
In this blog we discuss the increasing threat of ransomware and the ransomware prevention strategies that can help organizations mitigate the risk.
The persistent threat of ransomware
According to our annual report, the number of active ransomware groups is up year-on-year, creating a more complex landscape for security professionals to monitor. In this increasingly busy landscape, it becomes even more vital for organizations to actively apply effective ransomware prevention strategies.
With almost a hundred active ransomware groups in 2024 and the average ransom demands increasing by $1 million from 2023, it is not enough for organizations to simply be aware of the gangs out there. They need to start narrowing down the groups that are most likely to impact them based on their activity and victimology, gather intelligence on their capabilities, tactics, techniques, and procedures (TTPs), and apply these learnings to their defensive measures.
Ransomware protection and prevention steps
Back up critical data
Data backup is a crucial defense in mitigating ransomware attacks. Holding a copy of the data in another location lets an organization restore any encrypted files, removing the need to pay the ransom demanded.
Many organizations and institutions cite the “3-2-1 backup rule”, a widely adopted set of best practices: keep three copies of the data, on two different storage media, with one copy stored off-site.
This framework not only safeguards against the threat of ransomware, but also ensures data can be restored quickly, allowing operations to return to some normality after an attack.
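As an added example (not code from the original post or from any vendor tool), the following Python checks an inventory of backup copies against the 3-2-1 rule and, in addition, compares each copy's SHA-256 digest with a known-good reference. The second check is the one that matters most for ransomware: a backup that was reachable from the compromised network and encrypted alongside the primary still counts as a "copy" but will no longer restore. The `BackupCopy` records and their contents are constructed for this example; in a real system the `content` would come from a test restore or a stored digest.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str       # e.g. "disk", "tape", "object-storage"
    offsite: bool
    content: bytes    # bytes obtained from a test restore (constructed here)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_321(copies, reference: bytes) -> dict:
    """Evaluate copies against 3-2-1 and against a known-good reference.
    An empty 'failures' list means the inventory is compliant."""
    failures = []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        failures.append(f"single medium {sorted(media)} (need 2)")
    if not any(c.offsite for c in copies):
        failures.append("no offsite copy")
    # Any copy whose digest differs from the reference is unusable for restore,
    # whether through silent corruption or because it was encrypted too.
    ref = digest(reference)
    bad = [c.label for c in copies if digest(c.content) != ref]
    if bad:
        failures.append("copies differ from reference: " + ", ".join(bad))
    return {"compliant": not failures, "failures": failures, "copies": len(copies)}

# Constructed sample data for this example.
DATA = b"customer-ledger-2024.csv (constructed sample contents)"
GOOD = [
    BackupCopy("production", "disk", False, DATA),
    BackupCopy("nas-snapshot", "disk", False, DATA),
    BackupCopy("cloud-bucket", "object-storage", True, DATA),
]
# Same layout, but the NAS copy was overwritten by the ransomware.
TAMPERED = [GOOD[0], BackupCopy("nas-snapshot", "disk", False, b"ENCRYPTED"), GOOD[2]]
# Two copies, both on disk, nothing offsite.
THIN = [GOOD[0], GOOD[1]]

if __name__ == "__main__":
    for name, inv in (("good", GOOD), ("tampered", TAMPERED), ("thin", THIN)):
        print(name, check_321(inv, DATA))
```

Run the module directly to see the three verdicts; the second inventory satisfies the headcount of 3-2-1 yet fails the restore check, which is why the rule should be paired with periodic test restores.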
Incident response (IR) plans
In the worst-case scenario, where an organization has become the latest victim of a ransomware attack, it is important that incident response plans are put into action immediately so that cleanup and remediation are as quick as possible.
As per guidance from the National Cyber Security Centre, an incident response plan should cover five main points:
- Key contacts – IR, IT, senior management, legal, PR, HR, and insurance. If possible, aim to include two contacts from each group of roles in case one of them is unavailable.
- Escalation criteria – A matrix could be included to determine the severity and priority of the ransomware attack to inform how quickly the incident needs to be handled.
- Full incident life-cycle process – Include a chart that depicts what should happen, or who should be involved, at each level of response and when certain actions should be triggered.
- At least one conference number – This should be a conference number that is only used for urgent incident calls.
- Basic guidance on legal or regulatory requirements – Include advice on when to engage legal support, HR, or follow evidence capture guidelines.
Employee awareness training
In all organizations, employees are the first line of defense against cyberattacks, including ransomware. With 70 percent of data breaches involving a human element, it is crucial that cybersecurity awareness training is provided to educate employees on how to identify and avoid cyber threats. When an informed and vigilant employee identifies a potential threat, they may not only prevent a ransomware attack but also know to contact the IT and cybersecurity teams immediately. Once the relevant department is aware of the incoming threat, it can react, investigate, and warn others in the organization.
Monitoring for signs of an imminent ransomware attack
Dark web monitoring is one way that organizations can take a more proactive approach to preventing ransomware, by identifying warning signs of an imminent attack. One such sign is an Initial Access Broker (IAB) post on a dark web hacking forum. An IAB is a specific type of cybercriminal whose aim is to exploit vulnerabilities, gain access to a business's network, and sell that access on to other cybercriminals. We regularly observe ransomware associates interacting with Initial Access Broker posts, and many groups are known to buy initial access for their attacks. Monitoring these posts can therefore give organizations an early warning that they are the target.
While an IAB post on a hacking forum will not name the organization the broker has gained access to, it will describe the organization's profile using details such as:
- Industry
- Turnover
- Number of employees
- Location
Therefore, if an organization spots a post that matches its profile, it can begin investigating whether it has been compromised before the ransomware group has had the opportunity to act on the access. The Initial Access Broker post will also often provide details of the compromise, giving security teams a starting point for their incident response.
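The profile matching described above, as an added example rather than code from the original post or any monitoring product: the Python below extracts industry, country, turnover and headcount mentions from forum-style listings, compares them with the organization's own profile, and ranks the posts that warrant an investigation. The alias tables, weights and tolerance are arbitrary illustration values, and the four sample listings are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OrgProfile:
    industry: str
    country: str
    revenue_usd: float   # annual turnover in USD
    employees: int

# Constructed alias tables; a real deployment would maintain far richer ones.
INDUSTRY_TERMS = {
    "healthcare": ["healthcare", "health care", "hospital", "medical", "clinic"],
    "retail": ["retail", "e-commerce", "shop"],
    "manufacturing": ["manufacturing", "industrial", "factory"],
    "logistics": ["logistics", "shipping", "freight"],
}
COUNTRY_TERMS = {
    "US": ["usa", "united states", "us-based", "us"],
    "UK": ["uk", "united kingdom", "britain"],
    "DE": ["germany", "german"],
}
UNIT = {"k": 1e3, "thousand": 1e3, "m": 1e6, "mm": 1e6, "million": 1e6,
        "b": 1e9, "bn": 1e9, "billion": 1e9}

# Either "revenue/turnover/rev ... <number><unit>" or a bare "$<number><unit>".
REVENUE_RE = re.compile(
    r"\b(?:revenue|turnover|rev)\b[^\d$]{0,20}\$?\s*(\d+(?:\.\d+)?)\s*"
    r"(billion|million|thousand|bn|mm|m|b|k)?\b"
    r"|\$\s*(\d+(?:\.\d+)?)\s*(billion|million|thousand|bn|mm|m|b|k)?\b",
    re.IGNORECASE)
EMPLOYEES_RE = re.compile(r"(\d[\d,]*)\s*\+?\s*(?:employees|staff|workers)\b", re.IGNORECASE)
WEIGHTS = {"industry": 0.35, "country": 0.25, "revenue": 0.20, "employees": 0.20}

def parse_revenue(text: str) -> Optional[float]:
    """First turnover figure in the post as USD (e.g. '$250M', 'turnover 40 million')."""
    m = REVENUE_RE.search(text)
    if not m:
        return None
    num, unit = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
    return float(num) * UNIT.get((unit or "").lower(), 1.0)

def parse_employees(text: str) -> Optional[int]:
    """First headcount in the post, e.g. '1,500 employees' -> 1500."""
    m = EMPLOYEES_RE.search(text)
    return int(m.group(1).replace(",", "")) if m else None

def _mentions(text: str, terms) -> bool:
    low = text.lower()
    return any(re.search(r"\b" + re.escape(t) + r"\b", low) for t in terms)

def _close(observed, expected, tol: float = 0.5) -> bool:
    """True when a parsed figure lies within +/- tol of the profile value."""
    return observed is not None and abs(observed - expected) <= tol * expected

def score_post(post: str, org: OrgProfile) -> dict:
    """Per-attribute matches plus a weighted score in [0, 1]."""
    hits = {
        "industry": _mentions(post, INDUSTRY_TERMS.get(org.industry, [org.industry])),
        "country": _mentions(post, COUNTRY_TERMS.get(org.country, [org.country])),
        "revenue": _close(parse_revenue(post), org.revenue_usd),
        "employees": _close(parse_employees(post), org.employees),
    }
    total = sum(w for k, w in WEIGHTS.items() if hits[k])
    return {"score": round(total, 2), "hits": hits}

def triage(posts, org: OrgProfile, threshold: float = 0.6):
    """(post, score) pairs at or above the threshold, highest first."""
    scored = [(p, score_post(p, org)["score"]) for p in posts]
    return sorted([ps for ps in scored if ps[1] >= threshold], key=lambda ps: -ps[1])

# Constructed sample listings, written for this example only.
SAMPLE_POSTS = [
    "Selling access to US healthcare company, revenue $250M, 1,500 employees. VPN access.",
    "Access to UK retail chain, turnover £40 million, 600 staff.",
    "Access to manufacturing firm in Germany, rev 1.2bn, 8000 employees.",
    "US-based logistics company, $300M revenue, 1,300 employees.",
]
OUR_ORG = OrgProfile(industry="healthcare", country="US", revenue_usd=240e6, employees=1400)

if __name__ == "__main__":
    for post, s in triage(SAMPLE_POSTS, OUR_ORG):
        print(f"{s:.2f}  {post}")
```

The fourth listing is the instructive one: its industry does not match, but country, turnover and headcount all fall within tolerance, so it still crosses the threshold and is worth a look, while the UK and German listings score zero. Tune the weights and tolerance to the organization's own risk appetite rather than treating the values here as a standard.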
Monitoring for listings on ransomware group profiles
If an organization has been listed on a ransomware group's leak site, the likelihood is that an attack has already happened and data has been exfiltrated. However, as with any cyberattack, the faster a team identifies the incident, the more likely it is to mitigate the damage. Monitoring these listings:
- Gives organizations the opportunity to inform employees, customers, investors, and suppliers before they hear about the attack from another source, which goes some way toward preventing a loss of trust in the organization.
- Allows organizations to find the threat earlier, enabling security teams to respond faster and incident response plans to be put into action sooner.
Gathering threat intelligence on ransomware groups on the dark web
To help prevent ransomware attacks, organizations must monitor ransomware groups to understand their tactics, techniques, and procedures (TTPs). Getting under the skin of a ransomware group, and knowing the industries it targets, the types of organizations it wants to infiltrate, and how and when it is most likely to attack, gives security teams the power to prepare.
As well as being prepared, threat intelligence can also aid incident response and remediation. Security teams can use the intelligence to understand where the attack originated and in some cases who the attack is from. Having access to this information allows organizations to monitor the particular ransomware group to ensure security teams have completely eradicated the threat.
Protection against ransomware
The ransomware landscape is continuously changing, with more sophisticated attacks and barriers to entry lowered by the use of AI and RaaS offerings on the dark web. Alongside more traditional preventative steps such as consistent backups, regular employee training, and detailed incident response plans, dark web monitoring is a tool that should also be considered. As we have discussed, dark web monitoring gives security teams the upper hand on ransomware and RaaS groups, and gives investigators and analysts access to continuously updated intelligence on the latest tactics, known members, and victims, helping them identify and mitigate the risk of future ransomware attacks.
If you’d like to learn more about how dark web monitoring can help protect against ransomware, ARRANGE A DEMO with our experts today.