Back in December 1989, Eddy Willems, an employee at a Belgium based medical insurance company received a floppy disk that forever changed the cybersecurity world as it was known back then. The said disk contained malware that launched the first ever ransomware attack. Since then, ransomware as a threat has come a long way, and continues to plague organisations across the world. As one of the most devastating attacks deployed by cybercriminals, it’s no surprise then, that when Sophos researched the impact, it found that more than one-half of organizations surveyed across 26 countries were hit by ransomware in 2019.
In the Indian scheme of things, 82 per cent of these organisations surveyed admitted to being hit by ransomware, reiterating the heightened need for increased network security to help block the attack.
Below is an overview of what organisations need to know, including understanding how ransomware attacks work and guidelines for configuring firewalls and the network for the best protection possible.
Best practices for firewall and network configuration to defend against ransomware
Ensure the best protection: As a part of this, an organisation’s security solutions must include a modern high-performance, next-gen firewall with IPS, TLS Inspection, zero-day sandboxing, and machine learning ransomware protection.
Lockdown RDP and other services using firewall: A good practice to prevent attackers from entering a network is to ensure remote access to servers and systems is only possible via VPN and ideally using multi-factor authentication or a whitelist of sanctioned IP addresses.
Reduce the surface area of attacks: Thorough and periodic reviews of all port-forwarding rules help to eliminate any non-essential open ports. Each of these open ports represents a potential opening in networks. Where possible, VPN should be used to access resources on the internal network from outside rather than port-forwarding. It is also advisable to secure any open ports by applying suitable IPS protection to the rules governing that traffic.
Enable TLS inspections: TSL inspection, with support for the latest TLS 1.3 standards on web traffic, ensures threats are not entering a network through encrypted traffic flows.
Minimize the risk of lateral movement within the network: A good way to do this, is to segment LANS into smaller, isolated zones or VLANs that are secured and connected by the firewall. When doing so, be sure to apply the recommended IPS policies to rules governing the traffic traversing these LAN segments to prevent exploits, worms, and bots from spreading between LAN segments.
Automatically isolate infected systems: When a ransomware or other attack strikes, it’s important that IT security solutions are able to quickly identify compromised systems and automatically isolate them until they can be cleaned up, to prevent spread to other systems on the network.
Use strong passwords: Last, but not least, strong passwords are critical. Attackers today deploy brute-force hacking tools to enter systems, and hence passwords must be strong enough to withstand their impact. Sophos also recommend setting multi-factor authentication for VPN access, email, and other accounts that contain sensitive information.
Based on research from Sophos’ 2021 Threat Report, attackers are going to continue developing and using ransomware against organizations. The report predicts the gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organizations with multimillion-dollar ransom demands. At the other end of the spectrum, Sophos anticipates an increase in the number of entry level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.