5 Key Ransomware Controls

by Brian Petzold | May 25, 2018

A year after the WannaCry outbreak, ransomware continues to be a major threat for financial institutions. Most now regularly train employees not to click on suspicious links, but what else should institutions be considering? This week, the Friday 5 looks at five key controls that protect against ransomware:

  1. Remove local administrator rights. Some ransomware needs local administrator rights to run at all, and most of the rest will still encrypt whatever files the infected user can write to. Administrator rights are what turn that into a network-wide incident: they let the malware disable or uninstall security software, delete the Volume Shadow Copies that would otherwise allow a quick rollback, dump cached credentials, and use those credentials to spread to other systems. Removing administrator rights from all workstation users, and giving IT staff separate accounts for administrative work, is an important step towards minimizing ransomware risk.

  2. Keep patching. Many ransomware attacks, including WannaCry, take advantage of known vulnerabilities to gain a foothold and spread across a network. WannaCry spread through an SMBv1 flaw that Microsoft had patched in MS17-010 two months before the outbreak; the machines that were hit were the ones that had not applied it. Ransomware risk can be significantly reduced simply by maintaining an aggressive patching regimen, starting with services that listen on the network.

  3. Consider whitelisting. There are several methods of ensuring that only authorized applications can run on a workstation. AppLocker is an application-control feature built into the Enterprise editions of Windows 7 and Windows 10 (and into Windows Server since 2008 R2), and several third parties offer comparable products. Most ransomware arrives as an executable or script dropped into a location the user can write to, such as %TEMP%, %APPDATA% or the Downloads folder, so a policy that only allows programs to run from the Windows and Program Files directories stops most of it from executing. These technologies do require time to manage: start in audit-only mode, review what would have been blocked, and only then enforce. That time may well be worth it if it helps avoid a ransomware attack.

  4. Backups and file versioning. For organizations that do experience a ransomware attack, having a way to easily revert to pre-infection file versions can limit the impact of the attack. A backup solution can do this, but it is important to ensure that the backups themselves are not reachable by the attacker: a backup on a mapped drive or on a network share the infected user can write to will be encrypted along with everything else, so keep at least one copy offline or in storage that workstation credentials cannot modify. Another strategy some use is to store files on cloud-based storage platforms such as OneDrive that retain historical file versions. When designing a historical file retention policy, make sure historical versions are kept long enough to allow recovery if the ransomware is not immediately identified, and test a restore before it is needed.

  5. Block remote services at the firewall. A newer trend among ransomware attackers is to look for servers that accept Remote Desktop Protocol (RDP) connections directly from the Internet. Once such a server is found, the attackers break in, typically by guessing weak passwords, using stolen credentials, or exploiting a known vulnerability on the exposed server, and then use it as a staging point to launch the ransomware against internal systems. The City of Atlanta was recently crippled for weeks by this type of attack. Eliminating all use of RDP and other remote administration services from the Internet, and putting any remaining remote access behind a VPN, denies these attackers their initial foothold.
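Control 1 in practice, as an added example that is not code from the original post: a PowerShell script that audits the local Administrators group on a Windows 10 workstation and removes every member that is not on an approved list. The domain group name `CORP\Workstation Admins` is an assumption standing in for whatever group your institution actually uses for workstation administration.

```powershell
# Added example, not code from the original post. Audits the local
# Administrators group on a Windows 10 workstation and removes every member
# that is not on an approved list. Needs PowerShell 5.1 or later (the
# Microsoft.PowerShell.LocalAccounts module) and an elevated session.
function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Members allowed to keep local admin rights. The domain group name is an
        # assumption; replace it with the group your organization actually uses.
        # The built-in Administrator account is kept as the break-glass account.
        [string[]]$Approved = @('CORP\Workstation Admins', "$env:COMPUTERNAME\Administrator")
    )

    $members = Get-LocalGroupMember -Group 'Administrators'
    $removed = New-Object System.Collections.Generic.List[string]
    $kept    = New-Object System.Collections.Generic.List[string]

    foreach ($m in $members) {
        # Name is in DOMAIN\account or COMPUTERNAME\account form
        if ($Approved -contains $m.Name) {
            $kept.Add($m.Name)
            continue
        }
        # ShouldProcess honours -WhatIf and -Confirm, so the script can be
        # dry-run across the fleet before anything is changed
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            $removed.Add($m.Name)
        }
    }

    # Return a record of what was kept and what was removed for central logging
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Kept     = $kept.ToArray()
        Removed  = $removed.ToArray()
    }
}

# Dry run first, then apply and keep a record of what changed
Remove-UnapprovedLocalAdmins -WhatIf
Remove-UnapprovedLocalAdmins | ConvertTo-Json
```

A removed membership takes effect at the user's next logon, so pair the script with a forced sign-out or run it during maintenance windows. Deploy it through Group Policy, a scheduled task or your endpoint management tool and collect the JSON output so that any machine where rights have crept back is visible.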
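Control 3 in practice, as an added example that is not code from the original post: building an AppLocker policy from the software already installed in the directories standard users cannot write to, deploying it in audit-only mode, and checking how it would treat the contents of the Downloads folder. The policy file location under `%ProgramData%` is an assumption; everything else uses the cmdlets of the AppLocker module that ships with Windows 10 Enterprise.

```powershell
# Added example, not code from the original post. Builds an AppLocker policy
# from the software already installed in the directories standard users cannot
# write to, deploys it in audit-only mode and shows how it would treat files in
# the user's Downloads folder. Run elevated on Windows 10 Enterprise.
Import-Module AppLocker

# 1. AppLocker only works while the Application Identity service is running.
#    sc.exe is used because Set-Service cannot reconfigure this protected
#    service on current Windows 10 builds.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# 2. Inventory executables, scripts and installers in the trusted directories.
#    Droppers normally land in %TEMP%, %APPDATA% or Downloads, so nothing
#    there will be covered by the generated rules. DLL rules are left out;
#    they are expensive to evaluate and rarely needed against ransomware.
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 3. Publisher rules survive updates of signed software; hash rules cover
#    unsigned binaries but break whenever the file changes. -Optimize merges
#    rules that share a publisher.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix Baseline -Optimize -Xml

# 4. Start in AuditOnly: nothing is blocked, but every file that would have
#    been blocked is logged as event 8003 (EXE and DLL log) or 8006 (MSI and
#    Script log). Only switch to Enabled after those logs have been clean long
#    enough to trust the rule set, and add the default rules first (secpol.msc,
#    Application Control Policies) so Windows itself can never be locked out.
$xml = [xml]$policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $env:ProgramData 'AppLocker-Baseline.xml'   # location is an assumption
$xml.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Ask the policy how it would treat what is sitting in Downloads right now.
#    Anything no rule matches comes back as DeniedByDefault.
$samples = @(Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -File -ErrorAction SilentlyContinue |
             ForEach-Object FullName)
if ($samples.Count -gt 0) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 6. Review audit hits while the policy runs in AuditOnly
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message -First 20
```

Running the inventory against all of `C:\Windows` takes a while; in a real deployment the resulting XML is reviewed once and distributed through Group Policy rather than regenerated on each machine. The 8003 events are the key output of the audit phase: each one is either a legitimate application that needs a rule or a program that should never have been running in the first place.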
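Control 5 in practice, as an added example that is not code from the original post: host-side checks and hardening that back up the perimeter block on RDP. The perimeter firewall change itself is vendor specific and is not shown. The management subnet `10.20.0.0/24` and the public address `203.0.113.10` are assumptions.

```powershell
# Added example, not code from the original post. Host-side checks and
# hardening that back up a perimeter block on RDP: the perimeter firewall
# change itself is vendor specific and is not shown. Run elevated. The
# management subnet and the external address are assumptions.
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # Report how RDP is configured on this host and from where the host
    # firewall currently accepts it
    $ts    = Get-ItemProperty -Path $tsKey
    $tcp   = Get-ItemProperty -Path $rdpTcpKey
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($tcp.UserAuthentication -eq 1)
        Port        = $tcp.PortNumber
        Listening   = [bool](Get-NetTCPConnection -State Listen -LocalPort $tcp.PortNumber -ErrorAction SilentlyContinue)
        # 'Any' here is what an Internet-facing server looks like from the host side
        AllowedFrom = @($rules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique)
    }
}

function Set-RdpHardening {
    param(
        # Only hosts on this network may open RDP sessions (assumed range)
        [string[]]$ManagementNets = @('10.20.0.0/24'),
        # Set for workstations and servers that never need remote desktop
        [switch]$DisableRdp
    )
    if ($DisableRdp) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        return
    }
    # Require Network Level Authentication so the client must authenticate
    # before a session (and the logon screen) is created
    Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1
    # Narrow the built-in Remote Desktop rules to the management subnet and
    # drop them from the Public profile, so a perimeter mistake alone does
    # not expose the listener
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementNets -Profile Domain, Private
}

Get-RdpExposure
Set-RdpHardening
Get-RdpExposure

# From a host *outside* the network, confirm the perimeter block took effect
# (203.0.113.10 stands in for the institution's public address):
# Test-NetConnection -ComputerName 203.0.113.10 -Port 3389
# TcpTestSucceeded should be False.
```

The second `Get-RdpExposure` call should show `NlaRequired` as True and `AllowedFrom` as only the management subnet. The external `Test-NetConnection` check is the one that actually verifies the control in the article: run it from a system that is not on the institution's network, against every public address the institution owns, and repeat it after any firewall change.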

Bedel Security can help your institution ensure it has the right controls in place to protect itself from ransomware and other attacks. Please reach out to us at support@bedelsecurity.com to learn more!
