Before - ransomware attack prevention measures
1.Precautionary measures – System Protection
- Use antivirus software and update the system and applications in a timely manner：Attackers usually use unpatched vulnerabilities to access unauthorized systems and networks to perform subsequent malicious activities.
- Antivirus/antimalware software should be installed and keep updated for the virus and malicious signature code. Perform a scan for the system and network at least once a week, and scan all received documents.
- When a mobile storage device (such as a flash drive) is connected, an antivirus scan should be performed.
- Update the system and application software to the latest version, also download the latest security update file.
- Strengthen the security of the server with dispatch ability: Because the antivirus software has central control on AD server, asset management system, etc. it is necessary to pay special attention to security updates and closely watch their group policies for abnormal changes.
- Only enable Microsoft Office macros as needed：Ransomware may infect through malicious Microsoft Office files and introduce virus with macros enable when view the file incautiously.
- Minimize open port setting：Ransomware may use exposed services and open ports (such as RDP port 3389 and SMB port 445) to spread on the Internet. In addition to confirming the necessity of opening, it should also be confirmed that the users of these services are trusted.
- Set up a firewall to block any network connection with known malicious IP and URL, prohibit the use of rules that allow any connection, and only allow connections with external service IP and DN.
- Minimum use authority of personnel：In order to reduce the opportunity for attackers to gain administrative rights, we should:： - Provide users other than managers with the minimum authority required for their duty.
- Raise cyber security awareness：Employees should be trained regularly to establish good cybersecurity awareness and Internet use behavior, such as identifying suspicious e-mails, do not click links randomly, and do not open e-mail attachments from unknown or untrusted sources. In addition, conduct social engineering drills to improve training effectiveness.
- System backup：A system backup mechanism should be developed for network-oriented systems to ensure that services can be maintained in the event of a problem with the system.
- Enabling the system event log function can provide important evidence when a system failure or abnormality occurs.
- View and manage all the usage of user accounts and disable inactive accounts.
- Implement multi-factor authentication.
2.Precautionary measures – Data Protection
- Encrypt important and sensitive information：Important and sensitive data should be encrypted. If the data is stolen, it can increase the difficulty for the attacker. In addition, some ransomware only works on common file types (such as images and documents), and encryption can also prevent them from detecting files.
- Separate data according to different importance, tasks, etc... Strict access control for important data.
- Maintain updated backup and keep them offline：Performing data backup regularly helps to restore data in the event of a ransomware attack, and the host or device storing the backup data should not be connected to the network to prevent the ransomware from affecting the backup data through the network.
- 3-2-1 Backup principle：3 backups, 2 storage media, and 1 offsite storage location.
- Regularly maintain image files of important systems：The image file of a virtual machine or server includes a pre-configured operating system and related application software. When an attack occurs and the system needs to be rebuilt, these image files can be used to achieve rapid deployment and recovery.
3. Precautionary measurement for enterprise organizations – Preparation for Incident Handling
- Before an incident occurs, it is very important to develop an incident contingency plan and conduct drill to verify whether the plan is feasible. When attacked, it is difficult to judge the correct course of action immediately. The plan and implementation will help employees understand the actions to be taken and determine the priority of restoration of various systems and environments.
- Prepare a list of external information security units that can seek assistance when a cyber security incident occurs, and a list of police investigations and contact methods.
- Join an information sharing organization, such as ISAC or TWCERT/CC.