Originally posted at Netwrix Blog – “Quick Guide: How to Prevent Ransomware”
Quick Guide: How to Prevent Ransomware
This year, ransomware has been high on the list of the security issues giving CISOs sleepless nights. Although ransomware attacks have been on the rise for some time, this year included an apocalyptic event: WannaCry infecting over 300,000 computers in 99 countries, among them well-known companies and government organizations worldwide, including Renault, LATAM Airlines, Deutsche Bahn, FedEx and the UK’s National Health Service.
There is no silver bullet for preventing ransomware attacks, as cybercriminals are constantly innovating. However, a smart combination of the measures listed below will help you shore up your defenses.
Here’s a quick guide for preventing ransomware attacks:
#1. If You Use Windows, Ensure that Your Version Is Windows 10
One of the reasons that ransomware hit the NHS in the UK so severely is that it was using an obsolete version of Windows that hadn’t been updated since 2014. Organizations that ran Windows 10 were unaffected by WannaCry and Petya. Because defending against malware and viruses is a constant game of cat and mouse, Microsoft provides feature upgrades for Windows 10 twice per year to ensure that users of that OS are protected against the latest attack vectors. Unlike the twice-per-month quality updates, feature upgrades include changes that can protect Windows 10 users against new threats.
Organizations have the option of using the Long-Term Servicing Branch, which receives feature upgrades once every 3 years. Microsoft doesn’t recommend using this servicing branch because it puts Windows users at a greater risk of compromised security.
Windows Defender is built into Windows 10 and the Enterprise E5 SKU includes Windows Defender Advanced Threat Protection, which provides better protection against zero-day exploits by improving detection through behavioral analytics and machine learning.
#2. Don’t Ignore Patches
Because Windows 10 is delivered as software as a service, Microsoft requires devices that are not on the Long-Term Servicing Branch to keep receiving updates; devices that fall behind are excluded from the latest feature upgrades. Windows Update for Business uses the cloud-based Windows Update service to deploy and manage Windows updates, giving organizations some flexibility in deciding when quality updates and feature upgrades are applied, but these updates cannot be deferred indefinitely.
Large organizations need to test updates before deploying them, and that remains a best practice, but applying updates sooner rather than later will help protect your business. IT departments are naturally under a lot of pressure, but they need to find ways to ensure that devices are up to date to protect against the latest threats.
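The following script is an added example, not part of the original post, that turns the first two items of the guide into a read-only audit: it reports the Windows version and feature-upgrade level, how long ago the last update was installed, and whether Windows Defender real-time protection is on. It assumes Windows 10 with PowerShell 5.1 and the built-in Defender module; the 45-day staleness threshold is a constructed value you should adjust to your own patch policy.

```powershell
# Added example (not from the original post): read-only check of OS build,
# update recency and Windows Defender status on a Windows 10 device.
# Run from an elevated PowerShell 5.1 session; nothing is changed.

function Get-RansomwareReadiness {
    [CmdletBinding()]
    param(
        # Constructed threshold: flag devices with no update installed in this many days
        [int]$MaxDaysSinceUpdate = 45
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isWin10 = [version]$os.Version -ge [version]'10.0'

    # ReleaseId (for example 1703) identifies which feature upgrade is installed
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
        -Name ReleaseId -ErrorAction SilentlyContinue).ReleaseId

    # Get-HotFix lists installed updates; InstalledOn is empty for some packages, so filter those out
    $lastUpdate = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSince = if ($lastUpdate) {
        (New-TimeSpan -Start $lastUpdate.InstalledOn -End (Get-Date)).Days
    } else { $null }

    # Defender status; the cmdlet is absent or empty where a third-party AV has replaced Defender
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $os.Version
        ReleaseId           = $releaseId
        IsWindows10         = $isWin10
        LastUpdate          = if ($lastUpdate) { $lastUpdate.HotFixID } else { 'none found' }
        DaysSinceLastUpdate = $daysSince
        UpdatesStale        = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceUpdate)
        RealTimeProtection  = if ($defender) { $defender.RealTimeProtectionEnabled } else { 'Defender not reporting' }
        SignatureAgeDays    = if ($defender) { $defender.AntivirusSignatureAge } else { $null }
    }
}

Get-RansomwareReadiness | Format-List
```

Run it through your remote-management tooling (for example `Invoke-Command` against a list of computers) to get one row per device; `UpdatesStale` and `IsWindows10` are the two columns to sort on when deciding where to spend patching effort first.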
#3. Set Up Application Control
PowerShell has become a favorite way for hackers to compromise Windows, so you should ensure that only trusted scripts can run in it. ConstrainedLanguage mode severely restricts what PowerShell can do with code that is not signed and trusted by Windows. Enabling the AppLocker script rules is the only supported way of putting PowerShell into ConstrainedLanguage mode.
Another favorite way for hackers to compromise Windows is by using Visual Basic for Applications code. If your users have Microsoft Office, consider restricting their ability to run macros. You can do this by configuring the Group Policy settings in the Office Trust Center to block macros on most devices.
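As an added example, not from the original post, the script below checks the three application-control items just described on a single device: whether the current PowerShell session is in ConstrainedLanguage mode, whether AppLocker script rules are present and enforced (which also requires the Application Identity service to be running), and whether the Office macro policy is set. It assumes Office 2016/Office 365, whose policy keys live under version `16.0`; the `VBAWarnings` meanings in the comments follow the Office Trust Center policy values (1 enables all macros, 2 disables with notification, 3 allows only digitally signed macros, 4 disables all without notification).

```powershell
# Added example (not from the original post): read-only audit of PowerShell
# language mode, AppLocker script rules and the Office macro policy.

function Test-ApplicationControl {
    [CmdletBinding()]
    param(
        # Office 2016 / Office 365 policies live under 16.0; change for other versions
        [string]$OfficeVersion = '16.0'
    )

    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Language mode of this session: AppLocker script rules should yield ConstrainedLanguage
    $mode = $ExecutionContext.SessionState.LanguageMode
    $results.Add([pscustomobject]@{
        Check = 'PowerShell language mode'
        Value = $mode
        Pass  = $mode -eq 'ConstrainedLanguage'
    })

    # 2. AppLocker enforces nothing unless the Application Identity service is running
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Check = 'Application Identity service'
        Value = if ($appId) { $appId.Status } else { 'not installed' }
        Pass  = [bool]($appId -and $appId.Status -eq 'Running')
    })

    # 3. The effective AppLocker policy must contain an enforced Script rule collection
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $script = if ($policy) {
        $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' }
    }
    $results.Add([pscustomobject]@{
        Check = 'AppLocker script rules'
        Value = if ($script) { "$($script.EnforcementMode), $($script.Count) rule(s)" } else { 'no script collection' }
        Pass  = [bool]($script -and $script.EnforcementMode -eq 'Enabled' -and $script.Count -gt 0)
    })

    # 4. Office macro policy written by the Trust Center Group Policy setting:
    #    VBAWarnings 4 = disable all without notification, 3 = signed macros only;
    #    1 and 2 still let the user run unsigned macros
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $results.Add([pscustomobject]@{
            Check = "$app VBAWarnings policy"
            Value = if ($null -ne $vba) { $vba } else { 'not set (user can choose)' }
            Pass  = [bool]($vba -in 3, 4)
        })
    }

    return $results
}

Test-ApplicationControl | Format-Table -AutoSize
```

A device that passes the first check but fails the third usually means the session inherited ConstrainedLanguage from an environment variable rather than from AppLocker, which is not the supported configuration the post refers to; a failing fourth check on a managed device means the Group Policy has not applied or targets a different Office version.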
#4. Follow Security Best Practices
Many organizations fail to follow basic security best practices. Microsoft publishes its recommended security baseline settings for Windows as a part of its Security Compliance Toolkit. Rather than decide how hundreds of individual settings should be configured, you can let Microsoft do the job for you.
The baseline settings that were published before WannaCry disabled Server Message Block v1, the legacy protocol (i.e., one that is no longer updated) that WannaCry exploited to remotely infect Windows machines, allowing the ransomware to propagate quickly. If organizations had taken the measures described above, many of them would have avoided the WannaCry disaster.
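The script below is an added example, not part of the original post, for the SMBv1 setting the baseline covers. It reports whether the SMB server still accepts SMBv1 and whether the SMBv1 optional feature (which installs the client driver) is present, and disables both only when `-Remediate` is passed. It assumes Windows 8.1/Windows 10 or Server 2012 R2 or later, an elevated session, and that no legacy device in your environment still depends on SMBv1; on Windows Server the client component is a role feature (`FS-SMB1`) rather than the optional feature checked here.

```powershell
# Added example (not from the original post): check, and optionally disable,
# SMBv1 on the server and client side. Removing the feature needs a reboot.

function Test-Smb1Disabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    # Server side: if this is $true, the SMB server still negotiates SMBv1 with clients
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Client/OS side: the optional feature installs the SMBv1 driver and client support
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureOn = [bool]($feature -and $feature.State -eq 'Enabled')

    if ($Remediate) {
        if ($serverSmb1 -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $serverSmb1 = $false
        }
        if ($featureOn -and $PSCmdlet.ShouldProcess('SMB1Protocol optional feature', 'Remove')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            $featureOn = $false
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ServerSmb1Enabled  = $serverSmb1
        Smb1FeatureEnabled = $featureOn
        Compliant          = -not ($serverSmb1 -or $featureOn)
    }
}

Test-Smb1Disabled                          # report only
# Test-Smb1Disabled -Remediate -WhatIf     # preview the change, then drop -WhatIf to apply
```

Because the function supports `-WhatIf`, you can run the remediation in preview mode across a fleet first and look for machines where it would change anything; those are the ones to check for printers, NAS boxes or scanners that still speak only SMBv1 before the Group Policy baseline enforces the setting.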
It is also important to follow privileged account management best practices. Removing users’ administrative privileges, restricting the use of domain admin accounts to domain controllers, and making sure that local administrator accounts have unique passwords on each device can protect against pass-the-hash and token attacks. Credential Guard in Windows 10 Enterprise provides extra protection for domain accounts by isolating credentials with the help of hardware virtualization.
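To turn the last two points into something you can measure, the following added example (not from the original post) lists every member of the local Administrators group that is not on an allow-list and reports whether Credential Guard is actually running. It assumes Windows 10 1607 or later for the `LocalAccounts` cmdlets and reads Credential Guard state from the `Win32_DeviceGuard` class, where the value `1` in `SecurityServicesRunning` denotes Credential Guard. The allow-list is a constructed default; replace it with the principals your build standard permits.

```powershell
# Added example (not from the original post): read-only check of local
# Administrators membership and Credential Guard status on Windows 10.

function Test-PrivilegedAccountHygiene {
    [CmdletBinding()]
    param(
        # Constructed allow-list of account names (without the domain or computer prefix)
        # that are expected in the local Administrators group
        [string[]]$AllowedAdmins = @('Administrator', 'Domain Admins')
    )

    # Every member of local Administrators, users and groups alike
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue

    # Strip "DOMAIN\" or "COMPUTER\" and compare the bare name against the allow-list
    $unexpected = foreach ($m in $members) {
        $bare = ($m.Name -split '\\')[-1]
        if ($bare -notin $AllowedAdmins) {
            [pscustomobject]@{ Name = $m.Name; Type = $m.ObjectClass; Source = $m.PrincipalSource }
        }
    }

    # Credential Guard reports through Win32_DeviceGuard; 1 = Credential Guard running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        LocalAdminCount        = @($members).Count
        UnexpectedLocalAdmins  = @($unexpected)
        CredentialGuardRunning = $cgRunning
        Pass                   = (@($unexpected).Count -eq 0) -and $cgRunning
    }
}

$report = Test-PrivilegedAccountHygiene
$report | Format-List
$report.UnexpectedLocalAdmins | Format-Table -AutoSize
```

Anything that shows up in `UnexpectedLocalAdmins` is a candidate for removal under the "remove users' administrative privileges" rule, and a domain group other than the one you expect appearing there is the typical sign that domain admin accounts are being used on workstations. The unique-password requirement for the built-in local administrator cannot be verified from inside one machine; it is a fleet-wide property that your password management solution has to guarantee.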