Five essential tips to prevent ransomware attacks
The frequency of ransomware attacks is drastically increasing. In Australia specifically, the cost of ransomware attacks increased by 40% between 2018 and 2019, with each attack costing organisations an average of $128,130, according to a report from Accenture.
If an organisation’s defences are breached, it is estimated that the ransomware needs only a couple of minutes to propagate through the IT system, with a high likelihood that files will be encrypted.
With so little time to react, manual intervention just won’t cut it. Organisations need to be prepared, with the right technology and automated processes in place.
Here are five essential steps organisations can take to protect themselves from an inevitable ransomware attack.
1. Monitor lateral movement on the network
Gaining access to an organisation’s system is only the first stage of a successful attack. The attacker then needs to discover what information is worth stealing or corrupting. With the right tools and a knowledge of how legitimate employee accounts usually operate, an organisation can easily spot and block such exploratory activity.
To do this, there are several important activities organisations need to monitor, including the identity of the access device and the devices normally used by every account, the times when each account is normally active and what information they usually access. An organisation can then block any accounts that are behaving abnormally and investigate further.
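To make the baseline-and-deviation idea concrete, here is an added example (not code from the original article) that builds a per-account profile of usual devices, active hours and resources from a constructed access log, then reports how a new event departs from that profile. The log lines, account names and share paths are all made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from any real system):
# (timestamp, account, device, resource). The first list is the learning
# period; the second is new activity to check against it.
BASELINE_EVENTS = [
    ("2020-03-02T09:05:00", "alice", "alice-laptop", "fs01/sales"),
    ("2020-03-02T11:20:00", "alice", "alice-laptop", "fs01/sales"),
    ("2020-03-03T08:50:00", "alice", "alice-laptop", "fs01/marketing"),
    ("2020-03-02T10:00:00", "bob", "bob-desktop", "fs01/engineering"),
    ("2020-03-03T14:30:00", "bob", "bob-desktop", "fs01/engineering"),
]
NEW_EVENTS = [
    ("2020-03-04T10:15:00", "alice", "alice-laptop", "fs01/sales"),      # usual
    ("2020-03-04T02:40:00", "alice", "ws-unknown-17", "fs01/finance"),   # 3 deviations
    ("2020-03-04T15:00:00", "bob", "bob-desktop", "fs01/hr"),           # new share only
]

def build_baseline(events):
    """Per account: devices used, hours (0-23) seen active, resources touched."""
    profile = defaultdict(lambda: {"devices": set(), "hours": set(), "resources": set()})
    for ts, account, device, resource in events:
        p = profile[account]
        p["devices"].add(device)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["resources"].add(resource)
    return profile

def deviations(profile, event, hour_slack=1):
    """List the ways one event departs from the account's baseline."""
    ts, account, device, resource = event
    if account not in profile:
        return ["account never seen in baseline"]
    p, hour, reasons = profile[account], datetime.fromisoformat(ts).hour, []
    if device not in p["devices"]:
        reasons.append(f"new device {device}")
    # Allow activity within hour_slack hours of a previously seen hour (wrapping midnight).
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack for h in p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if resource not in p["resources"]:
        reasons.append(f"new resource {resource}")
    return reasons

def flag_accounts(profile, events, min_reasons=2):
    """Accounts with min_reasons or more deviations in a single event are
    candidates for blocking and investigation; lone deviations are only logged."""
    flagged = {}
    for ev in events:
        reasons = deviations(profile, ev)
        if len(reasons) >= min_reasons:
            flagged.setdefault(ev[1], []).extend(reasons)
    return flagged
```

In practice the baseline would be rebuilt on a rolling window and the threshold tuned per account type, so that a single new share does not block an account while a new device at an unusual hour does.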
2. Multiple lines of defence are critical
Ransomware is continually evolving. Earlier ransomware such as WannaCry did not discriminate. After being unleashed, it simply infected any vulnerable system it found. Now, ransomware is becoming targeted towards particular organisations, and is designed to steal data before it encrypts files.
Anti-virus software should be an organisation’s first, but not its only, layer of defence. This software relies on blacklists of known threat sources, and attackers are of course wise to this. As a result, they continually change their malware to avoid detection.
In addition to perimeter defences like anti-virus software, organisations need tools within their networks that can detect and block abnormal behaviour and isolate the software responsible.
Software tools that simply provide alerts on potential breaches and require manual intervention are no longer adequate. Businesses need software that employs machine learning to detect abnormal behaviour and automatically takes appropriate action.
3. Keep your eyes on the cloud
While cloud computing brings many advantages, it has also presented organisations with another attack surface, and an attractive one at that.
This is because compromised cloud resources provide attackers with an easier way to spread ransomware. For example, if an attacker was able to compromise Microsoft 365 and distribute a malicious link to multiple workers, the chances of it being clicked would be high because the workers would trust the source.
Another challenge for security teams is that many organisations use different security tools for their on-premises and cloud resources. This means organisations are unable to get a holistic view of their network, making it difficult to monitor network activity end to end.
Having a single view of activity in all data stores is critical, as it enables a security team to more easily and quickly spot abnormal activity resulting from an attack.
4. Limit data accessibility to those who need it
Individual users should only be given access to the company data necessary for them to fulfil their roles. This limits the potential for a compromised account to inflict damage.
Obvious as this may seem, ‘least privilege’ is a practice not widely followed. There have been many instances of cyber attacks that could have been partially or completely foiled if users had not been given unnecessary access to files.
The Varonis 2019 Global Data Risk Report found that on average, 22% of all data in a company is accessible to every employee, giving each on average access to 17 million files.
An often-overlooked area in the least privilege approach that can create unnecessary vulnerabilities is the accounts of IT administrators, which are frequently granted full network access (making them a prime target for attack). IT administrators should be given separate accounts for network admin and day-to-day work. Limiting their use of the full-access admin account will reduce the chance of it being compromised and spreading malware throughout the network.
5. Thoroughly investigate data and remove unnecessary files
It’s common for organisations to monitor employees’ email activity to help prevent successful phishing attacks and block access to dangerous websites. However, few organisations apply the same level of oversight to their sensitive data: who is accessing it, when they are accessing it and what they are doing with it.
Thorough oversight provides an audit trail that can be an extremely useful aid in the post-mortem of an attack, enabling security analysts to see what data has been compromised and take steps to recover it.
Such an audit trail also enables data that is no longer used or out of date to be deleted or archived. In a large organisation, these processes can be very labour intensive. As a result, many organisations are deploying automated tools to help them identify stale data and take appropriate action.
Ransomware attacks are inevitable. To beat them, organisations must act fast. In order to do this, organisations need to be very well prepared and equipped with automated security tools. A rapid response can make the difference between minor disruption and catastrophic compromise of an organisation’s systems.
Following these five steps can better prepare an organisation to deal with an attack by bolstering its cyber defences.