Mitigation steps for businesses

Keep corporate devices’ operating systems and applications updated.

  • Apply the latest security patches and ensure critical software is up to date, including on mobile devices.
  • Enable the option for automated updates if possible. Having the latest updates will ensure that the devices are not only more secure, but also perform better.
  • Assess whether antivirus and anti-malware products are required and keep them up to date.
  • Conduct regular scans to ensure that your operating systems work efficiently.
  • Consider using a centralised patch management system and use a risk-based assessment strategy to determine which systems should be part of the patch management program.
  • Regularly back up your systems, online and offline. Up-to-date backups are the most effective way of recovering from a ransomware attack.
  • Ensure that you create offline backups that are kept in a different location (ideally offsite), separate from your network and systems, and/or in a cloud service designed for this purpose. Keep in mind that ransomware actively targets backups to increase the likelihood of victims paying to retrieve their data.

Know your assets and compartmentalise them.

Sensitive data must be treated differently from day-to-day data.

  • Store sensitive data in compartmented locations.
  • Implement and ensure effective network segregation, in order to limit the ability of adversaries to pivot from one segment of the network to another.
  • Ensure compartmentalisation of areas with different characteristics and security profiles, isolating and limiting access to those segments that are more exposed to threats.

Secure access to Remote Desktop Protocol (RDP).

Limit access to resources over networks, especially by restricting RDP. After a proper risk assessment, if RDP is deemed absolutely necessary for your organisation, restrict the originating sources and require multi-factor authentication.

Monitor data exfiltration.

Many ransomware campaigns come with the threat of releasing data to encourage businesses to pay the ransom. The earlier data exfiltration is detected, the less damage any release can do. Watching for data exfiltration provides insight into exactly what data is at risk of exposure.

There is no guarantee that the attacker will not release the data or re-use the same data for additional blackmail. Treat both scenarios as possible regardless of whether the ransom is paid.
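One way to turn the exfiltration monitoring described above into a concrete check, as an added example that is not part of the original guidance: sum outbound bytes per internal host from flow records and flag hosts far above the baseline of their peers. The CSV layout, the internal address ranges and the sample flow lines are all constructed assumptions for this example.

```python
"""Flag internal hosts whose outbound transfer volume stands out from the rest.

Assumed record layout (constructed for this example):
    timestamp,src_ip,dst_ip,dst_port,bytes_out
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flows: one workstation pushes far more data out at night
# than any of its peers do during the working day.
SAMPLE_FLOWS = """\
2024-05-01T02:10:00,10.0.1.15,203.0.113.7,443,734003200
2024-05-01T02:11:00,10.0.1.15,203.0.113.7,443,812000000
2024-05-01T02:12:00,10.0.1.15,10.0.2.5,445,52000000
2024-05-01T09:00:00,10.0.1.20,198.51.100.9,443,1200000
2024-05-01T09:05:00,10.0.1.21,198.51.100.9,443,950000
2024-05-01T09:06:00,10.0.1.22,198.51.100.40,443,2100000
"""

# Assumed internal ranges; adjust to your own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows

def outbound_bytes_per_host(flows: list):
    """Sum bytes leaving the internal network, keyed by the internal source host.
    Internal-to-internal traffic (e.g. SMB to a file server) is not counted."""
    totals, dests = defaultdict(int), defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
            dests[f["src"]].add(f["dst"])
    return totals, dests

def find_exfiltration_candidates(flows: list, factor: float = 10.0,
                                 min_bytes: int = 100_000_000) -> dict:
    """Flag hosts whose outbound volume exceeds both an absolute floor and
    `factor` times the median of all hosts (peer baseline). Thresholds are
    assumed defaults; tune them against your own traffic history."""
    totals, dests = outbound_bytes_per_host(flows)
    if not totals:
        return {}
    limit = max(min_bytes, factor * median(totals.values()))
    return {h: {"bytes": b, "destinations": sorted(dests[h])}
            for h, b in totals.items() if b > limit}
```

Hosts the check flags are the ones whose data is most likely to be at risk of exposure, and their destination list tells you where it went.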

Test your systems.

Regularly run penetration tests against your network's security and test the process for restoring critical information to ensure that it works as expected.

Reduce the likelihood of malicious content reaching your networks.

  • Disable scripting environments and macros.
  • Configure your systems to actively inspect content, only allowing certain file types and blocking websites, applications, protocols, etc. that are known to be malicious.
  • At the network level, consider filtering network traffic, implementing policies to monitor, filter and block illegitimate or malicious traffic from reaching your networks.
  • Implement blacklisting/whitelisting rules based on live threat intelligence feeds in order to prevent users from accessing malicious websites, malicious IP addresses, phishing URLs, anonymous proxies, the Tor network and other anonymisation services, etc.

Use enhanced passwords and change them on a regular basis.

  • Numbers, symbols, and combinations of upper and lower case will help you create stronger passwords.
  • Train and encourage your employees to use strong passwords both in their professional and private lives and promote the use of a password manager.

Use strong authentication.

Require multi-factor authentication to access accounts on critical networks in order to minimize the risk of access through stolen or hacked credentials.

Manage the use of privileged accounts.

  • Restrict your employees’ ability to install and run software applications on corporate network devices.
  • Ensure that user and system accounts are limited through account use policies, user account control, and privileged user access management.
  • Organise access rights based on the principles of least privilege, need-to-know and segregation of duties. A compromise of a privileged user account leads to much greater exposure than that of a standard user account.

Secure your teleworking equipment.

  • Implement measures such as hard disk encryption, inactivity timeouts, privacy screens, strong authentication, disabling Bluetooth, and control and encryption of removable media (e.g. USB drives).
  • Implement a process to remotely disable access to a device that has been lost or stolen.

Install apps from trusted sources only.

Companies should only permit the installation of apps from official sources on those mobile devices that connect to the enterprise network. As an option, consider building an enterprise application store through which end users can access, download and install corporate-approved apps. Consult your security vendor for advice or build your own in-house.

Be wary of accessing company data through public Wi-Fi networks.

In general, public Wi-Fi networks are not secure. If an employee is accessing corporate data using a free Wi-Fi connection at an airport or coffee shop, the data may be exposed to malicious users. It is advised that companies develop effective use policies in this regard.

Provide your staff with cybersecurity education and awareness training.

  • Educate your employees about the company’s policy on online safety. Take the time to raise awareness of cyber threats, especially phishing and social engineering, as well as what to do if they come across suspicious activity.
  • Consider implementing a user training program that includes simulated attacks for spear phishing to discourage employees from visiting malicious websites or opening malicious attachments.
  • Provide your staff with a seamless way to report phishing emails and reward them when they do so. A simple thank you pop-up or point system helps drive employees to be wary and report what they find suspicious.

Explore cyber liability insurance.

Consider finding an insurance agent that offers coverage in the event of a cyber-attack.

Turn on local firewalls.

Turn on local firewalls to help protect against unauthorized access.

Disable Windows PowerShell.

Disable Windows PowerShell if not used. Some ransomware variants use PowerShell to execute.

Infected… What to do next?

  1. Immediately disconnect the infected device(s) from all network connections, whether wired, wireless or mobile-phone based, but do not switch them off.
  2. In very serious cases, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
  3. Reset credentials, including passwords (especially for administrator and other system accounts), but verify that you are not locking yourself out of systems that are needed for recovery.
  4. Report the incident to your national police or other competent authority.
  5. Preserve any evidence, in coordination with the competent authorities investigating the attack: create a forensic image of affected systems (or a system snapshot), create a RAM dump of the affected systems, and preserve any netflow or other network traffic logs.
  6. Safely wipe the infected devices and reinstall the OS.
  7. Before you restore from a backup, verify that it is free from any malware. You should only restore if you are very confident that the backup and the device you are connecting it to are clean.
  8. Connect devices to a clean network to download, install and update the OS and all other software.
  9. Install, update, and run antivirus software.
  10. Reconnect to your network.
  11. Monitor network traffic and run antivirus scans to identify if any infection remains.