Ransomware attacks are getting more frequent and costly. MPSs and MSSPs must help their customers implement ransomware protection measures to prevent and minimize the impact of these exploits. Are you keeping up with the latest technology and techniques for ransomware prevention?
Jan 15, 2024
Did you know the average ransom payment in 2023 was $1.54 million, almost double the 2022 figure of $812,380? But the ransom isn’t the only cost. Ransomware recovery involves downtime, people hours, and legal defense and settlements. Plus, companies may suffer lost business, tarnished reputations, and higher insurance premiums.
More organizations will rely on MSPs and MSSPs to help them implement ransomware protection measures. However, technology and techniques from just a year or two ago may have become obsolete in today’s fast-shifting threat landscape. It may be time for a makeover if you haven’t updated your ransomware prevention strategy lately.
Famous ransomware attack examples
• ICBC bank ransomware attack – $9 billion
• Johnson Controls ransomware attack – $27 million
• Dallas ransomware attack – 30,253 people exposed
• Wannacry ransomware attack – a crypto-specific attack
With organizations at risk whatever their size, there’s a growing requirement to safeguard against this highly damaging method of cybercrime.
Here are 12 things you can do to help your clients strengthen their defense and minimize the impact of ransomware attacks.
How to prevent ransomware attacks: What MSPs should know
Ransomware prevention is just one piece of the puzzle. Companies must have the measures to minimize damage if malware slips through the cracks. As such, MSPs should implement a layered approach to stopping ransomware attacks.
1. Maintain offline, encrypted backups of critical data
Online and cloud backups are essential but not enough to guard against ransomware attacks. A hacker can delete or encrypt network-connected backups to make restoration impossible unless they receive the ransom. Meanwhile, automated cloud backups aren’t sufficient — if an attacker encrypts local files, the latest content will be synced to the cloud, possibly overwriting unaffected data.
Maintain and regularly update “golden images” of critical systems, like pre-configured OS and software applications, and develop comprehensive network diagrams so you can quickly rebuild infrastructure for a client. Also, implement a multi-cloud strategy to prevent vendor lock-in for cloud-to-cloud backups if an attack impacts all accounts under the same vendor.
2. Create and maintain a cyber incident response plan
Each of your clients should have an incident response plan and ensure stakeholders understand their roles in handling data extortion incidents. The plan also should detail how to provide data breach notifications to third parties and regulators to meet compliance requirements. A hard copy of the plan and an offline version should be readily available for IT and security personnel.
Help your clients assemble an incident response team, identify vulnerabilities, and take stock of all critical assets. Create a detailed checklist to cover the five crucial areas: identification, containment, eradication, recovery, and lessons learned. Regularly test and update the response plan to address changes in the IT environment, organizational structure, and regulatory requirements.
3. Implement a comprehensive asset management system
You must have a complete view of a client’s digital assets before you can protect them. Therefore, inventory mapping and tracking are crucial for a robust backup and recovery strategy. Identify data and files for essential business processes and understand associated interdependencies to focus your resources on safeguarding critical assets.
Store this IT asset documentation securely and keep an offline digital copy and a hard copy on-site. Stakeholders responsible for executing the incident response plan should know how to obtain this information quickly. Additionally, regularly update the inventory to reflect the organization’s restoration priorities during a ransomware attack.
4. Address internet-facing vulnerabilities and misconfigurations
Most organizations have implemented various cloud-based applications to support the work-from-anywhere trend. Combined with the proliferation of devices, companies have substantially increased their attack surface. You should conduct weekly vulnerability scanning for your clients to identify and address potential issues, especially on internet-facing endpoints.
Configure all on-premise, cloud services, mobile, and personal devices properly and enable their security features. Limit Remote Desktop Protocol (RDP) and other remote desktop services to reduce the attack surface. Also, prioritize patching servers that operate software for processing internet data (e.g. web browsers, browser plugins, and document readers).
5. Minimize the risks of compromised credentials
Implement phishing-resistant multifactor authentication (MFA) for all services, especially email, VPNs, and accounts with access to critical systems. Also, install identity and access management (IAM) systems and zero trust access controls for your clients — these measures are critical for reinforcing the security of today’s complex hybrid environments.
Ensure your clients aren’t using root access accounts for day-to-day operations. Create users, groups, and roles to enforce granular access control and limit lateral movements. Also, implement a strong password policy, educate employees about password hygiene, and turn off the ability to save passwords to the browser in the Group Policy Management console.
6. Strengthen defense against phishing attacks
Phishing is still one of the most common attack vectors. Generative AI will enable criminals to create more realistic and sophisticated scams rapidly. Help your clients update their employee awareness and training program to include the latest phishing techniques. Implement robust flagging and filtering mechanisms and disable macro scripts for Microsoft Office files transmitted via email.
Enforce domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification to minimize the risks of spoofed or modified emails from valid domains. Also, disable Windows Script Host (WSH), which may provide an environment where users may unintentionally execute scripts from malicious files.
7. Improve detection and protection against malware infection
Implement a centrally managed antivirus and antimalware solution and set up automatic updates. Review the configurations to ensure warnings are escalated to the appropriate security personnel. Also, use application allowlisting and/or endpoint detection and response (EDR) solutions on all assets to ensure only authorized software is executable.
Blocking malware is essential, but what if something slips through the cracks? Be prepared to act immediately to contain the damage. Provide clients with 24/7/365 SOC monitoring and implement a robust intrusion detection system that allows you to identify suspicious activities and contain their impacts promptly.
8. Stay ahead of advanced social engineering
MSPs should help their clients prevent advanced social engineering scams like search engine optimization (SEO) poisoning, drive-by-downloads, and malvertising. These techniques often trick users into visiting spoof websites or clicking links that inject malware into their systems. Moreover, bad actors may impersonate staff from a vendor to deceive employees into providing access credentials.
Update your client’s cybersecurity awareness training materials to cover these advanced social engineering techniques. You may implement sandboxed browsers to protect systems against malware picked up from web browsing. Also, consider using a Protective Domain Name System (DNS) to block malicious internet activities at the source for secure remote working.
9. Prevent supply chain attacks
Third-party vendors with access to critical systems and data may increase an organization’s vulnerability to malware and ransomware. Assist your clients in vetting their service providers and ensure they follow proper security protocols. Also, create service control policies (SCP) for cloud-based resources to prevent users from deleting logs or changing virtual private cloud (VPC) configurations.
Since MSPs are prime targets for supply chain attacks, you should implement security measures and operational controls to prevent threat actors from accessing your clients’ environments through your systems. in-SOC’s MSP Protect solution hardens your environment based on the NIST Cybersecurity Framework (CF) and CIS Critical Security Controls (CSCs) to improve your security posture and protect your reputation.
10. Apply the principle of least privilege
Malicious actors often leverage privileged accounts for network-wide ransomware attacks. The principle of least privilege provides users access to only the systems and services they need to perform their duties. It helps contain lateral movements and control damage even if hackers manage to infiltrate one part of an infrastructure.
Audit Active Directory (AD) for excessive privileges on accounts and group memberships and use the Protected User AD group in Windows domains to secure privileged user accounts against pass-the-hash attacks. Also, perform quarterly reviews on user and admin accounts to identify inactive or unauthorized accounts — prioritizing publicly accessible ones for remote monitoring and management.
11. Enforce group policy to restrict PowerShell usage
PowerShell in Microsoft Windows is a cross-platform, command-line, shell, and scripting language. Threat actors may use it to deploy ransomware and obscure their malicious activities. Restrict the use of PowerShell to specific users (e.g. administrators who manage a network or Windows OS) and grant permission on a case-by-case basis using Group Policy.
Update your clients’ Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier ones. Enable module, script block, and transcription logging in all PowerShell instances. These logs contain valuable data, including historical OS and registry interactions, to help you understand a threat actor’s PowerShell tactics, techniques, and procedures when responding to ransomware attacks.
12. Secure Domain Controllers (DCs)
Criminals often use DCs as a staging point to spread ransomware throughout a network. Ensure your clients are using the latest version of Windows Server supported by their organizations. Windows Server 2019 or greater and Windows 10 or greater are recommended because they offer robust built-in security features like Windows Credential Guard, Windows Defender, and Antimalware Scan Interface (AMSI).
Restrict DC access to a limited administrator group and create separate accounts for these members to perform day-to-day operations that don’t require administrative access privileges. Also, configure DC host firewalls to prevent internet access, regularly patch your clients’ DCs, and perform penetration testing to verify domain controller security.
What next?
Using enhanced.io’s flagship SOC as a Service for MSPs & MSSPs package, One Stop SOC, you can access the latest enterprise grade security tools to deliver world class cybersecurity services at an MSP friendly monthly cost. Get in touch to learn more.
You may also be interested in…