July 1, 2020
In Part 3, the final post in our Ransomware series, we take a look at how to defend against a ransomware attack. How do you best prime your defences?
Cyber crime is big business, often carried out on an industrial scale. While the financial implication of a ransomware attack varies, the business impact is unquestionably large.
The Phases of a Ransomware Attack
Regardless of whether it’s a mass distribution or a targeted attack, there are 5 distinct phases of a ransomware attack.
Phase 1: Exploitation and Infection
Phase 2: Delivery and Execution
Phase 3: Backup Spoliation
Phase 4: File Encryption
Phase 5: User Notification and Clean-up
Now that we understand how ransomware typically works, we can prepare our defences.
5 Steps to Defend Against Ransomware
- Patch Aggressively – Malware often exploits known vulnerabilities.
- Protect Your Endpoints
- Create (and Protect) Backups – Ransomware destroys backup files and encrypts regular files.
- Assign Least Privileges – To limit damage caused by ransomware.
- Educate Users – An essential component of an effective defence.
- Connect with Intelligence Sources
- Prepare an Incident Response Plan – Specifically for a ransomware attack.
- Get Cyber Insurance Cover
Prime Your Defences
- Screen Email – For malicious links and payloads, such as phishing emails.
- Block Executables – In the locations ransomware typically executes from (%APPDATA% and the %TEMP% folder).
- Look for Signs of Encryption and Notification
- Kill the Processes – Killing the running processes is the best method of containment.
- Isolate the Endpoint
- Replace, rebuild or clean machines. It is sometimes difficult to know whether residual files remain undiscovered, so complete replacement of the affected machine can often be a more pragmatic and efficient approach.
- Restore from a clean backup.
- Investigate and understand the threat vector, to better protect yourself in the future.
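As an added example of the "block executables" and "kill the processes" steps above (this is not code from the original post), the following PowerShell script reports every running process whose executable lives under %APPDATA%, %LOCALAPPDATA% or %TEMP%, and stops them only when asked. The folder list and the -Kill switch are assumptions made for the example; review the report before killing anything, since some legitimate per-user updaters also run from these folders.

```powershell
# Added example, not part of the original post: flag processes launched from the
# user-writable folders the post names as typical ransomware launch points.
# Run from an elevated prompt so Get-Process can read the Path of each process.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Kill   # assumption: containment is opt-in; supports -WhatIf / -Confirm
)

# Assumed list of suspicious launch locations (normalised, trailing '\' removed).
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } |
    ForEach-Object { [System.IO.Path]::GetFullPath($_).TrimEnd('\') }

$findings = foreach ($p in Get-Process) {
    $path = $p.Path                       # $null for protected/system processes
    if (-not $path) { continue }
    foreach ($root in $suspiciousRoots) {
        if ($path.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
            $start = try { $p.StartTime } catch { $null }   # may be access-denied
            [PSCustomObject]@{
                PID       = $p.Id
                Name      = $p.ProcessName
                Path      = $path
                StartTime = $start
                Root      = $root
            }
            break
        }
    }
}

if (-not $findings) {
    Write-Output "No processes running from: $($suspiciousRoots -join ', ')"
    return
}

# Newest processes first: a freshly spawned binary in %TEMP% deserves attention.
$findings | Sort-Object StartTime -Descending | Format-Table -AutoSize

if ($Kill) {
    foreach ($f in $findings) {
        # ShouldProcess honours -WhatIf and -Confirm, so the kill is deliberate.
        if ($PSCmdlet.ShouldProcess("$($f.Name) (PID $($f.PID)) at $($f.Path)", 'Stop-Process')) {
            Stop-Process -Id $f.PID -Force
        }
    }
}
```

Run it without switches to get the report; add `-Kill -WhatIf` to preview containment and `-Kill` to stop the flagged processes.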
Your organisation’s success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your systems to detect, respond to and neutralise suspicious activity.