How to protect your business against Ransomware



Despite the alarming nature of the threat, the way ransomware gains entry onto a user’s device is actually no different from the methods used by other threats. These pathways onto the user’s device are relatively predictable, and can be successfully identified and defended. This requires identifying potential weaknesses in the device and setting the appropriate safeguards in place, both to block any potential intrusion attempts and to raise the alarm if any penetration does occur.

Many organizations still follow an outdated approach to cyber security, relying solely on a defensive perimeter to protect their infrastructure. We recommend a more robust, iterative approach, which can be broken down into four phases: Predict, Prevent, Detect, and Respond. Applied to ransomware just as to any other threat, this four-phase approach can help an organization defend against, cope with, or recover from an incident.

  • Predict: A corporate exposure analysis is performed to assess the attack surface of the organization’s infrastructure. The findings of these analyses are used to plan the construction of a solid defensive perimeter for the organization.
  • Prevent: Defensive solutions are deployed to harden the infrastructure and reduce its attack surface. Security software is deployed, vulnerabilities are patched, employees are trained, and the security culture of the organization is improved overall.
  • Detect: The infrastructure is carefully monitored for signs of intrusion or other suspicious behavior, so that breaches can be pinpointed quickly and accurately.
  • Respond: Forensic evidence is examined to determine how the breach happened and what impact it had on systems, data and infrastructure. An incident response process is initiated to restore the environment to a known-good state and to fix any security problems found. The findings of this phase are, in turn, fed back into the next Predict phase, and the cycle continues.


Ransomware typically exploits software vulnerabilities and human behavior to gain access to a device or network. Evaluate your infrastructure accordingly.

Very often, the emails used to deliver ransomware are designed to look like legitimate messages, ones that the user would assume to be trustworthy. The user clicks on the attachment in good faith - and gets infected.
This is known as social engineering - and despite its simplicity, it is still surprisingly effective. Evaluating how vulnerable the users in an organization are to social engineering means considering things like:

  • Are the users regularly informed about ongoing spam campaigns that may affect them?
  • Which users are most likely to receive emails from external sources?
  • Can the users recognize the difference between a legitimate email and a fake that closely resembles one?
  • Is there a simple mechanism in place for users to report suspicious emails?

Exploit kits that distribute ransomware are only effective against software that has unpatched vulnerabilities.
Assessing the state of all software in use in the network is therefore the single most effective proactive measure against vulnerability-based intrusions. Evaluating the software-related attack surface involves questions such as:

  • What devices are Internet-accessible, and what programs are installed on them?


It’s trite but true - prevention is better than cure. Take these precautions to reduce your attack surface.

  1. Take regular backups of files and test them to make sure they’re reliable. This is by far the most important step in proactively guarding against any kind of infection, not just ransomware. In case you do get hit, you won’t be put in the difficult position of deciding whether to pay.
  2. Keep all software up to date. Ransomware often infects by taking advantage of security flaws in outdated software, so keeping software current will go a long way.
  3. Use robust security software that employs a layered approach to block known threats as well as brand new threats that haven’t yet been seen.
    1. F-Secure offers the following relevant services and technologies:
  4. Watch out for spam and phishing emails. For example, the post office will never send a document as a .zip file. And so-called legal documents that ask you to “enable content” are traps. Businesses should also use a good email filtering system, disable macro scripts in Office files received via email, and educate employees on current spam and phishing schemes.


  • For all applicable versions, set the Group Policy settings for ‘Macro Settings’ to ‘Disable macros with notification’. This blocks macros from running automatically when an Office document is opened.
  • In Office (2013 and 2016), edit the Group Policy settings to block macros from running at all in Word, Excel and PowerPoint documents that come from the Internet.
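The two Group Policy recommendations above are only useful if they actually reach every workstation, so an audit of the resulting policy values is worth having. The script below is an added example (not F-Secure's code) that reads the per-user policy values the Office Group Policy templates write under HKCU\Software\Policies and reports every version/application combination that does not meet both recommendations. The value names (VBAWarnings, BlockContentExecutionFromInternet) and their meanings are taken from the Office administrative templates as I know them; confirm them against the template version you deploy. The registry read itself only works on Windows; the evaluation logic runs anywhere.

```python
"""Audit the Office macro Group Policy settings recommended above (added example)."""
from typing import Dict, List, Optional, Tuple

# Office 2013 = 15.0, Office 2016 = 16.0 (the versions named on the page).
OFFICE_VERSIONS = {"15.0": "Office 2013", "16.0": "Office 2016"}
APPS = ("Word", "Excel", "PowerPoint")
POLICY_KEY = r"Software\Policies\Microsoft\Office\{ver}\{app}\Security"

# VBAWarnings policy values (per the Office ADMX templates, assumption to verify):
# 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
DISABLE_WITH_NOTIFICATION = 2
ACCEPTABLE_VBA = {2, 3, 4}      # 2 is the page's recommendation; 3 and 4 are stricter
BLOCK_INTERNET_MACROS = 1       # BlockContentExecutionFromInternet = 1 means 'block'

Settings = Dict[Tuple[str, str], Dict[str, Optional[int]]]


def evaluate(settings: Settings) -> List[str]:
    """Return one finding per gap; an empty list means every audited app is compliant."""
    findings = []
    for ver, label in OFFICE_VERSIONS.items():
        for app in APPS:
            values = settings.get((ver, app), {})
            vba = values.get("VBAWarnings")
            if vba is None:
                findings.append(f"{label} {app}: VBAWarnings not enforced by policy; "
                                f"macro behaviour is left to the user's Trust Center choice")
            elif vba not in ACCEPTABLE_VBA:
                findings.append(f"{label} {app}: VBAWarnings={vba} lets macros run automatically")
            if values.get("BlockContentExecutionFromInternet") != BLOCK_INTERNET_MACROS:
                findings.append(f"{label} {app}: macros in files from the Internet are not blocked")
    return findings


def read_policy_from_registry() -> Settings:
    """Read the policy values from the current user's hive (Windows only)."""
    import winreg  # Windows standard library; imported here so evaluate() runs anywhere

    settings: Settings = {}
    for ver in OFFICE_VERSIONS:
        for app in APPS:
            values: Dict[str, Optional[int]] = {}
            for name in ("VBAWarnings", "BlockContentExecutionFromInternet"):
                try:
                    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                        POLICY_KEY.format(ver=ver, app=app)) as key:
                        values[name] = int(winreg.QueryValueEx(key, name)[0])
                except OSError:  # key or value absent: the policy is not set
                    values[name] = None
            settings[(ver, app)] = values
    return settings


if __name__ == "__main__":
    for line in evaluate(read_policy_from_registry()) or ["All audited Office apps are compliant"]:
        print(line)
```

Run it under the account whose policy you want to check; because the policy keys live in the user hive, a machine that looks compliant for an administrator may still be unprotected for a standard user whose OU did not receive the GPO.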

The Java development platform and Flash Player are very popular productivity and media programs, found on millions of devices around the world. Unfortunately, their ubiquity also makes them perfect for attackers, who can use vulnerabilities in these programs to reach millions of potential targets.
Security researchers now routinely give the following advice when it comes to Java and Flash Player:
If you do not need it, uninstall it. If you do not use it regularly, disable it until it is needed.



Ransomware infections are hard to miss. What’s harder to spot is the full extent of an infection, which is crucial to containment.

Unlike other threats, ransomware is neither stealthy nor subtle. An infection will usually announce itself quite dramatically, as the malicious program first cuts off access to the device or files, then displays the ransom demand.
Despite the immediate urgency of dealing with the affected device, it is also important to consider whether the ransomware is able to spread to other connected machines or shared storage, where it can potentially magnify the impact of an infection. To assess the full extent of a ransomware incident, the following questions need to be addressed:

  1. Is a network / device monitoring system in place that alerts administrators to suspicious behavior? A monitoring system that uses behavioral analysis to detect suspicious activity on devices in a local network can give system administrators the critical time they need to identify an infection and mobilize resources to contain it.
  2. Is the device connected to the Internet, or the local network? If there is still an active Internet connection, the threat may still be sending or receiving data to or from the attackers operating the ransomware. If it is still connected to the local network, some ransomware can move laterally to affect other connected devices.
  3. Is it connected to network shares or shared cloud storage? Some ransomware will encrypt or block access not only to files on the device, but also to those on any accessible shares or cloud storage. This can then lead to a domino effect as other users who try to use the affected files in the shared location encounter the ransomware.
  4. Have the encrypted files been synchronized to a backup solution? Are there other, clean backups of the data available? If an automated backup process is in place, it may inadvertently transfer the affected files to the backup, making it more difficult to contain and recover from the infection.
  5. What changes did the threat make to the device or files? For example, what domains does the threat try to contact, and what values were edited in the registry, processes, system parameters, etc.? Forensic analysis of the changes made by the threat helps to identify the same changes on other devices, which might indicate a spreading infection. This information can also be used to identify and block any subsequent reinfection attempts.
  6. Can you identify the ransomware that infected the device? Some ransomware families identify themselves quite obviously, while others are less helpful. Knowing the specific family involved makes it easier to search online for information about remedial options. The ID-Ransomware project site may be able to help identify the ransomware.
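Question 1 above asks for behavioral monitoring, and questions 2 and 3 ask whether the infection is reaching the local network or shared storage. The script below is an added example (not part of the original page) of what such monitoring logic looks like when run over file-audit events: it alerts when a single process renames many files to new extensions within a short window, or drops a file whose name looks like a ransom note, and each alert records whether the process touched a UNC share, which is the spreading signal the questions are after. The log line format and all events are constructed for the example.

```python
"""Behavioural detection of ransomware-like file activity (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath
import re

WINDOW = timedelta(seconds=60)  # look-back window per process
THRESHOLD = 5                   # distinct files re-extensioned within WINDOW
# Ransom notes are typically small text/HTML files with names like these.
RANSOM_NOTE_RE = re.compile(r"(readme|how_to|decrypt|recover).*\.(txt|html|hta)$", re.I)

# Constructed sample events (format is an assumption): one user editing a document
# normally, one process encrypting local files and a share, and an unrelated rename.
SAMPLE_LOG = r"""
2024-05-01T10:00:01 host=WS01 pid=4120 proc=WINWORD.EXE op=WRITE path=C:\Users\alice\Documents\report.docx
2024-05-01T10:00:05 host=WS01 pid=5532 proc=updater.exe op=RENAME path=C:\Users\alice\Documents\report.docx new=C:\Users\alice\Documents\report.docx.locked
2024-05-01T10:00:06 host=WS01 pid=5532 proc=updater.exe op=RENAME path=C:\Users\alice\Documents\budget.xlsx new=C:\Users\alice\Documents\budget.xlsx.locked
2024-05-01T10:00:08 host=WS01 pid=5532 proc=updater.exe op=RENAME path=C:\Users\alice\Pictures\holiday.jpg new=C:\Users\alice\Pictures\holiday.jpg.locked
2024-05-01T10:00:09 host=WS01 pid=5532 proc=updater.exe op=RENAME path=\\FS01\finance\q1.xlsx new=\\FS01\finance\q1.xlsx.locked
2024-05-01T10:00:11 host=WS01 pid=5532 proc=updater.exe op=RENAME path=\\FS01\finance\q2.xlsx new=\\FS01\finance\q2.xlsx.locked
2024-05-01T10:00:12 host=WS01 pid=5532 proc=updater.exe op=WRITE path=C:\Users\alice\Desktop\README_DECRYPT.txt
2024-05-01T10:30:00 host=WS02 pid=777 proc=explorer.exe op=RENAME path=C:\Users\bob\notes.txt new=C:\Users\bob\notes.md
"""


def parse_event(line):
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(tok.split("=", 1) for tok in rest.split(" ") if "=" in tok)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def changed_extension(old, new):
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()


def is_share(path):
    return path.startswith("\\\\")  # UNC path: the file lives on a network share


def detect(lines):
    """Return one alert per (host, pid, process) whose activity crosses the threshold."""
    history = defaultdict(deque)  # (host, pid, proc) -> deque of (ts, path, is_note)
    alerted, alerts = set(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["op"] == "RENAME" and changed_extension(ev["path"], ev["new"]):
            hit = (ev["ts"], ev["new"], False)
        elif ev["op"] in ("WRITE", "CREATE") and RANSOM_NOTE_RE.search(ntpath.basename(ev["path"])):
            hit = (ev["ts"], ev["path"], True)
        else:
            continue  # ordinary activity
        key = (ev["host"], ev["pid"], ev["proc"])
        q = history[key]
        q.append(hit)
        while q and hit[0] - q[0][0] > WINDOW:  # drop events that fell out of the window
            q.popleft()
        files = {p for _, p, _ in q}
        # A ransom note on its own is conclusive, so it counts as a full threshold.
        score = len(files) + (THRESHOLD if any(n for _, _, n in q) else 0)
        if score >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "pid": key[1], "proc": key[2],
                           "files": sorted(files),
                           "touches_share": any(is_share(p) for p in files),
                           "first_seen": q[0][0], "last_seen": hit[0]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['host']} {a['proc']} (pid {a['pid']}): {len(a['files'])} files, "
              f"share affected: {a['touches_share']}")
```

The threshold and window are the tuning knobs: a build server or an archiving job legitimately renames many files, so in production the key should be allow-listed per process image and the alert enriched with the parent process and user, which is exactly the forensic detail question 5 asks for.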


An incident response process should not only include restoring the device, files or network, but also hardening them to prevent recurrence.

  1. IMMEDIATELY disconnect the device from the local network. Contain the infection as much as possible by disconnecting the affected device from any network.
  2. Scan all connected devices and shares for similar flaws and additional threats. Not only should other connected devices and shares be checked for infection by the same threat, but also for any other threats that may have been installed on the side.
  3. If possible, format and reinstall the device. For larger companies, it may be more expedient to simply wipe the affected device clean and start afresh. Alternatively, there are removal tools available for specific ransomware families.
  4. Reinstate data from backups. If available and clean, the affected data can be restored from backup files. It may be more efficient to restore files in network shares or cloud storage first, to maintain continuity and productivity for other users.
  5. Use incident response findings to reassess attack surface. Based on the results of investigations into the incident, update any relevant security precautions or systems.
  6. Report the incident to the appropriate local law enforcement authority. Each country handles incidents of electronic crime differently, but in general most national law enforcement agencies urge companies to report incidents and avoid paying any ransom demanded.
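Detect question 4 above warns that an automated backup can copy encrypted files over clean ones, and Respond step 4 restores only "if available and clean". The following added example (not F-Secure's code) is a pre-sync guard a backup job can run: each candidate file is compared with the manifest of what was backed up earlier, and a file whose known name has gained an extra extension, or whose content has become high-entropy where the format should be readable, is held back and the whole job is stopped. The manifest layout, paths and file contents are all constructed for the example.

```python
"""Pre-sync guard that keeps encrypted files out of the backup set (added example)."""
import hashlib
import math
import ntpath

HIGH_ENTROPY_BITS = 7.5
# Formats that are compressed or encrypted by design; high entropy is normal for them.
NATURALLY_DENSE_EXTS = {".zip", ".7z", ".gz", ".docx", ".xlsx", ".pptx", ".pdf",
                        ".jpg", ".jpeg", ".png", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is around 4.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(path: str, data: bytes, manifest: dict) -> tuple:
    """Return (verdict, reason); verdict is 'ok', 'sync' or 'quarantine'."""
    digest = hashlib.sha256(data).hexdigest()
    if manifest.get(path) == digest:
        return "ok", "unchanged since last backup"
    stem, ext = ntpath.splitext(path)
    if stem in manifest and ext.lower() not in NATURALLY_DENSE_EXTS:
        # report.docx is in the manifest and report.docx.locked arrived: an appended extension
        return "quarantine", f"extension {ext} appended to backed-up file {stem}"
    if shannon_entropy(data) > HIGH_ENTROPY_BITS and ext.lower() not in NATURALLY_DENSE_EXTS:
        return "quarantine", "high-entropy content in a format that should be readable"
    return "sync", "new or modified file"


def plan_sync(candidates: dict, manifest: dict) -> dict:
    """Decide per file and stop the whole job if anything is quarantined."""
    decisions = {p: assess(p, data, manifest) for p, data in candidates.items()}
    held = [p for p, (verdict, _) in decisions.items() if verdict == "quarantine"]
    return {"decisions": decisions, "proceed": not held, "held": held}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for encrypted output (sha256 chain), used for the sample."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample: manifest from the last good backup and today's candidate files.
REPORT = b"Quarterly report: revenue up, costs flat. " * 100
MANIFEST = {r"C:\Users\alice\Documents\report.docx": hashlib.sha256(REPORT).hexdigest()}
CANDIDATES = {
    r"C:\Users\alice\Documents\report.docx": REPORT,                      # unchanged
    r"C:\Users\alice\Documents\report.docx.locked": pseudo_random(4096),  # encrypted copy
    r"C:\Users\alice\Documents\notes.txt": b"Call the vendor on Monday.\n",  # new text file
    r"C:\Users\alice\Pictures\holiday.jpg": pseudo_random(4096),          # dense format, normal
}

if __name__ == "__main__":
    plan = plan_sync(CANDIDATES, MANIFEST)
    for path, (verdict, reason) in plan["decisions"].items():
        print(f"{verdict:10} {path}  ({reason})")
    print("proceed" if plan["proceed"] else f"job stopped, held: {plan['held']}")
```

The residual gap is ransomware that encrypts a .docx in place without renaming it: the content was already high-entropy (zip-compressed), so neither rule fires. That case is why the backup itself must keep versions rather than mirror the latest copy, so that a clean earlier version is still available for the restore step.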


Download our hands-on guide to fighting emerging cyber security threats like ransomware.

In this workbook, we’ll help you assess your current approach to endpoint protection, so you can prioritize what you need to do next to safeguard your business.
