## **6. Ransomware prevention, detection, and response**

Organizations need to take a multipronged approach to prevent and defend against a ransomware attack. The best strategy to tackle ransomware is a combination of prevention, detection, and recovery capabilities.

### **6.1 Prevention**

Organizations need controls that cover all of the distribution methods highlighted in Section 3 and, as part of a defense-in-depth strategy, deploy those controls at multiple levels.

At the network layer, organizations need to implement solutions such as email gateway security and a sandbox to protect against phishing campaigns, which are the most common attack vector for ransomware. Web application firewalls (WAFs) help prevent initial access through exploits that target public-facing applications. Intrusion prevention systems (IPS) and content filtering solutions help prevent communication with command and control servers. Most sophisticated ransomware operations also exfiltrate data as a form of extortion, so data loss prevention (DLP) solutions are an important control against data leakage.

At the endpoint layer, apart from an anti-virus (AV) solution, organizations need to implement endpoint detection and response (EDR) solutions to detect malicious activity such as the spawning of a malicious process. In addition, organizations need to configure their information technology (IT) environment so that macros in documents received from outside the network cannot be enabled, without interrupting any business processes. It is also advisable to install browser protection and ad blocking on end-user workstations, as this prevents JavaScript-based malware from executing on the system [20].

Organizations must also have a robust vulnerability management program that focuses on hardening workstations and servers within the network. Attackers leverage exploit kits to exploit vulnerabilities in systems and technologies. As an example, the Locky ransomware is frequently delivered via the Rig exploit kit, which targets some of the Adobe Flash vulnerabilities [20]. Therefore, it is imperative to keep your systems and applications fully patched and up to date.

Most ransomware distribution methods require end-user interaction. Therefore, organizations need to create robust security awareness training for their employees and train them in how attackers leverage social engineering to trick users.

### **6.2 Detection**

Detective controls play an important role in the fight against ransomware. In a modern ransomware attack, there is a significant dwell time before ransomware is deployed and executed. With the advent of big game hunting, attackers spend considerable time identifying high-value targets post-compromise. The dwell time can be as little as a few days and can go up to weeks before the deployment of ransomware. This enables defenders to deploy detective controls in order to identify unusual activity pointing to an ongoing ransomware attack.

*Perspective Chapter: Ransomware. DOI: http://dx.doi.org/10.5772/intechopen.108433*

Ransomware detection can be done by matching the behavior exhibited by various ransomware variants. Ransomware behavior involves the generation of network traffic to C2 servers, which includes domain name system (DNS) queries [21]. Detective controls such as an intrusion detection system (IDS) and a security information and event management (SIEM) platform have inbuilt signatures and rules to detect such events. In addition, custom rules can be created to look for specific behaviors such as anomalous SMB traffic, creation of new privileged accounts, anomalous outbound traffic, and suspicious process and PowerShell activity. Alerts from detective controls are investigated in a Security Operations Centre (SOC). These alerts have a high false positive rate, and it is imperative that SOC analysts work with the threat detection team to tune the platforms and reduce the noise [22].
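The custom rules described above can be prototyped before they are ported to a SIEM. The following is an added example and not code from the chapter: three small correlation rules (a newly created account that is promoted to a privileged group, a burst of random-looking DNS labels under one parent domain from a single host, and an encoded PowerShell command line) run over a handful of constructed log events. The event layout, the hosts, users, domains and the script strings are all assumptions made for the example; the event IDs 4720, 4732 and 4104 are the real Windows Security and PowerShell script-block event IDs.

```python
"""Toy correlation rules for the ransomware behaviors the chapter lists.

Added example, not the chapter's code. Event shapes and every host, user,
domain and script string below are constructed for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample events, loosely modelled on Windows Security events
# (4720 = user account created, 4732 = member added to a local group),
# DNS query logs and PowerShell script-block logs (4104). All values are made up.
SAMPLE_EVENTS = [
    {"src": "security", "host": "WS01", "event_id": 4720, "target": "svc_backup2", "by": "jdoe"},
    {"src": "security", "host": "WS01", "event_id": 4732, "target": "svc_backup2",
     "group": "Administrators", "by": "jdoe"},
    {"src": "security", "host": "WS02", "event_id": 4720, "target": "intern01", "by": "hr_admin"},
    {"src": "dns", "host": "WS02", "query": "sharepoint.corp.example.com"},
    {"src": "dns", "host": "WS01", "query": "q7x2k9pm4z.a1b2c3.net"},
    {"src": "dns", "host": "WS01", "query": "m3n8v1c5b6.a1b2c3.net"},
    {"src": "dns", "host": "WS01", "query": "z4w9e2r7t1.a1b2c3.net"},
    {"src": "dns", "host": "WS01", "query": "y6u3i8o5p2.a1b2c3.net"},
    {"src": "dns", "host": "WS01", "query": "a9s4d7f1g3.a1b2c3.net"},
    {"src": "dns", "host": "WS01", "query": "h2j5k8l1m4.a1b2c3.net"},
    {"src": "powershell", "host": "WS01", "event_id": 4104,
     "script": "powershell.exe -nop -w hidden -enc " + "A" * 32},   # placeholder base64
    {"src": "powershell", "host": "WS02", "event_id": 4104,
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
ENTROPY_BITS = 3.0      # leftmost DNS label looks random above this
MIN_RANDOM_LABELS = 5   # ...and several such labels under one parent domain are needed
# "-e", "-enc" or "-EncodedCommand" followed by a long base64 run
ENCODED_PS = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty or single-char string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def rule_new_privileged_account(events):
    """Account created (4720) and then added to a privileged group (4732) on the same host."""
    created = {(e["host"], e["target"]) for e in events
               if e["src"] == "security" and e["event_id"] == 4720}
    alerts = []
    for e in events:
        if (e["src"] == "security" and e["event_id"] == 4732
                and e.get("group") in PRIVILEGED_GROUPS
                and (e["host"], e["target"]) in created):
            alerts.append({"rule": "new_privileged_account", "host": e["host"],
                           "detail": f"{e['target']} created and added to {e['group']} by {e['by']}"})
    return alerts


def rule_dga_like_dns(events):
    """Many distinct random-looking subdomains under one parent domain from one host."""
    seen = defaultdict(set)   # (host, parent domain) -> set of random-looking labels
    for e in events:
        if e["src"] != "dns":
            continue
        labels = e["query"].lower().split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        if shannon_entropy(labels[0]) >= ENTROPY_BITS:
            seen[(e["host"], parent)].add(labels[0])
    return [{"rule": "dga_like_dns", "host": host,
             "detail": f"{len(lbls)} random-looking labels under {parent}"}
            for (host, parent), lbls in seen.items() if len(lbls) >= MIN_RANDOM_LABELS]


def rule_encoded_powershell(events):
    """Encoded PowerShell command line, a common loader pattern worth triaging."""
    return [{"rule": "encoded_powershell", "host": e["host"], "detail": e["script"][:60]}
            for e in events if e["src"] == "powershell" and ENCODED_PS.search(e["script"])]


def run_rules(events):
    """Run every rule and return the combined alert list for SOC triage."""
    alerts = []
    for rule in (rule_new_privileged_account, rule_dga_like_dns, rule_encoded_powershell):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

Each rule is deliberately narrow so that its false positive rate can be measured and tuned on its own, which is the SOC/threat-detection feedback loop the chapter calls for: the DNS rule, for example, needs both a per-label entropy threshold and a minimum number of such labels, because a single long legitimate hostname easily clears the entropy bar on its own.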

Organizations need to develop cyber fusion capabilities to tackle advanced persistent threats. This can be achieved by creating a Cyber Defense Centre (CDC) that comprises teams such as the CSIRT, Red Team, VA, threat detection, and cyber threat intelligence (CTI) teams. Cyber threat intelligence plays a vital role in providing intel on ongoing campaigns to ensure that enterprise defenders are ready for the threat and know what to look for. Organizations also need to conduct tabletop exercises quarterly, looking at specific scenarios based on intel received from the threat intelligence team.

### **6.3 Response**

It is imperative to create a Ransomware Incident Response Plan that will be executed by an organization's computer security incident response team (CSIRT).

Identify the infected systems within the network and isolate the infected devices immediately. It is extremely important to determine the scope of the infection. Look for symptoms such as file name changes and service tickets from employees who are unable to access files.
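File name changes are the symptom most easily turned into a scoping query. The following is an added example, not code from the chapter: it scans constructed file-rename audit events for hosts where many files change extension within a short window, and summarises for each such host the first-seen time, the account doing the renaming, the extension being appended and the directories touched, which is what the responder needs to decide what to isolate and where to start the timeline. The event format, hosts, users, paths and the `.locked` extension are all assumptions made for the example.

```python
"""Scope a ransomware infection from file-rename audit events.

Added example, not the chapter's code. The event format and every host,
user and path below are constructed; '.locked' stands in for whatever
extension the variant under investigation appends.
"""
import os
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time
WINDOW = timedelta(seconds=60)      # sliding window for the rename burst
THRESHOLD = 10                      # extension changes inside WINDOW that count as a burst

# Constructed file-server audit events: FS01 shows a rename burst from one
# service account, WS07 shows two ordinary extension changes, plus one benign
# rename on FS01 that keeps its extension.
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(seconds=2 * i), "host": "FS01", "user": "svc_share",
     "old": f"/srv/finance/report{i}.xlsx", "new": f"/srv/finance/report{i}.xlsx.locked"}
    for i in range(12)
] + [
    {"ts": T0 + timedelta(seconds=5), "host": "FS01", "user": "alice",
     "old": "/srv/finance/budget.xlsx", "new": "/srv/finance/budget_old.xlsx"},
    {"ts": T0 + timedelta(minutes=3), "host": "WS07", "user": "bob",
     "old": "/home/bob/notes.txt", "new": "/home/bob/notes.md"},
    {"ts": T0 + timedelta(minutes=4), "host": "WS07", "user": "bob",
     "old": "/home/bob/todo.txt", "new": "/home/bob/todo.md"},
]


def ext(path):
    """Lower-cased file extension, '' if there is none."""
    return os.path.splitext(path)[1].lower()


def find_rename_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: summary} for every host with >= threshold extension changes in a window.

    The summary describes the window that first crossed the threshold, so
    first_seen is the earliest rename of the burst and count is the burst size.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if ext(e["old"]) != ext(e["new"]):      # renames that keep the extension are ignored
            by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        recent = deque()
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[host] = {
                    "first_seen": recent[0]["ts"],
                    "user": Counter(x["user"] for x in recent).most_common(1)[0][0],
                    "new_ext": Counter(ext(x["new"]) for x in recent).most_common(1)[0][0],
                    "paths": sorted({os.path.dirname(x["old"]) for x in recent}),
                    "count": len(recent),
                }
                break   # one burst is enough to mark the host for isolation
    return flagged


def hosts_to_isolate(events, **kwargs):
    """Sorted list of hosts that should be cut off from the network now."""
    return sorted(find_rename_bursts(events, **kwargs))


if __name__ == "__main__":
    for host, summary in find_rename_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {summary['count']} files -> {summary['new_ext']} by {summary['user']} "
              f"from {summary['first_seen']:%H:%M:%S} in {summary['paths']}")
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

The window and threshold are the knobs to tune against the environment: a file server that legitimately converts documents in bulk will need a higher threshold, while a tight window keeps a slow background job from accumulating into a false burst. The `user` field is usually the first pivot for the attack timeline, since the account holding the files open is the one that was compromised or impersonated.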

Secure your backup data by taking it offline, and ensure that the backup data is not infected by running a full scan [23]. Restore compromised files from backup data once all the devices have been decrypted and are running antivirus.

The incident response team must also identify the attack vector and chart out the attack timeline. This helps identify how the attack happened and where the control gaps are, and prevents recurring ransomware attacks in the future.

Report the incident to law enforcement immediately, as typical ransomware attacks involve data leaks. Within the United States, report the incident to the nearest FBI office, which can help identify those responsible and prevent future attacks [23].

Once normal operations resume, it is advisable to conduct a post-incident review of the lessons learned from the ransomware attack.
