In this article

The threat from ransomware dominates various threat reports published in recent years. The threat isn't just from the crypto-locking of your data and systems but also data exfiltration. There is also the threat of further extortion and reputational damage as the blackmailers approach the owners of the leaked data for payment.

So how does an organization build a multi-layered defense against this particular threat?

First, an organization needs to know what information assets (data and systems) it has, how vital they are to the business and what threats are posed to them. We security architects call this "system categorization." If you don't know what you've got, how can you defend it? If you don't know what it is worth, how do you know if the security controls you deploy are a good use of a finite security budget? To use an analogy: You wouldn't use a $10 lock to secure a $5 bike, would you?

You may categorize an application as low value; however, a critical asset may be dependent on it. Failing to secure that lower value system appropriately may endanger your critical system. Dependency mapping between your applications and the infrastructure upon which they operate will reveal these critical interdependencies that must be protected. 

Read more: WWT's Application Dependency Guide 

Let's look at the anatomy of a modern ransomware attack as defined by Exabeam:

  1. Distribution campaign – attackers use techniques like social engineering and weaponized websites to trick or force users to download a dropper that kicks off the infection.
  2. Malicious code infection – the dropper downloads an executable file which installs the ransomware.
  3. Malicious payload staging – the ransomware embeds itself in a system and establishes persistency to exist beyond a reboot.
  4. Scanning – the ransomware searches for content to encrypt on the local computer and network accessible resources, including back-up files, thus reducing the victim organization's options for recovery. 
  5. Encryption – the discovered files are encrypted.
  6. Payday – a ransom note is generated and shared with the victim while the hacker waits to collect the ransom.

According to WWT research, the four most common delivery methods for ransomware are:

  1. Phishing emails
  2. Remote desktop protocol (RDP)
  3. Drive-by downloads from a compromised website
  4. USB devices and removable media

Let's split our response into two halves: preventive controls to stop ransomware before infection and detective/recovery/compensatory controls to respond to a ransomware outbreak should it get through the preventative controls.

Preventive controls

The human element of cybersecurity 

One of the key defenses against ransomware is strengthening the human firewall by training all users in your environment. 

According to Terranova Security, 19.8 percent of users will click on the link in a phishing email. If your users can't recognize phishing attempts and download malware as a result, it doesn't matter how good your technical defenses are. Organizations need to make sure that users know how to recognize and report suspicious activity to the cyber operations team.

We also need to educate users on safe use of USBs and removable media. The Cybersecurity and Infrastructure Security Agency (CISA), recommends that users understand best practices associated with removable media use:

  • Do not plug an unknown media device into your computer, even if you are trying to identify the owner.
  • Use passwords and encryption to secure your data on the drive and ensure that the data is backed up in case it is lost.
  • Keep personal and business media devices separate.
  • Disable autorun so that files do not open automatically when plugged into a computer. 
  • Keep your security software up-to-date and keep anti-virus definitions current. 

Group policy objects (GPOs) or third-party tools can be used to control and/or restrict the use of USB and removeable media. These tools can deny USB use full stop or apply restrictions such as anti-virus (AV) scanning of a device's contents before granting users access to files. 

While you can educate and monitor your own users, what about third parties? Many malware outbreaks breach an environment via these types of connections. Vendor and external users must be monitored, educated and secured similarly to your own employees. 

Network security 

Your network edge defenses should be configured to block RDP, and host-based firewalls should restrict access to RDP to only those who need it. Consider enforcing multi-factor authentication and/or a lockout policy (to limit the number of invalid log-on attempts an attacker has) for RDP use in order to reduce risk.

Network flow data analysis is a detective control that can help identify the tell-tale signs of the spread of ransomware between systems. The analysis tool can be used as an orchestration point to organize the appropriate response from firewalls and other policy enforcement points in the affected environment. This orchestration is called Network Detection & Response (NDR).

Drive-by downloads can be prevented by inspecting web traffic content with an on-premises proxy/next generation firewall or cloud-based secure web gateway. These tools will help detect known malware using network-based anti-virus protections and unknown malware and zero-day threats using sandboxing features. 

Unfortunately, sandboxing takes time to analyze files so in many cases the infected file is successfully passed to the recipient. This means that "patient zero" gets infected and we only know the file was malicious after the fact. In this case, we are reliant on the organization's endpoint protections as the last line of defense. For high-risk environments or user groups, consider the use of web browser isolation technology.

In a similar way, organizations can defend against phishing-based attacks using anti-spam, anti-virus and sandboxing tools in the email ecosystem. If these do not detect the ransomware or bad URL, then the network-based defenses outlined above come into play in the download phase, demonstrating the importance of multiple layers of protection. 

Read more: WWT's Network Security Guide and WWT's SASE Guide

Endpoint protection

Endpoint protection is the last line of defense. Modern endpoint anti-virus systems are called endpoint detection and response (EDR) platforms. 

The main functions of an EDR platform are to:

  • Collect pertinent telemetry data from endpoints.
  • Perform analytics on this data to identify malicious activity that could indicate a ransomware infection.
  • Provide an automated response to a ransomware infection to stop, contain or remove the threat and alert your SOC team.
  • Provide forensics and analysis tools to research identified ransomware and aid threat hunting. 

Look for EDR systems that have the ability to:

  • Detect and block known ransomware.
  • Detect and block unknown zero-day ransomware infections through the use of machine learning. 
  • Block the exploits leveraged by ransomware to execute and spread via unpatched vulnerabilities.
  • Ability to spot "indicators of attack" (IOAs) as an added layer of defense against unknown ransomware and fileless ransomware which often can't be detected by traditional AV systems. 

Combined with SIEM/SOC tooling, NDR tools and intelligence feeds (STIX/TAXI feeds and information sharing programs with industry peers), EDR can enhance your response to a ransomware outbreak and provide vital situational awareness.

Read more: WWT's endpoint security guide

The majority of successful ransomware attacks leverage known vulnerabilities. An effective vulnerability detection, monitoring and remediation program is essential, and prompt remediation will minimize the window of opportunity for bad actors.

For really sensitive systems, architects should consider implementing unidirectional flow control, protocol break and content disarm/reconstruction along the lines of the UK's NCSC data import for sensitive systems design pattern. The "transform" function of this process deconstructs the data flow down to its basic essence, thus ensuring ransomware removal. The data flow is then sent across a diode (which ensures one-way data flow) to the "validate" function, which reconstructs the data flow minus any malware that might have infected it.

Detective and restorative controls 


Should a piece of ransomware get through your defenses, you'll need to look at some detective, compensating and restorative controls. One of the most fundamental is to reduce the blast radius of an incident. Segmentation can help with by putting barriers in place that can stop the spread of ransomware. Both macro-segmentation (using firewalls, VLANs and other network controls) and micro-segmentation (using host-based firewalls to restrict the other devices that a server can communicate with) can provide separation between systems within an environment preventing the spread of a ransomware outbreak.

In a similar way, using zero trust network access (ZTNA) services can segment your users from each other and their applications.

Taking a zero trust approach lays the foundation for the use of a positive security model (everything is denied unless explicitly allowed) which supports the principle of least privilege (users only have access to the data and applications that they need). By restricting users and devices to only having access to the systems they need, with only the privileges they need to perform their role, an organization can reduce its attack surface (and therefore risk). Applying least privilege to local administrator accounts on endpoints will reduce the scope for attackers to leverage users' existing privileges.

Read more: WWT's zero trust guide

Adopting an "assume breach" posture means that your security operations team is continuously looking for signs of breach, a discipline known as threat hunting. The timeline between initial infection and the launch of an encryption attack is usually around 200 days, so threat hunters should be continually looking for indications of compromise (IOCs). These IOCs could be files, folders, processes, user activity and network activity associated with a malware infection. This will help your team spot ransomware attacks earlier in the kill chain.

In cybersecurity, you must know what is normal activity and be able to identify abnormal. UEBA (user-entity behavioral analysis) can spot abnormal activity on endpoint devices. If an infected endpoint device starts carrying out abnormal and suspicious activity, you need to know and be able to react as soon as possible. Adding UEBA to your SIEM or analytics platform gives your threat hunters a heads up. 

Read more: WWT Lab as a Service

Having a tested and practiced incident response plan telling your teams what to do during a ransomware outbreak is a must have. When every second counts in your response, having an incident response team with an understanding of their role, procedures and expectations will minimize the scope of the incident and increase the speed of recovery.

Finally, the ability to recover infected systems after a ransomware attack is critical. Ensure that you have up-to-date server images and a robust and tested back-up platform. The former will allow you to rebuild servers quickly to a base, or gold build, while the latter will allow you to restore the data required to support applications.

Choose a back-up technology that provides you with the ability to create and securely store immutable back-ups, which should be unchangeable and able to deploy to production servers immediately in case of ransomware attacks or other data loss. This back-up should also be air-gapped from your production network to minimize the changes of the attackers finding and corrupting it.

How can WWT help? 

Our comprehensive services portfolio is designed to help at every stage of your journey to security transformation.  Our team combines strategic consulting expertise with the ability to seamlessly execute complex IT strategy worldwide. 

  • Combine the insights of a traditional consulting firm with the ability to execute complex infrastructure solutions at scale globally. 
  • Work collaboratively to find the optimal way to develop high-quality, easy-to-use software that delivers value early and often. 
  • Cut your proof-of-concept time from months to weeks, if not days, by leveraging the WWT Advanced Technology Center's (ATC) testing and automation infrastructure. 
  • Accelerate the planning, design and implementation of complex technology investments at scale around the world.