A ransomware attack is everyone’s nightmare. Nothing can cripple an organization like workstations locked and encrypted, demanding payment in cryptocurrency, promising a decryption key that may or may not ever be delivered. Data is lost. Critical operations halted. A nightmare.
The news is full of attacks like this against businesses in every sector, but MSPs and MSSPs are specifically targeted by ransomware gangs because they often represent an easy conduit to other targets.
How can we reduce ransomware risk? Is there a solution that is 100% effective? What is the ideal defense if we could start from a clean slate?
Can a product solve ransomware risk effectively?
No product is capable of providing complete protection against ransomware, and relying on a single product, tool, or a behavioral approach can still result in a successful ransomware deployment on your assets.
Like any solution to a challenging problem, there’s no magic bullet in the form of a product. Effective protection against ransomware is going to be a combination of defensive tactics, prescriptive controls based on likely attack vectors, and user awareness.
What steps should a business take to protect its assets from a ransomware attack?
A robust and effective defense starts with a layered approach that includes the following parts:
1 Backups
The idea that backups are in play for this type of threat is a little sobering. It implies that we will be writing off affected target machines as lost and then wiping them clean. From this perspective, backups are an absolute priority, and for maximum resilience of data they should be kept offsite. Magnetic (tape) storage is even seeing a resurgence in popularity because of this.
The underlying cloud storage of modern SaaS applications, and the assumed backup regimens used by the distributed data centers they’re hosted on, provide this element of protection.
2 Endpoint Protection (EPP)
The requisite frontline defense for endpoints is Endpoint Protection (EPP). Even with EPP, an estimated 60% of cybersecurity threats are likely to go undetected.
What exactly does ransomware do? Its first task is scanning or indexing the file system, including any network volumes. Once the indexing is done, it will begin copying to a hidden drive to encrypt the data.
The goal of ransomware protection is to detect when the indexing starts and then begin backing up the files. If the ransomware detects the protection, it will kill the process. Solutions that rely on Windows shadow drives often fail because of this.
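As an added example (not code from the original article or from any product it mentions), the indexing-then-encrypt pattern described above can be expressed as a detection rule. The script below runs over a constructed file-activity log in an assumed format (timestamp, process id, operation, path) and flags a process that reads across many directories within a short window, renames files to a new extension, or touches a canary (honeyfile) directory:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events (assumed format; not output of any real product).
# Fields: ISO timestamp, process id, operation, path [, new path for RENAME].
SAMPLE_LOG = """\
2024-05-01T09:00:00 4120 WRITE C:\\Users\\alice\\Documents\\q1.xlsx
2024-05-01T09:00:40 4120 WRITE C:\\Users\\alice\\Documents\\notes.docx
2024-05-01T09:01:00 7788 READ C:\\Users\\alice\\Documents\\q1.xlsx
2024-05-01T09:01:00 7788 READ C:\\Users\\alice\\Pictures\\dog.jpg
2024-05-01T09:01:01 7788 READ Z:\\finance\\ledger.csv
2024-05-01T09:01:01 7788 READ C:\\Users\\alice\\Desktop\\todo.txt
2024-05-01T09:01:02 7788 READ C:\\Users\\alice\\Music\\a.mp3
2024-05-01T09:01:02 7788 RENAME C:\\Users\\alice\\Documents\\q1.xlsx C:\\Users\\alice\\Documents\\q1.xlsx.locked
2024-05-01T09:01:03 7788 RENAME Z:\\finance\\ledger.csv Z:\\finance\\ledger.csv.locked
2024-05-01T09:01:03 7788 READ C:\\Users\\alice\\Documents\\_canary\\do-not-open.docx
"""

WINDOW = timedelta(seconds=10)   # sliding window per process (assumed tuning)
DIR_BURST = 5                    # distinct directories read within WINDOW
CANARY_MARKER = "_canary"        # directory name reserved for honeyfiles

def parse(log):
    for line in log.splitlines():
        ts, pid, op, *paths = line.split()
        yield datetime.fromisoformat(ts), int(pid), op, paths

def detect(log):
    """Return {pid: set(reasons)} for processes whose activity matches
    the indexing phase or the extension-changing encryption phase."""
    reads = defaultdict(deque)    # pid -> recent (time, directory) reads
    renames = defaultdict(deque)  # pid -> recent extension-changing renames
    alerts = defaultdict(set)
    for ts, pid, op, paths in parse(log):
        # Any access to a canary directory is suspicious on its own.
        if any(CANARY_MARKER in PureWindowsPath(p).parts for p in paths):
            alerts[pid].add("canary file touched")
        if op == "READ":
            q = reads[pid]
            q.append((ts, str(PureWindowsPath(paths[0]).parent)))
            while q and ts - q[0][0] > WINDOW:
                q.popleft()
            if len({d for _, d in q}) >= DIR_BURST:
                alerts[pid].add("indexing burst across directories")
        elif op == "RENAME" and PureWindowsPath(paths[1]).suffix != PureWindowsPath(paths[0]).suffix:
            q = renames[pid]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= 2:
                alerts[pid].add("extension-changing renames")
    return dict(alerts)
```

The thresholds are assumptions to tune against normal activity (backup agents and indexers also read widely), and in a real deployment the events would come from the EDR's file telemetry rather than an inline string.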
The best endpoint protection uses a layered approach of non-competing EPP products. Removable devices should either be scanned before mounting or prohibited by the organization altogether.
Threat hunting and monitoring should be implemented.
An EDR solution should be in place for Advanced Persistent Threats (APT); if running one is good, then running more than one is better.
3 Email protection
It’s estimated that 90% of threats arrive through email. For this reason, it’s best that email protection has sandbox and detonation features.
An email product should also have click-time protection that evaluates a URL when it is clicked, not only when the message is first received.
Even better is remote browser isolation as another method of stopping phishing. It removes much of the potential risk in a way that isn’t possible without it.
4 Multifactor Authentication (MFA)
Why make it easier for a ransomware attacker by using simple password authentication only? The prevalence of data breaches and credentials harvested via other exploits makes deploying ransomware an easy step.
Enabling multifactor auth wherever possible can help prevent stolen credentials from being used to enable delivery.
A common phishing attack to harvest credentials is to prop up a decoy website that looks exactly like the legitimate version. If an employee clicks a bad link, is prompted to authenticate to Microsoft 365, and expects an MFA code to be sent to their mobile device, they should catch on that the site isn’t authentic when that code doesn’t arrive.
5 SASE Model Proxy
Secure Access Service Edge, or SASE, is a multilayered methodology for securing cloud service access.
It extends all the network-based protections a user might enjoy while working from the physical office to the remote locations employees are often found today.
Avoiding a ransomware deployment might involve implementing a cloud-based proxy to give remote users the more stringent network protections of the office.
A solution that limits the scope of browsing by eliminating access to known bad sites, forces SSL encryption, and preemptively detonates downloaded files is what businesses should look for to achieve layered security.
6 Hygiene for Devices
Periodic health checks on devices are critical to establish a baseline for comparison.
Know with certainty where a device originates, whether it’s encrypted, and whether it has antivirus (AV) running or not. These are all often prerequisites for patching, and conformance checks should be part of a mature program for vulnerability and patch management, configuration, and alerting and monitoring coverage.
7 Human Monitoring
Finally, a monitoring program that includes human eyes-on-glass watching telemetry data for anomalies helps round out all the layers necessary for maximum protection against a ransomware attack.
Sadly, there’s no sure thing in ransomware defense, purely by virtue of being in a defensive position.
The best defense is achievable by implementing a comprehensive layered approach, but attackers are clever, resourceful, and always ready to exploit the things we don’t expect.
And if most of the layers fail, that magnetic storage backup is still there to save the day.