How to Prepare for a Ransomware Event

Published by Axio

Ransomware attacks — where cybercriminals extort companies by holding data and networks ransom — continue to rise in popularity. Recent trends suggest hackers will use ransomware more frequently in 2021 and beyond, which means companies need to be more vigilant than ever to prepare for attacks.

The topic of ransomware and its ongoing impact on businesses was explored during a recent webinar from Axio, AIG, and Security Boulevard. Axio Co-Founder and President David White and AIG Cyber Product Lead Garin Pace spoke at length about the state of ransomware in 2021 and how companies can prepare for a ransomware event.

Below we share some of their insights and how companies can be better prepared for a ransomware attack.

Top Three Ways to Prepare for a Ransomware Event

As companies realize just how damaging and expensive a ransomware event can be, they should start thinking about practical ways to prevent attacks. What can be done to stop attackers from gaining access to systems in the first place?

Here are three key steps they can take.

#1: Increase Protections to Privileged Credentials

Perhaps the most important thing companies can do right now is protect access to privileged credentials. Businesses today simply have too many employees and third parties holding passwords and access to their networks. To lock this down appropriately, companies should consider the following:

  • Use multi-factor authentication (MFA) on domain administrator accounts — Companies should invest in MFA solutions to add a further layer of protection for networks and sensitive information. The MFA prompt should come only after a correct password has been entered. Examples of MFA implementations include sending a text message to the admin's phone, sending an email requesting access, answering a difficult personal question, or using a physical token that connects via Bluetooth or RFID. There are many ways to implement this, but a second authentication step of almost any kind helps.
  • Scrutinize domain admin privileges — Service accounts are often where MFA is not an option, and some of them are overprivileged, with far more access to networks and data than they need. It's crucial to regularly review who has access to what and scale that access back.
  • Eliminate domain admin service accounts — Service accounts that hold domain admin rights should be retired, or reconfigured so they carry far fewer privileges. Attackers today often use service accounts as a way into networks. It is more work to give a service account only the entitlements it needs, but the effort is worth the security gained.
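A starting point for the two review items above, as an added example that is not from the webinar or from Axio: a PowerShell audit that lists the effective members of Domain Admins and flags the ones that look like service accounts, so they can be moved to least-privilege accounts or reviewed. It assumes the RSAT ActiveDirectory module and a domain-joined account with read access; the group name and the 365-day rotation threshold are assumptions.

```powershell
# Added example (not from the webinar or Axio): audit who is effectively a
# Domain Admin and flag accounts that look like service accounts.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-DomainAdminAudit {
    param(
        [string]$Group = 'Domain Admins',   # assumption: the group under review
        [int]$StalePasswordDays = 365       # assumption: rotation expectation for review
    )
    # -Recursive expands nested groups so indirect members are not missed
    $members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties ServicePrincipalName,
            PasswordLastSet, PasswordNeverExpires, LastLogonDate

        # A user object with an SPN is a Kerberos service account by definition;
        # "password never expires" is the other usual service-account marker.
        $hasSpn       = ($u.ServicePrincipalName | Measure-Object).Count -gt 0
        $neverExpires = [bool]$u.PasswordNeverExpires
        $stale        = $u.PasswordLastSet -and
                        $u.PasswordLastSet -lt (Get-Date).AddDays(-$StalePasswordDays)

        $reasons = @()
        if ($hasSpn)        { $reasons += 'has SPN (Kerberos service account)' }
        if ($neverExpires)  { $reasons += 'password never expires' }
        if ($stale)         { $reasons += "password older than $StalePasswordDays days" }
        if (-not $u.Enabled){ $reasons += 'disabled but still a member' }

        [pscustomobject]@{
            SamAccountName          = $u.SamAccountName
            Enabled                 = $u.Enabled
            LastLogon               = $u.LastLogonDate
            PasswordLastSet         = $u.PasswordLastSet
            LooksLikeServiceAccount = ($hasSpn -or $neverExpires)
            ReviewReasons           = ($reasons -join '; ')
        }
    }
}

# Flagged accounts first, so the review list starts with the likely service accounts
Get-DomainAdminAudit | Sort-Object LooksLikeServiceAccount -Descending | Format-Table -AutoSize
```

Every row with LooksLikeServiceAccount set is a candidate for the third bullet: either retire it or re-create it as a dedicated account that holds only the entitlements the service actually needs.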

#2: Modernize Endpoint Protections

Most companies today have many different users touching their networks from many different devices, including cell phones, tablets, desktops, and laptops. These network “endpoints” often introduce security weaknesses, whether through user error, phishing scams, or direct compromise. Despite this, companies aren’t necessarily ready when a creative, motivated cybercriminal sets out to find a way into the network.

“A lot of these attackers are not necessarily bringing zero-days or what have you,” Pace said. “They are using some tried and true tactics, but they are sophisticated enough to make sure that whatever they are bringing, that it doesn’t appear in any list of signatures or any reputational source.”

Pace notes that companies running a legacy technology stack often end up complacent: they trust established malware lists too much and lack software that can proactively look for threats not yet known to researchers.

“Companies need endpoint-security protections that are able to detect a bad behavior without relying on any type of reputation source that says, ‘Oh, we’ve seen this attack before or we’ve seen this file or technique before,’” Pace said. “These attackers are pulling down ransoms in the millions of dollars, and they’re bringing tools that don’t appear on a reputation source. The most recent endpoint security platforms seem to be able to deal with this and are used to clean up these incidents. But, unfortunately, a lot of companies are still relying on legacy endpoint platforms and aren’t getting the job done.”

Other ways to strengthen endpoint protection include deploying advanced anti-malware software, using firewalls and intrusion detection systems, and sandboxing, in which devices and software changes are tested outside the production environment before being rolled out in full.
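To make Pace’s distinction concrete, here is an added example (not from the webinar or from Axio) of a purely behaviour-based check that consults no signature or reputation list: it flags any process that renames an unusual number of files to a new extension within a short window, which is the trace an encrypting process leaves in file telemetry. The events, process names and thresholds are constructed for illustration; a real deployment would feed it endpoint-agent or Sysmon rename events.

```powershell
# Added example (not from the webinar or Axio): a behaviour-only heuristic for
# mass file renames. It uses no signature or reputation source, only the shape
# of the activity. The sample telemetry below is constructed for illustration.
$T0 = [datetime]'2021-03-01T09:00:00'
$SampleEvents = @(
    # ordinary editing: three renames spread over 45 minutes
    1..3  | ForEach-Object { [pscustomobject]@{ Time = $T0.AddMinutes(15 * $_); Process = 'winword.exe';
                                                NewPath = "C:\Users\jdoe\Documents\report$_.docx" } }
    # burst: 40 files receive a new extension within 40 seconds (constructed process name)
    1..40 | ForEach-Object { [pscustomobject]@{ Time = $T0.AddSeconds($_); Process = 'updater.exe';
                                                NewPath = "C:\Users\jdoe\Documents\sheet$_.xlsx.locked" } }
)

function Find-MassRenameActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # rename events with Time, Process, NewPath
        [int]$Threshold = 20,                      # renames by one process inside the window
        [int]$WindowSeconds = 60
    )
    foreach ($group in ($Events | Group-Object Process)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        # sliding window over this process's renames, oldest to newest
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $exts = $sorted[$start..$end] |
                    ForEach-Object { [IO.Path]::GetExtension($_.NewPath) } | Sort-Object -Unique
                [pscustomobject]@{
                    Process         = $group.Name
                    RenamesInWindow = $end - $start + 1
                    FirstSeen       = $sorted[$start].Time
                    NewExtensions   = ($exts -join ', ')
                }
                break   # one alert per process is enough for triage
            }
        }
    }
}

Find-MassRenameActivity -Events $SampleEvents | Format-Table -AutoSize
```

With the constructed data only updater.exe is reported, because winword.exe never reaches the threshold inside any 60-second window; tuning the threshold and window against a baseline of normal activity is what keeps such a rule from paging on large legitimate batch jobs.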

#3: Measurably Improve Vulnerability Management

Another critical thing businesses need to do is keep up the basic steps that protect against known vulnerabilities. For example, companies should apply patches to all of their hardware and software in a timely fashion, even if patching is not the most exciting topic for administrators.

“It’s not sexy, but attackers continue to be able [to use established critical vulnerabilities that have patches issued] and exploit an externally accessible device in a victim’s network,” Pace said. “And on top of that, that device has privileged credentials inside it. It’s making it too easy. So while I know that patching isn’t trivial, it is something that we should continue to call out, and particularly in those critical systems, which have remote access and have credentials in them.”

Another thing companies and administrators need to think through is how permissions are configured, so that fewer accounts and services hold access to the network, even though that is difficult work.

“It is more work to go through, and in accordance with the principle of least privilege, say ‘what specific rights does this service need to work?’” Pace said. “While just giving it domain admin may make it easy to work, unfortunately, if an attacker takes over that account, that increases the risk. I’m not trying to call out companies, and we’re all in this security journey together. But I would hope that companies recognize that when vendors give their implementation guidance to companies, I would hope they realize that it may take a little bit more work to give a service account only the entitlements it needs.”

Why You Need to Do a Ransomware Preparedness Assessment

If companies are caught unaware when ransomware attacks happen, the price tag can be incredibly high. As of 2020, ransom demands averaged about $5 million and topped out at an astronomical $40 million. Therefore, companies need to prepare and be vigilant against potential attackers.

To do this, companies should use a comprehensive ransomware preparedness tool to help gauge whether they are ready to prevent, contain, and recover from ransomware attacks. Below we’ll walk through why each of these assessment steps is important.

Prevent: Protect Against Initial Compromise

First and most importantly, a ransomware assessment can help your company determine whether it is ready for a ransomware attack. It helps ensure you have implemented secure network and device configurations that, in turn, reduce network and supply-chain vulnerabilities. It can also help you test how well you can monitor and stop both email- and web-based threats.

Contain: Limit the Spread of Ransomware

Secondly, a ransomware assessment can help you take a closer look at how your privileged accounts are managed. You need to know who has access to your networks and what level of access each account holds. For service accounts especially, this helps you work through the problem of attackers using service accounts to obtain domain admin rights.

Restore: Respond to and Recover from Ransomware

Thirdly, an assessment can help you determine how well your systems would recover from a damaging ransomware attack. Not only do you need to implement, test, and protect your backup systems and data, but you also need a strategic plan for how you would respond to cybercriminals. For example, if an attacker exfiltrated sensitive user data from your company and threatened to release it online, what would your business’s response be?

Use An Assessment to Help with Cyber Insurance

One final reason companies should perform a ransomware preparedness assessment is that it helps when seeking cyber insurance coverage. For example, large insurance providers such as AIG can use a preparedness assessment from companies like Axio to help develop an insurance policy that protects against cybercrime.

“AIG will accept the Axio ransomware assessment,” Pace said. “That’s one of the things that we are looking for. I have recently changed our underwriting standards, but we’ve worked with Axio to make sure all the data is there. If you are an actual customer, that can aid you in getting a cyber insurance quote.”

Think Ahead with Axio360

If your company requires more clarity on the risk of ransomware threats, Axio360 can provide a path forward. Right now, you can launch and complete a ransomware preparedness assessment for free in the Axio360 platform. It’s a quick way to understand your current cyber maturity and prioritize what critical improvements need to be completed as you move further into 2021.

Try the Free Tool