Ransomware attacks - 4 tips on how companies and organisations can protect themselves
by Tina Siering
Because it is so important, we will start with what you should not do if an attack does happen: pay the extortionists' ransom demand. As a reminder, ransomware encrypts data and only releases it upon payment of a ransom (usually in a cryptocurrency). In other cases, data is also stolen from the network, and the attackers then threaten to publish it or offer it for sale to other criminals. Where trade secrets or sensitive customer data are involved, this can do significant damage to the business.
Do not give in to the extortionists' demand. You have no guarantee that you will actually get your data back, and paying only opens the door to further attacks, each of which would then have to be settled with another ransom. The basic rule for all companies is: believing that your business is unproblematic or uninteresting to cybercriminals is a fallacy - a safe refuge simply no longer exists these days. We therefore present four measures that you can take to protect yourself effectively against ransomware.
Tip 1: Set up backups and network segmentation
Regular backups of all important company data quickly take the wind out of ransomware's sails. A company without a backup concept is acting grossly negligently and risks data loss at any time. However, a data backup alone does not automatically mean complete security: in the course of a ransomware attack, the backup copy is frequently encrypted as well - the worst-case scenario for companies and organizations.
If, on the other hand, you mirror your data to a secure archive that is segmented off from the production network, encrypting the actively used data achieves practically nothing. You may lose some time restoring the data from the backup, but that is still far better than paying an exorbitant ransom. A well-designed backup strategy that covers all(!) important data and is available at all times is a key component of any IT security strategy.
Segmentation of the in-house network is also useful. Dividing the network into several subnetworks compartmentalizes data traffic: not every device needs to be able to communicate with every other device. Intelligent division into subnetworks allows security controls and services to be set up for each section of the network, which, depending on how it is implemented, can significantly increase security. In the best case, this prevents attackers from ever reaching sensitive data. Remember: in a ransomware attack, the cybercriminals' goal is to extort the victim, and that only works if the encryption of the files, including the backup copy, succeeds!
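As an added example (not code from the article or from Allgeier secion), the following Python script shows one way to check that a backup copy on the segmented archive is still intact: a SHA-256 manifest is taken when the backup is written and kept apart from the backup itself, and a later verification reports files that are missing, changed, or changed and now look encrypted (near-maximal byte entropy). The file names, paths and the "encrypted" content in `demo()` are constructed for the example.

```python
"""Verify that an offline backup copy still matches the manifest taken when it
was written.  Added example, not code from the article or from Allgeier secion.
Assumption: the manifest (SHA-256 per file) is stored separately from the backup
tree, e.g. on the segmented archive host, so whoever can rewrite the backup
cannot also rewrite the manifest."""
import hashlib
import math
import tempfile
from pathlib import Path

# Files whose byte distribution is this uniform are almost certainly encrypted
# or compressed; ordinary CSV/text/office data sits well below this value.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256, taken right after the backup is written."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current backup tree against the stored manifest."""
    result = {"missing": [], "modified": [], "high_entropy": [], "unexpected": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
            # A changed file that is now near-random is the ransomware signature.
            if shannon_entropy((root / rel).read_bytes()) > ENTROPY_THRESHOLD:
                result["high_entropy"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def pseudo_ciphertext(n_blocks: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a backup is taken, then one file is overwritten with
    ciphertext-like data, one is deleted and one unexpected file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "q1.csv").write_text("customer,amount\n" + "acme,100\n" * 200)
        (root / "hr").mkdir()
        (root / "hr" / "staff.txt").write_text("alice\nbob\ncarol\n")
        manifest = build_manifest(root)  # in practice stored off the backup host

        (root / "reports" / "q1.csv").write_bytes(pseudo_ciphertext(128))
        (root / "hr" / "staff.txt").unlink()
        (root / "hr" / "NOTE.txt").write_text("constructed unexpected file")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The entropy check matters because a manifest mismatch alone could also be a legitimate change; a file that changed and is now indistinguishable from random bytes is the pattern that should stop the backup rotation and page the on-call team.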
Tip 2: Multi-factor authentication for employees
People and their actions are often the weak point that opens the door for attackers. Through social engineering, phishing for example, cybercriminals repeatedly succeed in gaining access to employee accounts and thereby infiltrating ransomware in the form of extortion Trojans (also known as crypto Trojans). Sensible multi-factor authentication for (all!) employees effectively counteracts this.
Multi-factor authentication (MFA) requires two or more credentials before a user is granted access to a system. Its key feature is channel separation: the factors come from independent categories. The following factors can be used for authentication:
- Biometric features, such as a fingerprint, iris scan, or facial scan.
- Possession-based factors (including digital ones), such as USB tokens, a smartphone app, or a card for scanning.
- Factors based on "secret" knowledge, such as passwords or PIN codes.
Anyone who wants to log on to a service must therefore prove their identity via at least two channels - for example, by entering a password and plugging in a USB token. The best-known form of MFA is two-factor authentication (2FA), where authentication takes place, for example, through a combination of password and push TAN, password and security question, or PIN and identification card. This type of authentication is widespread because of its good usability: it secures logins to protected areas without much additional effort.
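The possession factor mentioned above (a smartphone app) is most often implemented with time-based one-time passwords. The following Python code is an added example, not from the article: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only, plus a small server-side verifier that tolerates one step of clock skew but never accepts the same code twice. The shared secret and timestamps used in the `__main__` block are the RFCs' published test vectors, not real credentials.

```python
"""Second factor by time-based one-time password (RFC 6238 on top of RFC 4226).
Added example, not code from the article or from Allgeier secion."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, for_time // step, digits, digestmod)


class TotpVerifier:
    """Server side of the second factor.  Accepts one time step of clock skew in
    either direction and refuses to accept a code for a step that was already
    consumed, so a code captured by phishing and used once is worthless afterwards."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_counter = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # replay protection: this step (or an earlier one) is used up
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so response timing leaks nothing about the code.
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real key.
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))            # RFC 4226 vector: 755224
    print("TOTP at T=59 :", totp(secret, 59, digits=8))  # RFC 6238 vector: 94287082
    v = TotpVerifier(secret)
    code = totp(secret, 59)
    print("first use accepted:", v.verify(code, now=59))
    print("replay accepted   :", v.verify(code, now=59))
```

In a real deployment the per-user secret is generated randomly at enrollment, shared with the app once (usually as a QR code), and stored server-side with the same care as a password hash; the verifier above is the part that turns the "something you have" factor into an actual access decision.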
Tip 3: Raise employee awareness
Software and machines are a relatively minor risk factor by themselves, provided regular update cycles are maintained. Attacks often have to be "prepared" first, and often enough this happens with the unintended help of in-house employees. Even today, the old familiar mantras still apply: do not open unknown email attachments, do not run unknown files, do not visit insecure websites.
The best remedy against ransomware is not to let it into in-house systems in the first place, so employee awareness is the best prevention. Proven measures include:
- Regular social engineering training that makes employees aware of what is dangerous and what is not. Pointing out the potential damage is an effective way of demonstrating the consequences of negligent behavior.
- Manuals or checklists that show employees how to act in the first moments of contact with ransomware. This simple tool can prevent multi-million dollar losses.
- Incident response readiness training. The prerequisite for an organization's ongoing incident response readiness is the development and implementation of a comprehensive cyber defense strategy that ensures the ability to detect, defend against and mitigate complex attacks.
Tip 4: Proactive threat hunting against ransomware
Given this threat landscape, numerous IT security solutions exist that take action against ransomware (and many other forms of malware). Log management solutions, such as a SIEM system, usually require a high level of personnel and cost on the company side.
However, there are much leaner solutions that can be managed by a small SOC team and provide effective protection against ransomware and other cyber threats at a manageable cost: Allgeier secion's Active Cyber Defense (ACD) service, for example. This 24/7 threat hunting and incident response service proactively and continuously analyzes the corporate network for anomalies. As a rule, attackers spend up to six months undetected in the target company's network, using this preparatory phase to gather data and spread to other systems. Time is therefore a critical factor in detecting and eliminating cyber threats like ransomware. For this reason, if systems are compromised, Allgeier secion's ACD team informs its customers immediately and provides concrete recommendations for action to avert damage.
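To make "analyzing the network for anomalies" concrete, here is an added example in Python (not the ACD service and not code from the article): a small detector that runs over file-server audit events and raises an alert when one process on one host modifies many files within a minute and the renamed files all acquire the same new extension. The log format, host, process and file names are constructed for the example; real EDR or SIEM feeds carry the same fields (time, host, process, action, path) under other names.

```python
"""Hunting for ransomware-like mass file modification in file-server audit events.
Added example, not code from the article or from Allgeier secion.  Log format and
all events are constructed.

Heuristic: ransomware touches many files in a very short time, and the files it
rewrites end up with one common new extension.  Users and backup jobs do not."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60   # sliding window per (host, process)
MIN_EVENTS = 40       # WRITE/RENAME events within the window needed to alert
MIN_EXT_SHARE = 0.8   # share of renamed files that received the same new extension


@dataclass
class Event:
    ts: int
    host: str
    process: str
    action: str        # WRITE | RENAME | READ
    path: str
    new_path: str = ""


def parse_line(line: str) -> Event:
    """Constructed format: '<epoch> <host> <process> <ACTION> <path>[ -> <new_path>]'."""
    ts, host, process, action, rest = line.split(" ", 4)
    path, _, new_path = rest.partition(" -> ")
    return Event(int(ts), host, process, action, path, new_path)


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return one alert per (host, process) that shows the burst-plus-rename pattern."""
    alerts = []
    windows = defaultdict(deque)   # (host, process) -> recent WRITE/RENAME events
    alerted = set()
    for line in lines:
        ev = parse_line(line)
        if ev.action not in ("WRITE", "RENAME"):
            continue
        key = (ev.host, ev.process)
        q = windows[key]
        q.append(ev)
        while q and ev.ts - q[0].ts > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        if key in alerted or len(q) < MIN_EVENTS:
            continue
        new_exts = [extension(e.new_path) for e in q if e.action == "RENAME"]
        if not new_exts:
            continue
        top = max(set(new_exts), key=new_exts.count)
        if new_exts.count(top) / len(new_exts) >= MIN_EXT_SHARE:
            alerts.append({"host": ev.host, "process": ev.process,
                           "first_seen": q[0].ts, "detected_at": ev.ts,
                           "files": len(q), "new_extension": top})
            alerted.add(key)
    return alerts


def constructed_log():
    """Normal background saves from a spreadsheet user, plus one burst in which an
    unknown process rewrites and renames 60 files within 30 seconds (all constructed)."""
    lines = []
    for i in range(30):
        lines.append(f"{1700000000 + i * 45} fs01 excel.exe WRITE /share/finance/budget_{i}.xlsx")
    for i in range(60):
        t = 1700000500 + i // 2
        lines.append(f"{t} fs01 unknown_tool.exe WRITE /share/hr/doc_{i}.docx")
        lines.append(f"{t} fs01 unknown_tool.exe RENAME /share/hr/doc_{i}.docx -> /share/hr/doc_{i}.docx.locked")
    return sorted(lines, key=lambda l: int(l.split(" ", 1)[0]))


if __name__ == "__main__":
    for a in detect(constructed_log()):
        print(f"ALERT {a['host']} {a['process']}: {a['files']} files -> .{a['new_extension']} "
              f"in {a['detected_at'] - a['first_seen']} s")
```

The point of the example is the time dimension the text stresses: the alert fires nine seconds into the constructed burst, while the same events sitting in a log that nobody reads until the next quarterly review would be the six-month dwell time described above. Thresholds are deliberately conservative and would be tuned per environment against a baseline of legitimate bulk operations.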
Conclusion: Protection against ransomware is indispensable
Ransomware attacks and the damage they cause continue to increase worldwide. While home users are rarely in the crosshairs, for businesses these attacks account for a significant share of the economic damage caused by cyberattacks. Many other types of malware can be neutralized after the fact, so their economic impact is smaller - but ransomware must be fought preemptively. This is achieved primarily through early detection of attacker activity on one's own network.
Frequent backups, network security through segmentation and DNS authentication, social engineering training for employees: the best solution is holistic and addresses all areas. Proactive security solutions such as Active Cyber Defense further support this goal by detecting potential attacks on the company's internal network early. Compared to these positive effects, the ongoing costs are low, which is why this investment can be just right to protect your company in the long term.