How to prevent and protect against ransomware

Organizations sometimes learn difficult lessons about gaps in their cybersecurity defenses. Here's what to know about ransomware preparation, detection, response and recovery.

The ransomware threat continues to plague organizations of all types and sizes. The SANS Institute reported a 73% increase in ransomware activity between 2022 and 2023, and Corvus Insurance identified 55 new ransomware groups in 2024. Preparation for a potential ransomware attack should be a priority.

Take stock of existing cybersecurity controls and processes to ensure you are ready if ransomware makes an appearance. To prepare, let's look at the tactics, controls, technologies and capabilities that can help any organization defend itself against the ransomware threat.

Secure workloads and endpoints

To try to prevent a ransomware attack, start with your workloads and endpoints. These are common initial compromise vectors.

Review your endpoint security capabilities. These tools should be up to date and deliver strong prevention, detection and response capabilities.

Your ransomware prevention tools should scrutinize browsers, email clients, PDF readers, PowerShell, Visual Basic, Java and document interaction (Microsoft Word and Excel, for example). You'll want these tools to alert you when there are indicators of bulk file encryption and memory-based malware. They should detect and monitor the use of USB and removable media.
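The bulk-file-encryption indicator mentioned above can be approximated with a simple per-process heuristic. The detector below is an added example, not code from the article or any product; it runs over a constructed, hypothetical EDR export whose line format (timestamp, pid, image, action, entropy, path) is an assumption, and flags a process that performs many high-entropy writes or extension-changing renames within a short window.

```python
"""Heuristic detector for bulk file encryption on an endpoint.

Input is a constructed sample export (hypothetical format, not a vendor's):
    <epoch_secs> <pid> <image> <action> <entropy_bits_per_byte> <path>
For renames the path field is "<src>-><dst>".
"""
from collections import defaultdict, deque
from pathlib import PureWindowsPath

WINDOW_SECS = 10     # sliding window per process
MIN_EVENTS = 5       # suspicious events inside the window before alerting
HIGH_ENTROPY = 7.5   # encrypted (or compressed) output sits close to 8.0

# Constructed sample: one benign Word process and one process that rewrites
# user documents with near-random content and renames them to ".locked".
SAMPLE_EVENTS = """\
100 4120 WINWORD.EXE write 4.8 C:/Users/a/report.docx
101 7781 update.exe write 7.9 C:/Users/a/q1.xlsx
101 7781 update.exe rename 0.0 C:/Users/a/q1.xlsx->C:/Users/a/q1.xlsx.locked
102 7781 update.exe write 7.8 C:/Users/a/q2.xlsx
102 7781 update.exe rename 0.0 C:/Users/a/q2.xlsx->C:/Users/a/q2.xlsx.locked
103 7781 update.exe write 7.9 C:/Users/a/budget.docx
103 7781 update.exe rename 0.0 C:/Users/a/budget.docx->C:/Users/a/budget.docx.locked
104 7781 update.exe write 7.9 C:/Users/a/README.txt
130 4120 WINWORD.EXE write 5.1 C:/Users/a/notes.docx
"""


def is_suspicious(action, entropy, path):
    """High-entropy write, or a rename that changes the file extension."""
    if action == "write":
        return entropy >= HIGH_ENTROPY
    if action == "rename" and "->" in path:
        src, dst = path.split("->", 1)
        return PureWindowsPath(src).suffix != PureWindowsPath(dst).suffix
    return False


def detect_bulk_encryption(log_text):
    """Return {pid: (image, first_alert_ts)} for processes crossing the threshold."""
    windows = defaultdict(deque)   # pid -> timestamps of recent suspicious events
    alerted = {}
    for line in log_text.splitlines():
        ts, pid, image, action, entropy, path = line.split(maxsplit=5)
        ts, entropy = int(ts), float(entropy)
        if not is_suspicious(action, entropy, path):
            continue
        q = windows[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECS:   # drop events outside the window
            q.popleft()
        if len(q) >= MIN_EVENTS and pid not in alerted:
            alerted[pid] = (image, ts)
    return alerted
```

Tune the window and threshold against your own baseline; backup agents and archivers also produce high-entropy writes, so the process image and target paths should feed the alert triage.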

Look for products that have data loss prevention capabilities based on content types, that conduct threat hunting and evidence collection, and that provide flexible alerting.

You will also want integration and orchestration with other products, such as network detection and response (NDR), extended detection and response (XDR) and/or SIEM.

Next, consider configuration management and patching capabilities. Initial ingress methods for ransomware often exploit newly exposed vulnerabilities, such as remote access bugs, application flaws or exposure in protocols, including Remote Desktop Protocol (RDP). Proper patch management practices will reduce exposure to these risks.

Be sure to consider additional endpoint security strategies that can help to prevent and detect ransomware. To bolster defenses:

  • Don't allow end users to store important files on endpoints. If possible, direct them to a central file store or cloud-based storage.
  • Consider the use of virtual desktop infrastructure for critical applications and privileged users and use cases.
  • If possible, replace VPNs with zero-trust network access (ZTNA) options that broker all access. Many of these services also offer remote browser isolation capabilities that sandbox browser activity.

Another critical area to focus on for ransomware defense is email and collaboration tool/service security. Ransomware is often disseminated via email. It is also propagated through SharePoint and similar collaboration services or via cloud storage apps such as Dropbox and OneDrive.

First, apply email security controls in the following ways:

  • Advise users to check sender email addresses carefully and look for unusual date formats or language peculiarities.
  • Instruct users to avoid opening emails or clicking on links or attachments from unknown senders.
  • Implement standard email authentication protocols to secure your email domain against domain forgery. Examples include Domain-based Message Authentication, Reporting and Conformance (DMARC); DomainKeys Identified Mail (DKIM); and Sender Policy Framework (SPF).
  • Adopt email security gateways/services from leading providers.
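Publishing SPF and DMARC records is only half of the job; weak settings (a permissive `all` mechanism, `p=none`, a partial `pct`) leave the domain forgeable. The checker below is an added example, not from the article; it audits SPF and DMARC TXT record strings that are constructed here for a hypothetical domain (DKIM is omitted because verifying it requires the selector and key record).

```python
"""Audit SPF and DMARC TXT records for settings that still allow domain forgery.
The records below are constructed samples, not real DNS data."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def audit_spf(record):
    """Return a list of findings for an SPF record (empty list means no issue)."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["no valid SPF record"]
    terms = record.split()[1:]
    if "+all" in terms or "all" in terms:
        findings.append("SPF allows any sender (+all)")
    elif "?all" in terms:
        findings.append("SPF neutral (?all) gives no protection")
    elif "~all" in terms:
        findings.append("SPF softfail (~all); -all is stricter")
    elif "-all" not in terms:
        findings.append("SPF missing an 'all' mechanism")
    # RFC 7208 limits DNS-querying mechanisms to 10; more yields a permerror
    names = (t.lstrip("+-~?").split(":")[0].split("=")[0] for t in terms)
    if sum(1 for n in names if n in LOOKUP_MECHANISMS) > 10:
        findings.append("more than 10 DNS-lookup mechanisms (permerror)")
    return findings


def audit_dmarc(record):
    """Return a list of findings for a DMARC record (empty list means no issue)."""
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; use quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct} applies the policy to only part of mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not received")
    return findings
```

Run it against the TXT records of each domain you send from, including parked domains, which should carry `v=spf1 -all` and `p=reject`.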

For all key collaboration services, implement the following security measures to the best degree possible:

  • Access controls.
  • Authentication.
  • Roles and privileges.
  • Data security.
  • Sharing settings.
  • Monitoring.
  • Malware protection.

It’s never a bad idea to conduct regular permissions and access reviews. To find where excessive privileges are enabled in cloud collaboration tools and services, examine the following:

  • Orphaned accounts.
  • Guest accounts.
  • Third-party accounts.
  • Mismatched team membership/groups.
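An access review of this kind is easy to script once the collaboration service's account export and the HR roster are in hand. The code below is an added example, not from the article; the export fields, the HR roster and every account in it are constructed assumptions, and it flags the four categories listed above.

```python
"""Permissions and access review over a constructed collaboration-service export.
Field names are assumptions for this example, not any vendor's schema."""
from datetime import date

CORP_DOMAINS = {"example.com"}
STALE_DAYS = 90
TODAY = date(2024, 6, 30)   # fixed so the sample is reproducible

# Constructed sample export: one dict per account in the tenant
ACCOUNTS = [
    {"user": "alice@example.com", "kind": "member", "employee_active": True,
     "role": "owner", "groups": {"finance"}, "last_login": date(2024, 6, 28)},
    {"user": "bob@example.com", "kind": "member", "employee_active": False,
     "role": "editor", "groups": {"engineering"}, "last_login": date(2024, 1, 3)},
    {"user": "carol@partner.example.net", "kind": "guest", "employee_active": None,
     "role": "editor", "groups": {"finance"}, "last_login": date(2024, 2, 1)},
    {"user": "svc-backup@vendor.example.org", "kind": "app", "employee_active": None,
     "role": "owner", "groups": set(), "last_login": date(2024, 6, 29)},
    {"user": "dave@example.com", "kind": "member", "employee_active": True,
     "role": "editor", "groups": {"finance", "hr"}, "last_login": date(2024, 6, 25)},
]
# Constructed HR roster: the groups each current employee should belong to
HR_ROSTER = {"alice@example.com": {"finance"}, "dave@example.com": {"finance"}}


def review_access(accounts, roster, today=TODAY):
    """Return {user: [findings]} for every account that needs attention."""
    findings = {}
    for a in accounts:
        notes = []
        domain = a["user"].split("@")[1]
        stale = (today - a["last_login"]).days > STALE_DAYS
        # Orphaned: the employee behind the account has left
        if a["kind"] == "member" and a["employee_active"] is False:
            notes.append("orphaned: employee no longer active")
        # Guest accounts should be read-only and actively used
        if a["kind"] == "guest" and (a["role"] != "viewer" or stale):
            notes.append("guest with write access or stale login")
        # Third-party identities should not own the workspace
        if domain not in CORP_DOMAINS and a["role"] == "owner":
            notes.append("third-party account holds owner role")
        # Group membership should match what HR says the person's team is
        expected = roster.get(a["user"])
        if expected is not None and a["groups"] != expected:
            extra, missing = sorted(a["groups"] - expected), sorted(expected - a["groups"])
            notes.append(f"group mismatch: extra {extra} missing {missing}")
        if notes:
            findings[a["user"]] = notes
    return findings
```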

Any ransomware defense plan should align with business continuity controls and processes. And be sure to coordinate business continuity and disaster recovery (BCDR) testing plans and schedules: A backup isn't really a backup unless it is regularly tested.

Consider tertiary backups, too. These replicate critical data to an off-site data storage service, typically in the cloud. For the short term, tertiary/auxiliary backups have 30 to 90 days of total retention. Use a daily schedule and avoid any continually open network ports or services that a ransomware attacker could exploit.

Be highly selective about the data you replicate. Consider aligning this replication effort with BCDR efforts that emphasize data and application prioritization. Give priority to data that is time-sensitive -- financial transactions, for example -- or essential to continuing business operations.

Also, consider the air gap model. With backups, air gapping simply means storing backup data offline and physically separated from where it's being generated. This can be done with virtual disk and cloud storage. Specialized ransomware-focused cloud services are available, too.

Another common ransomware defense is immutable storage. Major cloud providers now support object locking, also referred to as write once, read many (WORM) or immutable storage. Implement a backup that integrates seamlessly with this object lock feature to create immutable backups. Some backup solutions also offer policy-based scheduling for retention time periods and migration as needed.

Your backup strategy should, without fail, follow the 3-2-1 backup rule. In the 3-2-1 strategy, you have, at minimum, the following:

  • Three copies of your data.
  • Two media types for your backups.
  • One backup stored in an off-site location.

Some common 3-2-1 workflows combine disk with cloud, network-attached storage with cloud, and disk with tape.

Update incident response processes and procedures

Every organization needs to update its incident response procedures and playbooks to include ransomware scenarios.

Preparation

First, create ransomware-specific playbooks for rapid response. Seconds count. Also, ensure you have playbooks and plans for ransomware response stored offline. Update communications plans to include legal considerations and ransom negotiators. Determine specific notification requirements for insurers, if applicable.

While not always palatable to executive leadership, it's not a bad idea to create a cryptocurrency wallet so that you are prepared to pay a ransom -- if that is the course of action your organization ultimately takes.

Be sure to conduct ransomware-specific drills and tabletops, and check that law enforcement contacts are up to date.

Detection and analysis

Develop detection playbooks so that you know what to expect in various scenarios, such as user-reported problems, ransom notes, alerts from endpoint detection and response (EDR) or SIEM tools, threat intelligence or law enforcement notifications, and seeing advertisements from malware operators selling access to your networks.

Learning to identify the type of malware you are confronting is important, as this will help you understand how it will behave and what response to take. Determine the scope of the infection, the initial infection vector to prevent reinfection, and whether data exfiltration has occurred. This requires training and a dedication to continuous research.

Containment and eradication

Develop containment and isolation playbooks so that you are ready to act. Some common tactics include the following:

  • Use out-of-band communications, since attackers might be monitoring email or other online forms of communication.
  • Take file shares offline.
  • Restrict remote entry points like VPNs until the incident is contained.
  • Use your EDR tool's network-containment functionality to isolate systems.

Additional recommendations to help contain and eradicate ransomware include the following:

  • Reset passwords on any compromised accounts.
  • Remove malware-infected email from user mailboxes.
  • Reinstall OSes from trusted sources.
  • Reset passwords on any affected system.
  • Consider organization-wide password resets.
  • Remove any persistence mechanisms.
  • Remove malware implants (Metasploit, Cobalt Strike, etc.).
  • Patch any vulnerabilities on internet-facing systems.
  • Consider paying the ransom.

Recovery

Ideally, you can consider unlocking systems with a decryption key provided by law enforcement -- or from the hackers after a ransom is paid. Sometimes a decryption solution can be discovered through malware analysis, which is essentially a reverse-engineering process, or online research. Otherwise, you'll need to restore data and systems from known, clean backups, starting with the most critical systems. Be sure to implement EDR and NDR signatures and monitoring. You'll want to be able to spot indicators of compromise (IOCs) and uncover the attackers' tactics, techniques and procedures. Finally, change any additional account/system passwords, if required.

Post-incident activity

The final phase of incident response includes documentation, communication and coordination with a variety of internal and external parties. Consider lessons learned during the incident to develop improvement plans. Prepare data breach notifications (if required), as well as other regulatory reporting requirements such as Securities and Exchange Commission materiality notifications.

Update technical controls and processes to prevent future occurrences. Share IOCs with law enforcement and information-sharing organizations such as CISA.

Additional considerations for ransomware prep

With ransomware preparation and protection, there's almost no limit to the range of control areas worth considering or to the types of processes that might need to be created or updated. The following are some important areas to focus on:

  • Strengthen security awareness training. When employees fail a phishing simulation or other test, treat this as an opportunity to educate these people with additional awareness training. Reward those who pass the tests or who spot real attacks. Put specific metrics in place for awareness training and testing, including the number of violations within a specific time period as well as the types of violations observed.
  • Limit privileges and access. Look for cases of excessive privilege use and remote access to data. Tools such as SolarWinds Permissions Analyzer, BloodHound Enterprise, NTFS Permissions Auditor and Copernic Business Server Search can help with this. Consider privileged user management tools and bastion hosts, and examine ZTNA concepts and products to see if they might complement your organization's security strategy.
  • Evaluate cyber insurance. Expect an insurance provider to intensely scrutinize your security controls and capabilities. Document your program thoroughly, ideally following some type of framework, such as one from ISO or NIST. Also document any updates and items of note in your program over the past 12-18 months.
Look for insurers that are clear about payments and coverage. Exclusions are common, and these need to be explicitly understood and stated. Understand which events require notification and which do not. Coordinate meetings with the insurance carrier, CISO and other stakeholders, and be wary of so-called clarification endorsements from a broker -- this is a fancy term for "exclusions."

Prepare for ransom payment

While some organizations take a hard line against ever making a ransomware payment, most will at least consider doing so under the worst circumstances. When discussing and planning for this, be sure to involve key stakeholders, including legal counsel, insurers, law enforcement and any consultants and specialists. Also consult lawyers to determine the legal implications of paying a ransom.

Dave Shackleford is founder and principal consultant at Voodoo Security, GIAC technical director as well as a SANS analyst, instructor and course author.