How do Ransomware Infections Occur?
Bad actors that are looking to deploy ransomware attacks target the most vulnerable part of an organization: the people, and devices that are compromised.
Malware that is targeted at users can be distributed through malicious email attachments, links in phishing emails, and even hidden in ads taken out on popular websites. Once the malware is opened it activates and begins working behind the scenes.
Compromised devices are another way bad actors are making their way into an organization. Vulnerabilities in hardware and software that are not being properly maintained or have been exploited through zero-day vulnerabilities are becoming more common. Bad actors enter the organization through these holes and begin their attack.
These infections crawl from file to file looking for any files that can be opened and modified by the user. User accounts are either gained through phishing attempts or user attacks. For scenarios where access is gained through security holes, those systems are generally monitored and logged until domain-level credentials can be stolen. These malicious programs can easily crawl to mapped shared spaces such as server and backup repositories, carefully encrypting every file.
How Can We Protect Ourselves?
There are many ways to help minimize a company’s risk to losing data from ransomware attacks.
- User Training
Since the primary target of bad actors are the users within your environment, awareness training and education on how to identify and avoid potential attacks are key. Phishing training includes videos and random fake phishing emails to identify users that might need additional training.
Aside from email phishing attacks, other attacks can also be identified through this type of training. Social engineering attacks, physical attacks (where someone tries to gain access to a building without proper credentials), voice phishing, and SMS phishing.
Your users are not only vulnerable when they are at their place of work but wherever their data can be accessed or compromised.
- Access Rules
Experts agree limiting access across a network based on what a user needs to perform their job duties is the correct way to address access rules. This is called the principle of least privilege, meaning if the user does not require access to a file or folder structure, they should not be given access.
Enforcing proper passwords through group policy is another way to combat unwanted access to your systems. Passwords should be lengthy and have a mixture of letters, numbers, and symbols. Organizations should also require that every password granting access to company systems is changed at a minimum of every 90 days.
Many systems can now utilize Multi-Factor Authentication (MFA) to help facilitate authorized logins. Organizations should be looking to enable MFA for servers, email, and internal and external productivity software. Even when bad actors can gain authorization credentials, they will typically move on to the next target when faced with MFA.
Lastly, organizations should be aware of users that are using their personal devices for work-related activities. COVID-19 forced many people in the workforce to work from home whether they had a company provided device or not. Employee devices are not monitored by your organization and are susceptible to the patching performed by the owner of the equipment.
IT professionals have been touting the importance of backups since computers became a staple of the workplace. One way to evade paying for ransomed data is to simply restore it from the last viable data backup.
It’s important to note that not all backups are created equally. While it is important to have local backups, it is even more critical to have external cloud-based backups that do not have an immediate tie to the network. There are noted incidences where bad actors have gained access to a network. They collected the data they wanted, wiped the internal backup device, and deployed their ransomware before exiting the system. In instances where cloud backups were available, the systems were able to be restored and no ransom needed to be paid.
Local backup appliances can reduce downtime and have an immediate impact upon a company that is facing a ransomware incident.
- Antivirus and Updates
Not all antivirus software is created equally. Look for an antivirus package that monitors changes across the network. Some antivirus software will monitor fast changes to multiple files and will shut down access to the rest of the network, protecting non-local data and effectively quarantining the machine.
Processing software and firmware updates is also a critical step in protecting a business from malware attacks. In addition to targeting users, bad actors also exploit zero-day attacks. Zero-day attacks are vulnerabilities that have not been secured by the manufacturer. These attacks look for security holes and allow bad actors into a network. Ensuring that all firmware and software updates are performed across all devices on a network is an integral piece to network safety.
Being aware of bad actors, ransomware, and malware can seem daunting and time-consuming. ERGOS knows that businesses like yours need to focus on what you know best, which is your business. We partner with businesses to focus on their technology needs. All ERGOS plans contain antivirus and automatic Windows patching. Our subject matter experts can guide you to choose the access rules and backup plans that are right for your business. ERGOS also has user training phishing platforms available for your users. Contact ERGOS today to discuss setting a roadmap to success.