15 best practices for fighting ransomware

Published May 18 2017, 6:36am EDT

How best to protect your organization from attack

The rapid proliferation worldwide of the WannaCry ransomware in the past several days has heightened interest among organizations for following best practices in improving cyber defenses. Here are some key suggestions from cyber security experts on how to prevent ransomware events.

Accelerate network testing

Organizations should conduct frequent vulnerability scans of external and internal networks, network devices and web applications to identify security holes or any known security vulnerabilities, according to results of a survey from software vendor Malwarebytes and Osterman Research. Conduct penetration testing to identify potential points that could be exploited.

Raise user awareness and education about risks

Organizations should develop an ongoing educational campaign so that everyone understands the importance of security best practices. Instruct users to not open attachments from unknown sources or in emails that appear to be legitimate but are suspicious or unexpected; instruct users to avoid enabling macros from email attachments; and warn users to never click on Web links in unsolicited emails.

Ransomware is dangerous because your defenses against it are often only as strong as your least cautious employee—when one person clicks on an email, the entire network is compromised, says William MacArthur, threat researcher at RiskIQ. Often, ransomware charges per computer, so paying to unlock each machine on your network can add up quickly. Ransomware actors are getting savvier with social engineering, creating more convincing lures by leveraging brand names and picking up on the common language, software and processes used by certain organizations.

Limit access to dangerous web sites by implementing a whitelist

Rather than just blacklisting websites that are known to be malicious, some organizations might opt to use a "whitelist" that would limit access only to websites that are known to be secure. Doing so would limit the risks of users inadvertently clicking on dangerous links that might download malware to their computer.

Customize email settings and filters

Organizations should adjust email filter and spam filter settings to block emails with suspicious attachments. Guidance from Advisory Board notes that most ransomware arrives via email, so organizations should set up their email gateway to screen out as many malicious messages as possible. Organizations should also change the Windows operating system's default script file associations. Modern malware takes advantage of Windows script file types such as JavaScript (.js, .jse) and others (.wsf, .wsh, .lnk, .hta, .vbs and .vbe) to execute easily on most systems. If you change the default handler for those file types on all your systems to a benign application, such as Notepad, an opened attachment is displayed as text and the ransomware won't be able to run.
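The file-association change described above, as an added example that is not from the article: it remaps the listed script types to Notepad on a Windows host. It assumes an elevated prompt and edits HKLM\SOFTWARE\Classes so the change applies to every user on the machine; .lnk is left out because remapping the shortcut type would break every desktop and Start-menu shortcut.

```powershell
# Added example, not from the article: point the script file types named above at
# Notepad so that double-clicking them opens the file as text instead of running it.
# Assumptions: run from an elevated prompt; HKLM\SOFTWARE\Classes is edited so the
# change covers every user on the host (push via GPO or a startup script at scale).
# .lnk is deliberately left out: remapping the shortcut type would break every
# desktop and Start-menu shortcut, so treat it as a separate policy decision.

$Extensions = '.js', '.jse', '.wsf', '.wsh', '.hta', '.vbs', '.vbe'
$Notepad    = '"{0}\notepad.exe" "%1"' -f $env:SystemRoot    # e.g. "C:\Windows\notepad.exe" "%1"

foreach ($ext in $Extensions) {
    # The extension key's default value is the ProgID that owns the verbs, e.g. .js -> JSFile
    $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { Write-Warning "$ext has no ProgID on this host, skipping"; continue }

    $cmdKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$progId\shell\open\command"
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }

    $before = (Get-ItemProperty -Path $cmdKey).'(default)'
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $Notepad
    '{0,-5} {1,-8} was: {2}' -f $ext, $progId, $before
}

# Verify through the merged HKCR view: each handler should now point at notepad.exe.
# A per-user override in HKCU\Software\Classes still wins, so audit that hive too.
foreach ($ext in $Extensions) {
    $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext").'(default)'
    $now    = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command").'(default)'
    '{0,-5} now: {1}' -f $ext, $now
}
```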

Spam and virus filtering should be used for both inbound and outbound risks. The best approach is a package that scans both user desktops and the mail server in real-time. You can reduce the risk of unwittingly introducing a threat to your IT environment by stopping harmful emails before they hit user inboxes.

Keep current on patches and updates

Patch and keep operating systems, antivirus, browsers, Adobe Flash Player, QuickTime, Java and other software up to date. For example, organizations that weren’t current with Windows operating system patches were susceptible to the WannaCry malware—Microsoft released a patch to address the critical vulnerability back in March, but many organizations failed to update their systems to prevent the attack, says Varun Badhwar, CEO of RedLock.

Organizations often lack tools to quickly monitor all IT assets or workloads to discover which have the highest security risk. If that information were effectively procured in real-time, they would have a much simpler way to find and mitigate threats quickly, such as identifying which systems are running without the latest security patches and updates.

Manage device vulnerability

Internet-connected medical devices that are running older versions of the Windows operating system are particularly vulnerable to the WannaCry exploit, says Moshe Ben-Simon, co-founder & VP services at Trapx. Because of compliance regulations, healthcare network administrators cannot easily update Internet-connected medical devices with the newest operating systems and patches. These devices are sealed to protect the equipment from failure in the event a software update inadvertently affects the operation of the device. While this protects patients from potential harm from a malfunctioning device, it has the potential to leave the network open to attackers. If these devices aren’t updated by manufacturers, they will continue to be susceptible to malware attacks, Ben-Simon says.

Keep anti-virus software installed and current

Maintain anti-virus software and keep it updated with current versions. Scan all software downloaded from the Internet prior to executing it. Anti-virus products are updated as soon as threats are identified, so organizations must ensure that these updates, and all patches, are installed on all devices automatically.

Make use of permissions management

Restrict user permissions to prevent the installation and execution of unauthorized software applications. In addition, apply the principle of “least privilege” to all systems and services. Restricting these privileges to the minimum required for each user may prevent malware from running or spreading quickly through the network.

Limit access points

While server access for clinical nursing stations is imperative, it’s not crucial that these machines be used for regular email and web-surfing functions that could increase an organization's exposure to an attack, Advisory Board recommends. Isolate or segment an Internet-connected, non-clinical workstation that users can use for checking email and surfing the web.

Regularly perform data backups

Employ a data backup and recovery plan for all critical information. Regularly back up servers and network shares with multiple restore points. Also, consider backing up critical data on two different media, including one off-site backup.

Providers need tested and trustworthy backup capabilities, says Ben-Simon of Trapx. They need a robust, tested, disaster recovery process that ensures core IT systems can be brought back up in a few hours. Most hospitals have backup in place to support compliance, but they really cannot restore key applications and recover operations fast enough in the face of a ransomware attack. When an environment faces a true disaster, even a well-planned disaster recovery strategy will typically take days until full operations are restored. When faced with ransomware, recovery needs to take only a few hours.

Understand the scope of restoration

Organizations won’t just need to restore files, but entire user environments. All current versions of Windows Server operating systems, for example, come with a feature called Volume Shadow Copies, which enables you to restore previous versions of files and folders.
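A check for the restore points the two sections above rely on, as an added example that is not from the article: it lists the Volume Shadow Copies on each fixed volume and flags volumes with too few or too old copies. The thresholds $MinCopies and $MaxAgeDays are assumptions to be tuned to your backup policy, and the script needs an elevated prompt to query Win32_ShadowCopy.

```powershell
# Added example, not from the article: confirm that Volume Shadow Copies actually give
# you multiple, recent restore points on every fixed volume before you need them.
# Read-only; needs an elevated prompt for Win32_ShadowCopy. $MinCopies and $MaxAgeDays
# are assumed thresholds. Shadow copies live on the protected volume itself, so they
# complement, and never replace, the off-site backup recommended above.

$MinCopies  = 3
$MaxAgeDays = 1

$volumes = Get-CimInstance -ClassName Win32_Volume |
           Where-Object { $_.DriveLetter -and $_.DriveType -eq 3 }   # 3 = local fixed disk
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

$report = foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{GUID}\ form
    $mine   = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    $newest = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
    $newestDate = if ($newest) { $newest.InstallDate } else { 'none' }

    if ($mine.Count -lt $MinCopies) { $status = 'TOO FEW' }
    elseif ($newest.InstallDate -lt (Get-Date).AddDays(-$MaxAgeDays)) { $status = 'STALE' }
    else { $status = 'OK' }

    [pscustomobject]@{
        Drive  = $vol.DriveLetter
        Copies = $mine.Count
        Newest = $newestDate
        Status = $status
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object Status -ne 'OK') { exit 1 }   # non-zero exit so a scheduler can alert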

Reconsider network redesign

Organizations should consider approaches that would limit the potential lateral spread of an infection and restore health record systems, says Michael Patterson, CEO of Plixer. This can be accomplished by inspecting historical network traffic, looking for peer-to-peer communication as well as machines that have communicated with the domains and servers hosting the malware.

Data backup and disaster recovery planning should be a high priority for healthcare institutions. For example, taking affected machines offline and having data backups that can quickly become live instances are steps that can be taken to bring services back online quickly. Healthcare organizations should also be collecting logs and data flows to ensure they can investigate the traffic patterns of these exploits to identify other potentially infected hosts before they spread internally. “This will also help IT teams to not only be alerted to cyber attacks, but also have the forensic data to see where the hacker penetrated the system and close that hole,” Patterson says.
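The flow-inspection idea from the two paragraphs above, as an added example that is not from the article or Plixer: it reads flow records and flags hosts that fan out peer-to-peer to unusually many internal neighbours, or that contacted a server on an indicator list. The flow lines, the "10.* is internal" rule, the placeholder indicators and the fan-out threshold are all constructed assumptions.

```powershell
# Added example, not from the article: triage collected flow records to find hosts that
# either fan out peer-to-peer to unusually many internal neighbours (how a worm spreads
# laterally) or reached a domain/server known to host the malware. The flow lines,
# the "10.* is internal" rule, the indicator list and the fan-out threshold are all
# constructed assumptions; replace them with exports from your own flow collector.

$Indicators = @('malware-host.example', '198.51.100.23')   # placeholder indicators, not real IoCs
$FanOutMax  = 4                                             # distinct internal peers per host

$flows = @'
timestamp,src,dst,dport
2017-05-12T09:01:00,10.1.1.20,10.1.1.21,445
2017-05-12T09:01:01,10.1.1.20,10.1.1.22,445
2017-05-12T09:01:01,10.1.1.20,10.1.1.23,445
2017-05-12T09:01:02,10.1.1.20,10.1.1.24,445
2017-05-12T09:01:02,10.1.1.20,10.1.1.25,445
2017-05-12T09:01:03,10.1.1.20,10.1.1.26,445
2017-05-12T09:05:10,10.1.1.31,198.51.100.23,80
2017-05-12T09:05:11,10.1.1.31,10.1.1.5,445
2017-05-12T09:07:00,10.1.1.40,10.1.1.5,445
2017-05-12T09:07:05,10.1.1.40,10.1.1.6,139
'@ | ConvertFrom-Csv

function Test-Internal([string]$ip) { $ip -like '10.*' }

$report = $flows | Group-Object src | ForEach-Object {
    $peers = @($_.Group | Where-Object { Test-Internal $_.dst } |
               Select-Object -ExpandProperty dst -Unique)
    $hits  = @($_.Group | Where-Object { $Indicators -contains $_.dst } |
               Select-Object -ExpandProperty dst -Unique)
    if     ($hits.Count -gt 0)           { $verdict = 'CONTACTED INDICATOR' }
    elseif ($peers.Count -gt $FanOutMax) { $verdict = 'LATERAL FAN-OUT' }
    else                                 { $verdict = 'ok' }
    [pscustomobject]@{
        Host          = $_.Name
        InternalPeers = $peers.Count
        IndicatorHits = ($hits -join ', ')
        Verdict       = $verdict
    }
}

# Flagged hosts sort first; these are the machines to isolate and preserve for forensics
$report | Sort-Object Verdict | Format-Table -AutoSize
```

With the constructed data, 10.1.1.20 is reported as LATERAL FAN-OUT and 10.1.1.31 as CONTACTED INDICATOR, while 10.1.1.40 is ok.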

Consider deceptive technologies

There are new technologies to deal with ransomware, such as deception tools. Deception can stop an attacker in the network before the attack can take a substantial foothold. Deception can tie up the ransomware encryption process with false data on decoy network shares. Deception tools are designed to fool attackers and their ransomware exploits, keeping them from your real devices and real data. Once they start trying to encrypt these fake file systems, they will be identified and shut down, and the hospital can return to normal operations, says Ben-Simon of Trapx.

Review your incident response plan

Ensure communication lines between management, counsel and key IT personnel (IT Information Security Team) are open and ready to implement your incident response plan, says Alisa Chesler, an attorney with the Baker Donelson law firm. Pull out the response plan and make sure it specifically anticipates a ransomware attack. Documented incident response plans are an expected compliance obligation for all organizations regardless of the size, industry or kind of information maintained by the systems.

View the high visibility of current incidents as a teachable moment

Management, legal and IT security can no longer keep "kicking the can" when it comes to information security, says Chesler. Knowing your compliance and contractual obligations before an event is critical. This is also a good opportunity to revisit some prior decisions. For example, many organizations continue to delay implementing multi-factor authentication for a variety of reasons, including employee morale. However, this tool is increasingly becoming the most important information security protocol.