Ransomware Prevention: Best Practices to Follow and Pitfalls to Avoid

By Presidio Insight Blog Security October 8, 2021

While there’s no silver bullet to preventing a ransomware incident, following security experts’ recommendations will greatly reduce your vulnerability.

Thousands of Americans experienced the trickle-down effect of a ransomware breach in early May following the Colonial Pipeline attack, which shut down the oil supplier’s operations and left many scrambling to find gas and waiting in huge lines when they did.

The attack originated from DarkSide, a Russian-linked criminal group, who threatened to leak the utility provider’s sensitive data unless the company paid a $4.4 million ransom.

In July, another Russian-linked cybercriminal organization, REvil, launched the single most prominent global ransomware attack on record. The breach infected thousands of victims in more than 17 countries and demanded $70 million in cryptocurrency to unscramble all the infected machines. Swedish supermarket chain Coop closed hundreds of stores after becoming part of the REvil ransomware attack that originated with its IT solution provider’s Kaseya VSA software. At least 200 other organizations were also part of the attack.

Earlier this month, international consulting firm Accenture became the latest target in a string of high-profile ransomware attacks when the LockBit group claimed to have breached the company’s servers and threatened to release its data.

These attacks represent just a few of the thousands that occur each year, many of which go unnoticed even though millions of dollars are cumulatively spent on ransoms.

In its most recent quarterly Threat Assessment Report, the Cisco Talos Incident Threat (CTIR) team observed various attacks, with ransomware being the most dominant threat. Per the report, ransomware accounted for almost half (46%) of all incidents and more than triple that of the next most common threat.

Actors targeted a broad range of verticals, including transportation, utilities, healthcare, government, telecoms, technology, machinery, chemical distribution, manufacturing, education, real estate and agriculture. Among all the verticals, healthcare was targeted the most for the third quarter in a row, with the government being the second most targeted.

Why Ransomware? Why Now?

Industry experts say the rise in attacks is due to a confluence of factors, including the increase in hard-to-trace cryptocurrency, the work-from-home trend and a political climate marked by tensions between the U.S. and Russia, where the majority of ransomware attacks derive.

Besides the abundance of low-hanging fruit, ransomware has proven to be highly profitable for cybercriminals. “Cybercrime is estimated to cost the global economy in the neighborhood of $6 trillion—that’s equivalent to some of the largest economies in the world,” says Dave Trader, Cybersecurity Practice Lead at Presidio. “Reports show in 2020, ransomware was the top attack type in North America and is a lucrative business that will continue to evolve and proliferate. Ransomware as a Service (RaaS) is now a business model for distributing ransomware variants to subscribers offering the same benefits associated with legitimate Software as a Service (SaaS) providers such as regular updates, technical support, access to communities, and documentation.”

Step One: Plan for the Possibility of an Attack

When end users consider ways to defend themselves against the latest cybersecurity threats, topics such as security, data backup and recovery and employee training often are cited. All these things are good and necessary, but they’re not the first thing companies should be thinking about. The first step entails creating a plan that details how your company would handle a security incident. Here are some of the pitfalls that happen if you skip this vital step:

Pitfall #1: Hitting the panic button and word-vomiting

“When there’s an incident, people within an organization often panic,” says Jennifer Beckage, managing director of Beckage, a law firm focused on technology, data security and privacy matters. “They may call their spouse, other family members or even a peer who may have experienced a similar incident. But, unfortunately, once the toothpaste is out of the tube, there’s no putting it back in. So, the first call should be to a lawyer who understands data security and privacy and who can help sort things out. The other benefit of engaging a lawyer in the tricky data security space is that all communications are privileged, meaning they’re confidential.”

The panicked calls Beckage describes above are often followed by assumptions of a worst-case scenario and the bandying about of terms like “cyberattack” and “breach,” when in fact, it may be an incident. “You have to be very careful what you say,” warns Beckage. “If you use a certain word, it may start a clock somewhere.”

Trader concurs and adds, “The clock starts ticking when you say certain words for GDPR (General Data Protection Regulation), for example, especially concerning when you have to report an incident.”

Pitfall #2: Jumping the gun to data recovery

When someone sees a threatening message on their screen telling them their data is locked and demanding money, their immediate thought is, “How can I make this go away and get my data back?” But, skipping to data recovery before consulting with an incident response expert can make things worse, warns Beckage. “We’ve seen situations where a company’s network was compromised, and they continued using their corporate email to communicate sensitive information while the threat actors were observing,” she says. “In one scenario, a stakeholder tried negotiating with the criminal, saying he could only afford a smaller ransom fee. The criminal responded, ‘I saw the email with your insurance policy limits. I know you have more money.’”

Pitfall #3: Giving in and paying the ransom

Another knee-jerk reaction to a ransomware attack—especially for companies that don’t back up their data—is to pay the fee in the hope that things can quickly get back to normal without anyone knowing. The problem with this strategy, says Beckage, is that it could put you in a bad situation with the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC). “OFAC issued an advisory last year that warns against paying threat actors on the U.S. sanctions list because it funds activities that impact U.S. national security interests. Those who do pay threat actors could face additional fines and penalties from the U.S. government unless certain risk mitigation steps are taken and evaluated.”

Pro Tip: Create an incident response plan—and practice it

To avoid adding unnecessary complexity, cost and stress to an already difficult situation, it’s imperative that companies create an incident response (IR) plan. The National Institute of Standards in Technology (NIST) has readily available resources that can help you build a plan. However, NIST also acknowledges there’s no one-size-fits-all approach. For example, some organizations may prefer a central IR plan where a central body such as a computer security IR team (CSIRT) handles the response. Other companies may require a distributed plan involving multiple response teams responsible for a location or affected systems. There’s even a coordinated option where a central team or body conveys response plans to the affected groups.

Once the IR plan is created, it’s essential to test the plan regularly, advises Presidio’s Trader. “The best way to prepare for a ransomware attack is to run practice drills to identify areas of improvement in the environment. We do this through table-top exercises (TTX), attack simulations and ransomware readiness assessments. Our team will systematically go through the components necessary to protect an environment and review current configurations to protect the client’s environment from these attacks.”

Must-Have Security Technologies for a Zero Trust Strategy

While there’s no single technology solution to defend against cyberthreats, a few specific security solutions can help significantly. The CTIR team recommends the following:

Use multifactor authentication—such as Cisco Duo, which will help prevent adversaries from accessing users’ accounts and spreading malware deeper into networks. CTIR frequently observes ransomware incidents that could have been prevented if MFA had been enabled on critical services.

Use email security—such as Cisco Secure Email (formerly Cisco Email Security) to block malicious emails sent by threat actors as part of any business email compromise (BEC) campaigns. You can try Secure Email for free here.

Prevent ransomware execution—with Cisco Secure Endpoint. Try Secure Endpoint for free here.

These security technologies are critical parts of a Zero Trust strategy, which encourages organizations not to trust any entity outside or inside their parameters. In addition, a zero-trust network adheres to the principle of least-privilege access: giving users only as much access as they need and minimizing their exposure to sensitive network resources. To learn more about Zero Trust, check out our on-demand webinar, “What Does Zero Trust Actually Mean?” featuring input from three cybersecurity experts with over 60 years of collective experience.

Backup and Disaster Recovery’s Role in Beating Ransomware

Backup and disaster recovery (BDR) solutions can be an invaluable resource in the event your mission-critical data files get locked up—if you practice good BDR hygiene. This entails adopting Veeam’s 3-2-1-1-0 rule for backing up data:

3 different copies of data
2 different forms of media
1 off-site copy
1 copy that’s offline, air-gapped or immutable
0 errors after backup testing and recoverability verification

The last bullet point on the list, testing, is where many BDR strategies fail. This step used to be a massive pain with image-based backups and bare-metal restores. You had to build another server using identical hardware components and drivers before starting the time-consuming restore process. In the modern era of virtual machines (VMs), you can reduce the 8-hour recovery window to less than 15 minutes with a good solution.

Closing Thoughts

Companies need to take a comprehensive and holistic approach to ransomware. “There isn’t one silver bullet for ransomware, but when we combine our defenses and sync them in harmony, that unison provides a best practice platform that can combat these attacks,” says Trader. “In the event you discover you’ve been attacked, our Incident Response Team is ready to rapidly engage and assist with triage, stabilization and recovery efforts. Our experts know how to mitigate, remediate and encapsulate forensic evidence working alongside cyber insurance and legal teams. Attacks like this can be disruptive, and our teams respond with a sense of urgency to get you back up and running more securely.”

Presidio

+ posts

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
Zoominfo	session	Zoominfo uses technologies to collect and store information when you interact with services it offer to their partners, such as advertising services or analytics. All of those processes are meant to improve your user experience and the overall quality of our services.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_111355416_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's pageview limit.
_hjIncludedInSessionSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's daily session limit.
_hjTLDTest	session	Hotjar test cookie to check the most generic cookie path it should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid	session	This cookie is used for storing the session ID of the user who clicked on an okt.to link.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages.

Cookie	Duration	Description
__gwtCookieCheck	session	This cookie is used to check if the visitors' browser supports cookies.
AnalyticsSyncHistory	1 month	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
li_gc	2 years	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
UserMatchHistory	1 month	LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Ransomware Prevention: Best Practices to Follow and Pitfalls to Avoid

Presidio

UJIMA

VETs

WONDER

PRIDE

Mental Health Matters

KEVIN FLEURIE

Dan O’Brien

BRYAN CALDER

ROBERT KIM

VINCENT TRAMA

WAHEED CHOUDHRY

CHRIS CAGNAZZI

BRID GRAHAM

MICHAEL KELLY

KEVIN WATKINS

JENNIFER JACKSON

MANNY KORAKIS

JUSTIN FILIA

GOPINATHAN PANDURANGAN

STEVEN PALMESE

ELLIOT BRECHER

BARBARA ROBIDOUX

Please select your venue city and
complete registration form below.

Please complete registration
form below.

Dave Hart

CHRIS BARNEY

JOHN HANLON

Greg Hedrick

Courtney Washington

CHRISTINE KOMOLA

VINU THOMAS

JULIETTE AUSTIN