Countermeasures for Ransomware

Ransomware has emerged as one of the top national security concerns confronting the United States and is a top concern for most chief information security officers (CISOs) today. These sophisticated cyber threats not only disrupt vital infrastructure and major corporations, but they also can be detrimental to local communities and interrupt daily life for many people.

Ransomware attacks have evolved into multistage payload attacks where email and web (drive-by compromise) play an integral part in the attack chain, often delivering the initial payload as a malware downloader. These downloaders are designed to gain entry into a user’s system or steal credentials to access the network, spread laterally and infect victims with ransomware.  

Proofpoint Threat Analysts have observed ransomware threat actors becoming more hands-on with their campaigns and conducting additional surveillance of potential victims. They’re using targeted lures to focus on larger industries that could lead to critical implications if disrupted for prolonged periods. These threat actors will not only leave ransomware payloads but also exfiltrate data and threaten to release it for double extortion, leaving organizations helpless.

Ransomware mitigation strategies

Implementing detection tools like the Proofpoint Advanced Threat Protection can help prevent ransomware attacks during the initial distribution and infection stages. These tools use multilayered controls that can detect, block and provide visibility into ransomware and malware downloaders that lead to ransomware.

Following is an overview of other countermeasures your organization can use to help avoid or reduce the impact of ransomware attacks:

1. Use technology controls to block malicious payloads

This includes controls for email and cloud detection. For example, you could:

• Dynamically detect and block email and cloud threat variants
• Identify various threat tactics and trends
• Tag external email to alert recipients of its origin
• Analyze multiple email attributes (email header, sender’s IP address, reputation, and message body) for urgency
• Use Advanced BEC Defense from Proofpoint, a machine learning-based detection engine that learns in real time and analyzes every message detail
• Identify data exposure in the cloud and limit what you share with threat actors
• Protect from command-and-control with web security
• Limit the ransomware blast radius with zero-trust network access controls
• Prevent ransomware from being distributed from your cloud apps

There are also authentication controls you can employ, such as:

• Enforcing email authentication, like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and DMARC
• Block all attempts to send unauthorized emails from your trusted domains
• Report on lookalike domains dynamically across digital channels

Increasing visibility can also help you reduce the risk of a ransomware attack. For instance, you can:

• Identify the Very Attacked People™ (VAPs) in your organization to identify which users are being attacked with impostor threats
• Provide granular threat details
• See which suppliers pose the highest risk to your organization
• Uncover malicious lookalikes of your domains and your suppliers’ domains
• Reveal who is sending emails using your domain, including trusted third-party senders

Additionally, automated response mechanisms allow you to: 

• Quarantine or remove suspicious or unwanted messages with one click—or automatically
• Automate the abuse mailbox process
• Enable users to report suspicious messages directly from the warning tag
• Isolate user browsing sessions automatically based on their risk profile

2. Implement administrative controls 

Implementing administrative controls is another strategy. It includes security awareness training designed to ensure users understand the do’s and don’ts of email fraud and security. User knowledge and awareness play a critical role in improving email security. By keeping users aware of the techniques and tricks of cybercriminals, you can help them transform from targets to defenders who can identify, avoid and report malicious emails—and help keep the organization’s data, operations and finances safe.

User awareness should focus on safe computing practices and cautions. Users are your last line of defense, after all, so it’s important they know how to look out for suspicious emails. Also consider using tools that provide routine microlearning to help users improve their knowledge and awareness about common security threats involving email. 

The following is a summary of good practices that security awareness training for users should cover to help your organization reduce the risk of ransomware:

• Be wary of unexpected emails that have links or attachments.
• Always look at the email address carefully; the email address may not match the actual address of known companies, work colleagues or friends.
• Be sure to back up your data routinely in case ransomware is accidentally loaded; you can then restore your data and not pay.
• Be careful of “scary” emails informing you that an account or personal information has been compromised and that you must take immediate action by clicking a link or providing secret information.
• Be wary of “too good to be true” emails that provide windfall offers or lead you to believe you’ve won a prize and provide a link to claim the offer or prize.
• Always carefully examine email addresses to ensure they match who the email is purportedly from.

3. Get started now on raising user awareness

To help organizations raise user awareness and knowledge about ransomware, we’ve curated a selection of free resources to support users’ understanding of best practices to apply to work and personal email. 

The Proofpoint Ransomware Awareness Kit provides written, video and other visual content that can be emailed, displayed, posted or presented to reinforce safe email practices. In the kit, you’ll find a description of how to use the materials, a suggested communication plan and a deployment schedule. You’ll also find guidance and tips for executing a password improvement awareness campaign successfully using the materials provided.

Learn more about ransomware protection 

Check out this page on the Proofpoint website to learn more about our market-leading solutions and mitigation strategies to help you defend against phishing, email fraud, ransomware and more.