How to prevent ransomware attacks

Backing up data, regularly updating software, and using a Zero Trust security approach are all ways to prevent ransomware infections from taking down a network.

How to prevent ransomware attacks

Ransomware is an ever-growing threat — but good security practices, like regular software updates, frequent data backups, and user email security training, can decrease the odds that it will impact an organization.

Ransomware is a type of malicious software, or malware, that locks up files and data and holds them for ransom. It usually does this by encrypting the files and data, and the attacker keeps the encryption key. Ransomware can enter a network in a number of different ways, from malicious emails to vulnerability exploits to piggybacking on other malware infections.

There is no 100% foolproof way to prevent ransomware from entering a network, but taking the below steps can vastly reduce the risk of attack.

Ransomware prevention best practices

Although ransomware attacks are pervasive, there are effective methods to prevent ransomware attacks and protect sensitive data. Below are six tactics that companies can use to prevent ransomware.

1. Update software regularly

A common way for ransomware to both enter and spread within a network is by exploiting vulnerabilities in outdated software. A "vulnerability" is a software flaw that someone can use for malicious purposes. As vulnerabilities are discovered, software vendors regularly issue fixes for them in the form of software updates. Not updating operating systems and applications regularly is like leaving a house's front door unlocked and allowing burglars to wander right in.

For example, in May 2017, WannaCry ransomware famously used the "EternalBlue" vulnerability to spread to more than 200,000 computers, even though Microsoft had previously issued a patch for the vulnerability.

Ransomware attacks also exploit vulnerabilities to spread within a network once they are already inside. For instance, Maze ransomware scans for vulnerabilities to exploit once it is already on a network, then uses those vulnerabilities to infect as many machines as possible.

To help prevent ransomware, along with many other kinds of attacks, enterprises can update software as often as possible. This will patch vulnerabilities, essentially re-locking the front door so that criminals (or ransomware attackers) cannot get in.

2. Use two-factor authentication (2FA)

Many ransomware attacks start with a phishing campaign: they obtain user credentials (username and password), then use those credentials to enter and move within a network. In other cases, ransomware attackers attempt to use known default credentials until they find a server or a network that uses those credentials and thereby gain access. (Maze attacks have used this technique.)

Two-factor authentication (2FA) is a more secure approach to authenticating users. 2FA involves checking an additional factor, such as a hardware token that only the authentic user possesses. This way, even if an attacker manages to steal a username and password combination, they still cannot gain access to the network.

3. Keep internal email secure

A critical ransomware prevention tool is email security. There are a variety of methods that ransomware attacks use to compromise devices and networks, but email is still one of the most used. Many ransomware attacks start with a phishing attack, a spear phishing attack, or a trojan hidden inside a malicious email attachment.

Look for email security vendors that involves the following key areas:

  • In-the wild discovery of attacker infrastructure and phishing campaigns partnered with heuristic-based and ML-based detection techniques to filter out emails and email attachments from untrusted sources

  • Automated and managed phishing triage and remediation

  • Protection against all 4 Gartner-defined attack types

4. Implement endpoint security

Another step to prevent ransomware is with endpoint security. Endpoint security is the process of protecting devices like laptops, desktop computers, tablets, and smartphones from attacks. Endpoint security involves the following:

  • Anti-malware software can detect ransomware on devices, then quarantine infected devices to prevent malware from spreading. Additionally, some ransomware attacks spread via preexisting malware infections — for example, Ryuk ransomware often enters networks through devices that are already infected with TrickBot malware. Anti-malware can help eliminate these infections before they lead to ransomware. (However, anti-malware is of little help once ransomware is activated and has already encrypted files and data.)

  • Application control helps block users from installing fake or attacker-compromised applications that contain ransomware.

  • Hard disk encryption does not help stop ransomware, but it is an important part of endpoint security nonetheless, as it prevents unauthorized parties from stealing data.

Read more about endpoint security.

5. Back up files and data

Regularly backing up files and data is a well-known best practice to prepare for a potential enterprise ransomware attack. In many cases, an organization can restore their data from a backup instead of paying the ransom to decrypt it or rebuilding all of their IT infrastructure from scratch.

Even though backing up data does not prevent ransomware, it can help an organization recover from a ransomware attack more quickly. However, the backup can be infected as well unless it is partitioned from the rest of the network.

6. Use a Zero Trust model

Many organizations think of their networks like a castle surrounded by a moat. Defensive measures that guard the network perimeter, such as firewalls and intrusion prevention systems (IPS), keep attackers out — just as a moat kept invading forces out of a castle in the Middle Ages.

However, organizations that take this castle-and-moat approach to security are highly vulnerable to ransomware attacks. The fact is, attackers regularly are able to breach the "moat" through a variety of methods, and once they are inside, they practically have free rein to infect and encrypt the entire network.

A better approach to network security is to assume there are threats both inside and outside the "castle." This philosophy is called Zero Trust.

Zero Trust security models maintain strict access controls and do not trust any person or machine by default, even users and devices inside the network perimeter. Because Zero Trust continuously monitors and regularly re-authenticates both users and devices, it can prevent ransomware attacks from spreading by revoking network and application access as soon as an infection is detected. Zero Trust also follows a principle of "least privilege" for access control, making it difficult for ransomware to escalate its privileges and gain control over a network.

Cloudflare One is a Zero Trust network-as-a-service (NaaS) platform. It combines security and networking services to securely connect remote users, offices, and data centers (a model known as SASE, or secure access service edge).

Want to learn more about ransomware? Dive deeper into the topic with these articles:

FAQs

What is the most effective way to prevent ransomware from entering a network through software vulnerabilities?

Regularly patching operating systems and applications is a vital defense against vulnerability exploits.

How does two-factor authentication (2FA) protect against credential theft?

Many ransomware attacks rely on phishing to steal usernames and passwords, thereby gaining access to secured networks or devices. By requiring an additional authentication factor, such as a physical hardware token, 2FA ensures that even if an attacker manages to obtain legitimate login details, they still cannot access the network without that secondary proof of identity.

Why is email security considered a critical tool for ransomware prevention?

Email remains a primary method for spreading ransomware via phishing links or infected attachments. Robust email security services use advanced detection techniques to filter out messages from untrusted sources and block malicious files before they can reach a user's inbox.

What steps can an organization take if a device is already infected with ransomware?

If security teams detect a ransomware infection, they should immediately disconnect the affected machine from all networks to prevent the malware from spreading. Once isolated, they can use anti-malware software to remove the malicious files and attempt to recover the device's data using a secure backup or a specialized decryption tool. Recovery from the device itself may not be possible, which is why regular data backups are crucial for containing the effects of a ransomware attack.

Can data backups prevent a ransomware attack from occurring?

While backups do not stop an initial infection, they are essential for recovery. Maintaining up-to-date copies of information in a secure or offline location reduces the pressure to pay a ransom, as it allows businesses to restore their systems and return to normal operations even if a ransomware attack trashes their original systems.

How do DNS filtering and browser isolation help protect users?

These technologies address different web-based threats. DNS filtering prevents users from reaching known malicious websites, while browser isolation adds a layer of safety by keeping web-based attacks and automatic drive-by downloads away from the user’s actual device. Both techniques help prevent many kinds of malware infections, including ransomware.