How to Manage Ransomware Attacks against Your Remote Workforce

By Cyril James

The Covid-19 pandemic has brought about an unprecedented crisis in the cybersecurity environment and has confined people to their homes. As a result, work from home has taken precedence, and organizations have adapted quickly to this change to enable employees to work from home.

This sudden shift has created an environment with little control, which cybercriminals are exploiting.

Why is there a rise in attacks?

The pandemic’s unique situations and conditions are resulting in more and more businesses going online and digital. Cybercriminals are aware of this development and of the huge growth in remote working, which is the primary reason why ransomware attacks are on the rise and have become more pervasive and effective.

Employees working from home now have a makeshift workstation cobbled together with only basic cybersecurity measures, which are easy to break into. The employees no longer have the protection of a sophisticated cybersecurity system and strong firewalls to thwart attacks or to detect ransomware threats.

Cybercriminals, or threat actors, now have a larger attack surface, not because of the number of employees but because they are all in different locations, use multiple devices to access the organization’s network, and are operating from different unsecured networks.

They are no longer functioning inside the organization’s network perimeter, which is much safer and more secure.

Working remotely, without the benefit of the organization’s cybersecurity controls, employees do not have enough resources and are not trained well enough to recognize warnings or threats.

Another work-from-home issue is that some employees don’t have separate systems or computers for work and personal use, which means their work system is also their personal system.

This is a ripe opportunity for cybercriminals to launch phishing attacks against personal email addresses; a compromised personal account can then be used to gain a foothold on the system and move laterally into the corporate network. While there is a rise in ransomware attacks, there are certain ways in which attacks against remote workers can be curbed.

The following are the ways in which an attack can be curbed:

Educating the employees

A global survey conducted by Proofpoint in 2020 found that less than one-third of working employees could explain the term ransomware.

Employee awareness should be the first line of defense against a ransomware attack. Training and guidance should be given to employees on how to detect suspicious activities and emails and what to do when they encounter them. 

Employees should be encouraged to use a proper antivirus product and a firewall to avoid penetration by attackers using RDP. Employees should also be encouraged not to click on suspicious or phishing emails, messages, and links, and to follow basic password hygiene practices.

Employees should be advised to refrain from using the work computer for personal use, as such machines are much more prone to attack.

Enable multi-factor authentication

Multi-factor authentication requires the user to authenticate or verify themselves multiple times before gaining access to a network or a resource. 

MFA is a must-have control when dealing with constant ransomware threats. For instance, even if an employee gives in to a phishing email or a cybercriminal is able to guess or obtain a weak password, MFA adds a second layer that makes it difficult for the threat actor to penetrate or break into a system.

The second layer of authentication or verification can be a one-time password (OTP), a memorized PIN, or something you are, such as a fingerprint or facial recognition.

Network Segmentation

Network segmentation is separating or segmenting networks based on their criticality. Once an attacker gains access through the first point of contact and compromises that particular network, they can pivot from the compromised network and move laterally, penetrating other networks that are critical for the organization’s functioning.

Network segmentation helps prevent the attacker from moving laterally towards other networks and restricts the attack to a small part of the network, not allowing it to spread to other segments.

Network segmentation also allows having a different set of cybersecurity measures for different network segments. Critical networks may have controlled access and a sophisticated cybersecurity system to thwart the attack.

Make sure to update the antivirus and to apply regular patches

Though this may seem the obvious thing to do, many organizations ignore or don’t apply regular updates to their antivirus software. Nowadays, many antivirus packages offer dedicated ransomware protection and threat detection add-ons that help monitor unexpected behavior, which helps prevent attacks.

Also, as the threat and attacks are evolving, regular patches must be applied to curb these evolving threats and attacks.

Have an effective backup strategy for your critical data

Having an effective backup strategy is a potent method to counter ransomware attacks. If an attack occurs or systems are compromised, backup data means you can restore your data and be functioning and operational again without delays or glitches. Knowing which data to back up and backing it up frequently allows you to be proactive and prevents loss of time and resources.

Have a response or a recovery plan ready in case of a ransomware attack

A recovery plan or a response plan should be an integral part of business planning. A robust recovery plan not only mitigates delays and losses but also prevents wastage of time and resources. 

A recovery plan should include both technical as well as business responses. For example, a technical response may include cleaning the systems, recovering the data and restoring from backups, monitoring the system for further attacks or dangers, forecasting the attackers’ next moves, and so on. 

A business response includes how to handle delays in operations, if any, how to attend to customer queries in case of a system halt, and how to notify stakeholders, police, and insurers about the attack.

The recovery plan should be thoroughly tested and ironed out before it is put to actual use to minimize damages.

Have a no ransom payment policy

Consider a situation wherein the attackers have gained access to critical systems and are holding your data for ransom. Even though you have a recovery plan, the backup or recovery of data may take several days, affecting business operations. The attackers want a relatively small amount.

Is it time to pay up? As an organization, you should have a no ransom payment policy for many reasons. Firstly, there is no guarantee that the criminals will hand over the access or the encryption key even after you pay the ransom. 

Secondly, your organization may come to be seen as a pushover that is willing to pay, and this may encourage future attacks on your organization.

From an ethical perspective, paying a ransom, whether from your own funds or from cyber insurance, will only fund further criminal activity and reward these gangs for their crimes.

This will result in the cybercriminals having more funds and resources to launch even more sophisticated attacks on your organization or others in the future.

Paying the ransom may seem to be an easy and effective way out and even might save some money and resources in the short term, but in the long-term, paying a ransom will only fuel the ransomware infestation.

Work from home caused by the pandemic creates a larger attack surface and more opportunities for cybercriminals to take advantage of any vulnerability caused by working remotely and to carry out frequent ransomware attacks.

But these attacks can be prevented and risks mitigated by adopting preventive measures and by having an effective backup and recovery plan. By moving quickly and by detecting breaches at an earlier stage, we can easily deflect and prevent ransomware attacks.

Cyril James has a solid foundation in the Information Technology and Communication industry with over 13 years of experience. His expertise lies in Information Security, specializing in network, web, and mobile applications, and cloud penetration testing across various industry domains like banking, insurance, energy, telecom, IT products and services, and others. He is well-versed in penetration testing methodologies, including OWASP, OSSTMM, and PTES. In addition, he has a solid understanding of the technical concepts of cloud computing, machine learning, and various programming languages. Cyril is a visionary and strategy-builder, has good communication skills, and is great with managing teams. He has founded and currently leads SecureTriad, a Penetration Testing Services Company.

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.