Consider These 10 Critical Steps to Prevent and Detect Ransomware Threats
Ransomware attacks are a serious global issue and getting worse – in fact, they are often considered the top cyber threat facing businesses today [1]. Ransomware statistics are staggering:
- Damages to businesses and organizations are expected to be $20 billion in 2021 [2]
- Global ransomware reports are up more than 715% from 2019 to 2020 [3]
- Ransomware payments have increased 60% in value since 2019 [4]
Ransomware is a crisis that will only get worse as threat actors continue to grow in sophistication and expertise. Ransomware attackers often operate with the discipline and approach of a legitimate traditional business, except with criminal intent. Fortunately, there are strategies companies can take to reduce the risk of falling victim to a ransomware attack.
Consider these ten technologies and processes to help prevent and detect a ransomware attack.
Each of these steps aligns closely with how attackers create and consummate their criminal activity. While some are costly, proactively implementing these steps now can mitigate the costs of business interruption, reputational damage, incident response and/or a ransomware payment.
1. Phishing Awareness Training, to educate employees and end-users on how to spot phishing emails and know the red flags to drive down clicks on the malicious emails many ransomware attackers use to gain a foothold in a network.
2. Disabling Accessibility of Remote Desktop Directly from the Internet, to prevent ransomware attackers from brute-forcing Internet-facing RDP services to gain entry into a network.
3. Properly Configured URL Filtering and E-mail Attachment Sandboxing, to prevent malware contained in ransomware emails from executing or going unnoticed.
4. An Advanced Endpoint Detection and Response (“EDR”) Solution, to detect and potentially quarantine ransomware and other advanced malware, and also to facilitate enterprise forensics in the event of an attack.
5. An Advanced Malware Detection Tool that Inspects Network Traffic, to identify ransomware and other malicious packets or network traffic flowing over the wire.
6. 16+ Character Service Account and Domain Admin Passwords, to prevent ransomware and other hackers from cracking weak admin user names and passwords. Optimally, these strong passwords should be rotated regularly, using a Privileged Access Management (PAM) tool. Ransomware attackers use these cracked credentials to move laterally and deploy their ransomware.
7. Lateral Movement Detection Tools. After gaining a foothold, ransomware actors typically move laterally using compromised IT credentials. Detecting that anomalous lateral movement normally enables the attack to be shut down before ransomware is deployed.
8. A Properly Configured Security Information and Event Management (“SIEM”) Platform that aggregates event, security, firewall and other logs. Trying to respond to and recover from a ransomware attack without a SIEM is very difficult, as visibility through local, non-centralized logs is often poor.
9. A Continuous Security Monitoring Function, which provides continuous monitoring and threat hunting using collected logs and alerts.
10. Locking Down Software Deployment and Remote Access Tools (such as SCCM, PDQ, and PsExec) to a small set of privileged accounts with multi-factor authentication where possible. Once they have secured elevated privileges, ransomware attackers typically commandeer SCCM/PDQ/PsExec accounts to push the ransomware executable across the network.
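As an added illustration of the RDP, lateral-movement, SIEM and deployment-tool items above (example code, not part of Aon's article), the following Python sketch shows two detections a SIEM could run over centralised Windows logs: a burst of failed RDP logons from one source, and a PsExec service installation by an account outside the deployment allow-list. The event records, host names, IP addresses and account names are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample records (not from the article), shaped like Windows
# Security/System events after SIEM normalisation; ts is epoch seconds.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ts":1609459200,"event_id":4625,"host":"jump01","src_ip":"203.0.113.7","logon_type":10,"user":"administrator"}
{"ts":1609459203,"event_id":4625,"host":"jump01","src_ip":"203.0.113.7","logon_type":10,"user":"admin"}
{"ts":1609459207,"event_id":4625,"host":"jump01","src_ip":"203.0.113.7","logon_type":10,"user":"backup"}
{"ts":1609459211,"event_id":4625,"host":"jump01","src_ip":"203.0.113.7","logon_type":10,"user":"sql"}
{"ts":1609459214,"event_id":4625,"host":"jump01","src_ip":"203.0.113.7","logon_type":10,"user":"test"}
{"ts":1609459300,"event_id":4625,"host":"jump01","src_ip":"10.0.0.5","logon_type":10,"user":"jdoe"}
{"ts":1609460000,"event_id":7045,"host":"fs01","service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\svc_backup"}
{"ts":1609460010,"event_id":7045,"host":"fs01","service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\deploy_admin"}
""".strip().splitlines()]

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


def detect_rdp_bruteforce(events, threshold=5, window=60):
    """Return (src_ip, host) pairs with >= threshold failed RDP logons
    (Event ID 4625, logon type 10) inside any window-second span."""
    failures = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            failures[(e["src_ip"], e["host"])].append(e["ts"])
    hits = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits


def detect_unauthorised_psexec(events, allowed_users):
    """Return (host, user) pairs where the PsExec service (PSEXESVC) was
    installed (Event ID 7045) by an account outside the deployment allow-list."""
    return [(e["host"], e["user"]) for e in events
            if e.get("event_id") == 7045
            and e.get("service_name", "").upper() == "PSEXESVC"
            and e["user"] not in allowed_users]


if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
    print(detect_unauthorised_psexec(SAMPLE_EVENTS, {"CORP\\deploy_admin"}))
```

In a real deployment the same two rules would consume the SIEM's normalised 4625 and 7045 events and feed the continuous-monitoring function rather than a static list.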
Sources:
- [1] https://www.inc.com/adam-levin/ransomware-is-number-one-cyber-threat-this-year-heres-what-you-can-do.html
- [2] “2019 Cybersecurity Almanac,” Cisco and Cybersecurity Ventures, 2019
- [3] Bitdefender’s Mid-Year Threat Landscape Report 2020, page 14
- [4] Coveware Ransomware Marketplace Report, August 3, 2020
About Cyber Solutions: Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
About Aon: Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.
All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.
This client alert is not legal advice. Neither Aon’s Cyber Solutions, nor Stroz Friedberg Incident Response engages in the practice of law. Should you need legal advice or legal services related to ransomware or a ransomware incident, we encourage you to engage with your in-house counsel or outside legal counsel.
©2021 Aon plc. All rights reserved.