From Our Experts: 14 Tips to Reduce Your Exposure to Ransomware

At XM Cyber, we’re all about reducing your cyber exposures to protect your attack surface.

There are quite obviously loads of methods attackers leverage to make their way inside, but one way that is always top of their list is ransomware. So it comes as no surprise that in 2022, incidence of ransomware attacks surged dramatically. According to Verizon, ransomware attacks grew by 13% in 2022 – more than the combined growth of the previous five years. And it’s no longer just enterprises under attack. Ransomware  attackers have learned that SMEs and SMBs are less protected and more likely to pay up to get back online.

Thing is, not all ransomware attacks are preventable. But in truth, the vast majority truly are. Depending on the source you look at, experts estimate that a whopping 82% to 95% of overall cyberattacks (yes, ransomware among them) resulted from human error – social engineering, configurations errors, and misuse. These are issues which are wholly preventable with the right precautions put in place.

How to Reduce Ransomware Exposure – 14 Expert Tips

Taking action now to minimize the probability of a successful ransomware attack on your organization is not only prudent, it’s imperative. To help crack down on ransomware, we sat down with a bunch of our in-house experts to dig up their best tips on what you should be doing ASAP:

Huge shout out to our very own CISO Dan Anconina, VP Customer Experience Shay Siksik, and Technical Director Tobi Trabing for compiling this massive list of tips.

1. Reduce your exposure – For starters, build an efficient exposure reduction process to ensure that you remediate the most important exploits used by ransomware. Track threat intelligence to ensure you’re up to date with the latest threats and are able to identify and remediate them if they appear in your environment.

2. Secure your backups – Backups are one of the assets most targeted by attackers, because they include not only your data but also your recourse for recovery after a ransomware attack. Consider these your crown jewels and protect them accordingly.

3. Harden internet-facing services – Update Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) services to the latest stable versions, ensure there are no known vulnerabilities, limit the IPs that can access the machines, and allow access via VPN only, if possible.

4. Harden MFA – Multi-factor Authentication (MFA) is not a holy grail. Threat actors can get around MFA authentication using stolen credentials, smartphone spoofing, stealing authenticated session cookies after user logins, and social engineering. Make sure you harden and enforce MFA, if you’re using it. 

5. Sharpen your passwords – Complex passwords are highly secure, no doubt. But they are also nearly impossible to remember – leading to users and admins alike writing them down where they are easily discovered. Instead, use a good passphrase generator that allows users to start with 3-4 words that are inherently memorable, then generate a passphrase that they can actually remember. 

6. Institute least privilege – Least privilege means that each user is given the minimum levels of access or permissions needed to perform his/her job. Seth this up for users who should have access. Best case, instituting least privilege can stop ransomware in its tracks. Worst case, it can dramatically slow or limit an attack’s spread.

7. Raise phishing awareness – More than half of ransomware infections originate with phishing. Phishing is the main cause of Business Email Compromise (BEC) and increasingly sophisticated attack methodologies have led to increasingly lucrative rewards for attackers. Institute a comprehensive anti-phishing training program for employees, including frequent refreshers. 

8. Triple check configurations – Some 70% of compromised digital records are due to misconfigured assets and services. Adopt CCM/CSPM/SSPM tools and methodologies that continuously monitor configurations to ensure that controls are aligned with best practices and standards. Ensure that your protection covers the full environment. For example, compare the list of assets in your EDR to the one in your patch management or CMDB, ensure they all have EDR deployed.

9. Test continuously – Run security tests or penetration testing that are aligned with ransomware operations and implement remediations as part of your threat and exposure management program. Consider moving to a continuous penetration testing model: instead of just one test a year, adopt tools and methodologies that let you test your environment continuously.

10. Ensure proper IT hygiene – A good approach to defeating ransomware infections and its lateral movement is ensuring a good level of IT hygiene. Understanding how an attacker can compromise user or technical accounts and where they can use them is already significant to get insights – and with remediations implemented, they can even overcome them. One quick way to achieve that is by checking the available accounts on your network and machines, reflecting on their access levels and how you are currently authenticating with those accounts.

11. Secure workstations – Make sure to protect each employee workstation using EDR/XDR, DLP and browser security controls. Protect enterprise applications, data, and devices from employee browsing risks, too – but make sure to do so without violating privacy or slowing productivity.

12. Adopt zero trust – Zero trust security protects sensitive data far better than traditional perimeter-based security. This model assumes that there are active threats both inside and outside the network perimeter – and forces on-site and remote users to meet strict authentication and authorization requirements before they can gain access

13. Test security tools and employees – Conduct internal red team exercises, phishing awareness campaigns, and make sure to test both employees and management on a wide array of security playbooks and scenarios.

14. Ensure proper Active Directory hygiene –  AD hygiene is definitely also a must-review topic. If a ransomware family can leverage AD misconfigurations to infect the whole domain, that’s essentially game-over. By understanding the group nesting, group privileges, DACLs, etc., you can get an excellent overview of the potential AD misconfigurations and how they relate to each other.

The Bottom Line – Take a Holistic and Proactive Approach

Reducing your exposure to ransomware requires an all-hands-on-deck approach that touches every corner of your organization. When data is one of your most valuable assets, losing it could mean irreversible damage. By adopting holistic and proactive anti-ransomware practices, organizations can mitigate ransomware threats before they become full-scale attacks.