Stronger Ransomware Defense

Chris Swagler | June 26th, 2023


Building a stronger ransomware defense and staying ahead of threat actors is a cat-and-mouse game in which the threat operators frequently have the upper hand. LockBit was the most widely used ransomware variant worldwide in 2023. Measured by the number of victims claimed on its data leak site the previous year, LockBit was the most active global ransomware group and RaaS provider. As the ransomware threat grows and evolves, new strains keep emerging, and Rorschach, the most recent strain, is proof of this: it is currently one of the fastest strains on the ransomware market. One cybersecurity company tested 22,000 files on a 6-core machine and found that all of them were partially encrypted in 4.5 minutes.

Rorschach compromised the test system more quickly than LockBit, which was previously thought to be one of the fastest ransomware strains. Why encrypt the files only partially? A newer approach known as intermittent encryption encrypts only a portion of each file, which is enough to render it unreadable. Because it drastically reduces the time needed to encrypt the files, security software and personnel have only a narrow window in which to stop the attack. Encryption speed is critical because it limits the time users and IT teams have to respond to a security breach, and so increases the chances of a successful attack. Rorschach can also create a Group Policy that spreads the ransomware to every machine in the domain, even if the attack initially targets a single system. What are the best practices for building a stronger ransomware defense against these ever-increasing threats? Here are six critical steps companies can take to build a stronger ransomware defense and protect themselves against ransomware attacks.

Six Steps in Building a Stronger Ransomware Defense

  1. Access Controls – One of the first steps companies can take in building a stronger ransomware defense and protecting their business is to ensure that each user has only the access they require. Implementing RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control) ensures that no user, and no compromised account, can reach data outside the scope of its role. With proper controls in place, companies can audit any action an account takes beyond its permitted permissions, and fast onboarding and offboarding enable swift responses to security events.
  2. Password Policies – A proper password policy underpins every account. It can include following industry standards such as NIST 800-63B and checking for previously breached account passwords. Industry standards and breached password protection can be challenging to comply with; however, software such as Specops Password Policy with Breached Password Protection can make the process easier in building a stronger ransomware defense. To protect the company, it must ensure that users changing their passwords adhere to the policy and are not choosing previously compromised passwords.
  3. Multi-Factor Authentication (MFA) – Account compromises are always possible, but implementing two-factor (2FA) or multi-factor authentication decreases the risk and makes for a stronger ransomware defense. Threat actors who have penetrated accounts may be unable to use stolen passwords if strong passwords are combined with a second factor of authentication. MFA (multi-factor authentication) is especially critical for privileged accounts, since it preserves account security even when the password is compromised. With data breaches becoming more widespread, employing additional techniques, such as a time-based one-time password (TOTP) or biometric factors such as fingerprints, makes the threat operators' job more difficult.
  4. Zero-Trust Architecture – Moving to a zero-trust architecture is one of the industry's more recent security measures in building a stronger ransomware defense. Every connection and action must be approved and validated rather than relying on implicit trust. By removing the default trust granted to everything within the network, zero-trust ensures that even compromised accounts can be cut off from further access almost instantaneously.
  5. Penetration Testing – Even with all the proper precautions in place, penetration testing is essential for being truly proactive and identifying areas where security may be lacking, which builds a stronger ransomware defense. By actively attempting to infiltrate and attack their own infrastructure before threat actors do, companies can quickly discover security vulnerabilities.
  6. Data Backup – Proper, comprehensive data backups covering the company's entire infrastructure are critical in the event of a ransomware attack. If the worst happens, companies can quickly recover their infrastructure and restore services and functionality. By restoring promptly, companies mitigate the impact of a successful ransomware attack and can learn what may have been compromised.
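Step 2 above describes a NIST 800-63B style password policy with breached-password checking. The following is an added example, not code from the article or from SpearTip or Specops, of what such a check looks like when implemented: a policy evaluator that applies the 800-63B rules (minimum length, username as a context word, repeated or all-digit strings, no composition rules) and then looks the password up in a breach corpus using the same hash-prefix (k-anonymity) flow that Pwned Passwords uses. The function names and the breach table are assumptions constructed for this example; the table stands in for a real corpus or API, and Python 3.9+ is assumed.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus, keyed by the first five
# hex characters of the SHA-1 hash (the k-anonymity range scheme used by the
# Pwned Passwords API). Only hash suffixes and counts are stored per prefix,
# so a client never has to reveal the full hash of the password being checked.
# NOTE: constructed sample data for this example, not real breach data.
_BREACHED_BY_PREFIX: dict[str, list[tuple[str, int]]] = {}

def _register_breached(password: str, count: int) -> None:
    """Populate the constructed local corpus (plays the role of the remote API)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    _BREACHED_BY_PREFIX.setdefault(digest[:5], []).append((digest[5:], count))

for _pw, _n in [("Password1", 1_000_000), ("Summer2023!", 5000), ("letmein", 200_000)]:
    _register_breached(_pw, _n)

def breach_count(password: str) -> int:
    """Return how often the password appears in the breach corpus (0 if absent).
    Mirrors the k-anonymity flow: hash locally, fetch the bucket for the
    5-character prefix, and compare suffixes on the client side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in _BREACHED_BY_PREFIX.get(prefix, []):
        if candidate_suffix == suffix:
            return count
    return 0

def check_password(password: str, username: str, min_length: int = 8) -> list[str]:
    """NIST 800-63B style evaluation. Returns the reasons a password is rejected;
    an empty list means it is acceptable. Deliberately imposes no character-class
    composition rules, which 800-63B advises against."""
    reasons: list[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(password) > 64:
        reasons.append("longer than 64 characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if re.fullmatch(r"(.)\1*", password):      # e.g. 'aaaaaaaa'
        reasons.append("single repeated character")
    if re.fullmatch(r"\d+", password):         # e.g. '12345678'
        reasons.append("all digits")
    count = breach_count(password)
    if count:
        reasons.append(f"found {count} times in breach corpus")
    return reasons
```

In a real deployment the lookup by prefix would be a call to the breach corpus or API, but the client-side comparison of suffixes stays the same.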

While the six steps above cannot guarantee perfect security, they protect companies against even the more sophisticated threats, including Rorschach. Although Rorschach uses unique code to accelerate encryption, further improvements by ransomware authors are inevitable. Because threat actors frequently target low-hanging fruit, including previously compromised passwords, adopting a stricter password policy can prevent such attacks and drive them to look elsewhere. A free download will also check a company's Active Directory for over 940 million compromised passwords, so companies can make sure users are not relying on stolen credentials. Companies can keep ahead of threat actors by emphasizing proactive security and deploying security measures that strengthen their frontline defense. At SpearTip, our certified engineers are continuously working in our 24/7/365 Security Operations Center, monitoring companies' data networks for potential ransomware and ready to respond to incidents immediately. Our remediation team focuses on restoring companies' operations, isolating any malware, reclaiming their networks, and recovering business-critical assets. SpearTip will examine a company's security posture, improve the weak points in its network, and measure the maturity of its technical environment.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
