Key actions in NIST's guidance against ransomware

In recent years, ransomware cyberattacks have increased both in number and virulence, threatening organizations of all types and sizes. In fact, according to Cybersecurity Ventures, they generated global losses of $20 billion in 2020 alone, surpassing the previous year's figure of $11.5 billion.

Wannacry is probably the most common ransomware, affecting thousands of companies across the world in 2017. However, there are also recent examples of public institutions that really should be better protected, as was the case when Babuk infiltrated the Washington D.C. police department or when Ryuk hacked into Spain’s Public State Employment Service (SEPE). Although these examples are relatively recent, WatchGuard has put together an infographic on the history of ransomware that includes many more attacks, demonstrating the proliferation of these threats.

Framework of measures

Against this backdrop of increasingly prevalent threats, the US National Institute of Standards and Technology (NIST) has released draft guidance containing a framework for organizations to manage ransomware risk. This draft includes quick references with resources, documentation and links on how to implement them. The framework is set out in a table that NIST calls "The ransomware profile," which is split into 5 main sections:

• Identify: This is about having a complete overview of the organization, providing an inventory of all professionals, assets, data and capabilities, in order to be better prepared to manage threats when they occur.

• Protect: Planning preventive measures to ensure the operability of the organization's key services. This should always include the ability to limit or contain the impact of a potential cybersecurity incident.
• Detect: Carrying out activities aimed at identifying a cybersecurity incident.
• Respond: By executing the most appropriate actions when the incident has already occurred within the organization.
• Recover: By developing resiliency plans to restore any capabilities or services affected by the incident. This includes the return to normal operations.

Preventive measures

To complement the framework, this document also provides summaries of general recommendations in order to prevent and mitigate ransomware-related incidents. These measures are:

• Keep systems up to date and run update reviews periodically.
• Only allow applications that have been pre-authorized by cybersecurity or IT professionals.
• Restrict the use of personal devices on corporate networks.
• Promote the use of standard user accounts rather than accounts with administrative privileges whenever possible.
• Avoid using non-corporate applications and software, such as personal email, chat and social networking clients, on corporate devices.
• Be careful with unknown sources. Do not open files or click on links from unknown sources unless a scan has been executed beforehand.
• Block access to ransomware sites, using cybersecurity solutions that block access to ransomware sites already identified as such.
• Always use antivirus software and configure it to automatically scan emails and flash drives.

Although most of these recommendations can be described as good cybersecurity practices, technological tools play a key role in several of them. This is the case of blocking ransomware sites and scanning for threats, both in external sources (links, files, etc.) and in the system itself.

In this respect, WatchGuard Endpoint Security addresses these needs, so that MSPs can deploy the best possible protection against the growing ransomware risks in organizations. WatchGuard EPDR brings together endpoint protection (EPP) and detection and response (EDR) capabilities in a single solution. It also includes the Zero-Trust Application service, whereby any binary is distrusted by default before scanning, and features such as URL filtering, device control and a managed firewall. This means cyberattackers will have far fewer options when attempting to infiltrate, execute or block the organization's systems using ransomware.