By Asher de Metz
Ransomware continues to be hackers’ bread and butter.
In the first half of 2020, global ransomware reports increased 715% year over year, according to Bitdefender’s Mid-Year Threat Landscape Report 2020. In October, government officials warned that hackers were targeting American hospitals as COVID-19 cases increased, looking to hold their data hostage in exchange for millions.
U.S. government entities must be on the lookout as well. From January 2019 through June 2020, there were 151 reported ransomware attacks on state and local municipalities in 38 states. Ransomware demands are also on the rise, with demands in the first six months of 2020 averaging $886,625 compared to $366,292 during the same period in 2019.
Whether you’re a corporation or a city government, the message is the same: You must take action now before you suddenly find your devices locked down and your data encrypted.
Here are six steps to prevent and avoid ransomware attacks.
1. Keep your backups current – and separate
You should regularly back up your critical data. The frequency depends on the nature of the data. In some cases, you might need snapshots every hour. For other information, you may only need to back up once a day.
Make sure you separate those backups from the rest of your network so they won’t get locked down along with your other data and devices if you’re infected with ransomware.
2. Incorporate segmentation
We can’t emphasize this enough: Segment your networks. That way, if one segment gets hit, you can cut it off from the rest of your network to prevent the ransomware from spreading.
It’s also important to segment Active Directory (AD) so it’s harder for ransomware to propagate from less critical AD networks to more critical AD networks.
3. Patch and harden
Planning for an attack and taking the appropriate steps to thwart any attack attempts is essential.
First, remove local admin and install rights from users. Second, make sure that no shared passwords exist between systems, whether cached or local. Implement Microsoft Local Administrator Password Solution (LAPS) and disable cached credentials. That way, the ransomware cannot utilize these credentials to access other systems and propagate around the network. Third, harden the systems by removing unnecessary software – such as PowerShell – from workstations and closing down ports. Fourth, have a solid vulnerability management program to patch vulnerabilities, such as ETERNALBLUE, to prevent the ransomware from propagating around the network.
4. Stay on the lookout
You can spot known ransomware using file-integrity monitoring, security information and event management (SIEM) and other services.
5. Prioritize testing
It’s important to test your disaster recovery (DR) plan and processes regularly to make sure they will hold up under a real-world attack. You don’t want to discover that your backups are out of date or you can’t recover from them when you’re under attack.
6. Educate your employees
Recovering from a ransomware attack
If you’re hit with ransomware and you’ve taken the steps above, you only need to shut down or segment the infected devices or system, recover from your backups and go back to work.
If you haven’t taken the necessary precautions, however, there are often just a few options, and none of them are great.
The first option is to give in to the hacker’s ransom request. Paying is almost always a bad idea, as it tells hackers you’re willing to pay and puts a target on your back for future attacks. And now that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory highlighting sanctions risks for ransom payments to certain entities, paying isn’t always an option.
Thankfully, most cities and municipalities have refused to pay ransoms. According to our research from January 2019 to June 2020, only 12 municipalities reported paying some or all of the ransom demanded.
The other option is to recover your compromised data and rebuild systems from scratch. In some cases, this process can take weeks.
That’s why many companies work with an experienced partner to gain access to expert resources that can expedite a return to business as usual. But again, engaging with a partner is a step to take before you become the next victim of ransomware. The last thing you want is to be hit by a cyberattack and realize you’re not ready.
What are you doing to protect your data and your business?