Ransomware Risk Factors & Risk Reduction Strategies
Ransomware risk factors continue to be a top concern for organizations of all sizes and across all industries. In fact, the 2022 Verizon Data Breach Investigations Report found that ransomware increased 13% in 2021 – a spike equal to the last five years combined.
In addition, ransomware and it’s equally troublesome counterpart extortion exposure made it onto our list of the top threats for 2022. From widely publicized cases affecting health care organizations to many small businesses whose day-to-day operations are interrupted, ransomware is a very real threat and every organization should have a plan.
LMG Security has published a lot of advice on what to do if your organization is hit with ransomware, but for this blog we will turn our attention to ransomware risk factors and risk reduction strategies.
How to Evaluate Your Organization’s Ransomware Risk
We recommend you start by considering the two traditional components of evaluating risk – likelihood and impact. First, how can you proactively reduce the likelihood of being hit by ransomware? Then, what can you do to proactively limit the impact in case you are hit? Let’s review some key components you need to evaluate your organization’s ransomware risk:
Reducing Likelihood:
Having a strong response strategy in place is essential but preventing ransomware in the first place is even better!
What can you do?
- Strong Authentication: Enforce long, strong passwords, and give your users access to a password manager program to help them store their long passwords securely. Deploy multi-factor authentication wherever available, and especially for remote access, including vendor access.
- Tip – Check out LMG’s video tutorials on multi-factor authentication and password generation for more information
- Exposed RDP Interfaces: Many ransomware infections start with an exposed login interface. Criminals break in using a weak or stolen password, and then spread throughout the internal network by exploiting unpatched computers or leveraging additional weak or stolen passwords. Protect against this common attack vector by conducting regular port scans, closing unnecessary RDP, and putting any RDP interfaces behind a VPN.
- Regular and Emergency Patching Policies: Many organizations have a patch management policy that calls for monthly or bimonthly patching cycles. But when a critical vulnerability is announced, hackers may actively try to exploit your server within hours or days, not weeks. You need to update your patch management policies and procedures to ensure quicker patching for critical vulnerabilities and ensure strong patch verification. Consider using an automated patch management cybersecurity tool or a continuous vulnerability management solution. This will enable you to catch the systems that are out of date for patches. Don’t forget to verify that patching was successful. Many organizations think they have successfully patched their software, only to find out later the patch failed.
- Tip – Inventory all of your operating systems and third-party apps, so you know which patches you need to apply. Read this blog on software patch management tips for more information.
- Phishing Prevention: Phishing emails are a top attack vector for ransomware, either through the use of attachments infected with malware, or the use of phishing to capture user credentials, which are then used to authenticate via public facing interfaces like RDP. Make sure your users all understand the risks of phishing and how to identify phishing emails – this is a key factor to reduce your organization’s ransomware risk! Ensure your spam filtering is effective, and use a web proxy to detect and block malicious sites. (Read more on phishing prevention.)
- Tip – Consider phishing tests to gauge the effectiveness of your training and help identify any users who may need a little extra help identifying phishing emails.
- Cyber Hygiene Basics: As with all types of malware threats, having the basics covered can go a long way to reduce risk. Eliminate outdated operating systems from your environment, proactively patch all systems, and deploy antivirus with automatic updates. Monitor for systems with missing patches or lapsed antivirus.
Reducing Impact
If you are affected by ransomware, there are ways to proactively reduce the potential impact of the situation.
What can you do?
- Strong Access Management: Ransomware will encrypt any files to which the affected user has access. This means you can reduce potential impact by carefully managing user access permissions. What does this entail?
- Role-based Access: Step one is to only grant access to systems and data that is specifically needed for each user’s job function. For efficiency, role-based access control is typically set up by job title, department, or role, rather than by the individual user.
- Tip – Don’t assume that managers need broad access! Seniority or tenure does not justify access to everything. Make sure all access is appropriate for each person’s specific job responsibilities. Broad access creates significant risks for your organization.
- Guard Against Access Creep: This often occurs when a user changes roles and is given new permissions for the new role, but their previous permissions are not reviewed and adjusted accordingly. This is important, as lack of an effective change process can totally undermine the intent of role-based access.
- Tip – Access creep can also happen in relation to a special assignment or even when a team member covers for a coworker who is out. Be sure that access intended for a short-term purpose is tracked and removed when no longer needed.
- Privileged Access Management: Be sure your IT administrators have regular user accounts for day-to-day functions like email and internet research, that don’t require elevated privileges. Administrator accounts should only be used for tasks that require elevated access.
- Account and Permission Reviews: Periodic review is important to identify any accounts no longer needed or any excess permissions that can be removed.
- Tip – Removing or limiting an employee’s access can be a touchy subject if they think it is because they are not trusted. Communicate the “why” behind access restrictions; let employees know that broad access can increase the potential impact of ransomware and cause serious damage to the organization.
- Local Administrator Credentials: Don’t use the same password for the local administrator account on all of your workstations. If attackers successfully crack that password, they can use it to move laterally through your network.
- Tip – Use Microsoft’s Local Administrator Password Solution (LAPS) to resolve this issue.
- Detection and Reporting Capability: With ransomware, time is of the essence. Timely detection through automated tools like an intrusion detection/prevention system (IDS/IPS) and endpoint monitoring give your team the opportunity to contain the situation and reduce impact. Also make sure your users know the signs of ransomware, what to do, and who to report it to.
- Role-based Access: Step one is to only grant access to systems and data that is specifically needed for each user’s job function. For efficiency, role-based access control is typically set up by job title, department, or role, rather than by the individual user.
- Network Segmentation: Separate systems on your network so that a high-risk workstation is less likely to infect an important server.
- Backup Strategy: Backup your data, store it offline, and store a copy either off-site or in secure cloud storage. Test your backups regularly to make sure they are viable for recovery, and to ensure your team is familiar with the recovery process. If you are hit with ransomware, sometimes your backups are your only recourse.
- IR Preparedness: Make sure you have an Incident Response Plan in place, and that it covers ransomware scenarios. Ensure that your response team is familiar with the plan and with their specific roles, and that you’ve identified back-up team members for critical functions.
- Tip – Practice your IR plan through a tabletop exercise, which can yield some surprising lessons.
Does this list seem like a lot to tackle? LMG Security has compiled these ransomware risk factors into a Ransomware Risk Assessment package to help our clients evaluate their ransomware risk and identify steps to reduce it.
Contact LMG Security to learn more about how a Ransomware Risk Assessment can help your organization guard against the threat of ransomware.