1. Keep your backups current – and separate
You should regularly back up your critical data. The frequency depends on the nature of the data. In some cases, you might need snapshots every hour. For other information, you may only need to back up once a day.
Make sure you separate those backups from the rest of your network so they won’t get locked down along with your other data and devices if you’re infected with ransomware.
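The two things that go wrong with backups under ransomware are that they are older than the business can tolerate, or that they cannot actually be restored. The following script, an added example that is not from the article or any backup product, checks both for a set of backup directories: each dataset is assumed to carry a MANIFEST.json written at backup time with the UTC timestamp and a SHA-256 of every file (that layout, the dataset names and the per-dataset recovery-point objectives are all constructed for the demo). Pointing it at a copy restored from the separated media is the restore test described in section 5.

```python
"""Backup freshness and restore-integrity check (added example, not the article's code).

Assumed layout: one directory per dataset, containing the backed-up files plus a
MANIFEST.json {"taken_at": <ISO-8601 UTC>, "files": {relpath: sha256hex}} written
by the backup job. verify_backup() reports stale, missing, corrupt or unexpected files.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, taken_at):
    """Simulates the backup job: hash every file and record when the backup was taken."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            if name != MANIFEST:
                path = os.path.join(root, name)
                files[os.path.relpath(path, backup_dir)] = sha256_file(path)
    manifest = {"taken_at": taken_at.isoformat(), "files": files}
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_dir, rpo, now=None):
    """Return a list of findings for one dataset; an empty list means it passes.

    rpo: timedelta giving how old this dataset's backup may be (hourly vs daily data).
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    mpath = os.path.join(backup_dir, MANIFEST)
    if not os.path.exists(mpath):
        return ["no manifest: cannot prove what was backed up"]
    with open(mpath) as f:
        manifest = json.load(f)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > rpo:
        findings.append(f"stale: backup is {age} old, RPO is {rpo}")
    for rel, expected in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            findings.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            findings.append(f"corrupt: {rel} hash mismatch")
    present = {os.path.relpath(os.path.join(r, n), backup_dir)
               for r, _, ns in os.walk(backup_dir) for n in ns if n != MANIFEST}
    for rel in sorted(present - set(manifest["files"])):
        findings.append(f"unexpected: {rel} not in manifest")  # file the backup job never wrote
    return findings


def demo():
    """Constructed scenario: one fresh intact backup, one stale, one corrupted after backup."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    # dataset name -> (age of backup, RPO for that dataset, corrupt the restored copy?)
    cases = {
        "hourly-db": (timedelta(minutes=30), timedelta(hours=1), False),
        "daily-docs": (timedelta(days=3), timedelta(days=1), False),
        "daily-hr": (timedelta(hours=2), timedelta(days=1), True),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (age, rpo, corrupt) in cases.items():
            d = os.path.join(tmp, name)
            os.makedirs(d)
            with open(os.path.join(d, "data.bin"), "wb") as f:
                f.write(b"payload for " + name.encode())
            write_manifest(d, now - age)
            if corrupt:  # simulate bit-rot or tampering between backup and restore
                with open(os.path.join(d, "data.bin"), "ab") as f:
                    f.write(b"\x00")
            results[name] = verify_backup(d, rpo, now)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

In practice the manifest should be stored with the backup on the separated media and the check run from a clean host after a restore, so that a ransomware-encrypted or silently truncated copy is caught before it is needed.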
2. Incorporate segmentation
We can’t emphasize this enough: Segment your networks. That way, if one segment gets hit, you can cut it off from the rest of your network to prevent the ransomware from spreading.
It’s also important to segment Active Directory (AD) so it’s harder for ransomware to propagate from less critical AD networks to more critical AD networks.
3. Patch and harden
Planning for an attack and taking the appropriate steps to thwart any attack attempt is essential.
First, remove local admin and install rights from users. Second, make sure that no shared passwords exist between systems, whether cached or local. Implement Microsoft Local Administrator Password Solution (LAPS) and disable cached credentials. That way, the ransomware cannot utilize these credentials to access other systems and propagate around the network. Third, harden the systems by removing unnecessary software – such as PowerShell – from workstations and closing down ports. Fourth, have a solid vulnerability management program to patch vulnerabilities, such as ETERNALBLUE, to prevent the ransomware from propagating around the network.
4. Stay on the lookout
You can spot known ransomware using file-integrity monitoring, security information and event management (SIEM) and other services.
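The following is an added example, not from the article or any FIM or SIEM product, of the two checks that section 4 refers to: a file-integrity check that compares monitored files against a known-good hash baseline, and a behavioural rule that flags an account rewriting many files with encrypted-looking (high-entropy) content and changed extensions inside a short window. The events, paths, baseline and thresholds are all constructed for the demo; tune the window and threshold to your own file-server activity.

```python
"""File-integrity baseline check and mass-encryption burst detection (added example).

Not the article's code and not tied to any product. Two rules a FIM/SIEM pipeline
would run over file-change events:
  1. baseline_violations: a monitored file's SHA-256 no longer matches the recorded hash;
  2. burst_alerts: one user writes >= threshold files within `window` seconds whose
     extension changed and whose content has high Shannon entropy.
All inputs below are constructed for the demo.
"""
import hashlib
import math
import os
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def baseline_violations(baseline, current):
    """baseline/current: {path: sha256hex}. Returns monitored paths whose hash changed or vanished."""
    return sorted(p for p, h in baseline.items() if current.get(p) != h)


def burst_alerts(events, window=60, threshold=5, entropy_min=7.0):
    """events: dicts with t (seconds), user, old_path, path, data (bytes written).

    A write is 'suspicious' when the extension changed and the content looks encrypted.
    One alert per user the first time their suspicious writes in the window reach threshold.
    """
    recent = defaultdict(deque)  # user -> timestamps of suspicious writes in the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["t"]):
        ext_changed = os.path.splitext(ev["old_path"])[1] != os.path.splitext(ev["path"])[1]
        if not (ext_changed and shannon_entropy(ev["data"]) >= entropy_min):
            continue
        q = recent[ev["user"]]
        q.append(ev["t"])
        while q and ev["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "count": len(q), "last_path": ev["path"]})
    return alerts


# Deterministic stand-in for encrypted content (constructed): 1024 pseudo-random bytes.
ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
PLAINTEXT = b"quarterly report, draft text with ordinary words\n" * 20


def demo():
    """Constructed events: alice mass-encrypts, bob zips one file, carol edits text."""
    events = []
    for i in range(6):  # six .docx -> .locked rewrites in 25 seconds
        events.append({"t": i * 5, "user": "alice", "old_path": f"share/report{i}.docx",
                       "path": f"share/report{i}.docx.locked", "data": ENCRYPTED})
    events.append({"t": 3, "user": "bob", "old_path": "share/archive.txt",
                   "path": "share/archive.zip", "data": ENCRYPTED})  # single compressed file
    for i in range(6):
        events.append({"t": i * 4, "user": "carol", "old_path": f"share/notes{i}.txt",
                       "path": f"share/notes{i}.txt", "data": PLAINTEXT})  # normal edits
    baseline = {"srv/app/config.ini": hashlib.sha256(b"[app]\nmode=prod\n").hexdigest(),
                "srv/app/run.cmd": hashlib.sha256(b"start app.exe\n").hexdigest()}
    current = {"srv/app/config.ini": hashlib.sha256(b"[app]\nmode=prod\n").hexdigest(),
               "srv/app/run.cmd": hashlib.sha256(b"start evil.exe\n").hexdigest()}
    return baseline_violations(baseline, current), burst_alerts(events)


if __name__ == "__main__":
    violations, alerts = demo()
    print("baseline violations:", violations)
    print("burst alerts:", alerts)
```

The baseline check catches tampering with a small set of files you know should not change; the burst rule is what catches the encryption itself, since a single encrypted write (bob's zip) is normal but five of them from one account in a minute is not. Both produce structured findings that can be forwarded to a SIEM as-is.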
5. Prioritize testing
It’s important to test your disaster recovery (DR) plan and processes regularly to make sure they will hold up under a real-world attack. You don’t want to discover that your backups are out of date or you can’t recover from them when you’re under attack.
6. Educate your employees