
"In one case last year, an attacker gained remote access to the targeted client environment by exploiting a default administrator account for specialist software. Although the compromised account had minimal privileges, a weak password allowed the attacker to gain control of a local administrator account. Unfortunately, the same account and password were on every workstation within the environment, and event logs showed the attacker accessing multiple systems using the account. Surprisingly, although the attacker had access to all data in the environment, including sensitive financial and customer information, all they did was install ransomware."
- Perform inventories and regular backups of important data using (physically or logically) isolated media. Remember, accessible network shares can be infected as well.
- Apply security patches on a regular basis (for your operating systems and browsers, and for third-party software and plug-ins such as Java, Adobe Flash and Reader, and Microsoft Office).
- Run endpoint protection and anti-virus, with the latest signatures, in all environments.
- Browse the web using a secure web gateway (SWGs should combine IP/domain blacklists with additional web inspection controls).
- Send and receive email using a secure email gateway.
- Practice the principle of least privilege. Do not allow regular users to have administrator privileges on their systems whenever possible.
- Offer security awareness education for employees. Even though incidents like WannaCry arrived through exposed SMB ports and didn't involve user interaction, many ransomware attacks start with a successful phish.
- Have technology and a plan to identify and deal with a successful attack. This includes detection and response. The sooner you can identify that a ransomware event is underway, the sooner you can begin the all-important incident response process.
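The incident quoted above left a clear trail in the event logs: one local administrator account, with a password shared across every workstation, logging on to host after host. That fan-out is the kind of signal the detection point in the last bullet refers to. The following Python is an added example (not the article's own code): it flags any account/source pair that reaches an unusual number of distinct hosts within a short window. The log records are constructed, and the field layout, threshold and window size are assumptions, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons (assumed to be extracted
# from Windows Security event 4624, logon type 3). Not real log data.
# Fields: timestamp, account, source_ip, target_host
SAMPLE_LOGONS = [
    ("2024-03-01 02:10:05", "localadmin", "10.0.5.23", "WS-017"),
    ("2024-03-01 02:10:41", "localadmin", "10.0.5.23", "WS-022"),
    ("2024-03-01 02:11:12", "localadmin", "10.0.5.23", "WS-031"),
    ("2024-03-01 02:11:50", "localadmin", "10.0.5.23", "WS-008"),
    ("2024-03-01 02:12:33", "localadmin", "10.0.5.23", "WS-045"),
    ("2024-03-01 02:13:02", "localadmin", "10.0.5.23", "FS-01"),
    ("2024-03-01 09:00:00", "jsmith",     "10.0.7.11", "WS-017"),
    ("2024-03-01 09:30:00", "jsmith",     "10.0.7.11", "FS-01"),
    ("2024-03-01 14:00:00", "localadmin", "10.0.9.2",  "WS-017"),  # single benign admin logon
]


def find_fan_out(logons, window=timedelta(minutes=10), min_hosts=5):
    """Return one alert per (account, source_ip) pair that reached at least
    `min_hosts` distinct hosts inside some sliding window of length `window`.
    Threshold and window are assumed tuning values; tune them per environment."""
    by_actor = defaultdict(list)
    for ts, account, src, host in logons:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_actor[(account, src)].append((when, host))

    alerts = []
    for (account, src), events in by_actor.items():
        events.sort()
        best_hosts, first_seen, start = set(), None, 0
        for end in range(len(events)):
            # advance the left edge until the window spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) > len(best_hosts):  # keep the densest window seen
                best_hosts, first_seen = hosts, events[start][0]
        if len(best_hosts) >= min_hosts:
            alerts.append({"account": account, "source": src,
                           "first_seen": first_seen, "hosts": sorted(best_hosts)})
    return alerts


if __name__ == "__main__":
    for a in find_fan_out(SAMPLE_LOGONS):
        print(f"{a['account']}@{a['source']} reached {len(a['hosts'])} hosts "
              f"starting {a['first_seen']}: {', '.join(a['hosts'])}")
```

A real deployment would read 4624 events from a SIEM rather than a list, but the sliding-window logic is the same; lowering the threshold for accounts that should never log on remotely (local administrators) makes the rule far more sensitive without adding noise from ordinary users.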