Fighting against ransomware can be difficult—especially if your organization has limited IT resources to begin with. But Adam Kujawa, security evangelist and director of Malwarebytes Labs, has a few tips for overburdened IT folks looking to simplify their fight against ransomware.
In this post, we’ll break down Kujawa’s observations about ransomware and three tips on how businesses can have an easier time in preventing, detecting, and remediating ransomware.
Read Our Defender's Guide to Ransomware Resilience!
The importance of “knowing thy enemy”
Most ransomware attacks are not sophisticated, state-sponsored cyber operations, Kujawa says. Instead, there’s a team of seven or eight people sitting behind computers, trying to break into your network.
In other words, ransomware attackers are not usually using any advanced technology or tactics: a lot of times it’s simply an attack of opportunity. For example, your network might have had a vulnerability. Someone might have clicked on the wrong link. You might have misconfigured some port and there’s a brute-forcing campaign going on.
“So rather than thinking of ransomware actors as these highly sophisticated super hackers, think of them as common thugs. They expect you to be unprepared for their attack, which they believe will lead to a payoff for them,” says Kujawa.
The key takeaway here is this: Even smaller businesses with fewer IT resources can easily prevent or stop ransomware attacks with the right amount of planning. You don’t need a dedicated SOC or crazy enterprise-grade cybersecurity to deal with “attacks of opportunity.”
3 tips to simplify the fight against ransomware
1. Choose an effective and easy-to-use Endpoint Detection and Response (EDR) software
When it comes to ransomware, resource-constrained organizations with small-to-non-existent security teams are in greater need of EDR—but many EDR products are designed for large enterprises with large and highly-skilled security teams.
If we want to simplify the fight against ransomware, our EDR should not only be effective but simple and easy-to-use as well.
On the effectiveness front, Kujawa says that there are four main things to look at when trying to determine an EDR platform to deploy to combat ransomware:
- Being able to quickly identify and isolate systems that are infected with ransomware.
- Detecting ransomware-like behavior and being able to automatically kill and remove the threat from the system.
- A solution that provides options for file recovery (in case something does get encrypted)
- Finally, these features are valuable for detecting and thwarting all malware, not just ransomware:
On the ease-of-use front, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, also has four suggestions when choosing an EDR platform:
- Ask about the time required to set up the management console and whether it’s cloud-based.
- Get proof of the time required to deploy the endpoint agent across a given number of endpoints.
- Have a “single pane of glass” and an intuitive UI that gives you visibility into all activity across your entire organization.
- Easy, non-vendor-specific language describing the detected suspicious activity (MITRE ATT&CK)
2. Build out a comprehensive recovery plan
The simplicity in building out a comprehensive ransomware recovery plan isn’t in the development of the plan, but rather the plan itself makes things easier when an attack does occur.
“A huge issue for many organizations, when hit with ransomware, is scrambling to figure out how to stop it or reduce the damage done by the threat,” Kujawa says. “A recovery plan provides detailed guidance on who to call, system data classifications, procedures for preserving evidence, who your incident response or law enforcement contacts are, etc.”
An idea on how to make the creation of this simpler, is to provide a list of questions that stakeholders should answer when producing this plan. Then, as a group, answer some of these questions:
- What do you want your company and your employees to do right after the ransomware attack is discovered?
- What is the company’s policy on dealing with attackers? Is it going to try to pay the ransom, or is it just going to ignore the attackers?
- How do you restore from backups, and what backups are most important to restore from first?
- What data is most vulnerable, and how can you protect that data?
- What systems need to be recovered first?
- How does the business continue to run if the systems are down?
- Do you have resources that can help you, such as law enforcement agencies or a cyber insurance firm?
But who makes up this team that creates the recovery plan?
“Start with your CISO, COO and all department heads, as well as any security staff you have,” Kujawa says. “When you have all those people together, they can get a clear picture of the readiness of departments in recovering from an attack, what data is most valuable to them and what it would take to disable or continue operations if an attack occurred.”
3. Avoid common mistakes in prevention, detection and response
Often, a customer who gets hit with ransomware has security software but they either have it disabled or it’s outdated or limited in its ability, thanks to poor configuration, Kujawa says.
Because of the inconvenience, or maybe because it’s not compatible with the businesses operations, some aspect of the security gets disabled and that leads to an infection.
“A lot of organizations don’t run regular penetration tests or security audits, and not everyone has the funds to hire a pen testing firm. I get that,” Kujawa says. “But you can make sure that all your outward-facing services are up to date and that every possible entry into the network–like RDP or SMB–has solid authentication requirements. We often see people just leaving those ports wide open.”
Another common mistake Kujawa has noticed is not running regular scans to look out for threats such as backdoors, even if you don’t see anything suspicious.
“Many organizations are not aware that a backdoor infection that occurred months ago can and likely will be used to install additional malware at some point,” he says. “A backdoor could sit there for six months without you knowing about it. It may not do anything until it launches the ransomware.”
Don’t make fighting ransomware harder than it needs to be
Ransomware is a clear and present danger to organizations of all sizes–but fighting it doesn’t need to be complicated. Reducing ransomware can be as simple as leveraging an easy-to-use EDR, having a well-thought out recovery plan, and avoiding a few common mistakes. Even small-and-medium sized businesses with limited IT resources can simplify the fight against ransomware with these tips.
See how Malwarebytes EDR can simply (and effectively) stop ransomware in our demo blog post!
Want to learn more about how to protect your business against ransomware? Check out our free Ransomware Emergency Kit.