Ransomware affects PC users big and small, with a number of municipalities recently severely hit and crippled for weeks by software which encrypts their data and demand payment to make the computing infrastructure work again. The ransomware often targets back-up systems also, making it impossible to restore to a known-good backup.
When faced with a ransom demand and with critical infrastructure and the administrative function of hundreds of thousands of people incapacitated, many cities have been tempted to pay the ransom, and some have in fact given in.
Microsoft is however clear in their advice to never give in to terrorists:
We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers. The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored.
Microsoft, unfortunately, does not expand on what to do instead, rather suggesting that prevention is better than cure, saying:
… every organization should treat a cybersecurity incident as a matter of when it will happen and not whether it will happen. Having this mindset helps an organization react quickly and effectively to such incidents when they happen.
Microsoft advises the following strategy:
1. Use an effective email filtering solution
According to the Microsoft Security Intelligence Report Volume 24 of 2018, spam and phishing emails are still the most common delivery method for ransomware infections. To effectively stop ransomware at its entry point, every organization needs to adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats. By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress.
2. Regular hardware and software systems patching and effective vulnerability management
Many organizations are still failing to adopt one of the age-old cybersecurity recommendations and important defenses against cybersecurity attacks—
3. Use up-to-date antivirus and an endpoint detection and response (EDR) solution
While owning an antivirus solution alone does not ensure adequate protection against viruses and other advanced computer threats, it’s very important to ensure antivirus solutions are kept up to date with their software vendors. Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. Complementary to owning and updating an antivirus solution is the use of EDR solutions that collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility to systems. The data sets and alerts generated by this solution can help to stop advanced threats and are often leveraged for responding to security incidents.
4. Separate administrative and privileged credentials from standard credentials
Working as a cybersecurity consultant, one of the first recommendations I usually provide to customers is to separate their system administrative accounts from their standard user accounts and to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single account doesn’t lead to the compromise of the entire IT infrastructure. Additionally, using Multi-Factor Authentication (MFA), Privileged Identity Management (PIM), and Privileged Access Management (PAM) solutions are ways to effectively combat privileged account abuse and a strategic way of reducing the credential attack surface.
5. Implement an effective application whitelisting program
It’s very important as part of a ransomware prevention strategy to restrict the applications that can run within an IT infrastructure. Application whitelisting ensures only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective.
6. Regularly back up critical systems and files
The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, and it can often make them unrecoverable; consequently, it’s of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack.
Microsoft also offers tools to simulate a ransomware attack. Microsoft Secure Score help organizations to determine which controls to enable to help protect users, data and devices. It will also allow organizations to compare their score with similar profiles using built-in machine learning while Attack Simulator allows enterprise security teams to run simulated attacks including mock ransomware and phishing campaigns. This will help them in learning their employees’ responses and tune security settings accordingly.
Microsoft of course also offers cloud backup tools which are designed to detect mass manipulation of user data and stop it in its tracks.
Read more at Microsoft’s Detection and Response Team blog here.