A new webinar from security firm Kaspersky discusses the strategy and execution of a typical ransomware attack and unpacks current best practices for safeguarding against ransomware at the delivery and execution stages.
Previously, the presenters say, ransomware was delivered to individuals via email. Today's ransomware attacks are far more complex and sophisticated, they add: threat actors attempt to gain a foothold in victims' systems by exploiting vulnerabilities, through brute force and password guessing, and by buying stolen login credentials on the dark web. Attackers then gather basic system and network information to understand the victim's configuration (using various tools, including Windows commands) and look for high-privilege hosts on the network.
Stolen information, not surprisingly, is often critical to the victim’s business operations, they add, and is generally used to increase ransom demands.
Seongsu Park, lead security researcher in Kaspersky's Global Research and Analysis Team, says such attacks can be detected and prevented at three key points: delivery, malware execution and the discovery phase of an attacker's infiltration.
The webinar, Ransomware Prevention Strategies, makes the following recommendations:
- To prevent delivery of a threat actor’s tools, patching known vulnerabilities is critical. The process, Park says, should be repeated regularly as new vulnerabilities are discovered.
- Conduct regular penetration tests to identify security weaknesses in the environment.
- Lock accounts after multiple failed suspicious login attempts.
- Filter email and spam using sandbox technologies to check suspicious attachments and block malware before it reaches the user. “It is important to adopt this technique to filter inbound traffic,” he adds. “Many cyber attacks start with human error.”
- Provide current and regular cyber threat training with all employees.
- Prevent the execution of malicious tools using appropriate anti-malware products.
- Block macros. “Many ransomware gangs still abuse the macros embedded in Office documents,” Park says.
- Block media and disable autorun functionality in email, which can be used to automatically execute malicious code.
- Prevent spread – network segmentation is crucial, he adds.
- Regularly review user accounts and permissions, particularly when employees leave the company.
- Consider time-based restrictions on permissions – not all employees need full privileges during nonworking hours.
- Implement the three-two-one backup rule: "This means keeping three copies of important data on two different types of media with at least one copy offsite," Park says.
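As an added illustration (not part of the webinar or of Kaspersky's own material), the Python script below turns two of the recommendations above into detection logic run over a few constructed authentication log lines: the account-lockout rule (lock after repeated failed logins) and the time-based privilege rule (flag high-privilege logins outside working hours). The log format, the failure threshold and window, the working hours and all account names and addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample authentication log lines (illustrative only, not from any
# real system). Assumed format:
#   "<ISO timestamp> <user> <source_ip> <FAIL|SUCCESS> <high|low>"
SAMPLE_LOG = """\
2024-03-04T02:10:01 admin 198.51.100.7 FAIL high
2024-03-04T02:10:09 admin 198.51.100.7 FAIL high
2024-03-04T02:10:15 admin 198.51.100.7 FAIL high
2024-03-04T02:10:22 admin 198.51.100.7 FAIL high
2024-03-04T02:10:30 admin 198.51.100.7 FAIL high
2024-03-04T02:10:41 admin 198.51.100.7 FAIL high
2024-03-04T09:15:00 alice 10.0.0.12 FAIL low
2024-03-04T10:30:00 alice 10.0.0.12 SUCCESS low
2024-03-04T11:00:00 bob 10.0.0.20 SUCCESS high
2024-03-04T23:45:00 backupsvc 10.0.0.50 SUCCESS high
"""

# Assumed policy parameters.
FAIL_THRESHOLD = 5                     # failed attempts that trigger a lockout
FAIL_WINDOW = timedelta(minutes=10)    # sliding window for counting failures
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working hours


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, priv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result, "priv": priv})
    return events


def lockout_decisions(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Apply a sliding-window lockout rule.

    Returns (locked, alerts): `locked` maps each locked user to the time the
    lock took effect; `alerts` lists (user, time, kind) tuples, where kind is
    "locked" or "attempt_while_locked".
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user in locked:
            # Any further activity on a locked account is worth an alert.
            alerts.append((user, ev["ts"], "attempt_while_locked"))
            continue
        if ev["result"] != "FAIL":
            recent[user].clear()   # a successful login resets the counter
            continue
        q = recent[user]
        q.append(ev["ts"])
        # Drop failures that have fallen out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked[user] = ev["ts"]
            alerts.append((user, ev["ts"], "locked"))
    return locked, alerts


def off_hours_privileged_logins(events, start=WORK_START, end=WORK_END):
    """Successful logins by high-privilege accounts outside working hours."""
    return [(e["user"], e["ts"]) for e in events
            if e["result"] == "SUCCESS" and e["priv"] == "high"
            and not (start <= e["ts"].time() < end)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    locked, alerts = lockout_decisions(events)
    for user, ts, kind in alerts:
        print(f"{ts.isoformat()} {user}: {kind}")
    for user, ts in off_hours_privileged_logins(events):
        print(f"{ts.isoformat()} {user}: privileged login outside working hours")
```

On the sample data the `admin` account is locked at its fifth failure and the sixth attempt is reported as activity against a locked account, while `alice`'s single failure followed by a successful login is ignored; only `backupsvc`'s late-night high-privilege login is flagged, because `bob`'s falls inside the assumed working hours. A production rule would normally key the failure counter by source address as well as by user and would read working hours per role from policy rather than from constants.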
“Backups are particularly important in the event of a ransomware attack as some ransomware actors may attempt to disable or destroy the backup system before deploying their model,” Park adds. “To protect your important data and maintain service reliability, a comprehensive backup policy is essential.”