Ransomware attacks are a growing threat in our increasingly digital world, impacting businesses, governments, and individuals alike. A recent attack on a major IT vendor in Sweden, for example, crippled services across multiple sectors, including retail, entertainment and the public sector, highlighting the devastating impact of these attacks. This practical guide will equip you with actionable steps to bolster your defences and mitigate the risk of falling victim to ransomware attacks.
5 steps to prevent ransomware attacks
1. Update all operating systems to the latest versions, whether they are Windows, Linux or Mac-based.
Have your IT team roll out an OS patch management service within the next 10 days. This service ensures all systems are patched with the latest updates. The team should prioritise critical patches (rated 9+) and adhere to an SLA requiring these critical vulnerabilities to be fixed within 2 business hours. Make sure your IT team keeps an inventory of the operating systems in use and subscribes to a CVE alert feed.
If you are on Google Cloud, enable Security Command Center; CVE details appear once it has scanned your inventory. Use VM Manager to automate patching for your virtual machines.
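To make the inventory-plus-feed step concrete, here is an added example (not Devoteam's code) that matches a CVE feed against an OS inventory, keeps only entries rated 9 or higher, and computes the 2-business-hour fix deadline. The feed shape, inventory, host names and CVE IDs are all constructed placeholders; a real feed such as NVD JSON needs its own parser that produces the same shape.

```python
from datetime import datetime, timedelta

CRITICAL_THRESHOLD = 9.0   # CVSS rating the guide treats as critical
SLA_BUSINESS_HOURS = 2     # fix window for critical vulnerabilities
# Constructed inventory: host -> (product, version). Real data comes from your CMDB.
INVENTORY = {
    "web-01": ("ubuntu", "22.04"),
    "db-01": ("windows_server", "2019"),
    "build-01": ("debian", "12"),
}

# Constructed feed with placeholder IDs (not real CVEs); a real feed like NVD JSON needs its own parser.
CVE_FEED = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "published": "2024-06-03T16:30:00Z",
     "affects": [("ubuntu", "22.04"), ("debian", "12")]},
    {"id": "CVE-0000-0002", "cvss": 7.5, "published": "2024-06-03T09:00:00Z",
     "affects": [("windows_server", "2019")]},
    {"id": "CVE-0000-0003", "cvss": 9.1, "published": "2024-06-03T09:00:00Z",
     "affects": [("windows_server", "2022")]},
]

def business_deadline(start, hours, open_hour=9, close_hour=17):
    """Add `hours` of business time (Mon-Fri, open_hour..close_hour) to `start`."""
    remaining = timedelta(hours=hours)
    t = start
    while remaining > timedelta(0):
        if t.weekday() >= 5 or t.hour >= close_hour:
            # Outside business time: move to the next day's opening and re-check.
            t = (t + timedelta(days=1)).replace(hour=open_hour, minute=0, second=0, microsecond=0)
            continue
        if t.hour < open_hour:
            t = t.replace(hour=open_hour, minute=0, second=0, microsecond=0)
        close = t.replace(hour=close_hour, minute=0, second=0, microsecond=0)
        step = min(remaining, close - t)
        t += step
        remaining -= step
    return t

def triage(feed, inventory):
    """Return (cve_id, host, deadline) for critical CVEs that hit something in the inventory."""
    findings = []
    for cve in feed:
        if cve["cvss"] < CRITICAL_THRESHOLD:
            continue
        published = datetime.fromisoformat(cve["published"].replace("Z", "+00:00"))
        deadline = business_deadline(published, SLA_BUSINESS_HOURS)
        for host, (product, version) in inventory.items():
            if (product, version) in cve["affects"]:
                findings.append((cve["id"], host, deadline))
    return findings
```

Note that the 7.5-rated entry and the one affecting a version you do not run are dropped, so the on-call engineer only sees work that is actually inside the SLA.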
2. Update all applications to the latest versions.
Use the same method as above for CVE details, but this time identify the software used in your services, such as Apache, Log4j, self-hosted Jira, Magento, Jenkins and WordPress (to name a few). Add-on plugins are a frequent source of vulnerabilities: they are created by third-party developers and can contain security holes that attackers exploit. I have seen this happen to many customers, who were then surprised to learn that support did not cover the attack because it originated from a plugin purchased through the software’s marketplace.
If you can use a managed service, it helps a lot: support is included, and the product provider should push automated updates when zero-day exploits appear.
3. Implement Multi-Factor Authentication and rotate keys and passwords regularly
This is one of the simplest, if time-consuming, things that greatly improve security. Google Authenticator, a YubiKey or passkeys all add a step that external actors have to clear before they can access your systems. Cybersecurity is about defence in depth: multiple layers that attackers have to get through before they give up. Interestingly, this was a strategy in warfare long before computers were invented.
Service account keys, SSH keys, VPN passwords and regular passwords all need to be rotated regularly. If you haven’t rotated them since you set them up (maybe multiple years ago), bite the bullet and do it once as a good start. Then set up a schedule to do it every 1-3 months. I have seen this attack both on-prem and in the cloud more times than I care to count. Even better, go without service account keys altogether where you can, but not all applications support Workload Identity Federation. It is one of the greatest inventions for security, easily a 10X improvement, but it requires additional configuration to work. Make the attacker target Google instead of you (Google can handle it).
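Finding the keys that have quietly aged for years is the first step of the rotation above. The following added example (not Devoteam's code) audits the JSON that `gcloud iam service-accounts keys list --format=json` returns and reports user-managed keys older than the rotation window; the sample JSON, project name, account and key IDs are constructed placeholders, and only the `name`, `keyType` and `validAfterTime` fields are used.

```python
import json
from datetime import datetime

MAX_KEY_AGE_DAYS = 90  # upper end of the 1-3 month rotation schedule in the guide

# Constructed sample in the shape of `gcloud iam service-accounts keys list --format=json`
# (only the fields used here). Project, account and key IDs are placeholders.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/key-old",
   "keyType": "USER_MANAGED", "validAfterTime": "2021-02-10T08:00:00Z"},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/key-new",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-05-20T08:00:00Z"},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/key-sys",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2020-01-01T00:00:00Z"}
]"""

def _parse_time(iso_z):
    """Parse the RFC 3339 'Z' timestamps the API returns into an aware datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))

def stale_keys(keys_json, now_iso, max_age_days=MAX_KEY_AGE_DAYS):
    """Return [(service account, key id, age in days)] for user-managed keys past the window.

    SYSTEM_MANAGED keys are rotated by Google and are skipped; the USER_MANAGED keys
    a human created and downloaded are the ones that silently age for years.
    """
    now = _parse_time(now_iso)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = (now - _parse_time(key["validAfterTime"])).days
        if age > max_age_days:
            account, key_id = key["name"].split("/keys/")
            stale.append((account.rsplit("/", 1)[1], key_id, age))
    return stale

if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible; use datetime.now(timezone.utc) in practice.
    for account, key_id, age in stale_keys(SAMPLE_KEYS_JSON, "2024-06-03T00:00:00Z"):
        print(f"rotate {key_id} on {account}: {age} days old")
```

Run it per project on a schedule and treat any non-empty output as a ticket; a key that is past the window and not referenced by any running workload should simply be deleted rather than rotated.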
4. Use a vulnerability scanner
What you don’t know you can’t fix. There are open-source, paid and cloud-based versions. Start with at least one, and once it is in place, apply the remediations it reports, then evaluate what is best for you in the long term.
5. Take backups and build Golden Images
If your environment has not been compromised before (or is newly built), take backups that are immutable and offsite. There is even a recommendation to make offline backups, which may be necessary for the highest levels of security, but I find that immutable backups on an isolated cloud service are mostly good enough, for example on Google Cloud Storage with object or bucket locks. Test that your restore processes work so that you can get back to a functioning state, and rehearse that every 6 months so that your engineers stay fresh on it. Remember that attackers can also target and destroy your backups, so take this step after you protect and rotate the service account keys.
Ransomware Attacks: VM for Security
If your environment has been compromised, assume the worst, and take the chance to build Golden Images of virtual machines. This means setting up a new VM with all necessary dependencies and patches and making an immutable copy of that VM. Every new rollout will be based on that Golden Image, and your team should make new versions of that Golden Image. This allows you to destroy and recreate infected virtual machines with confidence.
A lot of the security items mentioned above can be time-consuming, which creates a situation where external actors can start to exploit security holes born of laziness. If the team is overstretched delivering new functionality, pay someone to do this instead, but still verify that it is being done to ensure accountability.
By no means does this guarantee a foolproof system, but it will create many more layers than you may have today.
Devoteam helps you secure your business
Partner with Devoteam to find the right solutions to secure your business.