The recent cyberattacks from Russia, China, and North Korea have had one thing in common: they all used a cyber-weapon called EternalBlue, created by the National Security Agency of the United States. The ransomware WannaCry used this exploit to cost businesses and local governments billions of dollars on the 12th of May in 2017. A month later, a similar ransomware attack named NotPetya was released into the wild, infecting as many unpatched computers as possible. Since then, this exploit has been used by Russian troll groups to hack hotel Wi-Fi in the 2016 US election and by Iranian groups to target airlines in the Middle East. With state-backed cyberattacks becoming the new normal, no small business and local government IT network is safe from malware anymore.
If you are unaware, ransomware is a form of malware that gains access to a system and locks data unless a ransom is paid for a decryption key. The payment is usually demanded in the form of cryptocurrency or prepaid credit cards, making it extremely difficult to follow the money trail. According to a report by Sophos, the average cost of recovering from a ransomware attack in 2021 reached nearly $2 million, double that of last year’s average cost. Out of all the businesses that paid the ransom amount, only 8% received their data back.

One reason ransomware is so popular is that it provides criminals with an easy, linear path to getting paid when compared to identity theft or other forms of cybercrime. Another reason is that the victims are usually eager to pay the ransom to regain access to their files and recover their business losses. Businesses that have been successfully targeted by ransomware are reluctant to report the crime for fear of angering stakeholders and risking a plummeting stock price.
Since there is no way to completely secure your system against attacks, the National Cybersecurity Center of the United States recommends following a defense-in-depth method. This approach requires several layers of security around your valuable data, allowing you to detect and prevent malware attacks in their initial stages, before any real damage is done. Foremost in any defense strategy is the assumption that a malware attack is going to happen and it’s only a matter of when.
The good news is that, in trying to protect yourself against ransomware attacks, you deter all other forms of cybercrime as well. Like any good defense, it begins with a solid base. Taking the proper basic steps lays the groundwork for the rest of your cybersecurity structure.
Ransomware Defense Strategies
1. Secure and Up-to-Date Backups
Sticking to an effective data backup strategy is the single most effective way to reduce the damage from ransomware attacks. The most important files for your organization must be backed up regularly. It’s also a good practice to check whether you can restore your files from the backup at any given point.
- Creating offline backups that are preferably also kept off-site is an excellent way to safeguard important company data from ransomware attacks. These attacks actively seek out backups and destroy them to obtain a ransom.
- Store multiple copies of your files and save them using different methods. It is a bad idea to have two copies of a file on the same storage device or the same cloud service.
- Storage devices must not be always connected to your network. Attackers will try to actively look for these devices once they are inside your network, to disable them.
- Your cloud storage solution must be able to save and restore files from a previous point in time. For example, Dropbox Rewind is a feature on the popular cloud storage service that allows you to restore files from any previous versions stored.
- Before starting any recovery process, make sure that the devices being used are clean and malware-free.
- Regularly scan and update products that you use for storage. If they have any known vulnerabilities, attackers can easily gain access to them.
- Use Privileged Access Workstations and firewalls to protect storage devices and to control who can access them within your organization. It is better to remove the need for a lot of people to directly access valuable data systems.
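A restore check of the kind the list above calls for, added here as an example and not taken from the article: it hashes the live data, confirms that every backup copy is byte-identical, and flags two copies that sit on the same storage device. All directory and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def verify_copy(live: Path, backup: Path) -> list:
    """Relative paths that are missing from, or differ in, the backup copy."""
    wanted, found = manifest(live), manifest(backup)
    return sorted(rel for rel, digest in wanted.items() if found.get(rel) != digest)


def same_device_pairs(copies: list) -> list:
    """Pairs of copies kept on the same storage device (identical st_dev)."""
    devs = [(c, os.stat(c).st_dev) for c in copies]
    return [(a.name, b.name) for i, (a, da) in enumerate(devs)
            for b, db in devs[i + 1:] if da == db]


def restore_report(live: Path, copies: list) -> dict:
    """Per-copy list of bad files plus same-device warnings; all empty means healthy."""
    return {"bad_files": {c.name: verify_copy(live, c) for c in copies},
            "same_device": same_device_pairs(copies)}


def demo() -> dict:
    """Constructed sample: one live tree, two copies, one of them silently corrupted."""
    base = Path(tempfile.mkdtemp(prefix="restore-check-"))
    for d in ("live", "copyA", "copyB"):
        (base / d).mkdir()
        (base / d / "ledger.csv").write_text("id,amount\n1,100\n")
    # copyB was overwritten after an attacker reached it; a restore from it would fail.
    (base / "copyB" / "ledger.csv").write_text("ENCRYPTED")
    return restore_report(base / "live", [base / "copyA", base / "copyB"])


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against the real backup targets and treat any non-empty list in the report as an incident, not a warning.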
2. Prevent the Delivery and Spread of Malware
Network service applications can prevent malware attacks by filtering files and emails, preventing users from accessing dangerous sites, and using digital signatures to recognize good and bad files. Examples of such services include:
- Mail filtering and spam filtering to remove malicious and executable files from company emails.
- Intercepting proxies that can block known malicious sites.
- Internet Security Gateways that provide advanced network protection and inspect web requests against company policies.
With the increasing use of remote access devices, more and more businesses are left vulnerable if these devices and networks are not properly secured. To prevent malware attacks through Remote Desktop Protocol (RDP), companies should:
- Disable RDP if it is no longer needed or necessary.
- Enable Multi-Factor Authentication for all remote devices.
- For remote access to Software-as-a-Service applications, using a VPN is recommended.
- Known vulnerabilities in remote devices and networks must be patched immediately.
Lateral Movement is the spread of malware deeper and deeper into a network to search for important user names and passwords, as well as key assets and data. To prevent this:
- Use Multi-Factor Authentication, so that even if login credentials are stolen, they cannot be reused.
- Make sure that old operating systems that lack the proper security support and updates are segregated from the rest of the network.
- System admins must not use their accounts for activities such as emails and web browsing. They are high-value targets within an organization. Similarly, user permissions that are no longer required must also be removed.
- Emphasize keeping security devices on the network boundary constantly updated and patched. Keeping track of inventory to quickly know which device needs an update is also beneficial.
3. Use Device-Level Security Features
With a multi-layered defense, you should be working with the assumption that malware will eventually reach your devices. Therefore, steps must be taken to stop the malware from running on these devices.
- Devices must be centrally managed, allowing only applications that are trusted by the organization or are from trusted sources.
- If anti-virus products are required, make sure they and their definition libraries are kept up to date on your devices.
- Take steps to prevent malicious scripts and macros from running on your devices.
Attackers can also force their way into these devices by exploiting known or even new vulnerabilities. To prevent this:
- Security updates must be installed as soon as they are available.
- Auto-updates can be enabled if possible.
- Configure network firewalls so that inbound connections are blocked by default.
4. Staff Training and Monitoring
The weakest link in any cybersecurity system will always be the human factor. You could have the most advanced security system in place but if your CEO leaves his password on a post-it note on his office computer, none of it matters. Staff should be able to:
- Recognize phishing attempts and report any incident to a manager or IT professional.
- Create strong passwords for their accounts. A lot of the time people neglect to even change the default password on their devices, making them easy targets.
- Physically secure their work devices and never leave them lying around where someone else could gain access to them.
- Report issues to IT management. Reporting issues can help IT professionals mitigate the extent of the damage within the organization.
For industries where employees need to have access to trade secrets and other confidential data, using employee monitoring software is also recommended. Companies can use commercial software to keep a close eye on their employees to prevent espionage and sabotage by disgruntled employees. The software also allows you to monitor their calls, emails, text messages, and browsing history. The software can even enable dark web phone tracking, in case any of your employees are trying to sell your data or obtain ransomware for rent from the black market. Follow the link to read more about what the dark web is.
Using employee monitoring software has become more of a necessity post-COVID. With a large number of businesses adopting work from home policies, employees are using more personal devices and out-of-system access points when working with company data. The monitoring software can even be used to measure employee productivity to make sure they are not doing personal tasks on company time. While trust is important, employees also need to know that they are being supervised in order to keep productivity high.
Some businesses may need to provide phones to their employees with limited access to the phone’s features. They can use employee monitoring software to prevent them from downloading apps, using social media, and visiting certain web pages. Employers can even set up keywords, such as a company’s secret project name, so that any time that keyword is mentioned by their employees, they get an alarm notification. The use of these monitoring apps depends on your business, and when compared with other mobile tracking apps, Xnspy’s extensive list of features means it can fit all of your needs, no matter what industry you belong to.
5. Have a Recovery Plan
After a data breach, 60% of all small businesses end up closing after 6 months. Ransomware attacks, however, can cripple a business of any size. Even if recovery of data is possible, the damage done to a brand’s reputation and value may never be repaired. It is still necessary to have steps in place that allow you to recover as fast as possible after an attack.
- Keep in mind that many organizations can become collateral damage in an attack not even intended for their system.
- Have a proper communication strategy in place in the event of an attack, so IT and upper management are alerted quickly.
- Have a plan to rebuild data servers.
- After an attack has taken place, review your threat management plan to make sure that an attack cannot occur in the same way again.
Bonus Tip: Negotiating or giving in to ransom demands might seem tempting. You’d love to be able to get back to work as soon as possible and have everything return to the way it was. Unfortunately, paying the ransom is no guarantee that your data will be recovered or that the ransom demands will stop after that.
My computer was once hacked with ransomware. It was pretty bad. Had to let go of all of my data because the hackers asked for too much money.
That’s very bad to hear, Brad :(
Maybe some of the defensive strategies discussed here would help to prevent ransomware.
I would have loved to read something about ransomware negotiation too. And honestly, I believe that the article has oversimplified the problem at hand. I am not sure if I am fully sold on how something like an app could take care of a ransomware attack. However, such an app could come in handy in other situations.
Wow…these are some handy tips
Thanks, Anna!