Steps to Help Prevent & Limit the Impact of Ransomware

From small local government entities to large organizations, ransomware attacks are everywhere. It's up to all of us to help prevent these attacks from being successful.

Ransomware is a type of malware that encrypts files on a system or device in an attempt to coerce the victim into paying a ransom. Threat Actors (TAs) may also threaten to leak, erase, or otherwise withhold the files. TAs drop ransom notes claiming responsibility and direct the victim to respond through a medium they dictate, such as an encrypted chat or an email address. Ransomware can be particularly harmful when it targets hospitals, emergency call centers, and other critical infrastructure, as a successful infection could disrupt access to systems and data necessary for delivering life-saving medical treatment and upholding public safety.

To protect against ransomware, you need a holistic, all-hands-on-deck, defense-in-depth approach that brings together your entire organization. Below are four ways you can get started in your efforts to stop attacks and limit the effects of ransomware. We've mapped each step to the applicable security best practices of the CIS Critical Security Controls® (CIS Controls®) so that you can learn more on each topic.

1. Develop Policies and Procedures

Create a scalable and practical incident response plan so you and your staff understand your responsibilities and communication protocols both during and after a cyber incident. Teams to include in your incident response plan include (but aren't limited to) IT, legal, and administrative teams. You should also include a list of contacts, such as any partners, insurance providers, or vendors, that would need to be notified. Run these plans through a test process or "tabletop exercise" to assess the implementation, identify any gaps, and then refine the plans accordingly. We recommend reviewing the plan on a quarterly basis to account for organizational growth and for changes in staff or in IT assets and infrastructure.

View CIS Control 17 for more on incident response management.

2. Maintain Backups

Backing up important data is the single most effective way of recovering from a ransomware infection. There are some things to consider, however. Your backup files should be appropriately protected and stored offline or out-of-band so they can't be reached and encrypted by an attacker who has already compromised your network. Cloud services can also help you recover, as many of them retain previous versions of files that allow you to roll back to an unencrypted version. Routinely test backups to confirm they can actually be restored. In the case of an attack, secure your backups immediately and verify that they aren't infected, since a backup taken after the intrusion began may contain the TA's tooling or already-encrypted files. Confirm the integrity of a backup, for example by checking file hashes against a record made when the backup was written, before rolling back to it.
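One way to do that integrity check, as an added example that is not part of the CIS article: build a SHA-256 manifest of a backup set when it is written, keep the manifest with the offline copy, and verify the set against it before you restore. The paths under `E:\backups` and `E:\manifests` and the function names are assumptions for illustration; this checks that the backup was not altered after it was written, and is separate from scanning it for malware.

```powershell
# Added example (not from the CIS article). Requires only built-in cmdlets.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,     # assumed layout: one folder per backup set
        [Parameter(Mandatory)] [string] $ManifestPath    # assumed: stored with the offline copy, not on the backup server
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path
    # One row per file: relative path, size, SHA-256. Keeping the manifest off the
    # backup server means a TA who reaches the server cannot rewrite both the data
    # and the record of what the data should look like.
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            Length = $_.Length
            Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $BackupRoot).Path
    $expected = Import-Csv -LiteralPath $ManifestPath
    $problems = New-Object System.Collections.Generic.List[object]
    $known    = @{}

    foreach ($entry in $expected) {
        $known[$entry.Path] = $true
        $full = Join-Path $root $entry.Path
        if (-not (Test-Path -LiteralPath $full)) {
            $problems.Add([pscustomobject]@{ Path = $entry.Path; Status = 'Missing' })
            continue
        }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {
            # A changed hash on a file that should never change is the signal that
            # the backup itself was touched (encrypted, truncated, or replaced).
            $problems.Add([pscustomobject]@{ Path = $entry.Path; Status = 'Modified' })
        }
    }

    # Files on disk that the manifest never recorded are also suspicious: ransomware
    # commonly drops ransom notes and renamed copies next to the originals.
    foreach ($file in Get-ChildItem -LiteralPath $root -File -Recurse) {
        $rel = $file.FullName.Substring($root.Length).TrimStart('\', '/')
        if (-not $known.ContainsKey($rel)) {
            $problems.Add([pscustomobject]@{ Path = $rel; Status = 'Unexpected' })
        }
    }
    return $problems
}

# At backup time, on the backup media:
#   New-BackupManifest -BackupRoot 'E:\backups\2024-05-01' -ManifestPath 'E:\manifests\2024-05-01.csv'
# Before rolling back (an empty result means every file matches the manifest):
#   Test-BackupManifest -BackupRoot 'E:\backups\2024-05-01' -ManifestPath 'E:\manifests\2024-05-01.csv' | Format-Table
```

Treat any `Modified` or `Unexpected` row as a reason not to restore from that set until it has been examined; a `Missing` row on its own usually points at an incomplete copy rather than tampering.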

Control 11 provides more information about how to make a data recovery plan.

3. Know Your Attack Surface and Harden Your Network

You can't defend what you don't know about, so your first step here is developing asset inventories of your enterprise assets and software. You can do so using Control 1 and Control 2. Once you understand your attack surface, you can move on to ensuring your systems are configured with security in mind. Secure configuration settings help limit your organization's attack surface and close security gaps left by default configurations. Toward that end, you can use the secure recommendations of the CIS Benchmarks™, industry-leading, consensus-developed configurations which are freely available to all. Keep reading to explore several examples of effective hardening methods you can consider when reviewing the current security posture of your organization.

Review Port Settings

Many ransomware operations use Remote Desktop Protocol (RDP), TCP port 3389, for initial access (exposed RDP is routinely brute-forced or logged into with stolen credentials) and Server Message Block (SMB), TCP port 445, to spread laterally inside the network. Consider whether your organization needs to leave these ports open at all, and where they are needed, limit connections to only trusted hosts; RDP in particular should not be reachable directly from the Internet. Be sure to review these settings for both on-premises and cloud environments, working with your cloud service provider to close unused RDP exposure.
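What that review looks like on a single Windows host, as an added example that is not part of the CIS article: list what is listening on 3389 and 445, show which enabled inbound firewall rules allow them and from where, then scope the built-in Remote Desktop rules to a management subnet and disable inbound SMB where the host does not serve files. The management subnet `10.10.5.0/24` is an assumption; the rule and group names are the defaults on Windows 10 / Windows Server 2016 and later, and the script must run as Administrator.

```powershell
# Added example (not from the CIS article). Run elevated on the host being reviewed.

$ManagementSubnet = '10.10.5.0/24'   # assumed: the only hosts that should reach RDP on this machine

# 1. What is actually listening on the two ports, and which remote hosts are connected right now?
Get-NetTCPConnection -LocalPort 3389, 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State, RemoteAddress |
    Sort-Object LocalPort, State |
    Format-Table -AutoSize

# 2. Which enabled inbound rules allow those ports, and to which remote addresses?
#    "Any" in the RemoteAddress column is the finding to fix.
Get-NetFirewallPortFilter -Protocol TCP -LocalPort 3389, 445 |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    } | Format-Table -AutoSize

# 3. Scope the built-in Remote Desktop rules to the management subnet instead of "Any".
#    If you are running this over RDP from outside that subnet, this step disconnects you.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $ManagementSubnet

# 4. If this host does not serve files, disable inbound SMB on every profile.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Disable-NetFirewallRule

# 5. Require Network Level Authentication so RDP demands credentials before a session is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1
```

Steps 1 and 2 are read-only and safe to run fleet-wide for inventory; steps 3 to 5 change configuration and belong in your change process. On a file server, replace step 4 with a `Set-NetFirewallRule -RemoteAddress` scoping of the SMB rule to the subnets that legitimately use it.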

Control 4 describes different ways your organization can control network ports, protocols, and services.

Keep Systems up to Date

Make sure all of your organization's operating systems, applications, and software are updated regularly. By applying the latest updates, you'll close security gaps that attackers are looking to exploit. Where possible, turn on auto-updates so you'll automatically receive the latest security patches. In some environments, out-of-date software must be kept running for operational reasons. Identify those systems, prioritize the ones that run software with known exploited vulnerabilities, isolate them from the rest of the network in the meantime, and deprecate or update them as soon as possible.

Additional information about updating and vulnerability management is available in Control 7.

Network Visibility

Prior to an incident, it is important to consider the overall visibility of your network and user accounts. You can improve your visibility by maintaining up-to-date network diagrams and storing them where they can be retrieved during an incident, including a secure location that does not depend on the systems that may be affected. This also includes visibility of your end-user accounts. Review Active Directory for accounts that are no longer needed and can be disabled or removed, implement a strict naming convention, and strongly discourage shared accounts; giving each vendor its own named accounts creates accountability for what those accounts do.

Check out Control 5 for more details about managing your organization's accounts.

Access Control

To gauge your organization's overall security posture, review your access control policy and its implementation. Specifically, review how your end-users connect to your network and resources, both internally and externally, and implement safeguards such as multi-factor authentication (MFA) on your virtual private network (VPN) client and on any portals or resources that end-users can reach remotely. Other things to consider include account lockout policy, password age and complexity requirements, and security challenge questions (keep in mind that challenge questions are a weak factor on their own and are no substitute for MFA).
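The Active Directory review described in the Network Visibility section and the lockout and password settings listed here can be pulled in one pass. This is an added example, not part of the CIS article; it needs the ActiveDirectory RSAT module and read access to the domain. The 90-day inactivity window, the `vnd-` vendor-account prefix, and the name fragments that hint at shared use are assumed conventions to replace with your own.

```powershell
# Added example (not from the CIS article). Read-only except for the commented-out last line.
Import-Module ActiveDirectory

$InactiveDays   = 90                                   # assumed review window
$VendorPrefix   = 'vnd-'                               # assumed convention: one named account per vendor user
$SharedPatterns = 'admin', 'shared', 'generic', 'test' # assumed: name fragments that suggest a shared account

# 1. Enabled user accounts with no logon in $InactiveDays days: candidates for disablement.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# 2. Accounts whose names suggest shared use, or vendor accounts that sit outside the naming convention.
$suspect = Get-ADUser -Filter * -Properties Description, PasswordNeverExpires, LastLogonDate |
    Where-Object {
        $n = $_.SamAccountName
        ($SharedPatterns | Where-Object { $n -like "*$_*" }) -or
        ($_.Description -like '*vendor*' -and $n -notlike "$VendorPrefix*")
    } |
    Select-Object SamAccountName, Description, PasswordNeverExpires, LastLogonDate

# 3. Enabled accounts exempted from password expiry: each is a standing credential worth a second look.
$neverExpires = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
    Select-Object SamAccountName

# 4. The domain lockout and password policy values the Access Control section lists.
$policy = Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  MinPasswordLength, MaxPasswordAge, ComplexityEnabled, PasswordHistoryCount

'== Inactive for more than {0} days ==' -f $InactiveDays
$stale | Format-Table -AutoSize
'== Possible shared accounts / vendor accounts outside the convention =='
$suspect | Format-Table -AutoSize
'== Enabled accounts whose password never expires =='
$neverExpires | Format-Table -AutoSize
'== Domain lockout and password policy =='
$policy | Format-List

# Disable rather than delete stale accounts first, so group memberships survive the review period:
# $stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName }
```

A `LockoutThreshold` of 0 means lockout is off, which is the setting that makes exposed RDP and VPN portals trivially brute-forceable; pair a sensible threshold with MFA rather than relying on either alone.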

Implement an IDS

An Intrusion Detection System (IDS) looks for malicious activity by comparing network traffic against signatures that describe known malicious activity, such as exploit payloads, scanning patterns, or connections to known command-and-control infrastructure. A robust IDS updates its signatures often and alerts your organization quickly when it detects potentially malicious activity.

The Center for Internet Security® (CIS®) has developed Albert Network Monitoring Management, an IDS solution tailored to U.S. State, Local, Tribal, Territorial (SLTT) government organizations. It uses a custom set of signatures that are updated daily to help SLTTs detect malicious activity that precedes a ransomware infection.
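To make the signature idea concrete, here is an added example that is not part of the CIS article and is not how Albert works: two small signatures applied to constructed Windows Firewall log lines in `pfirewall.log` format, one that fires on a single event (SMB allowed from outside the trusted subnet) and one that only fires once a source crosses a count threshold (repeated RDP attempts from outside). The trusted prefix `10.10.`, the threshold of 5, the sample lines, and the function names are all assumptions.

```powershell
# Added example (not from the CIS article). Runs offline against the constructed sample below.

$TrustedSubnetPrefix = '10.10.'   # assumed: the only addresses that should reach RDP/SMB
$RdpScanThreshold    = 5          # assumed: this many hits from one outside address raises an alert

# Constructed sample in pfirewall.log order: date time action protocol src-ip dst-ip src-port dst-port ...
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 203.0.113.5 10.10.5.20 51234 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.5 10.10.5.20 51235 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.5 10.10.5.20 51236 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 10:00:03 DROP TCP 203.0.113.5 10.10.5.20 51237 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 10:00:03 ALLOW TCP 203.0.113.5 10.10.5.20 51238 3389 0 - 0 0 0 - - - RECEIVE
2024-05-01 10:00:09 ALLOW TCP 10.10.5.31 10.10.5.20 49201 445 0 - 0 0 0 - - - RECEIVE
2024-05-01 10:00:15 ALLOW TCP 198.51.100.9 10.10.5.20 40001 445 0 - 0 0 0 - - - RECEIVE
'@

# A signature is a name, a predicate over one parsed record, and the per-source hit count
# needed before it becomes an alert (1 = a single matching event is enough).
$signatures = @(
    @{
        Name      = 'SMB allowed from outside trusted subnet'
        Match     = { param($r) $r.DstPort -eq 445 -and $r.Action -eq 'ALLOW' -and -not $r.SrcIp.StartsWith($TrustedSubnetPrefix) }
        Threshold = 1
    },
    @{
        Name      = 'Repeated RDP attempts from outside trusted subnet'
        Match     = { param($r) $r.DstPort -eq 3389 -and -not $r.SrcIp.StartsWith($TrustedSubnetPrefix) }
        Threshold = $RdpScanThreshold
    }
)

function ConvertFrom-FirewallLogLine {
    param([string] $Line)
    $f = $Line -split '\s+'
    if ($f.Count -lt 8 -or $f[0].StartsWith('#')) { return }   # skip header, comment and blank lines
    [pscustomobject]@{
        Time     = "$($f[0]) $($f[1])"
        Action   = $f[2]
        Protocol = $f[3]
        SrcIp    = $f[4]
        DstIp    = $f[5]
        SrcPort  = [int]$f[6]
        DstPort  = [int]$f[7]
    }
}

function Invoke-SignatureScan {
    param([string[]] $Lines, [array] $Signatures)
    $records = foreach ($l in $Lines) { ConvertFrom-FirewallLogLine $l }
    foreach ($sig in $Signatures) {
        $hits = $records | Where-Object { & $sig.Match $_ }
        # Group per source so one scanning host becomes one alert, not one alert per packet.
        $hits | Group-Object SrcIp | Where-Object { $_.Count -ge $sig.Threshold } | ForEach-Object {
            [pscustomobject]@{
                Signature = $sig.Name
                Source    = $_.Name
                Hits      = $_.Count
                FirstSeen = $_.Group[0].Time
                LastSeen  = $_.Group[-1].Time
            }
        }
    }
}

Invoke-SignatureScan -Lines ($sampleLog -split "`r?`n") -Signatures $signatures | Format-Table -AutoSize
# Against the real log on a host with firewall logging enabled:
#   Invoke-SignatureScan -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log") -Signatures $signatures
```

On the sample, the SMB signature fires once for 198.51.100.9, and the RDP signature fires for 203.0.113.5 only because its four dropped attempts plus the one allowed connection reach the threshold; the allowed connection on its own would look like ordinary traffic, which is why thresholding over the preceding drops matters.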

Defend Your Endpoints

You can add an additional layer to your ransomware defenses by investing in endpoint protection. Ransomware is constantly evolving, which means you can't rely solely on signatures alone for your defense. You also need to monitor your endpoints to quickly identify and block malicious activity, even in instances where no one else has seen that exact activity before.

That's the logic behind CIS Endpoint Security Services (ESS). CIS ESS uses Next Generation Antivirus (NGAV), Endpoint Detection and Response (EDR), and more to protect your endpoints against both known (signature-based) and unknown (behavior-based) malicious activity. ESS can also kill or quarantine files, effectively stopping a ransomware attempt before it develops into an infection.

4. Train the Team

Security awareness training is key to stopping ransomware in its tracks. When your employees can spot and avoid malicious emails, everyone plays a part in protecting the organization. Security awareness training can teach team members what to look for in an email before they click on a link or download an attachment. However, keep in mind that not all security awareness training solutions are created equal, and cost doesn't drive effectiveness. You can model simulated phishing campaigns after real-world samples and use the results to show end-users where improvements can be made.

Control 14 covers security awareness and skills training. Control 8 describes the management of audit logs, including those produced by most commercial IDS solutions.

Don't Give Ransomware Actors a Time Advantage

When ransomware strikes, your organization needs to learn of the infection and investigate quickly so that you can protect your systems and data. Most organizations struggle to contain incidents quickly, however. In its 2023 Cost of a Data Breach Report, IBM found that organizations took an average of 204 days to identify a breach and a further 73 days to contain it. That's plenty of time for TAs to encrypt your files.

It doesn't have to be that way. Through Albert Network Monitoring and Management, analysts in the 24x7x365 CIS Security Operations Center (SOC) perform initial investigation by confirming malicious threat activity, reviewing any historical activity from the impacted host, gathering security recommendations for the affected organization, and notifying the affected entity with expert security analysis and guidance. The process takes an average of six minutes between event detection and notification, thus complementing your other ransomware defense measures with timely insights into malicious activity. 

Analysts in the CIS Cyber Incident Response Team (CIRT) are also available if your incident meets the criteria for appropriate casework at no cost to SLTTs with services that include incident response, forensic analysis, and malware analysis. You can complete a request for CIS CIRT assistance by contacting the CIS SOC 24x7x365 at [email protected].

Ready to accelerate your ransomware defenses?