Ransomware Part 3: Recommendations from the Trenches

Ransomware Part 3: Recommendations from the Trenches

In the first two parts of this blog series we explored both a high-level overview of dealing with the ransomware epidemic and an in-depth look at how different strains of ransomware can infect your network. In this post we examine actionable recommendations to protect your environment from ransomware threats. 


Backups – It is critical for organizations to have a consistent, tested disaster recovery plan that includes solid backups. 


  • Provides easy recovery from ransomware attacks – wipe the infected system and restore from backup.
  • Test backups at regular intervals to make sure data is valid and useful.


Patch Flash and Java – Flash and Java are commonplace tools within corporate environments with several documented vulnerabilities. 


  • They are common vectors for attackers.
  • Be sure they are always up-to-date and patched to the latest version.
  • If possible, remove them from the environment.


Endpoint Monitoring – Tools that give a team visibility into the behavior occurring on the endpoint is tremendously useful in combating ransomware. 


  • Anti-virus tools lag behind in detection of ransomware due to their nature.
  • Endpoint monitoring solutions allow visibility into processes and network traffic running on endpoints.
  • Endpoint monitoring solutions can block rogue processes pending further verification. 


AppLocker and Software Restriction GPOs – A low-cost and effective way to restrict malware (not just ransomware) from running on systems is AppLocker and associated software restriction GPOs. 


  • Full documentation is available from Microsoft and is completely free.
  • Features are similar to the Software Restriction Policies of previous Windows versions. 
  • AppLocker is a more robust tool that provides more granular control over program execution. 


Email Filtering – Filtering extensions in email will stop a lot of malware attacks, including the Locky ransomware, in its tracks. 


  • Optiv recommends blocking executable and zip file attachments, and filtering all other attachments for manual review. 
  • Safer to block attachments and use a secure transfer option than to allow attachments that may harbor malicious software. 


Cloud Access Security Broker (CASB) – CASBs are a helpful way to block traffic calling home to ransomware command and control servers.


  • Protects against more than just ransomware including traditional malware, botnets, etc.


Security Awareness Training – In the long run, it doesn’t matter what tools are implemented if a user is actively clicking on malicious attachments or taking actions that violate the acceptable use policy for a network. 


  • Security awareness training is an effective method of reducing the susceptibility of humans to ransomware campaigns. 
  • Optiv offers several training courses, including how to spot phishing attempts, user created vulnerabilities and how to spot malicious downloads.


At the end of the day, companies must understand their environments and the capabilities of their staff. The items covered in this post are very high-level recommendations, but should provide a starting point for protecting against ransomware.

Nick Hyatt
Senior Consultant
Nick Hyatt is a senior consultant with Optiv’s enterprise incident management practice. In this role, he specializes in incident response, threat hunting and digital and malware forensics.