- Education: employee awareness training should be in place to ensure the threat of ransomware is properly understood and steps individual users can take to reduce the risk of compromise from user interaction with both malicious emails and websites.
- Ensure you have a clearly documented and agreed upon incident response plan detailing the steps the organisation will take in response to a ransomware compromise. A backup copy of this plan should be stored offline.
- Understand the value of your organisations information to others. Apply the appropriate level of controls such as encryption and two-factor authentication to ensure your most valuable information is protected.
- Back-up. Ensure you have a recovery system in place so a ransomware infection can’t destroy your information. In additional to creating a local copy of your data, we also recommend creating an off-network copy of your all sensitive information.
- Restore of backed up data should be tested regularly to ensure they are reliable and effective.
- Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. Enable the feature to automatically apply updates if available.
- Trust no one. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, or colleagues.
- Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, your work, a financial institution, the police, tax office, Australia Post, luring recipients into clicking on a malicious link and releasing the malware into their system.
- Implement application whitelisting or, at least, software restriction policies to hinder the ability of malware to execute successfully.
- Use network segmentation (via VLANs and ACLs) to assist with preventing the spread of a ransomware infection throughout your organisation’s IT infrastructure, isolating the infection to one network segment.
- Deploy and manage appropriately configured firewalls and network and host based prevention/detection systems to identify, prevent and issue alerts for outbound communication attempts to malicious IP addresses.
- Deploy and manage spam filtering tools to intercept ransomware variants that are spread via malicious email attachments.
- Use up to date endpoint-based solutions such as anti-virus (either a next-gen anti-virus product that has strong ransomware detection capabilities such as Cylance, CarbonBlack etc.) or a signature-based solution .
- Establishing and enforce removable media policies to reduce the risk of ransomware spreading via USB drives etc.
Advice prepared by Louise Schuster, Director Cybersecurity, AARNet.
We would like to acknowledge Nick Ellsmore from Hivint for assisting with developing this advice.