How to Avoid Ransomware? 13 Best Practices to Prevent an Attack

What would happen if, in an instant, you were locked out of your device, with no access to your data or business-critical systems? In an age where individuals and companies are increasingly reliant on computers and data, ransomware can wreak havoc, which can include irretrievable data, leaked information, and other irreversible losses. We’ll talk about how to avoid ransomware, including the types to look out for, common attack vectors, and important preventative measures.

What is Considered Ransomware?

Ransomware is a type of malware that restricts a user or organization’s access to certain data and systems. A ransomware attack carries this out by gaining entry and then encrypting files or blocking access. Sometimes, ransomware infections are accompanied by threats to publish sensitive data. Often, attackers will require an organization to pay a ransom to decrypt and gain access to their data and prevent data exfiltration.

In 2023, known ransomware attacks increased by 68%. Ransomware demands are also getting bigger, with the greatest known demand being $80 million in 2023. About one-quarter of all breaches involve ransomware, making it a significant threat in the digital landscape.

Common Types of Ransomware

There are several common types of ransomware, each with its own characteristics and particular threats. Some of these can also be used in combination.

Encrypting Ransomware

The most common form of ransomware is encrypting ransomware. This is where cybercriminals restrict access to your files by encrypting them using an encryption algorithm. To access their data, businesses must pay a ransom and get a decryption key to begin the data decryption process. 

Locker Ransomware

Instead of encrypting your files, with locker ransomware, hackers prevent access to files, applications, or systems by locking them up. This could look like blocking a screen or keeping users from accessing certain functions on their devices.

Scareware

Scareware relies on fear to get users to act quickly. A typical scareware tactic would include a warning for users to buy software that can fix a false security issue. When users try to install the software, cybercriminals can use it to gain access and encrypt or lock files.

Doxware/Leakware

Much like scareware, doxware (also known as leakware), also depends on fear. Bad actors will claim they have valuable information from the company or user and threaten to leak sensitive data unless they pay a ransom.

Master Boot Record Ransomware

Devices need a Master Boot Record (MBR) to start up. When hackers infect the MBR, they keep the device from operating properly. Essentially, users will not be able to reach the operating system level of the device, so it becomes useless.

Mobile Device Ransomware

Ransomware tends to be the most common on desktop and laptop computers, but mobile ransomware also exists. With mobile ransomware, users are prevented from accessing key files and applications on their smartphones and tablets. Doxware and leakware may also be used in mobile ransomware threats.

How Do You Get Infected by Ransomware?

Just like there are many types of ransomware tactics, there are also many different points of vulnerability for users to get infected by ransomware.

• Phishing emails: These emails frequently direct users to enter their credentials into a seemingly legitimate website. Once entered, attackers will be able to gain access to the network and upload ransomware. 
• Remote Desktop Protocol (RDP) attacks: RDP allows someone else to control a user’s computer, or allow someone to access their work device from home. When organizations have weak RDP configurations, they can allow attackers to deploy ransomware. This attack vector is commonly used when organizations have firewall policies that allow sources from the internet RDP access to internal devices.
• Malvertising: Malvertising can be linked to scareware or seem more benign. Users receive malicious advertisements, and if they click on them, they may infect their devices with ransomware.
• Pirated software: When users download software from unverified sources, they may become infected with hidden ransomware.
• Unpatched software: Zero-day vulnerabilities from unpatched software can pose a significant risk to businesses. Patching regularly can reduce the risk of software vulnerabilities.
• Social engineering: Social engineering is a more sophisticated attack vector that is often used with phishing emails or other methods of impersonation, such as voice calls. Scammers may call pretending to be part of the IT team and ask a user to download malicious software, for example. 

How Do Ransomware Attacks Impact Organizations?

At their smallest, ransomware attacks can be annoying, forcing users to find workarounds to their data through backups, or taking down functions that aren’t mission critical. At their largest, ransomware attacks can bring down entire organizations, grinding processes to a halt and impacting thousands, if not millions, of users at the same time. A recent attack at Change Healthcare, the largest medical claims clearinghouse in the United States, led to the company having to connect over 100 systems, making it impossible for them to process medical claims via primary platforms.

Additional impacts to organizations can include:

• Damaged brand reputation
• Compromised employee and customer data
• Legal issues due to a breach or leak of sensitive data
• Significant unexpected costs – on average, it costs $1.54 million to remediate and recover from an attack
• Extensive downtime

13 Best Practices for Avoiding Ransomware

While ransomware attacks are always a possibility, taking these proactive measures can significantly reduce the risk of falling victim to common attack vectors or feeling the pressure of paying a ransom demand.

1. Develop Detailed Plans and Policies

You don’t want to be caught off-guard when a ransomware attack happens. By developing an incident response plan and defining roles for your security team to fulfill curing a ransomware event, you can act quickly when an incident occurs. Form a ransomware recovery plan with your team and have marching orders in place so you don’t have to second-guess your plan.

2. Conduct Drills and Regular Testing

Once you’ve created a response and recovery plan, test it regularly. You can create drills that simulate what an attack would be like to ensure the remediation steps you plan on taking will work. Businesses can use what they’ve learned during ransomware drills to improve their processes and be even more prepared for an attack.

3. Use a Zero Trust Architecture

The strictest access method you can implement is zero trust architecture, where all users are required to authenticate each time they try to access the network. Preventing automatic logons will reduce the chance of unauthorized users accessing the network.

4. Maintain Backups

Maintaining backups of network data is the most effective way to restore network and data access and recover from a ransomware attack without paying the ransom. According to Cybereason’s Ransomware: The Cost to Business Study 2024, only 47% of organizations that pay the ransom gain access to their uncorrupted data, leaving 53% of organizations without access to their encrypted data even after cooperating with attackers. Consider employing traditional or air-gapped backups as part of your ransomware recovery plan.

5. Routinely Update and Patch Systems

Software vulnerabilities are an easy way cybercriminals can compromise your network and access data. Patching and updating your systems regularly can cut down on zero-day vulnerabilities, making it more difficult for bad actors to access back doors to your systems.

6. Review Port Settings

Block any unused ports, which can be cracked doors for ransomware attacks. Aside from blocking, you can also allow those ports with the implementation of a firewall policy. If you chose the latter route, be sure to study and execute the principle of least privilege (POLP) when creating your firewall policies and configuring user access management. When following this principle, it’s particularly important to do the following:

• Tighten your firewall rules to only allow essential network traffic. This helps block ransomware’s lateral movement, as it often uses unusual ports to evade detection.
• Give users only the access they need to do their jobs. This minimizes data breaches and damage from compromised accounts.

Additionally, implement multi-factor authentication (MFA) as an additional layer of security for network resource access. By requiring extra verification steps beyond passwords, it severely hinders ransomware attacks that rely on stolen credentials or phishing scams.

7. Harden Endpoints

Fortifying endpoints diminishes potential weaknesses that hackers could leverage for malicious purposes. This process encompasses deploying and updating anti-malware solutions capable of identifying and neutralizing ransomware before it can encrypt data or propagate across the network. Additionally, it includes implementing other security measures like regular patching, disabling unnecessary services, and applying strict access controls.

8. Perform Network Segmentation

Ransomware can do more damage the more it is given the chance to spread. Network segmentation can help you cut ransomware infiltrations off at the pass and limit the amount of damage that attacks can do.

9. Implement Web Application Firewalls

To better protect your network resources that can be accessed via the internet, utilize web application firewalls (WAFs). This type of firewall scrutinizes incoming web traffic, acting as a gatekeeper to thwart malicious requests that could potentially exploit vulnerabilities in web applications. By meticulously filtering out hazardous inputs, WAFs erect a formidable barrier, preventing attackers from delivering ransomware or exploiting weaknesses to gain unauthorized access. These robust security solutions serve as a critical shield, fortifying defenses against the initial vectors commonly employed in ransomware campaigns.

10. Leverage UTM Security Capabilities Within Firewalls

Unified threat management (UTM) offers a multi-layered defense at the network level, encompassing antivirus, intrusion prevention and web filtering, alongside other robust security features. These features enable UTM solutions to detect and neutralize ransomware signatures within network traffic, preventing them from infiltrating network resources and compromising systems. Additionally, web content filtering fortifies defenses by restricting access to malicious websites that could potentially deploy ransomware onto users’ computers, mitigating the risk of infection from external sources.

11. Consider Incorporating Email Gateway Security and Sandboxing

Organizations looking to take their email security up a notch can add advanced multilayered protection against email-borne threats through email gateway security measures, filtering out suspicious emails before they reach a user’s inbox. Sandboxing can also improve email security by creating a safe testing environment for unknown links, senders, or file types in a controlled environment.

12. Use Advanced Security Solutions

Security information and event management (SIEM) solutions aggregate and analyze data streams from diverse sources across the network in real-time, facilitating the identification of suspicious activities and potential threats. By harnessing advanced analytics, correlation rules, and threat intelligence, SIEM systems can detect indicators of compromise early. This proactive approach enables response and mitigation actions to be quickly taken, preventing the propagation of ransomware and minimizing its impact on the organization.

13. Invest in User Education

Employees and users are common attack vectors. Cybercriminals use phishing emails, scareware, malvertising, and more. Training these users on common ransomware tactics, and what to look out for, is the best way to reduce the likelihood they will expose your organization to threats. Implement ongoing education and consider periodic testing that mimics common attack strategies to keep users sharp.

How to Stay Up-to-Date on the Latest Ransomware Threats

Ransomware threats are changing rapidly. Businesses that can stay up-to-date on the latest threats will stand to fare the best in an evolving threat landscape. Cybersecurity teams should lean on reliable and reputable resources to stay current:

• CISA and NCSC: The Cybersecurity & Infrastructure Security Agency (CISA) in the US and the National Cyber Security Center (NCSC) in the UK are governmental agencies that provide alerts and guidance on ransomware threats and mitigation.
• CSA: The Cloud Security Alliance offers guidance on ransomware protection, as well as other cloud security best practices.
• SANS Institute: This cybersecurity institute publishes reports and research papers on ransomware threats.
• Threat Intelligence Feeds: Certain cybersecurity companies publish threat intelligence feeds with real-time updates on ransomware attack methods and current variants.

Leveraging IT Security Expertise to Avoid Ransomware

Staying one step ahead of ransomware threats requires a multi-layered approach and a wealth of experience. IT teams struggling to keep up with the latest news while keeping normal operations afloat can benefit from the advice and services of an external cybersecurity expert or team.

TierPoint’s IT security solutions can help you identify weaknesses, opportunities for more robust security measures, and best practices for responding to potential attacks. Whether you’re looking for the last pieces to round out your disaster recovery and business continuity planning, or you don’t know where to start, we can help.

Download our whitepaper to learn more about how to prevent, detect, and recover from ransomware attacks.