Ransomware attacks still most common and most destructive - ISH Technology

In recent years, hackers locking down entire computer networks, demanding payments to allow users back into their systems, have made ransomware one of the scariest and most expensive cyber attacks.

It is not easy to count cases, because many victims pay the ransom without asking cybersecurity professionals for help or reporting the incident to the authorities. And payment most often does not guarantee that the stolen files will be returned. On average, the chances of recovery after paying the ransom are less than 15%.

Another aggravating factor is the average amount charged to release files in such attacks, which keeps growing. It increased to $84,000 in the last quarter of 2019, more than double what it was in the previous quarter, according to data surveyed by ISH Technology. In December of the same year, it was already at $190,000.

Still, the numbers don't match the true cost of a ransomware attack. Operations at factories and organisations are disrupted so brutally that it is not uncommon, after a data hijacking, for those companies to be shut down.

There is a dramatic escalation in occurrences. Ransomware has evolved into an industry with hundreds of gangs vying for the most lucrative victims on the dark web. When victims don't pay, some groups have adopted the practice of publicly releasing sensitive files to increase pressure and force them to make the transaction.

Avoiding a case of ransomware is not simple. But there are measures any company can take now to make an intrusion more difficult.

Monitor Active Directory changes

Monitoring Active Directory changes, especially after hours and on weekends, is an effective way to catch the signs of an attack before it gets out of hand. In recent ransomware cases, the affected company was not proactively monitoring Active Directory changes, especially changes to group policies. Attackers modify a group policy to create a scheduled task that performs a chosen activity, such as installing a malicious file. In this way, the attacker quickly and easily distributes the attack throughout an environment.
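One way to implement this check, as an added example that is not part of the original article: it flags Group Policy Object modifications recorded outside business hours. It assumes directory service change auditing is enabled and that Security event 5136 records have been exported as dictionaries; the business window, account names, domain and GPO names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

WORK_DAYS = range(0, 5)    # assumed business days: Monday-Friday
WORK_HOURS = range(8, 18)  # assumed business hours: 08:00-17:59 local time
POLICIES = "CN=Policies,CN=System,DC=example,DC=test"  # constructed domain

def ev(when, user, obj_class, dn, attr, event_id=5136):
    """Build one constructed record with the fields of Security event 5136."""
    return {"EventID": event_id, "TimeCreated": when, "SubjectUserName": user,
            "ObjectClass": obj_class, "ObjectDN": dn, "AttributeLDAPDisplayName": attr}

# Constructed sample data; timestamps are assumed to be in site-local time.
SAMPLE_EVENTS = [
    ev("2024-03-12T10:15:00", "gpo-admin", "groupPolicyContainer", "CN={GPO-A}," + POLICIES, "versionNumber"),
    ev("2024-03-13T19:05:00", "gpo-admin", "groupPolicyContainer", "CN={GPO-A}," + POLICIES, "versionNumber"),
    ev("2024-03-13T23:40:00", "helpdesk1", "user", "CN=Sample User,DC=example,DC=test", "description"),
    ev("2024-03-16T02:31:05", "svc-backup", "groupPolicyContainer", "CN={GPO-B}," + POLICIES, "versionNumber"),
    ev("2024-03-16T02:31:09", "svc-backup", "groupPolicyContainer", "CN={GPO-B}," + POLICIES, "gPCMachineExtensionNames"),
]

def is_after_hours(ts):
    """True on weekends and outside the assumed business hours."""
    return ts.weekday() not in WORK_DAYS or ts.hour not in WORK_HOURS

def after_hours_gpo_changes(events):
    """Return one alert per (GPO, account) changed outside business hours."""
    grouped = defaultdict(lambda: {"times": [], "attributes": set()})
    for rec in events:
        # Keep only directory-object modifications that touch a GPO container.
        if rec.get("EventID") != 5136 or rec.get("ObjectClass", "").lower() != "grouppolicycontainer":
            continue
        ts = datetime.fromisoformat(rec["TimeCreated"])
        if not is_after_hours(ts):
            continue
        # A single GPO edit writes several 5136 records; merge them into one alert.
        group = grouped[(rec["ObjectDN"], rec["SubjectUserName"])]
        group["times"].append(ts)
        group["attributes"].add(rec["AttributeLDAPDisplayName"])
    alerts = [{"gpo": dn, "user": user, "first": min(g["times"]), "last": max(g["times"]),
               "attributes": sorted(g["attributes"])}
              for (dn, user), g in grouped.items()]
    return sorted(alerts, key=lambda a: a["first"])

if __name__ == "__main__":
    for alert in after_hours_gpo_changes(SAMPLE_EVENTS):
        print(alert["first"].isoformat(), alert["user"], alert["gpo"], alert["attributes"])
```

Accounts that legitimately edit policies outside the window can be filtered from the returned alerts rather than from the input, so the raw record of the change is still reviewed.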

Isolate workstations

Most organizations allow workstations to communicate with each other. If this communication is limited, a compromised workstation cannot be used by the attacker to break into other workstations.

Separate the network into perimeters and create segmentations, such as perimeters for servers, workstations, web servers and databases, and place firewalls in all these areas. If the company uses cloud services, VPNs are also necessary.

Have a vulnerability management programme

This is different from applying patches. While patching is extremely important, it is not enough. The purpose of patching is to reduce security holes in software applications. However, those holes are not the only gaps you should be concerned about.

Security breaches can be configuration-related. A company may have up-to-date systems, but if the internal systems are operating under insecure protocols, such as NTLMv1, it is a disaster waiting to happen.

An ongoing vulnerability management programme, involving regular checks of external and internal assets, is recommended. In addition, it is important to prioritise remediation based on the severity of the vulnerabilities identified, which may or may not be patch-related. And of course, patch everything that is detected.

Implement multi-factor authentication (MFA)

Having strong passwords is insufficient. One thing many attacked companies have in common is that, at the time of the incident, MFA was not in use. Requiring a second form of authentication helps verify identity, as the second factor is often somewhat more difficult for an attacker to obtain.

Make offline backups

In many incidents, the client's enterprise backup solution was completely deleted by the attackers; however, offline backups in the cloud ensured file recovery.

Of course, these are not the only actions that could serve as additional protection against ransomware. But these are some simple and effective strategies that can be easily implemented and provide some victories in the war against ransomware.

By: Anderson Gontijo
