The FBI has developed a brochure of safety and risk mitigation tips for the growing threat of ransomware.
* Implement an awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.
* Patch operating systems, software, and firmware on devices, which may be made easier through a centralized patch management system.
* Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
* Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary.
* Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
* Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
* Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as the temporary folders used by popular Internet browsers.
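The macro advice above is usually enforced at the mail gateway rather than on each desktop. The following is an added example, not part of the FBI brochure, of the inspection a gateway can do: Office Open XML files (.docx, .xlsx, .pptx and their macro-enabled siblings) are ZIP packages, and VBA macros travel inside them as a part named vbaProject.bin. The script classifies attachments by extension and, for the supposedly macro-free extensions, by looking for that part, so a macro payload behind a renamed extension is still caught. Legacy binary formats (.doc, .xls, .ppt) cannot be inspected this way and are flagged separately. The sample packages built by build_sample_package are constructed stand-ins, not real documents.

```python
import io
import os
import zipfile
from typing import Dict

# Part name that carries VBA code inside an Office Open XML package
# (word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin).
VBA_PART_SUFFIX = "vbaProject.bin"

# Extensions that announce macro support; the page's advice is to block these outright.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Macro-free OOXML extensions; inspect the package to make sure the name is honest.
OOXML_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}
# Legacy binary (OLE2) formats; macros cannot be detected with a ZIP listing.
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def contains_vba_project(data: bytes) -> bool:
    """True if data is a ZIP package containing a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'legacy-binary', 'clean' or 'other' for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_EXTENSIONS:
        return "macro"
    if ext in LEGACY_EXTENSIONS:
        return "legacy-binary"
    if ext in OOXML_EXTENSIONS:
        # A vbaProject.bin behind a macro-free extension is the case worth catching.
        return "macro" if contains_vba_project(data) else "clean"
    return "other"


def should_block(verdict: str) -> bool:
    """Gateway policy: drop macro-bearing files; legacy binaries are held for review elsewhere."""
    return verdict == "macro"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like ZIP for demonstration; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def triage_attachments(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every attachment of one message, keyed by filename."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed sample message: one honest docx, one docm, one docx hiding macros,
    # a text file and a legacy spreadsheet header.
    samples = {
        "invoice.docx": build_sample_package(with_macro=False),
        "invoice.docm": build_sample_package(with_macro=True),
        "report.docx": build_sample_package(with_macro=True),
        "notes.txt": b"plain text",
        "old.xls": b"\xd0\xcf\x11\xe0",
    }
    for name, verdict in triage_attachments(samples).items():
        print(f"{name}: {verdict} (block={should_block(verdict)})")
```

The extension check comes first so a .docm is blocked even if it happens to carry no VBA part; the content check is what turns a renamed .docm into a "macro" verdict rather than "clean".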
Business Continuity Considerations
* Back up data regularly, and regularly verify the integrity of those backups.
* Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples include storing backups in the cloud or keeping physical copies offline.
* Implement application whitelisting; only allow systems to execute programs known and permitted by security policy.
* Execute operating system environments or specific programs in a virtualized environment.
* Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.
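"Regularly verify the integrity of those backups" is the step most often skipped. The following is an added example, not taken from the FBI brochure, of one way to do it: record a SHA-256 manifest of the backup tree when it is written, seal the manifest with an HMAC whose key is held by the verification job rather than on the backup host, and on each check report files that were modified, went missing, or appeared unexpectedly. The sample files and the demo key are constructed for the demonstration; the tree is built in a temporary directory so the script runs offline.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List

# Constructed sample backup content used by demo().
SAMPLE_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');\n",
    "docs/policy.txt": b"Backups are verified weekly.\n",
    "config/app.ini": b"[app]\nmode=prod\n",
}


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backup archives don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def seal_manifest(manifest: Dict[str, str], key: bytes) -> bytes:
    """Serialize the manifest and append an HMAC-SHA256 tag.
    Whoever can rewrite the backup could also rewrite a plain manifest; the key
    (assumed to live with the verification job, off the backup host) prevents that."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def manifest_is_authentic(blob: bytes, key: bytes) -> bool:
    """Constant-time check of the manifest's HMAC tag."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag.decode(errors="replace"))


def open_manifest(blob: bytes, key: bytes) -> Dict[str, str]:
    """Parse a sealed manifest, refusing one whose tag does not verify."""
    if not manifest_is_authentic(blob, key):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    body, _, _ = blob.rpartition(b"\n")
    return json.loads(body)


def verify_backup(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree on disk against the recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def write_sample_tree(root: str, files: Dict[str, bytes]) -> None:
    """Materialize the constructed sample files under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> Dict[str, List[str]]:
    """Write a backup, seal its manifest, damage the tree, and run the verification."""
    key = b"constructed-demo-key-kept-off-the-backup-host"
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root, SAMPLE_FILES)
        sealed = seal_manifest(build_manifest(root), key)
        # Simulated damage: one file overwritten, one deleted, one unexpected file added.
        with open(os.path.join(root, "db", "customers.sql"), "wb") as f:
            f.write(b"\x00overwritten\x00")
        os.remove(os.path.join(root, "config", "app.ini"))
        with open(os.path.join(root, "UNEXPECTED.txt"), "wb") as f:
            f.write(b"constructed stray file")
        return verify_backup(root, open_manifest(sealed, key))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty list from verify_backup means the backup is not the one that was written and should not be trusted for a restore until the cause is understood; a failing HMAC check means the manifest itself was touched, which is a stronger signal still.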