With the rise of Ransomware-as-a-Service, even low-skill attackers are hitting small businesses. What are the top three technical controls we should prioritize beyond just having backups? I want to know how to stop the encryption process before it starts or detect the exfiltration phase.
3 answers
To combat RaaS, you must focus on EDR (Endpoint Detection and Response). Most modern ransomware strains exhibit predictable behaviors, such as mass file renaming or shadow copy deletion. Setting up automated playbooks to isolate an infected host the moment these triggers occur is a lifesaver. Additionally, focus on blocking the initial access vectors, which are usually phishing or exposed RDP ports. We implemented a "Canary File" system where certain hidden files trigger an immediate alert if modified, allowing us to catch the encryption process in its very infancy during a test run.
Are you more concerned about the encryption of your local servers, or are you worried about the "double extortion" tactic where they leak your sensitive data online?
You should enforce a strict "Allow-list" for software execution. If the ransomware binary isn't on the approved list, it simply won't run, regardless of how it got onto the machine.
Application whitelisting is powerful, Laura. It's often overlooked because it's hard to maintain, but it is arguably the most effective way to stop unknown malicious executables.
Steven, the double extortion is definitely the bigger headache now. To stop that, we use Data Loss Prevention (DLP) tools to monitor for large outbound data transfers to unknown IP addresses. If someone tries to move 50GB of data to a random cloud storage site at 3 AM, the connection is instantly severed and our SOC team gets an urgent page. This has become a mandatory part of our stack.