Below are the steps we recommend taking to secure your business against a ransomware attack. Ransomware is a specific type of malware that encrypts or locks the files on your computers and demands a ransom for their release.
Recommendations for system administrators
No prevention is absolute, but these steps reduce both the likelihood of a ransomware attack and its severity if one does happen.
- Educate employees about the best practices for how to avoid inadvertently installing malware.
- Disable any remote access to your network unless absolutely necessary. Remote Desktop Protocol (RDP), ScreenConnect, LogMeIn, etc. are all examples of remote access tools.
- If remote access is required, then add multi-factor authentication (MFA, sometimes known as 2FA for “second factor”) to any external connection into your business.
- Disable SMBv1 across the environment. Version 1 of Server Message Block, the Windows file- and printer-sharing protocol, has well-known weaknesses, and attackers frequently target it.
- Disable Windows PowerShell on any endpoint where it is not needed; this command-line tool for system administrators gives an attacker significant control if the machine is compromised.
- Disable Office Macros, since these may contain malicious code. We recommend disabling via Group Policy across your organization.
- If possible, block inbound and outbound foreign connections on any firewall you’re running.
- Review all accounts in Active Directory and disable stale accounts.
- Never re-use passwords between accounts. Use LAPS (Local Administrator Password Solution) from Microsoft to enforce a unique, regularly rotated local administrator password on every machine.
- Follow the principle of least privilege. Limit the access rights of users to ensure users are not administrators on the systems if not necessary.
- Disable legacy (basic) authentication for email services, including POP, IMAP, and remote PowerShell access to the mail system.
- Force all users to change passwords after a successful phishing campaign. (Don't limit changes only to those you know were compromised.)
Note: since nearly all ransomware to date targets Windows environments, some of these recommendations are specific to Windows.
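The following script is an added example, not part of the original advisory, showing how an administrator might audit a Windows endpoint against several of the items above (SMBv1, Office macro policy, local administrator membership, and stale Active Directory accounts). It reports by default and only changes settings when run with -Remediate. It assumes it is run elevated, that the Office Group Policy registry hive is "16.0" (Office 2016 and later), and that the ActiveDirectory RSAT module is installed on the machine used for the stale-account check (that check is skipped otherwise).

```powershell
<#
  Added example (not the advisory's own code): audit a Windows endpoint
  against several of the recommendations above and report findings.
  Nothing is changed unless -Remediate is supplied.
  Assumptions: elevated session; Office 16.0 policy hive; the ActiveDirectory
  module is optional and the stale-account check is skipped without it.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,        # apply fixes instead of only reporting
    [int]$InactiveDays = 90    # threshold for treating an AD user account as stale
)

$findings = @()

# 1. SMBv1: check the server side (file shares) and the optional client feature.
$smbServer = Get-SmbServerConfiguration
if ($smbServer.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
# On Windows Server the feature is removed with: Remove-WindowsFeature FS-SMB1
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 2. Office macros: VBAWarnings 4 = "disable all macros without notification".
#    The value is read from the Group Policy key so a GPO and this check agree.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($value -ne 4) {
        $findings += "$app macro policy is '$value' (expected 4 = all macros disabled)"
        if ($Remediate) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        }
    }
}

# 3. Least privilege: list every user account that is a local administrator
#    so each one can be justified or removed. Reported only, never changed here.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { $findings += "Local Administrators contains user account $($_.Name) (review)" }

# 4. Stale AD accounts: enabled user accounts with no logon for $InactiveDays days.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
             Where-Object { $_.Enabled }
    foreach ($acct in $stale) {
        $findings += "AD account $($acct.SamAccountName) is enabled but inactive for over $InactiveDays days"
        if ($Remediate) { Disable-ADAccount -Identity $acct.SamAccountName }
    }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No findings: the checked controls are in the recommended state.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it first without -Remediate and keep the output as a baseline; re-running after a Group Policy change confirms the policy actually reached the endpoint rather than only existing in the GPO.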
Recommendations about document handling
Criminals focus their attention on more obvious targets, so how you handle sensitive information in documents and email can reduce the impact of ransomware.
- Any document containing sensitive data should be password protected.
- Never share sensitive data documents or passwords through plaintext email.
- Avoid naming documents to announce their sensitive content, such as “All Employee Payroll Details.xlsx”.
- Emails containing sensitive data should not be kept in the mailbox indefinitely.