, 83% of breaches involve external actors, and the primary motivation continues to be largely financially driven, at 95% of breaches. The report also states that ransomware remains one of the top action types in breaches, holding at a statistically steady 24%. Unfortunately, the threat and impact of ransomware isn’t going anywhere anytime soon.

Professional ransomware prevention plans mitigate potential threats with anti-data-deletion technology, alerting and escalation rules, automation, and other innovations that secure company data and ensure disaster recovery. Companies manage ransomware prevention as part of an effective business continuity plan that prepares disaster recovery teams to act quickly and deliberately after an attack. It’s the convergence of a comprehensive business continuity and disaster recovery (BCDR) solution and a well-planned, well-practiced recovery plan that delivers ransomware prevention.

Small to medium-sized businesses (SMBs) typically partner with a managed service provider (MSP) that can support a ransomware incident response plan using its BCDR solution. With a security-first approach that includes built-in data protection, ransomware rollback, and guidance from a trusted MSP, businesses can prevent and withstand a ransomware attack.

What is ransomware?

Ransomware is a type of malware that encrypts the data on a personal computer, mobile device, or server, blocking access by the data’s owner. Attackers demand a ransom to decrypt the data and allow the owner access to their files. That is a best-case scenario.

In a worst-case scenario, malicious actors may steal data before returning access to its owners. The data might be modified or published on cyber black markets, leaving ransomware victims open to a new slew of cyber threats and assaults. A breached company’s customers may suffer victimization, identity theft, and exposure of private information. And businesses face various consequences, including additional ransom demands, litigation, operational chaos, permanent data loss or corruption, and reputational damage. Unfortunately, the worst-case scenario is the most likely: 80% of businesses that pay the ransom suffer a second ransomware attack, often by the same threat actors.

A cohesive and proactive ransomware recovery guide, developed in consultation with security professionals, is the key to ransomware prevention and survival. Due to the spike in targeted ransomware attacks on SMBs, business owners must confront the reality that an attack is imminent. It’s no longer a question of if a business will get attacked – but when it does, can it recover?

How does ransomware work?

A typical ransomware attack begins with a ransomware infection. Infections are typically delivered in two ways: by baiting humans into opening an access point or via infiltration software that grants access to internal business systems. For example, phishing emails can contain links to fake websites, or malicious attachments, designed to trick people into providing personal or financial information. Other attack vectors include other malware, drive-by downloads, and brute-force attacks.

Once the attacker has infiltrated the system, mimicking the Trojan Horse attack strategy, the attacker encrypts the victim’s files or locks their systems, rendering them inaccessible. In the next stage, the attacker demands a ransom for the decryption key to unlock the files. Victims usually pay ransom demands in the form of an untraceable cryptocurrency like Bitcoin.

Businesses without ransomware protection must decide if they’re willing to pay the ransom and hope for completely restored access – although there are no promises when dealing with cybercriminals. Considering that the average ransom payout is almost $300,000, that’s not an easy choice for an SMB. At the same time, the risk of not paying a ransom may be tolerable for businesses providing essential services – like critical infrastructure, or where sensitive IP information is at risk of disclosure.

3 common types of ransomware

Common types of ransomware attack emerging in 2023 include digital extortion, destructive attacks, and triple extortion.

Digital extortion

Digital extortion is the most common ransomware attack model today, according to the Definitive Guide to Ransomware 2023 by IBM Security. What appears to be a run-of-the-mill ransomware attack is compounded by bad actors already having exfiltrated data from the victim. Now if the victim resists paying the ransom, attackers threaten to sell or expose the data online. Coupling ransomware attacks with extortion and a potential data breach puts new pressure on businesses to update their disaster recovery strategies accordingly.

Destructive attacks

Destructive attacks are motivated not by financial gain but by the desire to ruin a victim by erasing system components, corrupting data, and leaving devices inoperable. Adversarial nation-state actors like Russia typically use this malware on their enemies. Ukraine suffered many cyber attacks using destructive malware after Russia invaded in early 2022.

Triple extortion attacks

Triple extortion attacks take digital extortion a step further. In addition to encrypting and stealing data, bad actors then threaten a Distributed Denial-of-Service (DDoS) attack. During a DDoS attack, servers are flooded with internet traffic to disrupt access to connected online services and websites. These attacks stop businesses from working and include the added risk of a data breach if the attackers sell or distribute the stolen data. While these attacks are less common due to the expertise required, cyberattacks are getting sophisticated fast, and businesses need to be aware of new threat vectors before becoming a victim.

Who is at risk of ransomware?

Ransomware attackers do not discriminate, so everyone – from individuals to businesses – is at risk. Government agencies, healthcare organizations, manufacturing, and critical infrastructure are particularly vulnerable due to their reliance on sensitive data and the potential for operational disruptions.

While you may think that large enterprises provide the best ROI for ransomware attacks, bad actors are opportunistic, and small businesses and vulnerable systems are irresistible soft targets. The easier it is for a criminal to infiltrate a business, the higher the risk that that business is hit multiple times. Similarly, paying the ransom the first time signals to attackers that you’re probably willing to pay again.

With that said, global and national organizations are also attacked with ransomware. Despite big budgets and recognizable brand names, the San Francisco 49ers NFL team, the Australian telecommunications company Optus, multiple Toyota suppliers, and the Costa Rican government all fell victim to attacks in 2022. So, even with the financial capacity for the best anti-malware security solutions, no individuals or corporations are immune from ransomware.

Why should my company prepare for ransomware attacks?

Due to the increasing sophistication, complexity, and frequency of cyberattacks in our ever-changing cybersecurity landscape, traditional backup and recovery plans are no longer enough. In order to protect, overcome, and continue business among today’s threat actors, companies must be prepared to defend, restore, and recover from ransomware.

Attackers may use remote desktop protocol (RDP) to infiltrate systems and find open, vulnerable ports where they can sneak in. They may also use address bar spoofing, a technique that makes a malicious URL look legitimate, to steal an employee’s system login credentials.

Once in the system, hackers bide their time hiding their suspicious activities, hijacking genuine credentials, and escalating the privileges they need to access the nethermost reaches of the system – including the most valuable prize: backups. Backups are a tempting target for ransomware attackers who want to cause maximum disruption. When backups are compromised and there’s no resolution for rollback, businesses have few options other than succumbing to ransom demands. But with ransom demands in the hundreds of thousands of dollars, not all businesses can pay that and keep their doors open.

How to prevent ransomware attacks

Best-in-class BCDR solutions utilize modern technology to prevent ransomware from causing permanent data loss. AirGap technology delivers that protection as a last line of defense against cyberattacks. Using proprietary Chain-Free backups, AirGap separates data deletion requests from the mechanics of data deletion with a firewall. Snapshots of data are stored in a protected archive and can only be deleted after a series of human-factor authorizations confirm the legitimacy of the deletion request.

AirGap uses “honeypots,” or fake signals that tell bad actors they’ve successfully deleted backups so they stop their attack. Of course, the data is safe in the archive, so you get the last laugh. Additionally, varying time gaps between when deletion requests are created, verified, and executed provide enough time to stop suspected malicious activity.

AirGap is a built-in, always-on feature in Axcient’s BCDR solutions for MSPs and their SMB clients. x360Recover solves most business use cases with both appliance-based and direct-to-cloud backup and disaster recovery (BDR) in one consolidated, efficient, automated, and protected solution. x360Cloud protects productivity suite data in Microsoft 365 and Google Workspace to ensure uninterrupted business continuity despite public cloud outages.

With AirGap, businesses can rest assured that while their systems may not be immune to attempted attacks, their backups are unbreachable, so they never pay the ransom. While AirGap is included in Axcient’s MSP-specific solutions, businesses of all sizes should speak with IT providers about ransomware rollback tools and backup protections for their company’s backup data.
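To make the design described above concrete, here is an added illustration (my code, not Axcient’s AirGap implementation) of the principle that a deletion request is separated from the deletion itself: the request is only a ticket, it needs approvals from people other than the requester, and nothing is removed until a hold period has elapsed. The hold period and approver count are assumed policy values, and the snapshot contents are constructed.

```python
"""Model of a backup archive whose snapshots can only be deleted through a
delayed, separately approved request (added illustration, not AirGap code)."""
from dataclasses import dataclass, field


@dataclass
class DeletionRequest:
    snapshot_id: str
    requester: str
    created_at: float            # seconds on any clock the archive trusts
    approvers: set = field(default_factory=set)
    cancelled: bool = False


class ProtectedArchive:
    """The caller that asks for a deletion never performs it."""

    def __init__(self, hold_seconds: float, required_approvals: int = 2):
        self.hold_seconds = hold_seconds            # assumed policy value
        self.required_approvals = required_approvals  # assumed policy value
        self.snapshots: dict[str, bytes] = {}
        self.requests: dict[int, DeletionRequest] = {}

    def store(self, snapshot_id: str, data: bytes) -> None:
        self.snapshots[snapshot_id] = data

    def request_delete(self, snapshot_id: str, requester: str, now: float) -> int:
        # A compromised backup agent only obtains a ticket, never the deletion itself.
        if snapshot_id not in self.snapshots:
            raise KeyError(snapshot_id)
        req_id = len(self.requests) + 1
        self.requests[req_id] = DeletionRequest(snapshot_id, requester, now)
        return req_id

    def approve(self, req_id: int, approver: str) -> bool:
        """Record an approval; the requester may not approve their own request."""
        req = self.requests[req_id]
        if approver == req.requester:
            return False
        req.approvers.add(approver)
        return True

    def cancel(self, req_id: int) -> None:
        # Anyone reviewing pending requests during the hold can stop a suspicious one.
        self.requests[req_id].cancelled = True

    def execute(self, req_id: int, now: float) -> tuple[bool, str]:
        """Delete the snapshot only if every gate has been passed."""
        req = self.requests[req_id]
        if req.cancelled:
            return False, "request was cancelled"
        if len(req.approvers) < self.required_approvals:
            return False, f"needs {self.required_approvals} approvals, has {len(req.approvers)}"
        if now < req.created_at + self.hold_seconds:
            return False, f"hold period ends at t={req.created_at + self.hold_seconds:.0f}"
        del self.snapshots[req.snapshot_id]
        return True, "deleted"
```

The same pattern applies whether the archive is an appliance or a cloud bucket: the credential that writes backups must not be the credential that can approve or execute their removal.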

10 best practices for ransomware prevention

1. Backup data

Regularly backing up data to a secure offsite location or using a cloud-based service provides an independent layer of security and a first line of defense. Backup data should be regularly tested for bootability, integrity, and health. Incident response plans should simulate “backup burn” to account for unrecoverable backups.

Axcient’s MSP partners reduce labor costs while accelerating productivity, ensuring recovery, and reinforcing cybersecurity with built-in AutoVerify. Rather than manually checking backups and risking disruption due to human error, MSPs can automatically back up, monitor, and verify backup integrity with a series of endpoint tests.

2. Keep systems and applications updated

The most notorious and successful ransomware applications target software vulnerabilities on unpatched computers. Humans should not be relied on to remember to check for new software patches on release dates. Automatic software updates should be enabled so they are installed as soon as possible without the risk of human mistakes.

3. Install antivirus and firewalls

Effective ransomware prevention involves a layered strategy, including implementing antivirus software and firewalls to detect and block ransomware threats automatically. Small businesses and individuals have no excuse – many quality open-source anti-malware tools are available for free.

4. Harden email gateway security

A company’s email gateway is the primary communication channel between employees and an organization’s customers. Thirty-five percent of ransomware incidents involve email, such as phishing attacks.

Email security features to consider include sandboxing to enable attachment and content scans; automatic domain and sender blacklisting and whitelisting according to preconfigured rules; DomainKeys Identified Mail (DKIM) – an email authentication method that detects forged sender addresses; enforced transport layer security (TLS); and intelligent spam filters.

Furthermore, Domain-based Message Authentication, Reporting and Conformance (DMARC) tools can prevent email spoofing, and Sender Policy Framework (SPF) records can identify forged sender addresses.

5. Implement network segmentation

By segmenting networks into sub-networks, businesses can limit the spread of ransomware by reducing interconnectivity between sub-networks. Now, the infection cannot spread even if one sub-network is breached. Network segmentation is broadly divided into the physical separation of sub-networks, often in the form of firewalls, and virtual local area networks (VLANs), usually managed by switches.

6. Perform application whitelisting

Application whitelisting, or allowlisting, only lets trusted programs execute on a network, reducing the risk that ransomware will be successful. Allowlists need to be updated whenever new software is installed.

7. Establish endpoint security to reduce the attack surface

Forty percent of ransomware incidents involve desktop-sharing software, typically used by remote and hybrid employees. Endpoint security guidelines define rules for BYOD and for devices used by external system users, like suppliers, consultants, and freelancers. Endpoint security ensures that every endpoint runs anti-malware and security software, is fully patched, does not use default configurations, and is an approved device that enforces stringent role-based authentication.

8. Limit user access privileges

Restricting user access to sensitive data and systems can minimize the potential impact of ransomware attacks. Experts advise applying the “Least Privilege” principle to data access and services. This can mitigate the potential risks if a hacker hijacks a carelessly secured device and can thwart insider threats.

9. Run regular security testing

Regular audits, vulnerability assessments, and attack simulations can identify potential weaknesses in a security posture. Companies should create a well-rehearsed, step-by-step guide for disaster recovery that includes regular testing and updates.

Axcient’s Cybersecurity Readiness Bundle for MSPs includes the 5 critical pieces of a good cybersecurity playbook, best practices in disaster recovery planning and testing, and an MSP quick guide for surviving a total ransomware takedown. With these resources, MSPs can give clients the ransomware prevention tools necessary for recovery.

10. Educate employees about security protocols

Ongoing user training on cybersecurity best practices should include recognizing and responding to phishing emails and other potential ransomware threats, the dangers of public Wi-Fi, and how to secure home networks. Numerous free (and fun) training resources are available online to create custom security awareness campaigns.

What to do after a ransomware attack

In the event of an attack, an incident response plan is the first part of a cybersecurity playbook and answers the question, “What now?” This detailed plan starts with incident response team members completing the following tasks:

Contain the infection

Where is the damage, and what systems, data, and business functions are affected? Quickly isolate impacted systems and disconnect them from the network to prevent the spread of ransomware. This task will be made easier if the network is already segmented.

Initiate recovery

What must be recovered to maintain business continuity, prevent data loss, and protect sensitive customer information? Initiate recovery procedures to restore systems and data from secure backups to maintain business continuity and fulfill SLAs. Be sure to test backup data for infection before initiating recovery procedures.

Report the incident

Who needs to be informed in order to comply with data and security regulations? Report the incident to the appropriate authorities, such as law enforcement agencies and relevant regulatory bodies.

Record the incident

What events led up to the attack, occurred during the attack, and happened after the attack? Take screenshots of any ransom notes and record events surrounding the attack to expedite the filing of police and insurance reports and assist frontline forensic investigators.

Conduct assessment and improvement analysis

What was the Achilles heel in the system that created a window of opportunity for attackers? Conduct a post-incident analysis to identify weaknesses in the organization’s security posture and implement improvements to prevent future attacks.

Follow up with your MSP or IT provider

Where could these vendors have helped more? Did they live up to SLAs and your expectation of support? Contracts may need to be revisited, solution coverage may need to be expanded, or it could be time to change vendors for better services.

Wrapping up: how to prevent ransomware

Ransomware is malicious software that infiltrates personal computers and business networks, encrypting files and denying their owner access. Attackers demand a ransom to decrypt the data and allow the owner access to their files.

The effect of a successful attack can be ruinous. For example, attackers may steal personal information from individuals’ computers and threaten to expose it unless the victims pay a ransom. Business disruptions, reputational loss, and demands for exorbitant ransoms may permanently cripple organizations.

In this changing cybersecurity landscape, traditional backup and recovery strategies do not resolve the growing trend of ransomware as a service (RaaS), an insidious new way of delivering ransomware. RaaS is a criminal business model where ransomware developers and operators charge other criminals for ransomware tools and capabilities.

It’s a degraded version of the software-as-a-service (SaaS) business model. With RaaS, the theft of data and the threat of business disruptions become a black market commodity available to multiple buyers at a price. The result is the brute force battering of a company’s defenses from various sources until it breaks down irrevocably.

Ransomware prevention FAQs

Should a company pay a ransom?

Paying a ransom is risky for several reasons: a 2020 ruling by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) states that in most cases it is illegal; companies may not get their data back; it may break SLAs; it provides funding for criminal networks; and it may embolden attackers to strike again. Instead, companies should focus their energies on a robust backup and recovery plan and use tools like AirGap for ransomware rollback.

I’ve been the victim of a phishing attack! What now?

Before taking remedial action, victims of phishing attacks should disconnect from the internet. The next steps are: report the incident to IT security personnel, who will conduct a forensic investigation; change passwords and login credentials across all accounts, business and personal; scan the affected device to assess any malware damage; adjust spam filters to block similar emails; where relevant, contact the company whose identity was spoofed (the purported sender); and stay alert to the possibility of follow-up attacks.

In the U.S., victims should report the incident to the Federal Trade Commission (FTC). Victims should research the nature of the attack and share their experiences with colleagues. Lastly, stay calm!
