Emerging Threats

How to reduce the likelihood of a Ransomware attack

· frtg · 3 min read

Drawing on specialised experience in the Cybersecurity sector, we have identified several aspects frequently underestimated that, if addressed and managed correctly, would enable organisations to substantially reduce the risk of ransomware attacks.

1. False belief: “No one is interested in attacking us”

Within organisations there is a widespread but erroneous belief that they are not attractive targets for cyber-criminals; the refrain is often heard: “Who would want to attack us? What would their interest be?”
This mindset leads to a false sense of security about corporate systems.

The majority of cyber attacks are “opportunistic” in nature. Cyber-criminals deploy new malware and exploit vulnerabilities to compromise the widest possible number of information systems, evaluating the actual size and scale of the target organisation only at the moment of ransom demand.

Intervention:

Promote a security culture with a preventive approach, avoiding the need to manage crisis situations that could compromise business operations.

2. Exposed servers

When exposing a service (SSH, SMB, RDP, VPN, etc.) on a public network, it is necessary to ensure that it is always patched and that any associated vulnerabilities are remediated immediately. Running Vulnerability Assessments periodically identifies newly disclosed vulnerabilities affecting those services.
One of the most striking cases of failed security patching relates to the SMBv1 service vulnerability that enabled the WannaCry ransomware to spread across the public network unchecked. Conducting periodic Cybersecurity Advisory assessments is critical to identifying such exposures before they are exploited.

Intervention:

Keep the operating system and exposed services up to date, verifying the result through scheduled Vulnerability Assessment execution. Exposing services on non-standard ports can reduce the server's exposure to mass automated attacks that scan for a specific vulnerability on its default port, although this does not replace patching.
Segment systems and monitor network traffic between what is exposed on the public network and the internal LANs.

3. Mail server security policy

Although the number of vulnerable systems on the public network is enormous, cyber-criminals often prefer to use email as the vector for initial compromise.
This translates into the mass sending of malicious emails targeting organisations worldwide.

Intervention:

Review the security policies applied by the mail system (Office365, Exchange, etc.) to prevent files with potentially suspicious extensions (“.ace”, “.exe”, “.iso”, etc.) from reaching user mailboxes.
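The kind of check such a policy applies, as an added example that is not part of the original post: it parses a constructed inbound message with the Python standard library and flags attachments whose extension is on the blocklist named above (.ace, .exe, .iso), including disguised double extensions such as invoice.pdf.exe. The extra extensions in the blocklist and all sample filenames are assumptions chosen for the example.

```python
"""Attachment-extension policy check for inbound mail (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The post names .ace, .exe and .iso as suspicious; the remaining entries are
# assumed additions a mail administrator would typically block alongside them.
BLOCKED_EXTENSIONS = {"ace", "exe", "iso", "scr", "js", "vbs"}


def blocked_attachments(raw: bytes) -> list[str]:
    """Return the filenames of attachments that violate the extension policy."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Check every suffix after the first dot, case-insensitively, so that
        # "report.pdf.exe" and "REPORT.EXE" are both caught.
        suffixes = {s.lower() for s in name.split(".")[1:]}
        if suffixes & BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: one benign PDF plus two attachments the policy
    should block (a double-extension executable and an ISO image)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.EXE")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="x-iso9660-image", filename="setup.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```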

4. Segmentation

One of the objectives of security practitioners is to prevent a single point of failure from impacting the security of the entire system. For this reason, having a segmented corporate LAN reduces the impact resulting from the compromise of a single system.

Intervention:

Adopt a Zero-Trust approach so that each system's access to the rest of the corporate network is reduced to what it actually requires, while monitoring and managing potential security anomalies. Effective network segmentation, combined with continuous monitoring, significantly constrains lateral movement following an initial compromise and limits the blast radius of ransomware propagation.