ARN

9 most important steps for SMBs to defend against ransomware attacks

Here's how small- to medium-sized businesses can effectively protect their networks against the risk of ransomware without breaking their security budgets.

Ransomware is impacting firms around the world. Mandiant has indicated that ransomware is on the rise and doesn’t appear to be slowing down one bit. These are the nine tasks that SMBs should focus on to mitigate risk from ransomware attacks.

1. Have a backup plan and tested recovery process

Some might argue that multi-factor authentication (MFA) is the best way to protect a firm, but I’d argue that having a tested backup and recovery process would be better. 

Too often businesses overlook having a backup and a tested recovery process. Especially for firms with on-premises servers and domain controllers, have a process where someone (in the firm, a consultant, or a managed service provider) performs a dry run of the actual recovery process.

When I’ve done a dry run, I often find that I need to perform some step that I’ve forgotten to restore from a bare-metal process. You may find that a Hyper-V parent (host) needs additional steps, or that you need to take ownership of the restoration image to fully restore a Hyper-V server or virtual machine to full working condition.

Ensure that you have a recovery script or manual in place so that staff tasked to recover know the steps. The documented steps will help lower the stress of the event.

2. No public-facing remote desktop connections

Do not expose servers to public-facing remote desktop connections. Many ransomware attacks start with attackers either guessing the passwords or finding repositories of administrative passwords left behind in online databases and GitHub repositories. 

We are often our own worst enemies when it comes to credentials, so never use public-facing Remote Desktop Protocol (RDP) in production networks.
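An added example to put the advice above into a check you can run on each server (this script is not from the article): it reports whether RDP is enabled, whether anything is listening on TCP 3389 and on which interface, and which enabled inbound firewall rules admit that port from any source address. It assumes an elevated PowerShell session on the server itself and the built-in NetSecurity module (Windows Server 2012 or later); the port number and the naming of the output fields are the script's own choices.

```powershell
# Added example (not the article's code): audit a Windows host for public-facing RDP.
# Assumptions: run elevated on the server; NetSecurity module present (Server 2012+).
$rdpPort = 3389

# 1. Is RDP switched on at all? fDenyTSConnections = 0 means connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is the port listening, and on which address? 0.0.0.0 or :: means every interface,
#    including any interface that faces the internet.
$listeners = Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Which enabled inbound allow rules cover the port, and from which remote addresses?
$openRules = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
    if ($ports -contains $rdpPort -or $ports -contains 'Any') {
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = ($addr -join ', ')
            # 'Any' means no source restriction at all; combined with a public interface
            # this is exactly the exposure the article says never to have in production.
            Unrestricted  = ($addr -contains 'Any')
        }
    }
}

"RDP enabled in registry : $rdpEnabled"
"Listening sockets on port ${rdpPort}:"
$listeners | Format-Table -AutoSize
"Enabled inbound allow rules covering port ${rdpPort}:"
$openRules | Format-Table -AutoSize

$listensEverywhere = ($listeners.LocalAddress -contains '0.0.0.0') -or ($listeners.LocalAddress -contains '::')
if ($rdpEnabled -and $listensEverywhere -and ($openRules.Unrestricted -contains $true)) {
    Write-Warning 'RDP listens on all interfaces behind an unrestricted allow rule. Scope the rule to management addresses or move RDP behind a VPN or gateway.'
}
```

The three checks are deliberately separate: RDP can be enabled but blocked, or listening but scoped to a management subnet, and only the combination of all three with a public interface is the condition to fix. Run it on every server rather than only the ones you remember exposing, since the ones you forgot are the ones attackers find.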

3. Limit administrator and domain administrator credentials

Review your network for the use of local administrator credentials as well as domain administrative credentials. Too often I see SMBs take the easy road and allow users to be local administrators with no restrictions. Even worse is when a network is set up giving users domain administrator rights.

There is no reason for a network user to have domain administrator roles or rights while they are a user. 

For many years vendors often assigned domain administrative rights because it was an easy fix to get an application to work properly. 

Vendors have moved away from granting administrator rights to requiring installation in the user profile, but I still hear reports of consultants finding networks where the users are domain administrators. On your domain controller, run the command Get-ADGroupMember "Domain Admins". No ordinary user in your organisation should be a domain administrator.
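The single command above tells you who is in the group; the added script below (not the article's own code) goes one step further and turns the membership into a review list. It expands nested groups, keeps only user objects, and flags any member whose account name does not follow a dedicated-admin naming convention, since those are the accounts most likely to be someone's day-to-day login. It assumes the RSAT ActiveDirectory module is available (always true on a domain controller) and that dedicated admin accounts are named like "adm-jsmith" or "jsmith-admin"; both the group list and the naming pattern are assumptions you should adjust to your own environment.

```powershell
# Added example (not from the article): review privileged group membership for
# accounts that look like ordinary users.
# Assumptions: ActiveDirectory module present; admin accounts follow an 'adm-*' or
# '*-admin' naming convention. Adjust $groups and $adminPattern to your environment.
Import-Module ActiveDirectory

$groups       = @('Domain Admins', 'Enterprise Admins')   # groups to review (assumed list)
$adminPattern = '^adm-|-admin$'                            # assumed naming convention

$report = foreach ($g in $groups) {
    # -Recursive expands nested groups so members hidden one level down are not missed.
    foreach ($m in Get-ADGroupMember -Identity $g -Recursive) {
        if ($m.objectClass -ne 'user') { continue }       # ignore computers and groups
        $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Group            = $g
            SamAccountName   = $u.SamAccountName
            Enabled          = $u.Enabled
            LastLogonDate    = $u.LastLogonDate
            PasswordLastSet  = $u.PasswordLastSet
            DedicatedAdmin   = ($u.SamAccountName -match $adminPattern)
        }
    }
}

$report | Sort-Object Group, DedicatedAdmin | Format-Table -AutoSize

# Members that do not look like dedicated admin accounts are the ones to question first.
$suspect = @($report | Where-Object { -not $_.DedicatedAdmin })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) privileged member(s) do not match the dedicated-admin naming convention; confirm none of them is a day-to-day user account."
}
```

LastLogonDate and PasswordLastSet are included because stale or never-used entries in these groups are as much of a problem as active ones: a forgotten vendor account with domain admin rights is precisely the easy fix from years ago that this section describes.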

4. Have a policy for confirming financial transactions

To ensure that your organisation won’t be caught by business email compromise (BEC) attacks, ensure that you have an agreed-upon process to handle financial transactions, wires and transfers. 

Never rely upon an email to provide you with the account information for fund transfers. Attackers will often know that you have projects underway and send emails attempting to lure you to transfer funds to an account they own. 

Always confirm with the receiving organisation that the account information is correct. If any changes to the process are made, there should be a documented approval process in place to ensure that the change is appropriate.

5. Isolate public-facing servers

For any server that is public facing, consider placing that server in an isolated position or even putting it in a hosted situation. Public-facing web servers should not be able to connect to internal systems if you are an SMB because the resources needed to properly secure and maintain them are often too high. Look for solutions that place limits and divisions between external web resources and internal domain needs.

6. Retire out-of-date servers

Investigate whether you can retire out-of-date servers. Microsoft recently released a toolkit that may allow customers to get rid of the last Exchange Server problem.

For years the only way to properly administer mailboxes in Exchange Online where the domain uses Active Directory (AD) for identity management was to have a running Exchange Server in the environment to perform recipient management activities.

Exchange Server 2019 CU12 includes an updated Exchange Management Tools role designed to address the scenario where an Exchange Server is run only because of recipient management requirements.

The role eliminates the need to have a running Exchange Server for recipient management. In this scenario, you can install the updated tools on a domain-joined workstation, shut down your last Exchange Server, and manage recipients using Windows PowerShell.

7. Review consultant access

Investigate the consultants and their access. Attackers look for the weak link and often that is an outside consultant. Always ensure that their remote access tools are patched and up to date. 

Ensure that they understand that they are often the entry point into a firm and that their actions and weaknesses are introduced into the firm as well. Discuss with your consultants what their processes are.

8. Focus on known exploited vulnerabilities

Focus on the known exploited vulnerabilities. While security consultants urge businesses large and small to turn on automatic updates, small firms often lack the resources to test patches and hold updates back to avoid side effects. Monitoring CISA's Known Exploited Vulnerabilities (KEV) catalogue allows you to focus on the items that are under active attack.
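As an added example of how to work from that list (this is not the article's code), the script below reads the KEV catalogue in its published JSON form and filters it down to recent entries for the products you actually run, so limited patch-testing effort goes where exploitation is already happening. By default it parses a small constructed sample embedded in the script, with placeholder CVE identifiers, so it runs offline; pass -Live to fetch the real feed from cisa.gov instead. The product list in $myProducts is illustrative and should be replaced with your own inventory; the 90-day window is an assumed default.

```powershell
# Added example (not from the article): filter CISA's KEV catalogue to your products.
# Assumptions: the published JSON feed URL below; $myProducts stands in for your inventory.
$kevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

# Constructed sample in the feed's shape, with placeholder CVE IDs, so the script runs offline.
$sampleJson = @'
{ "vulnerabilities": [
  { "cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "product": "Exchange Server",
    "vulnerabilityName": "placeholder", "dateAdded": "2022-04-25", "dueDate": "2022-05-16",
    "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Known" },
  { "cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
    "vulnerabilityName": "placeholder", "dateAdded": "2022-04-20", "dueDate": "2022-05-11",
    "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown" }
]}
'@

# Products to watch, matched case-insensitively as substrings of vendorProject / product.
$myProducts = @(
    @{ Vendor = 'Microsoft'; Product = 'Exchange Server' },
    @{ Vendor = 'Microsoft'; Product = 'Windows' }
)

function Get-KevEntries {
    param([switch]$Live)
    $catalog = if ($Live) { Invoke-RestMethod -Uri $kevUrl } else { $sampleJson | ConvertFrom-Json }
    return $catalog.vulnerabilities
}

function Select-RelevantKev {
    param($Entries, $Products, [int]$AddedWithinDays = 90, [datetime]$Now = (Get-Date))
    $cutoff = $Now.AddDays(-$AddedWithinDays)
    foreach ($e in $Entries) {
        $hit = $Products | Where-Object {
            $e.vendorProject -like "*$($_.Vendor)*" -and $e.product -like "*$($_.Product)*"
        }
        if ($hit -and ([datetime]$e.dateAdded) -ge $cutoff) {
            [pscustomobject]@{
                CVE        = $e.cveID
                Product    = "$($e.vendorProject) $($e.product)"
                Added      = $e.dateAdded
                DueDate    = $e.dueDate
                Ransomware = $e.knownRansomwareCampaignUse
                Action     = $e.requiredAction
            }
        }
    }
}

# Offline run against the sample; add -Live to Get-KevEntries for the real catalogue.
# $Now is pinned here so the sample's 2022 dates fall inside the window; drop it for live use.
Select-RelevantKev -Entries (Get-KevEntries) -Products $myProducts -Now ([datetime]'2022-05-01') |
    Sort-Object Added -Descending | Format-Table -AutoSize -Wrap
```

The knownRansomwareCampaignUse column is the one to sort by when you have to choose: an entry marked "Known" is being used in the exact attacks this article is about, and its dueDate is the deadline CISA sets for federal agencies, which is a reasonable target for an SMB as well.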

9. Deploy or update endpoint detection and response

Endpoint detection and response (EDR) is becoming more affordable for SMBs. Microsoft 365 Business Premium includes EDR in the form of Microsoft Defender for Business.