Ransomware Protection for Businesses: How to Keep Your Company Safe

Hackers holding your data hostage: It’s a nightmare scenario, but one that has become all too real for many companies. With ransomware attacks on the rise across the globe, more and more businesses are asking themselves how they can prevent their organization from being hit. In this article, we’ll cover the most important steps of ransomware protection for businesses, including the role identity and access management plays in keeping your company safe.

Ransomware Definition – What Is Ransomware?

Ransomware is a type of malware that aims to extract a ransom payment from the affected user. For instance, ransomware may lock you out of your PC, threaten to leak private information or encrypt files to render them inaccessible until you pay. While various forms of ransomware have existed since the 90s, the use of ransomware has increased dramatically since around 2012. In fact, many cybersecurity experts now consider ransomware the number one cyber threat of our time.

Ransomware Attacks On the Rise

There are several factors that make it difficult to pin an exact figure to the growth of ransomware. For one, there’s the question of whether to track the total number of ransomware infections or the collective financial damage caused by attacks. Early forms of ransomware mainly targeted end users in the hopes of extracting small sums of cash from a large number of people. Over the last few years, however, attackers have started to focus on high-value targets like large corporations or government agencies. To complicate matters further, some affected organizations choose not to publicize the incident to avoid damaging their reputation.

Even with these caveats in mind, surveys by cybersecurity firms show a staggering increase in ransomware attacks year over year. While some estimates range as far as a 500% increase, more conservative sources like the SonicWall Cyber Threat Report still note a 60 percent increase from 2019 to 2020. This trend continues on to 2021, with more and more high-profile ransomware attacks making headlines all over the world.

Ransomware & Bitcoin

Cybersecurity experts credit the emergence of Bitcoin and similar cryptocurrencies with the sharp increase in ransomware attacks. For as long as the internet has existed, there have been hackers with the ability to penetrate secure systems, steal company data or shut down critical infrastructure. But until recently, it was difficult to extort money from their victims without getting caught. Bank transfers can be traced. Cash drop-offs are risky. Most alternative payment methods have transfer limits or other restrictions. As an anonymous and virtually untraceable currency, Bitcoin helps attackers get around these issues, allowing them to extract enormous ransoms. More on the subject: How Bitcoin Has Fueled Ransomware Attacks.

Who Does Ransomware Target?

Ransomware has become a sweeping issue that affects both individual users and companies of all sizes. While anyone could be hit by ransomware, the last few years have also seen a dramatic increase in targeted attacks on certain industries and branches of government. Examples of high-value targets for cybercriminals include city and municipal governments, energy and technology companies, financial institutions and hospitals and healthcare facilities.

These kinds of attacks on critical infrastructure can have far-reaching economic effects. Take the Colonial Pipeline ransomware attack, for instance. The hacker group DarkSide gained access to the pipeline’s systems in late April. When ransom notes began appearing on screens on May 7, the company was forced to shut down the pipeline for six days and paid the hackers a ransom of $4.4 million dollars. The outage led to gas shortages and panic buying across the Southeastern United States.

According to a security consultant who investigated the attack, the ransomware gang DarkSide gained access to the Colonial Pipeline via an inactive VPN account. Had this account been closed once it was no longer needed, the attack, along with millions of dollars in damage, might have been prevented. With tenfold, access rights and permissions like these are automatically subjected to periodic user access reviews.

Ransomware Attacks on Small and Medium Businesses

Even though high-profile cases like the Colonial Pipeline attack or the recent attack on JBS Foods dominate the news, smaller companies should not make the mistake of thinking they are safe because they are “flying under the radar”. Small and medium businesses still suffer ransomware attacks at an alarming rate: A survey of 5,400 mid-sized organizations carried out by Sophos found that nearly 40% experienced a ransomware attack during the last year. What’s more, the average cost of these attacks grew to 1.85 million dollars. This figure includes lost revenue, operational costs and similar expenses.

A computer screen showing lines of ransomware code in the shape of a skull.
The cost of a ransomware attack can force your business into bankruptcy. Learn how to stay safe. Photo: (c) James Thew

Ransomware Protection for Businesses: Our Step-by-Step Guide

Unfortunately, there is no single tool that can protect your business from ransomware. Because malware can take many forms, keeping your business safe requires constant vigilance. It is best to think of cyber security as an ongoing process that involves every employee at your organization, rather than a singular issue only your IT department needs to worry about.

Tips for ransomware prevention include security awareness training for your staff, regular backups of critical files, keeping your antivirus software up to date (perhaps with the help of a patch management program) and using a secure, cloud-based storage solution for your business. Implementing identity and access management software also helps increase endpoint security.


Security Awareness Training

Malicious links and email attachments are some of the most common ransomware attack vectors. While many users still associate spam and phishing emails with spelling errors and wild stories about Nigerian princes, the truth is that social engineering attacks have evolved to the point of being nearly indistinguishable from a genuine message. The difference between a real and fake email may be as small as a few tweaked characters in the domain name or email address.

Given the popularity and growing sophistication of attacks like phishing and whaling, it is vital to make sure your employees are aware of the threat and know which signs to look out for. Many companies already include a one-time security training in their orientation process, but experts stress the need for regular reminders in order to encourage good cybersecurity habits. By offering security awareness training on a regular basis, you can reduce the risk that one of your employees will fall victim to a malicious link or email. At a company level, it also helps to establish an incident response plan and set up a clear procedure for your staff in the event of an attack.

How to Spot Ransomware

Ransomware is specifically designed to remain hidden until it accomplishes its task (encrypting files, locking you out of your system, etc.). As a result, it’s very difficult for users to notice an infection before a ransom notice pops up on their screen. However, there are some general signs to look out for, which may help you detect a ransomware attack or general malware infection:

  • increased CPU and disk drive usage for no apparent reason

  • suspicious network activity due to malware sending and receiving information

  • sudden spike in file changes and renames

  • files becoming inaccessible


Regular Software Updates

The world of cybersecurity is a constant arms race between hackers discovering new exploits and developers racing to fix any known vulnerabilities. As an end user, simply making sure that the software you use is patched to the latest version plays a huge part in keeping you safe. Critical security updates should be applied as soon as possible. To ensure that all devices in your company network are kept up to date, you can employ a patch management tool. Additionally, many antivirus programs allow you to perform a vulnerability scan to check for system settings you may have to adjust.


Regular Backups

Ransomware is far from the only way you can lose access to your data: There’s hard drive crashes, laptop theft, power outages, coffee spills, office fires, etc. The point is, backing up your data should already be part of your routine. Most small businesses simply follow the approach of copying their files onto an external hard drive and disconnecting it when it’s not needed. Larger companies typically need a more sophisticated solution than storing all of their data on-premise though.

Maintaining Multiple Backups

Malware has evolved to the point that many viruses are now able to target files on your PC, on network drives and in the cloud simultaneously. To keep your files safe from an attack, experts recommend maintaining multiple redundant backups spread out across different platforms. Make sure that at least one of these backups is disconnected from your company network at all times.

Data stored in the cloud to protect against encrypting malware.
Maintaining backups on multiple platforms reduces the risk of losing your files. Photo: (c) phonlamaiphoto

Network Attached Storage Devices

Network Attached Storage Devices (NAS) are one of the most commonly used solutions for backing up files while still allowing them to be actively used. NAS devices are specialized computers that provide access to their internal storage to your entire network. They are typically configured to use data redundancy like the RAID format and even come in disaster-proof versions that can survive fires and flooding.

Note: NAS devices generally remain connected to the company network for convenience reasons, which can leave them vulnerable to a ransomware attack if the virus manages to access your network.

Network Segmentation

One of the most dangerous features of ransomware Trojans like WannaCry and Petya is their ability to jump from device to device by accessing local networks. Once the malware has penetrated your system, it’s very difficult to keep the infection under control. To make sure your backups are not affected, it is critical to isolate them from the rest of your network. You could accomplish this using offline storage, but keeping track of stacks of hard drives or DVDs can be quite a headache. A more convenient way to increase network security is the use of network segmentation or “zoning”.

Network segmentation refers to the process of splitting up one large network into several smaller subnetworks with limited connectivity. For instance, you could implement separate networks for different departments, with critical IT infrastructure such as backup storage secured by additional firewalls. Think of network segmentation like the bulkheads used on ships and submarines to seal off flooded areas: By splitting your network up, you can restrict lateral movement and limit the amount of systems attackers can access. More information on network segmentation and ransomware.

Professional Backup and Recovery Solutions

Implementing a cyber security concept to secure local files from malware and data breaches is a great first step. But when it comes to your data, you shouldn’t leave anything to chance. A professional data backup solution helps keep your data secure even when local safeguards fail. A great place to start is this overview of data backup solutions by Geekflare.


Ransomware Protection Tools

Traditional antivirus software relies on signature based detection in order to identify malware, essentially matching the fingerprints of programs to a database of known viruses in order to spot bad actors. This approach works well enough once a virus has been caught and classified by researchers, but can give brand-new malware a window to wreak havoc.

In order to stop ransomware before it can cause damage, many security suites have added specialized anti-ransomware tools to their repertoire. These programs try to detect and quarantine threats based on suspicious behavior. There are several approaches to identifying ransomware:

  • Behavior monitoring: This approach to antivirus detection tracks all active processes to catch suspicious activity like file modifications, aiming to protect users from new and unidentified malware.

  • Exploit detection: By using network security settings to track and block common exploits used by ransomware, exploit detection tools can help keep out intruders.

  • Ransomware honeypot: Some tools create specific files as bait in order to trap malware. Since no other program needs or uses these files, any attempt to access them marks the program in question as a virus.

If you’d like to know more about anti-ransomware products, PCMag has compiled the best ransomware protection programs on the market.


Secure Cloud Storage

A word of warning: Without access control and proper network segmentation, malware is free to spread from your company network to cloud storage. However, secure cloud solutions still provide an additional layer of security to your file management and data storage. A cloud backup can help you recover lost data even if ransomware manages to encrypt your entire file server.

A staff member who forgot to install an antivirus patch finds ransomware on his laptop, which has used encryption to render documents inaccessible.
Limiting access rights helps control the spread of ransomware and keep damage to a minimum. Photo: (c) zephyr_p

Identity and Access Management

Sadly, even the most rigorous approach to cybersecurity does not offer 100% safety. Even if you follow these steps to protect your business from ransomware, your company could still fall victim to a new exploit or zero day vulnerability. That’s why a pragmatic approach to ransomware protection should include a plan for damage control and limiting the amount of harm a malware intrusion can cause.

Similarly to network segmentation, identity and access management (IAM) prevents ransomware from spreading uncontrollably by restricting permissions and user access rights.

Privilege Creep

Many companies follow no clear procedure for assigning permissions and access rights. Instead of keeping to the principle of least privilege (POLP) and limiting access rights to what is strictly necessary, IT admins simply assign new permissions whenever a team lead or manager asks for them.

It makes sense: Employees who switch departments or are added to different tasks need access to project folders and IT resources. But without regular user access reviews, nobody remembers to revoke these access rights once they’re no longer needed. As a result, employees accumulate more and more permissions over time, a process also described as privilege creep. This is especially true if your organization still bases new profiles on reference users, meaning that all of these legacy permissions are transferred to every new user.

While privilege creep doesn’t make it easier for attackers to penetrate your system, it effectively gives them free reign once they make it inside. A hacker that gains access to one of your company accounts effectively gains access to every permission granted to that account, making privilege creep a massive security risk.

Restricting Access, Securing Endpoints

The least privilege principle is one of the key steps for implementing IT security best practices. Strict adherence to this principle ensures that users only receive access rights and permissions that are strictly necessary for their jobs. This stops malware like Trojans or keyloggers from exploiting excessive permissions to spread across your entire network.

Restricting access rights for your employees also limits the spread of malware that gains access to their account.

There are many tools that can help you implement the POLP at your organization. The question is how much time you are willing to invest into manual permission management and how you would rate the operational discipline at your company, i.e. whether your staff would adhere to the procedure you set up.

tenfold access management automatically assigns permissions based on the principle of least privilege. It also helps you clean up your file server, get legacy permissions under control and keep track of who in your company has access to sensitive data.

Ransomware Protection for Businesses – tenfold Access Management

The spread of ransomware relies on privilege, particularly excessive privilege like local admin rights or remote access via VPN or RDP. To prevent vulnerabilities like these from being exploited, tenfold relies on role-based access control (RBAC). This means that permissions on your network and across any number of third-party systems are automatically assigned and revoked based on user roles. The recertification feature ensures that permissions are regularly reviewed by the respective data owner, thanks to a handy reminder. This removes the security risk posed by legacy permissions.

Why tenfold?

What makes tenfold the leading IAM solution for mid-market organizations?

Ransomware Protection Checklist

There is no guaranteed way to prevent a ransomware attack on your business. However, taking precautions and implementing best practices for IT security and access management reduces both the risk of a successful attack and the amount of damage an attacker can cause. To summarize, here are our tips for successful ransomware prevention and defense:

  • Provide security awareness training to ensure your staff practices good cybersecurity habits.

  • Set up a clear procedure for the event of a security breach (incident response plan).

  • Use multiple, redundant backup solutions and secure cloud storage to keep your files safe.

  • Restrict access rights for employees to what is strictly necessary.

  • Use a ransomware protection tool to track suspicious activity on your network.

Ransomware Removal

Once a ransomware program has made its way into your network and encrypted your documents, there are very few options left. Removing ransomware is a difficult process with no guarantee of success. Wiping your network clean and restoring your devices to factory settings gets rid of the virus, but also means you lose all of your data. Or you can give in, pay the ransom and hope that you will regain access to your systems. According to Kasperky, over half of all ransomware victims ultimately decide to pay, but only a quarter manage to recover all of their files. Law enforcement and cybersecurity experts also advise against ransom payments, since successful extortion encourages future attacks.

To be perfectly honest with you, all three options are terrible. Many businesses feel that they have no choice but to pay their attacker, but there’s no way to know if they will actually unlock your system and decrypt your files as promised. What’s to stop them from making further demands? If you decide to fight the infection, it will be difficult to know if you really managed to eliminate every trace of the virus from your network or if it remains hidden in some corner of your file system, ready to strike again. A full reset of your network is often the safest option, but it still takes a lot of time and wipes out any work that wasn’t successfully backed up.

Cyber Insurance as Ransomware Protection

While a cyber insurance policy cannot prevent your company from being targeted by cybercriminals, ransomware or other digital threats, coverage for the loss of data can protect you from the financial fallout of a security breach. In this day and age, cyber insurance should be a key part of any company’s risk management strategy. To help you respond to an attack quickly and effectively, many providers offer more than “just” financial support. A typical policy covers:

  • First-party damages: This includes the cost of investigating and documenting the incident, notifying the relevant authorities and restoring files and systems to working order. If an attack disrupts your business, it may also cover lost revenue or the cost of the interruption.

  • Third-party damages: Cyber liability insurance protects you from claims against your business following a breach and covers your legal expenses for privacy lawsuits, negligence suits and similar accusations.

  • Additional benefits: Many providers lend additional support when it comes to managing an IT crisis situation. Services offered by different insurance companies range from supplying data breach coaches to guide your IT department’s response to hiring PR firms to do damage control and help restore your company’s reputation.


Best Practices for Access Management In Microsoft® Environments

Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implentation, reporting and auditing.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.