Nine Ways to Protect an Enterprise Against Ransomware

Unlike the stealthier advanced attacks that can stay undetected on corporate network for months, the impact of ransomware is immediate and intrusive.

Ransomware infiltrations in enterprises increased by 35 percent in 2016, according to consensus of security industry analysts and vendors, including Symantec. But even more alarming is the recent rise in its sophistication and distribution.

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. It can bring your business to a halt and cause significant financial damage.

Unlike the stealthier advanced attacks that can stay undetected on corporate network for months, the impact of ransomware is immediate and intrusive. Cyber attackers don't need a lot of money, resources or technical sophistication to use ransomware. Businesses are increasingly concerned about monetary damage, business downtime and other effects of ransomware.

Here are nine important steps, provided as industry information by enterprise security provider Landesk, that an enterprise should take to protect against a malware attack.

1. Patch the Critical Operating Systems and Applications

For most organizations, patching should be the first or second line of defense against any attack, including ransomware.

You can prevent many such attacks by ensuring that the OS and required third-party applications on each client system are up to date. You should also make a special effort to ensure that all critical patches and updates for applications such as Adobe Flash, Java, Web browsers, and Microsoft Office are kept current. In addition, you should prioritize patch and update deployments based on business needs and policies—and you should execute those deployments in ways that don't disrupt user or business operations.

Many organizations fear that comprehensive, timely, and consistent patching is too complex to execute and maintain, or that it may break critical business applications. However, using the latest patch management tools to scan for missing patches and deploy them to workstations or servers is a straightforward task—even in the most complicated environments.

2. Ensure that Antivirus Software is Up to Date and that Regular Scans Are Scheduled

If patching is your first line of defense, then antivirus (AV) should be the next one. Security researchers know by now that most ransomware attacks cannot be stopped by traditional, signature-based AV solutions. However, you don't want to fall victim to malware threats that are already identified and tagged by your AV vendor.

Ensuring that your virus definition database is always up to date on all your workstations is the most important element of an effective AV strategy. Good security management software can automate this process. Good solutions can distribute the latest virus definition file to all your endpoints in any size of environment very efficiently bandwidth-wise.

3. Manage Carefully the Use of Privileged Accounts

Minimizing privileges is an important tactic to protect against many types of malware, including ransomware. For example, a recently discovered ransomware attack called "Petya" requires administrator privileges to run and will do nothing if the user doesn't grant those privileges.

Removing administrator rights is easy, but balancing privileged access, user productivity and enterprise security isn't. Thus the need for privilege management solutions.

However, one thing to consider when protecting against ransomware is that many ransomware attacks are simply executables that users are tricked into running. Once executed, those ransomware instances run inside the current user space and don't require any administrator privileges to do their damage. For example, an updated version of the recent Petya ransomware attack has a fallback mechanism that allows it to encrypt files without the need for administrator privileges.

4. Implement Access Control that Focuses on the Data

An effective access control solution can help you protect against ransomware. However, if the solution focuses primarily or exclusively on user-access rights, it will likely prove less than effective.

Access control can be highly beneficial for protecting files located in shared drives. That's because some users may always have legitimate rights to access and modify at least some files on every shared drive. After all, most of those files are document files created by legitimate users. This means that a ransomware attack that successfully infects the system of a user with legitimate access rights can encrypt and hold hostage all of the files on all connected, shared drives and folders.

Compared to traditional access control, the new-gen method of data protection relies on understanding the behavior of ransomware and does not require creation and management of user-specific (and ever-changing) rules. It is therefore also easier to implement and maintain than access control based on user-rights management.

5. Define, Implement and Enforce Software Rules

Good enterprise software also makes it easy to define, implement and enforce rules that govern how other software behaves. Rules can restrict the ability of designated software to execute, or to create, modify, or read any file, or files located in specific folders—including the temporary folders used by browsers and other programs.

Those rules can be applied globally or to specific users or groups. However, before implementing such rules, it is important to consider the user experience degradation such rules can introduce. For example, when installing new or updated software, legitimate users are sometimes required to decompress ("unzip") or execute files directly from their browsers. Users may also rely upon the ability to create or invoke macros to do their jobs.

Software restriction rules may block these otherwise legitimate activities.

6. Disable Macros from Microsoft Office Files

Disabling macros from Office files will block many types of malware, including ransomware. For example, Locky is a relatively new crypto-ransomware that spreads primarily via spam with attachments. It entices users to enable macros in Word documents that download the malware onto machines.
7. Implement Applications Whitelisting

This solution effectively eliminates the ability of any ransomware to run, since no ransomware is trusted. It ensures that only known applications designated as trusted can run on any endpoint. The biggest challenges to the success of whitelisting are creating the initial list of trusted applications, and keeping that list accurate, complete, and current.

8. Restrict Users to Virtualized or Containerized Environments

In most cases, ransomware is distributed as an email attachment. Restricting users to virtualized or containerized environments will ensure that any ransomware that gains access to a user's system will do no harm to the user's primary work environment.

9. Back Up Critical Files Frequently

The FBI paper recommends using timely, frequent backups of critical files as a business continuity consideration. If done right, backups will save the day if you're attacked by ransomware.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...