How do you prevent a ransomware attack?

Published on 09/04/2020 in Tech, tips & tricks

Ransomware is a piece of malware that cybercriminals install on your network via phishing, improperly updated software or USB sticks, etc. Their aim: to lock up your systems and data and make you pay a ransom. How do you prevent that?

How do you prevent a ransomware attack?

Wouter Vandenbussche, Solution Lead Cybersecurity at Proximus, explains in five minutes how to protect your company against ransomware.

Provide security at three levels:

  1. Train your people: integrate cybersecurity into the way of working of all your staff, because cybersecurity concerns everyone. Make it clear to your staff that they have to give up their ‘old’ way of working, and reevaluate permissions. For example, it is no longer acceptable simply to give a layout specialist permission to download any software he wants.
  2. Invest in detection processes and an action plan.
  3. Make sure your security technology is up to standard: use the right technology to protect yourself against the four phases of a ransomware attack.

How do you protect yourself against the four phases of a ransomware attack?

1. Penetration phase: phishing, bad patches and USB sticks

Everyone knows about phishing. Hackers try to convince you to click on a link in order to introduce malware via Excel, PDF or exe files or via your browser, for example. But ransomware can also get in through leaks in poorly patched and maintained software. Malware can also enter via infected USB sticks that end users unsuspectingly insert into their laptop or computer.

How do you protect yourself against this?

First and foremost, user awareness is crucial. Limit users’ rights as much as possible, certainly on devices that are closely linked to sensitive processes. A good antispam solution protects your e-mail system as well. You can prevent infection of the network by securing your users’ devices more effectively. Think about patch management and only run the latest software versions. End-point security must be dynamic and able to protect against new and unknown attacks by using new techniques.


2. Infection phase: communication between your computers and the hackers

When a system is infected, there are signs that the ransomware has embedded itself in the computer. Ransomware always contacts the hackers’ control center, and that is abnormal communication for a computer.

How do you protect yourself against this?

By analyzing your logs and checking the behavior of your workstations, you will see that something is going on and you can intercept the communication. Make sure your systems use the latest software version. You can also detect known defects automatically using a ‘vulnerability scan’.
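One concrete form of the log analysis described above is to look for workstations that contact the same external host at regular intervals, the periodic call-home behaviour of infected machines. The following is an added example, not Proximus's code; the proxy log format, the host names and the 203.0.113.45 address (an RFC 5737 documentation address) are constructed for illustration.

```python
"""Flag (workstation, destination) pairs whose connections are spaced at
near-constant intervals, i.e. look like beaconing to a control center.
Added example; log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, source workstation, destination.
# 203.0.113.45 is a documentation address standing in for an unknown host.
SAMPLE_LOG = """\
2020-04-09T08:00:00 ws-17 203.0.113.45
2020-04-09T08:00:03 ws-17 intranet.example.org
2020-04-09T08:05:00 ws-17 203.0.113.45
2020-04-09T08:10:00 ws-17 203.0.113.45
2020-04-09T08:15:00 ws-17 203.0.113.45
2020-04-09T08:20:00 ws-17 203.0.113.45
2020-04-09T08:01:11 ws-22 intranet.example.org
2020-04-09T08:03:48 ws-22 news.example.com
2020-04-09T08:19:02 ws-22 intranet.example.org
2020-04-09T08:47:30 ws-22 news.example.com
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (src, dst, mean_gap_seconds) for pairs seen at least
    min_hits times whose gaps vary by less than max_jitter (relative)."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((src, dst, avg))
    return hits

if __name__ == "__main__":
    for src, dst, secs in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {secs:.0f}s, review as possible control-center traffic")
```

Regular intervals alone are only a triage signal: legitimate update agents beacon too, so the hits should be checked against known destinations before isolating a workstation.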

3. Dispersion phase: odd behavior by your computers and systems

Ransomware can wander around your network for weeks or months, among other things to find the data and systems that the bad guys can use to hit your company hardest.

How do you protect yourself against this?

To start with, segment the network: divide it up into zones and isolate them from one another. That way, an infection cannot spread easily to other devices. We stop malware spreading with a firewall that not only monitors the traffic coming in and going out, but also the traffic within a network. There are plenty of systems that show you the vulnerabilities of the network so that you can deal with them. By means of detection at end-point and network level, you can isolate and clean up laptops, for instance, and turn off protocols.

4. Encryption phase: game over

Once the ransomware has encrypted the files and computers, it is simply too late. Encryption takes place in an instant. All you can do is save what you can and restore your processes or rebuild them from scratch.

How do you protect yourself against this?

The only way to do that is with up-to-date back-ups. With Disaster Recovery-as-a-Service (DRaaS), you copy all your data to the cloud and with a recovery site or strategy you have emergency infrastructure ready and waiting, where everything is set up so that you can resume your activities as soon as possible. Of course, you can make back-ups yourself, as well. Store them in a place that is not vulnerable to the same ransomware attack, such as offline or in the cloud of an external partner.

Conclusion: detection and response as well as prevention

Prevention remains important but detection, too, is absolutely crucial. You need to analyze the behavior of your devices and users and search for anomalies and abnormal behavior. Enormous progress has been made with Security Information and Event Management (SIEM) software in the last few years thanks to artificial intelligence and machine learning. Software that responds to incidents automatically exists even now.

The Proximus Cyber Security Incident Response Team (CSIRT) analyzes your IT security. Suffered a cyberattack anyway? The team is there for you and your company.
