How to Prevent Ransomware

Ransomware is a growing cybersecurity concern for organizations of all sizes across a wide range of industries. Hoping you won’t fall victim to ransomware isn’t enough—you need to be proactive.

This guide will teach you how to prevent ransomware and beef up your cybersecurity protocols.

Step 1: Protect Your Endpoints

Ransomware prevention begins with endpoint security.

Basic antivirus software typically won’t be enough to fight even moderately advanced ransomware attacks. So you need to harden your endpoints with security tools that don’t require a manual response from your IT security team.

Endpoint detection and response (EDR) is the solution. These modern endpoint security tools provide real-time threat intelligence and full visibility for your endpoints. They can be a lifesaver for devices pre-infection, as they defuse threats in real-time automatically—no need for human response.

Check out our guide on the best endpoint security tools to find the best EDR software for your organization.

Step 2: Update Your Software and Systems

Once the EDR solution has been deployed, it’s time to ensure all of your organization’s systems are updated to the latest versions. I’m referring to things like:

  • Software
  • Applications
  • Operating Systems

Basically, anything that can be updated with a new version and security patching needs to happen. Many ransomware attacks exploit outdated systems.

After these initial updates take place, set up a solution to ensure all future updates happen promptly. Some software you can put on auto-update. Other advanced systems might require manual patching.

Step 3: Implement an Intrusion Detection System (IDS)

Next, set up an IDS on your network. This is a bit different from EDR software, which we covered back in the first step.

Intrusion Detection Systems proactively look for malicious activity. This is accomplished by comparing your traffic network logs to signatures.

Many IDS tools use AI to compare and match signatures with safe network traffic compared to malicious traffic. If there’s a red flag in the network traffic, your IDS tool will sound the alarm and alert your organization.

Step 4: Create a Stricter BYOD Policy

A bring your own device (BYOD) policy in the workplace is becoming more common every day. This is especially true for organizations with remote employees and dispersed staff.

But a loose BYOD policy can be the weak link in your fence.

Every organization is different. Some of you might ban personal devices for work-related activity altogether. But if you want your team to use their own smartphones or tablets at work, you can use mobile device management (MDM) software or enterprise mobility management (EMM) tools to implement new policies.

This eliminates unregulated devices from your network, therefore lowering the risk of an attack.

Step 5: Zero Trust Implementation

Zero trust piggybacks off of the stricter BYOD policy. But it’s important to have BYOD rules in place first.

This security model is simple—it assumes that any device or any person attempting to connect to your network is a potential threat.

Trust nobody within the network or outside of the network until their identity has been checked. Security principles like multifactor authentication or network access controls can be used to verify a user’s credentials.

Think of your zero-trust policy like TSA at the airport. Even security guards, airport employees, and other TSA agents must pass through security checkpoints before entering restricted areas.

Step 6: Use Privileged Access Controls

Even if a user or device has been cleared to access the network, it doesn’t mean that they should have access to every file, folder, or device in the organization.

You need an access control system that restricts access by privilege.

This can be set up with RBAC (role-based access control) or user-based permissions.

In simple terms, it just means that not everyone can access everything. Your accounting department doesn’t need access to HR data. HR reps don’t need access to marketing data, and so on.

This type of access control policy is critical for ransomware prevention. If an employee is attacked, the breach will be limited to that user’s access. This also makes it easier to remediate the situation if the ransomware can’t be removed immediately.

Step 7: Block Executables and Malicious JavaScript Files

It’s very common for ransomware to be delivered as an executable file containing an .exe extension. You can use a filtering system to block executables from emails, ensuring your staff doesn’t click something that executes ransomware.

Additionally, some ransomware is delivered as a .zip file with malicious JavaScript.

These files might be disguised with names like readme.txt.js or just readme.txt containing an icon that looks like a text file. Disabling the Windows script host can help with these vulnerabilities.

Step 8: Run Penetration Tests

Once everything is in place, it’s time to run penetration tests.

The purpose of a pen test is to evaluate your IT infrastructure for potential weak points and vulnerabilities. Ask yourself this—if you wanted to deploy a ransomware attack in your organization, how would you do it?

This process forces you to look for weak points in your network and infrastructure.

It should cover everything from endpoints to users, access control, backups, servers, and more. Leave no stone unturned.

By the end of your penetration tests, it’s likely that you’ll find some exploitable areas that need beefed-up security. Once you make the necessary adjustments, continue to run additional pen tests to see if your updated security closed the gaps.

You can read our guide to penetration testing to learn more about how this works.

Common Problems When Preventing Ransomware

Even if you’re following the steps above to prevent ransomware, you may encounter some stumbling blocks during this process. This is normal, and you shouldn’t panic or get discouraged if everything isn’t going according to plan.

I’ve identified the most common pain points related to ransomware prevention below, along with solutions for avoiding them.

Problem 1: Employee Education

You’re only as strong as your weakest link. In terms of cybersecurity, human error is a common cause of hardware or network infection.

Sometimes you’ll encounter employees with malicious intent. They might have a grudge against the organization and do something to intentionally cause damage. But more often than not, it’s usually just a careless mistake that could lead to a ransomware attack.

Basic stuff like clicking a suspicious email link or not changing passwords regularly can lead to much bigger issues. Once the ransomware infects one device in the network, it can quickly spread and create detrimental results.

Cybersecurity training is the solution here.

This must be more involved than the occasional newsletter that mentions ransomware prevention. I’m talking about real training that everyone on your staff needs to complete.

It might seem like a cumbersome process or an expensive initiative. But it’s marginal if you compare it to the cost of a data breach or ransomware attack.

All new employees should go through a ransomware prevention course as part of their training. Then you can retrain your staff once a year or so to keep everything fresh in their minds. Not only will this help prevent them from making careless actions, but it can also give them a playbook for what to do if they encounter ransomware.

Problem 2: Early Detection

No ransomware prevention policy is 100% foolproof. So even if you’re applying all the steps and best practices in this guide, there’s still a chance for hackers to infiltrate your system.

If this happens, detecting the problem ASAP could be the difference between preventing ransomware and a full-blown lockout.

That’s because not all ransomware attacks are immediate. Most attacks come from scripts or executable files that must be downloaded before running. Other times, ransomware is intentionally left dormant until a specific time or date.

For example, the infamous Locker ransomware stayed silent on machines until May 25, 2015, at midnight. Then it “woke up” and started infecting devices where it was installed. Had those files been detected earlier, they could have been removed prior to the attack going live.

Having the right anti-malware software is the simplest solution here.

Modern anti-malware tools make it easy for network admins to monitor suspicious traffic on the network. Many times, these tools can detect ransomware before it even officially executes. With the help of artificial intelligence, behavior monitoring, and machine learning, cybersecurity software can assist with early detection.

It’s also important for you to update your software on a regular basis. This ensures that it can fight the latest and most sophisticated cyber attacks.

Problem 3: Backup Recovery

Backing up your data is an important step in the ransomware prevention process. So if you ever fall victim to ransomware, the cybercriminals don’t have as much leverage.

Sure, they can threaten to leak sensitive data. But if you’re able to access your data from a secure backup, they can’t actually prevent you from accessing your information.

There’s one catch—those backups are useless if they’re not recent and you can’t access them.

Here’s something else to keep in mind. Hackers know that you’re going to back up your files. So modern ransomware is sophisticated enough to scan the network for backup files. This means that ransomware must still be removed from the network, even after you’ve recovered data from a backup.

If the backup is on a server running on the same network as the ransomware attack, you’re going to have problems recovering your files.

That’s why it’s so important to set up automated off-site backups. Depending on your organization, these backups should occur nightly. Some companies may set automatic backups throughout the day.

Cloud backups in an off-site location can typically keep your files safe from ransomware attacks on network devices.

Problem 4: Ransomware Mitigation

You’ve taken all the steps required to prevent ransomware, but you’re still attacked—now what?

Like anything else, you need to have a plan in place for mitigating the solution here. Many organizations panic and feel like they need to pay the ransom immediately.

But paying a ransom doesn’t guarantee that you’ll be able to recover all of your data. So think twice before you make such an important decision.

In most cases, you shouldn’t pay the ransom demanded. The United States DOJ says that ransomware victims should contact a local FBI field office or the Secret Service.

Overall, the US government discourages ransomware payments because it sets the wrong precedent and encourages these types of hacks to continue. With that said, it’s ultimately your decision on whether or not you end up paying the ransom.

Some companies have sensitive data that must be protected at all costs. The inability to access your data is one thing. But if the hacker threatens to leak sensitive information to the public, it could be detrimental to your business.

Organization leaders, stakeholders, and decision-makers should all be on the same page with how ransomware is handled. You should have these conversations now, before an attack occurs, and take a formal vote to decide how you’ll proceed if hackers demand a ransom.

So get this formal decision out of the way early. This way, nobody will panic and everyone will know what to do if you’re ever attacked.

Problem 5: Ransomware Removal

Deciding whether or not to pay a ransom is just one aspect of ransomware mitigation. You’ll also need a procedure in place to remove the ransomware files either before or after the attack is executed.

Ransomware removal is obviously easier said than done. Some attacks are very sophisticated and bypass even the most robust anti-ransomware software.

The first thing you need to do is isolate the infected systems.

Kill the power on the infected device, as well as the other devices on that network. Shut down your systems and pull the plug on your network cable. Shut off the wifi, and do everything you can to isolate the infected device from other computers or storage devices running on the same network.

Now you need to identify the type of malware that’s causing the infection. Based on this information, your IT security team might be able to find a decryption key online if the hacker is using a common ransomware file.

It’s imperative that the files are completely removed before you bring that device back onto your network. Otherwise, the malicious files can continue to spread like wildfire.

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
CIO of GitLab

Incredible companies use Nira