Backing up data, regularly updating software, and using a Zero Trust security approach are all ways to prevent ransomware infections from taking down a network.
Ransomware is an ever-growing threat — but good security practices, like regular software updates, frequent data backups, and user email security training, can decrease the odds that it will impact an organization.
Ransomware is a type of malicious software, or malware, that locks up files and data and holds them for ransom. It usually does this by encrypting the files and data, and the attacker keeps the encryption key. Ransomware can enter a network in a number of different ways, from malicious emails to vulnerability exploits to piggybacking on other malware infections.
There is no 100% foolproof way to prevent ransomware from entering a network, but taking the steps below can vastly reduce the risk of attack.
A common way for ransomware to both enter and spread within a network is by exploiting vulnerabilities in outdated software. A "vulnerability" is a software flaw that someone can use for malicious purposes. As vulnerabilities are discovered, software vendors regularly issue fixes for them in the form of software updates. Not updating operating systems and applications regularly is like leaving a house's front door unlocked and allowing burglars to wander right in.
For example, in May 2017, WannaCry ransomware famously used the "EternalBlue" vulnerability to spread to more than 200,000 computers, even though Microsoft had previously issued a patch for the vulnerability.
Ransomware attacks also exploit vulnerabilities to spread within a network once they are already inside. For instance, Maze ransomware scans for vulnerabilities to exploit once it is already on a network, then uses those vulnerabilities to infect as many machines as possible.
To help prevent ransomware, along with many other kinds of attacks, update software as often as possible. This will patch vulnerabilities, essentially re-locking the front door so that criminals (or ransomware attackers) cannot get in.
Many ransomware attacks start with a phishing campaign that obtains user credentials (username and password); the attackers then use those credentials to enter and move within a network. In other cases, ransomware attackers try known default credentials until they find a server or a network that still uses them and thereby gain access. (Maze attacks have used this technique.)
Two-factor authentication (2FA) is a more secure approach to authenticating users. 2FA involves checking an additional factor, such as a hardware token that only the authentic user possesses. This way, even if an attacker manages to steal a username and password combination, they still cannot gain access to the network.
There are a variety of methods that ransomware attacks use to compromise devices and networks, but email is still one of the most common. Many ransomware attacks start with a phishing attack, a spear phishing attack, or a trojan hidden inside a malicious email attachment.
Email security involves two key areas:
Endpoint security is the process of protecting devices like laptops, desktop computers, tablets, and smartphones from attacks. Endpoint security involves the following:
Regularly backing up files and data is a well-known best practice for preparing for a potential ransomware attack. In many cases, an organization can restore its data from a backup instead of paying the ransom to decrypt it or rebuilding all of its IT infrastructure from scratch.
Even though backing up data does not prevent ransomware, it can help an organization recover from a ransomware attack more quickly. However, the backup can be infected as well unless it is kept isolated from the rest of the network.
Many organizations think of their networks like a castle surrounded by a moat. Defensive measures that guard the network perimeter, such as firewalls and intrusion prevention systems (IPS), keep attackers out — just as a moat kept invading forces out of a castle in the Middle Ages.
However, organizations that take this castle-and-moat approach to security are highly vulnerable to ransomware attacks. The fact is, attackers are regularly able to breach the "moat" through a variety of methods, and once they are inside, they practically have free rein to infect and encrypt the entire network.
A better approach to network security is to assume there are threats both inside and outside the "castle." This philosophy is called Zero Trust.
Zero Trust security models maintain strict access controls and do not trust any person or machine by default, even users and devices inside the network perimeter. Because Zero Trust continuously monitors and regularly re-authenticates both users and devices, it can stop ransomware infections from spreading by revoking network and application access as soon as an infection is detected. Zero Trust also follows a principle of "least privilege" for access control, making it difficult for ransomware to escalate its privileges and gain control over a network.
Cloudflare One is a Zero Trust network-as-a-service (NaaS) platform. It combines security and networking services to securely connect remote users, offices, and data centers (a model known as SASE, or secure access service edge).