How to prevent a ransomware attack from happening again?

For Anti-Ransomware Day, we decided to publish a few tips that will help your company avoid falling victim to ransomware a second time.

How to avoid becoming a ransomware victim a second time

Over the past few years, cybercriminals have attacked small companies, giant factories, cities and even entire countries with ransomware. Attacks of this kind almost always result in significant losses, both financial and reputational, so there is a great temptation to throw all available resources into eliminating the consequences. But it is important not to lose sight of another issue: how to prevent a recurrence of the incident.

Why are you most likely to be attacked by ransomware a second time?

In the past, ransomware authors themselves attacked companies by sending their Trojans via spam. Modern groups have long been working on the Ransomware-as-a-Service principle: they provide access to the infrastructure and malware code in exchange for a share of the ransom. More generally, the “encryption business” is rapidly turning into a full-fledged industry in which each participant has their own specialization. In particular, there are criminal groups that find (or create) and sell initial access to company networks, the so-called initial access brokers.

If news outlets or hacker forums report that your organization became a victim of ransomware, this will automatically attract the attention of other attackers, especially if you agreed to pay the ransom. This is because, firstly, it means that your infrastructure is vulnerable and, secondly, that you negotiate with attackers. For today’s criminals, this is a clear sign that it is worth repeating an attack on your company. And as the results of the “How business executives perceive ransomware threats” survey conducted by our colleagues show, they are not far from the truth: 88% of executives from companies that have been affected by ransomware say they are ready to pay if the attack repeats.

How to minimize the chances of another ransomware attack?

The question of how to prevent a recurrence should be asked even during the investigation and remediation, starting with the decision on whether to pay the ransom. In the short term, paying the ransom may seem like a viable solution to the problem. However, before transferring any money, you need to consider the following:

  1. Paying the ransom does not guarantee the safety of your information: it is already in the wrong hands.
  2. Even if the attackers do not publish it immediately, there is no guarantee that it will not be secretly sold or used by criminals for other attacks.
  3. By paying criminals, you finance their business, which inevitably leads to more attacks and their further expansion.
  4. By paying, you send a clear signal that you can be attacked again.

Therefore, we strongly recommend not paying. Beyond that, our advice for those who do not want a repeat ransomware attack is fairly standard:

  • Investigate exactly how you were attacked. This will not only help prevent a recurrence of the same attack scenario, but will also allow you to choose the right next steps. If you don’t have the resources to investigate on your own, engage external experts.
  • After you have confirmed that there are no intruders left in your infrastructure, take the time to check the versions of critical systems (OS, remote access tools, security solutions), update them where needed and, if necessary, replace some of them with more reliable ones.
  • Conduct a thorough vulnerability assessment of your infrastructure. After a successful attack, attackers are likely to start looking for alternative ways in.
  • If attackers were able to get to your systems using social engineering, pay more attention to training personnel in the basics of cybersecurity.
  • If remote access tools and leaked passwords were used in the attack, insist on changing all passwords used on the affected systems.
  • Ensure that all corporate devices that have Internet access (including servers and mobile phones) are protected with trusted solutions.