Every year, ransomware impacts millions of users and nets millions of dollars in profits for the bad guys. Given how these attacks infiltrate and spread within enterprise networks, IT teams need advanced network security capabilities. Only then can they apply proactive measures to eradicate threats before they execute. For those that do execute, advanced network security makes it possible to limit the impact and reduce the risk of reinfection.
There are various channels through which ransomware can land on systems, including phishing emails, planted USB drives and website compromise. But network activity is a good place to start when setting up your defenses. That’s where many of the initial indications of malicious activity within your organization will show up:
- Malware proliferation
- Malicious encryption activity
- Mass file modifications
- Script emulation
- Zero-day exploits
- Password-protection of files
- Attempts to modify backup and restore processes
Each of these threats has the potential to cause damage – to your network and to your business. That’s why it’s so important to take the necessary steps to get prepared and protected.
Step 1 – Tackle the basics
Before setting up your network defenses, there are a couple of basic starter steps to take. First, make sure all your devices are running the latest operating system and are fully patched. Out-of-date systems are much more susceptible to attacks, as was the case with the WannaCry ransomware attack in May 2017.
Veristor also recommends making sure your system back-ups work properly by testing your restore processes regularly. If all else fails when ransomware hits, back-ups at least give you the possibility of restoring your files and applications to a point in time prior to the attack. It’s also a good idea to strongly consider cloud or hybrid-cloud storage for your back-ups. This can help you recover faster if your on-premises systems—including your back-ups—become infected.
Step 2 – Focus on the network
Now let’s make sure you have complete visibility into what’s going on with your network. That’s where you can see if ransomware has breached any of your managed devices – or unmanaged devices that do not fall under the protection of gateway defenses. By using advanced network visibility tools from innovators like Trend Micro and Palo Alto, you can then look for the three primary ways ransomware typically infiltrates networks:
- Command-and-control (C&C) servers act as relays: the ransomware retrieves a public key from the server and uses it to encrypt and lock target files on other devices. The corresponding private key stays with the attacker the entire time, and the public key can be changed at any time. When a connection to the C&C server cannot be established, most ransomware simply fails. But watch out: some variants carry a default key embedded in their code and can still proceed with their encryption routines.
- Hackers may also use propagation to spread ransomware to other systems and servers. When running on infected systems, ransomware can encrypt files on local hard drives and mapped network drives. This allows infections to spread much more quickly, turning what could simply be an annoyance for one end-user into a wave of infection that disables an entire network.
- Ransomware can also infiltrate networks through unauthorized access via a trusted third party. This type of ransomware often uses Remote Desktop Protocol (RDP) brute-force attacks or stolen login credentials to infect systems. In addition to watching for this attack vector within your network, it’s important to verify the security measures applied by any business partners with IT systems you connect to.
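As an added example (not code from the original post or from any vendor tool it names), here is a small Python detector for the RDP brute-force pattern in the last bullet: it flags a source that produces many failed logons against several accounts in a short window. The log records are constructed, and the record layout, threshold and window size are assumptions to adapt to your own logging pipeline.

```python
"""Flag RDP brute-force patterns: many failed logons from one source in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_sample():
    """Constructed sample records (not real logs): (timestamp, source_ip, target_user).
    One source sprays 12 accounts in 88 seconds; one legitimate user fails twice."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    spray = [(base + timedelta(seconds=8 * i), "203.0.113.7", f"user{i % 6}")
             for i in range(12)]
    typo = [(base + timedelta(minutes=3), "10.0.0.25", "jsmith"),
            (base + timedelta(minutes=3, seconds=20), "10.0.0.25", "jsmith")]
    return spray + typo


def detect_rdp_bruteforce(records, window=timedelta(minutes=5), threshold=10):
    """Return {source_ip: (max_failures_in_window, distinct_users)} for every
    source whose failed logons reach `threshold` inside any sliding `window`.
    A high distinct-user count alongside the volume points to password spraying
    rather than one person mistyping a password (the threshold is an assumption)."""
    by_source = defaultdict(list)
    for ts, ip, user in records:
        by_source[ip].append((ts, user))
    flagged = {}
    for ip, events in by_source.items():
        events.sort()  # oldest first, so the sliding window below is valid
        start, best = 0, None
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                users = {u for _, u in events[start:end + 1]}
                best = (count, len(users))
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(constructed_sample()).items():
        print(f"{ip}: {count} failed logons against {users} accounts")
```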
Step 3 – Protect your email
As another facet of network protection, we also recommend defending against email scams that appear as though they are coming from an executive in the company, a customer or a business partner. These emails use return addresses with characters that are very close to the authentic email address of the sender, and they typically arrive without malicious links or attachments. This allows them to bypass security measures and catch end users unaware. Many of these scams ask for sensitive information, such as employee social security numbers or bank account information. If the information is sent, the consequences can lead to fraudulent transfers and six-figure losses.
While training end users to recognize and avoid responding to such emails is a key element of a comprehensive security posture, IT can also deploy protection at the network level. This includes technologies that use machine learning to inspect email headers and content for social engineering techniques and flag fraudulent email. Other technologies include heuristic malware scanning; sandbox filtering for analyzing potentially malicious file attachments or embedded URLs; and email reputation scanning, which blocks known malicious IP addresses and analyzes email sources by correlating them with a known-safe-senders list.
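To make the point about "characters that are very close" concrete, here is an added Python check (not code from the original post or from any vendor product it mentions) that flags a sender address imitating a trusted one by folding common look-alike character sequences and measuring edit distance. The trusted addresses, the confusable table and the distance threshold are constructed assumptions to tune for your own environment.

```python
"""Flag sender addresses that closely resemble trusted ones (lookalike check)."""

# Constructed trusted addresses (lower-case) and look-alike substitutions; both are
# assumptions to replace with your own executives, partners and observed tricks.
TRUSTED = {"ceo@example.com", "ap@partner-corp.com"}
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(addr):
    """Lower-case and fold look-alike sequences so 'exarnple' compares equal to 'example'."""
    s = addr.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute); fine for address-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender, trusted=TRUSTED, max_distance=2):
    """Return the trusted address that `sender` imitates, or None.
    An exact trusted match is legitimate, not a lookalike. `max_distance` is an
    assumed threshold: raise it for long addresses, lower it for short ones."""
    sender = sender.lower()
    if sender in trusted:
        return None
    norm = normalize(sender)
    for t in trusted:
        if normalize(t) == norm or edit_distance(sender, t) <= max_distance:
            return t
    return None


if __name__ == "__main__":
    for s in ["ceo@exarnple.com", "ceo@examp1e.com", "ap@partner-c0rp.com",
              "ceo@example.com", "newsletter@vendor.net"]:
        print(f"{s:28} -> {lookalike_of(s)}")
```

Short addresses can sit within two edits of each other by chance, so treat a hit as a signal to hold or tag the message for review rather than as proof of fraud.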
Proactive threat detection equals peak IT performance
A robust network defense requires stopping threats at multiple stages—before they execute. It takes a multi-layered team effort across your tools and your people. And by leveraging the latest ransomware defense solutions, you can gain a complete picture of existing threat actions across all your network assets.
By collaborating with the right IT partner, you can accelerate the process of creating a secure network environment and more quickly detect indications that ransomware is knocking on your door. Working together to architect a strong defense is key because proactively detecting ransomware significantly reduces the chances that hackers can encrypt files. Whether you’re a large enterprise or a small business—stopping threats before they execute ensures your IT systems keep running at their best.
To discover additional measures you can deploy to further protect your business, check out our solutions and resources for endpoint security to isolate users and data from fast-moving threats.