Ransomware Attacks: What to do BEFORE you’re infected


November 17, 2020

In the ever-evolving cybersecurity landscape, ransomware attacks loom large, posing a persistent threat to organizations worldwide. As the age-old adage goes, “You can’t stop or avoid what you’re not prepared to handle,” in the realm of ransomware, preparedness is paramount. This comprehensive guide delves into many strategies and practices to fortify your defenses against ransomware attacks. From implementing robust Security Awareness Training Programs to bolstering Email Inbox Security, adopting Next-Generation Endpoint Protection, maintaining secure backups, whitelisting, blocking the known bad, and monitoring your IT environment around the clock – each strategy plays a vital role in building resilience against the pernicious threat of ransomware.

Section 1: Security Awareness Training Program

Education is the first line of defense in today’s interconnected world, where most ransomware attacks are solicited through Social Engineering campaigns and initiated by end-users. A well-designed Security Awareness Training Program can empower your employees to recognize and thwart ransomware attacks before they can infiltrate your Internet of Things (IoT) ecosystem. This section explores the importance of such programs, offering insights into their design, content, and ongoing management to ensure your workforce is equipped to navigate the ever-evolving threat landscape.

1.1 The Ransomware Attack Landscape

Before delving into the specifics of security awareness training, it’s essential to understand the evolving ransomware landscape. Ransomware attacks have become increasingly sophisticated, with attackers employing various tactics to deceive and compromise unsuspecting victims. From phishing emails to exploiting software vulnerabilities, cybercriminals relentlessly pursue ill-gotten gains.

1.2 Designing an Effective Training Program

A robust security awareness training program encompasses a range of topics and techniques to educate employees effectively. Training modules should cover common ransomware attack vectors, identify suspicious emails, and promptly report any security concerns. Additionally, simulations and exercises can help employees practice their skills in a controlled environment.

1.3 Ongoing Education and Testing

Cyber threats are continually evolving, making ongoing education and testing crucial. Regularly updating training materials and conducting simulated phishing exercises can help employees stay vigilant. Moreover, establishing a reporting mechanism for suspicious emails or incidents ensures that potential threats are addressed promptly.

Section 2: Email Inbox Security

Email remains a primary vector for ransomware attacks, with attackers often luring unsuspecting victims into clicking on malicious links or opening infected attachments. Here, we delve into the critical aspect of Email Inbox Security. We discuss the mechanics of these attacks, share best practices, and introduce technologies like DMARC DKIM and solutions like Cyren’s Office 365 Inbox Security platform that can help preemptively intercept these threats, saving organizations from the devastating consequences of human error.

2.1 Understanding Email-Based Attacks

Ransomware attacks via email often employ social engineering tactics to trick users into taking the bait. Phishing emails, disguised as legitimate messages, aim to manipulate recipients into clicking on malicious links or downloading infected attachments. Understanding the anatomy of these attacks is crucial to email security.

2.2 Implementing Email Authentication Protocols

Organizations should implement email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail) to thwart email attacks. These protocols help verify the authenticity of incoming emails, reducing the risk of falling victim to spoofed or phishing emails.

2.3 Leveraging Third-Party Solutions

In addition to email authentication protocols, third-party solutions like Cyren’s Office 365 Inbox Security platform provide an extra layer of protection. These solutions employ advanced threat detection mechanisms, real-time analysis, and machine learning to identify and quarantine potentially harmful emails, safeguarding your organization against ransomware threats.

Section 3: Next-Generation Endpoint Protection

Traditional endpoint protection solutions, reliant on signature-based detection, need to be equipped to combat the rapidly evolving landscape of ransomware. Enter Next-Generation Endpoint Protection powered by machine learning and artificial intelligence. We explore how solutions like Blackberry Protect (formerly Cylance) employ these technologies to proactively assess software’s safety, making it an essential tool in the fight against ransomware.

3.1 The Limitations of Traditional Endpoint Protection

Traditional endpoint protection solutions rely on databases of known malware signatures. While effective against known threats, they struggle to detect zero-day vulnerabilities and previously unseen ransomware variants. Attackers frequently evolve their tactics to bypass these traditional defenses.

3.2 Machine Learning and AI in Endpoint Protection

Next-generation endpoint Protection solutions like Blackberry Protect leverage machine learning and artificial intelligence to analyze file behavior and assess its potential threat level. By training on vast datasets, these solutions can detect suspicious patterns and anomalies, even in previously unseen ransomware strains, offering a proactive defense.

3.3 The Role of Threat Intelligence

Effective endpoint protection relies on real-time threat intelligence. Updating threat databases with information on emerging ransomware threats and attack techniques ensures that your protection remains relevant and resilient against the latest attacks.

Section 4: Backup Best Practices

While prevention is crucial, preparedness for a ransomware attack is equally vital. This section underscores the importance of regular and secure backups. Ransomware attacks encrypt endpoints and demand a ransom in exchange for decryption keys. By maintaining air-gapped backups stored securely and independently from the network, organizations can mitigate the impact of attacks, rendering ransom demands irrelevant.

4.1 The Value of Secure Backups

The adage “hope for the best, prepare for the worst” rings true in cybersecurity. Secure backups provide a lifeline in a ransomware attack, allowing organizations to restore their systems and data to a pre-infection state without succumbing to ransom demands.

4.2 Air-Gapped Backups

To safeguard backups from ransomware attacks, they should be air-gapped, meaning they are physically disconnected from the network. This isolation ensures that ransomware cannot reach and encrypt the backup copies, providing a fail-safe recovery option.

4.3 Regular Testing and Verification

There needs to be more than just maintaining backups; regular testing and verification are essential. Ensure that backups are functional, up to date, and readily accessible when needed. A well-executed backup strategy can differentiate between quick recovery and prolonged downtime.

Section 5: Whitelisting and Blocking

Effective network management plays a pivotal role in ransomware prevention. We delve into the concept of allowlisting, allowing only approved applications and processes to run within your organization’s network. Simultaneously, blocking known malicious entities and limiting exposure by restricting traffic from hazardous regions like Russia, China, North Korea, and Iran fortifies your defenses.

5.1 Allowing Approved Applications

Allowlisting is a proactive approach to security that defines a list of approved applications and processes allowed to run within your organization’s network. By restricting execution to trusted software, you reduce the attack surface for ransomware and other malicious threats.

5.2 Blocking the Known Bad

In addition to allowlisting, organizations should adopt a strategy of blocking known malicious entities. While blocking everything under the sun may not be practical, restricting traffic to and from countries hazardous to enterprise security can significantly reduce the risk of ransomware attacks.

5.3 Maintaining Network Vigilance

Network security is an ongoing process. Regularly review and update your whitelist and blocking policies to adapt to changing threats and organizational needs. Continuous monitoring and refinement are essential for maintaining a robust defense against ransomware.

Section 6: Credential Management and Access Control

Human error remains a glaring vulnerability in cybersecurity, particularly concerning credential management and password hygiene. This section advocates for proactive measures, including dark web scans to identify leaked credentials. We also introduce the Principle of Least Privilege, emphasizing the need to limit access to the bare minimum required for daily tasks, even among high-ranking personnel.

6.1 The Human Factor

Humans are fallible; this vulnerability extends to credential management and password practices. Acknowledging this weakness is the first step in addressing it. Employees should be educated about weak passwords and careless credential management risks.

6.2 Dark Web Scans

Dark web scans can help organizations identify if their credentials have been compromised in data breaches. These scans provide valuable insights into potential security risks and can prompt organizations to take corrective action promptly.

6.3 Principle of Least Privilege

The Principle of Least Privilege is a foundational concept in cybersecurity. It dictates that individuals, including administrators and high-ranking personnel, should have access only to the resources necessary for their day-to-day tasks. Implementing this principle reduces the potential impact of insider threats and minimizes the risk of ransomware spreading.

Section 7: Continuous Monitoring

In the ever-evolving cybersecurity landscape, constant vigilance is essential. The final section discusses the importance of continuous monitoring, covering critical aspects such as watching for changes to operating system components, detecting rogue applications, monitoring process and port activity, and identifying system incompatibilities.

7.1 Continuous Threat Monitoring

Cyber threats are dynamic, making continuous monitoring a fundamental aspect of ransomware prevention. Monitoring should extend to critical operating system components, file changes, directory modifications, and registry key alterations.

7.2 Rogue Application Detection

Ransomware attackers often attempt to execute rogue applications on compromised systems. Continuous monitoring should include detecting unauthorized or suspicious software and immediate remediation measures.

7.3 System Compatibility and Health Checks

Monitoring should encompass regular system health checks, ensuring all components operate as expected. Incompatibilities, unusual processes, port activity, or signs of compromise should trigger immediate investigation and remediation.


Ransomware attacks remain a formidable threat, but armed with knowledge and a comprehensive strategy, organizations can significantly reduce their risk exposure and enhance their ability to thwart these malicious incursions. By implementing robust security practices, including Security Awareness Training Programs, Email Inbox Security, Next-Generation Endpoint Protection, Backup Best Practices, Whitelisting and Blocking, Credential Management, Access Control, and Continuous Monitoring, organizations can build resilience and fortify their defenses against ransomware attacks. In a world where cyber threats continue to evolve, preparedness and vigilance are our strongest allies in the battle against ransomware. With these strategies, organizations can bolster their cybersecurity posture and safeguard their valuable assets from the ever-present ransomware threat.

Interested in learning more about what Integris can do for your cybersecurity posture? Click here: https://integrisit.com/services/cybersecurity/

Carl Keyser is the Content Manager at Integris.

Keep reading

What to Know Before Installing Copilot for Microsoft Word

What to Know Before Installing Copilot for Microsoft Word

Imagine having an AI assistant that pulls from your notes, marries them to an existing document format, and writes a document for you. That's the power of Copilot for Microsoft Word, which is planned for rollout in 2024 for those who buy the Copilot M365 license....

Bridging the Gap between Automation and Innovation

Bridging the Gap between Automation and Innovation

Automation and Innovation. Some people might say those two words cancel each other out. Yet, I believe these two concepts can create capacity for each other—if your business leverages the free time automation creates to foster innovation. Automation can be...