How to prevent ransomware

Backing up data, regularly updating software, and using a Zero Trust security approach are all ways to prevent ransomware infections from taking down a network.

Learning Objectives

After reading this article you will be able to:

  • Identify the major strategies for stopping ransomware
  • Understand how to prevent a potential ransomware attack
  • Explain the network security models that are best for blocking ransomware infections

How to prevent ransomware

Ransomware is an ever-growing threat — but good security practices, like regular software updates, frequent data backups, and user email security training, can decrease the odds that it will impact an organization.

Ransomware is a type of malicious software, or malware, that locks up files and data and holds them for ransom. It usually does this by encrypting the files and data, and the attacker keeps the encryption key. Ransomware can enter a network in a number of different ways, from malicious emails to vulnerability exploits to piggybacking on other malware infections.

There is no 100% foolproof way to prevent ransomware from entering a network, but taking the steps below can vastly reduce the risk of attack.

Update software regularly

A common way for ransomware to both enter and spread within a network is by exploiting vulnerabilities in outdated software. A "vulnerability" is a software flaw that someone can use for malicious purposes. As vulnerabilities are discovered, software vendors regularly issue fixes for them in the form of software updates. Not updating operating systems and applications regularly is like leaving a house's front door unlocked and allowing burglars to wander right in.

For example, in May 2017, WannaCry ransomware famously used the "EternalBlue" vulnerability to spread to more than 200,000 computers, even though Microsoft had previously issued a patch for the vulnerability.

Ransomware attacks also exploit vulnerabilities to spread within a network once they are already inside. For instance, Maze ransomware scans for vulnerabilities to exploit once it is already on a network, then uses those vulnerabilities to infect as many machines as possible.

To help prevent ransomware, along with many other kinds of attacks, update software as often as possible. This will patch vulnerabilities, essentially re-locking the front door so that criminals (or ransomware attackers) cannot get in.

Use two-factor authentication (2FA)

Many ransomware attacks start with a phishing campaign: the attackers obtain user credentials (username and password), then use those credentials to enter and move within a network. In other cases, ransomware attackers try known default credentials until they find a server or a network that uses those credentials, and thereby gain access. (Maze attacks have used this technique.)

Two-factor authentication (2FA) is a more secure approach to authenticating users. 2FA involves checking an additional factor, such as a hardware token that only the authentic user possesses. This way, even if an attacker manages to steal a username and password combination, they still cannot gain access to the network.

Keep internal email secure

There are a variety of methods that ransomware attacks use to compromise devices and networks, but email is still one of the most used. Many ransomware attacks start with a phishing attack, a spear phishing attack, or a trojan hidden inside a malicious email attachment.

Email security involves two key areas:

  1. Filtering out emails and email attachments from untrusted sources
  2. Training users to avoid clicking links and downloading or opening attachments from potentially dangerous emails
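The first of these areas, filtering by source and attachment type, as an added Python example (not from the original article or any vendor's product). The trusted-domain allowlist, the blocked-extension list and the sample messages are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}                      # assumed allowlist
BLOCKED_EXTENSIONS = {".exe", ".js", ".scr", ".vbs"}   # assumed blocklist


def screen(raw: bytes):
    """Return ("deliver", []) or ("quarantine", [reasons]) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []

    # Source check: compare the sender's domain with the allowlist.
    _, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        reasons.append(f"untrusted sender domain: {domain}")

    # Attachment check: flag file types that should never arrive by email.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment type: {name}")

    return ("quarantine", reasons) if reasons else ("deliver", [])


def build_sample(sender: str, filename: str) -> bytes:
    """Construct a test message with one attachment (sample data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(screen(build_sample("Billing <billing@example.com>", "invoice.pdf")))
    print(screen(build_sample("Billing <billing@unknown-sender.test>", "invoice.exe")))
```

The From header can be forged, so a production gateway would combine a check like this with sender authentication such as SPF, DKIM and DMARC.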

Implement endpoint security

Endpoint security is the process of protecting devices like laptops, desktop computers, tablets, and smartphones from attacks. Endpoint security involves the following:

  • Anti-malware software can detect ransomware on devices, then quarantine infected devices to prevent malware from spreading. Additionally, some ransomware attacks spread via preexisting malware infections — for example, Ryuk ransomware often enters networks through devices that are already infected with TrickBot malware. Anti-malware can help eliminate these infections before they lead to ransomware. (However, anti-malware is of little help once ransomware is activated and has already encrypted files and data.)
  • Application control helps block users from installing fake or attacker-compromised applications that contain ransomware.
  • Hard disk encryption does not help stop ransomware, but it is an important part of endpoint security nonetheless, as it prevents unauthorized parties from stealing data.

Back up files and data

Regularly backing up files and data is a well-known best practice for preparing for a potential ransomware attack. In many cases, an organization can restore its data from a backup instead of paying the ransom to decrypt it or rebuilding all of its IT infrastructure from scratch.

Even though backing up data does not prevent ransomware, it can help an organization recover from a ransomware attack more quickly. However, the backup can be infected as well unless it is partitioned from the rest of the network.

Use a Zero Trust model

Many organizations think of their networks like a castle surrounded by a moat. Defensive measures that guard the network perimeter, such as firewalls and intrusion prevention systems (IPS), keep attackers out — just as a moat kept invading forces out of a castle in the Middle Ages.

However, organizations that take this castle-and-moat approach to security are highly vulnerable to ransomware attacks. The fact is, attackers are regularly able to breach the "moat" through a variety of methods, and once they are inside, they practically have free rein to infect and encrypt the entire network.

A better approach to network security is to assume there are threats both inside and outside the "castle." This philosophy is called Zero Trust.

Zero Trust security models maintain strict access controls and do not trust any person or machine by default, even users and devices inside the network perimeter. Because Zero Trust continuously monitors and regularly re-authenticates both users and devices, it can stop ransomware infections from spreading by revoking network and application access as soon as an infection is detected. Zero Trust also follows a principle of "least privilege" for access control, making it difficult for ransomware to escalate its privileges and gain control over a network.
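The access decisions described above (deny by default, regular re-authentication, revocation when an infection is detected, least privilege), as an added Python example that is not from the original article and is not Cloudflare's code. The role grants, the 15-minute re-authentication window and all names are assumptions.

```python
from dataclasses import dataclass

REAUTH_INTERVAL = 15 * 60  # seconds; assumed re-authentication window

# Least privilege: each role is granted only the applications it needs
# (constructed sample data).
ROLE_GRANTS = {
    "finance": {"invoicing"},
    "engineer": {"git", "ci"},
}


@dataclass
class Session:
    user: str
    role: str
    device_id: str
    last_auth: float  # epoch seconds of the last successful authentication


class PolicyEngine:
    def __init__(self):
        self.quarantined = set()  # devices reported as infected

    def flag_infected(self, device_id):
        """Called when endpoint tooling reports an infection; revokes access at once."""
        self.quarantined.add(device_id)

    def decide(self, session, app, now):
        """Evaluate every request; being inside the perimeter grants nothing."""
        if session.device_id in self.quarantined:
            return "deny: device quarantined"
        if now - session.last_auth > REAUTH_INTERVAL:
            return "deny: re-authentication required"
        if app not in ROLE_GRANTS.get(session.role, set()):
            return "deny: not granted to role"
        return "allow"


def demo():
    engine = PolicyEngine()
    s = Session("alice", "finance", "laptop-17", last_auth=1000.0)
    results = [
        engine.decide(s, "invoicing", now=1100.0),                    # granted app
        engine.decide(s, "git", now=1100.0),                          # outside role
        engine.decide(s, "invoicing", now=1000.0 + REAUTH_INTERVAL + 1),  # stale login
    ]
    engine.flag_infected("laptop-17")
    results.append(engine.decide(s, "invoicing", now=1100.0))        # revoked
    return results
```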

Cloudflare One is a Zero Trust network-as-a-service (NaaS) platform. It combines security and networking services to securely connect remote users, offices, and data centers (a model known as SASE, or secure access service edge).
