In Part 3, the final post in our Ransomware series, we examine how to defend against a ransomware attack. How do you best prime your defences?
Cybercrime is big business, often carried out on an industrial scale. While the financial implications of a ransomware attack vary, the business impact is unquestionably large.
The 5 Phases of a Ransomware Attack
Whether it is a mass distribution or a targeted attack, there are five distinct phases:
- Exploitation and Infection
- Delivery and Execution
- Backup Spoliation
- File Encryption
- User Notification and Clean-up
Now that we understand how ransomware typically works, we can prepare our defences.
5 Steps to Defend Against Ransomware
1. Prepare
- Patch Aggressively - Malware often exploits known vulnerabilities, so shorten the gap between a patch being released and it being deployed.
- Protect Your Endpoints - Keep endpoint protection current and centrally reporting; it is the last line of defence once a payload reaches a machine.
- Create (and Protect) Backups - Ransomware seeks out and destroys the backups it can reach before encrypting regular files, so keep copies offline or otherwise not writable from the endpoints they protect, and test that they restore.
- Assign Least Privileges - Limit the damage ransomware can do by running users without administrative rights and restricting write access to shared files to those who need it.
- Educate Users - An essential component of an effective defence, since phishing emails remain the most common delivery route.
- Connect with Intelligence Sources - Threat intelligence feeds give you indicators of active campaigns before they reach you.
- Prepare an Incident Response Plan - Specifically for a ransomware attack: who decides, who isolates, and in what order systems are restored.
- Get Cyber Insurance Cover
2. Detect
- Prime Your Defences - Confirm the controls from the Prepare step are actually enforced and reporting before you need them.
- Screen Email - Filter for malicious links and payloads, such as phishing emails and weaponised attachments, before they reach the user.
- Block Executables - Prevent programs from running in the locations ransomware typically executes from, such as %APPDATA% and the %TEMP% folder, using application control (for example Software Restriction Policies or AppLocker path rules).
- Look for Signs of Encryption and Notification - Bursts of file writes and renames from a single process, changed or appended file extensions, and ransom notes dropped into many directories.
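The last two Detect steps above, as an added worked example that is not code from the original post: a small Python scorer that runs over endpoint telemetry and flags a process when it executes from %APPDATA% or %TEMP%, writes to many files in a short window, appends a new extension on rename, overwrites files with high-entropy content, drops ransom notes into several directories, or touches a canary folder. The event format, the image paths, the canary folder, the process IDs and every threshold are assumptions chosen for illustration, and the telemetry is constructed, not captured.

```python
import math
from collections import Counter, defaultdict

# Locations the post names as where ransomware typically executes from
# (%APPDATA% and %TEMP%), matched case-insensitively inside the image path.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
# Assumed honeypot folder: nothing legitimate should ever write here.
CANARY_DIR = "c:\\users\\alice\\documents\\~canary\\"
NOTE_WORDS = ("readme", "decrypt", "how_to", "recover")
WINDOW_SECONDS = 10      # assumed tuning values, not from the post
BURST_THRESHOLD = 20
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def runs_from_user_writable(image: str) -> bool:
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def appends_extension(old: str, new: str) -> bool:
    """report.docx -> report.docx.locked keeps the old name as a prefix."""
    return new.lower().startswith(old.lower() + ".")


def is_ransom_note(path: str) -> bool:
    name = path.lower().rsplit("\\", 1)[-1]
    return name.endswith((".txt", ".html", ".hta")) and any(w in name for w in NOTE_WORDS)


def score_events(events):
    """Return {pid: {indicator: count}} for every process that shows a sign.
    An event is a dict with ts (seconds), pid, image, op ('write', 'rename',
    'create') and path, plus new_path for renames and data (bytes) for writes."""
    indicators = defaultdict(Counter)
    writes = defaultdict(list)      # pid -> [(ts, path)] for burst detection
    note_dirs = defaultdict(set)    # pid -> directories a ransom note landed in
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ind = ev["pid"], indicators[ev["pid"]]
        if runs_from_user_writable(ev["image"]):
            ind["exec_from_user_writable"] = 1
        if ev["path"].lower().startswith(CANARY_DIR):
            ind["canary_touched"] += 1
        if ev["op"] == "write":
            writes[pid].append((ev["ts"], ev["path"].lower()))
            if shannon_entropy(ev.get("data", b"")) > ENTROPY_THRESHOLD:
                ind["high_entropy_overwrite"] += 1
        elif ev["op"] == "rename" and appends_extension(ev["path"], ev["new_path"]):
            ind["extension_appended"] += 1
        elif ev["op"] == "create" and is_ransom_note(ev["path"]):
            note_dirs[pid].add(ev["path"].lower().rsplit("\\", 1)[0])
    # Burst: the most distinct files one process wrote inside any sliding window.
    for pid, w in writes.items():
        best, j = 0, 0
        for i, (t0, _) in enumerate(w):
            while j < len(w) and w[j][0] - t0 <= WINDOW_SECONDS:
                j += 1
            best = max(best, len({p for _, p in w[i:j]}))
        if best >= BURST_THRESHOLD:
            indicators[pid]["write_burst"] = best
    for pid, dirs in note_dirs.items():
        if len(dirs) >= 3:
            indicators[pid]["ransom_notes_in_dirs"] = len(dirs)
    return {pid: dict(c) for pid, c in indicators.items() if c}


def processes_to_kill(events, min_indicators=2):
    """PIDs with at least min_indicators distinct signs: the Contain step's targets."""
    return sorted(pid for pid, ind in score_events(events).items() if len(ind) >= min_indicators)


def sample_events():
    """Constructed telemetry: an encryptor (pid 4242) and a normal editor (pid 1337)."""
    bad = "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"     # hypothetical image path
    good = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    docs = "C:\\Users\\alice\\Documents\\"
    ciphertext_like = bytes(range(256))     # entropy 8.0, stands in for encrypted content
    events = []
    for i in range(25):
        f = f"{docs}proj{i // 5}\\file{i}.docx"
        events.append({"ts": i * 0.1, "pid": 4242, "image": bad, "op": "write",
                       "path": f, "data": ciphertext_like})
        events.append({"ts": i * 0.1 + 0.05, "pid": 4242, "image": bad, "op": "rename",
                       "path": f, "new_path": f + ".locked"})
    for d in range(3):
        events.append({"ts": 3.0 + d, "pid": 4242, "image": bad, "op": "create",
                       "path": f"{docs}proj{d}\\HOW_TO_DECRYPT.txt"})
    events.append({"ts": 4.5, "pid": 4242, "image": bad, "op": "write",
                   "path": docs + "~canary\\budget.xlsx", "data": ciphertext_like})
    # A real .docx is a zip, so a legitimate save also looks high-entropy: one sign only.
    events.append({"ts": 6.0, "pid": 1337, "image": good, "op": "write",
                   "path": docs + "report.docx", "data": ciphertext_like})
    return events


if __name__ == "__main__":
    for pid, signs in score_events(sample_events()).items():
        print(pid, signs)
    print("kill:", processes_to_kill(sample_events()))
```

On the constructed sample, pid 4242 shows six distinct signs and is returned by processes_to_kill, while Word's single high-entropy save scores one sign and is left alone. That is the point of requiring several independent indicators: compressed formats such as .docx, .jpg and .pdf are already near 8 bits per byte, so an entropy check on its own produces false positives, and a canary hit or a burst of appended extensions is far more specific. The returned PIDs feed straight into the Contain step below.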
3. Contain
- Kill the Processes - Killing the encrypting processes is the fastest way to stop further damage on that host. It does nothing for files already encrypted, and any key material held only in the process's memory is lost with it, so capture memory first if forensics or a later decryption attempt might need it.
- Isolate the Endpoint - Disconnect it from the network so it can no longer reach file shares or other hosts and cannot receive further instructions.
4. Remove
- Replace, rebuild or clean affected machines. It is often difficult to be sure that no residual files remain undiscovered, so completely rebuilding the affected machine from a known-good image is often the more pragmatic and efficient approach.
5. Recover
- Restore from a clean backup - one taken before the infection and verified not to contain the malware or already-encrypted files.
- Investigate and understand the threat vector so you can close it and better protect yourself in the future.