How to train employees to avoid ransomware

Why ransomware training is important

Employees might be an organization's weakest link, but they are also its first line of defense against ransomware and other malware attacks. Supplement existing security awareness trainings with ransomware-specific guidance, or hold separate educational sessions on ransomware to drive home the severity of the threat and the role employees play in mitigating it. It is important to reiterate this last part -- the importance of humans in prevention -- to build a strong security culture and a workforce that recognizes its members are critical pieces of the larger cybersecurity puzzle.

Having employees who recognize the warning signs of an attack and can implement prevention measures goes a long way toward building a security awareness culture and keeping bad actors and malware out of the network. Educated users help the organization avoid the financial, legal and reputational costs of a ransomware attack.

What to include in a ransomware training program

Before overwhelming employees with information, ensure they understand the basics of ransomware. It's likely not a new topic for anyone, given its prevalence in the headlines, but be sure to cover what ransomware is and emphasize the important role employees play in ransomware prevention, detection and mitigation.

Once employees are familiar with the concept of ransomware as part of their ongoing cybersecurity training, delve deeper into the specifics, including types of ransomware attacks and attack vectors, signs of a ransomware infection and how to respond to a possible ransomware attack.

Types of ransomware attacks and attack vectors

Multiple types of ransomware exist. Knowing the differences might not be as important to employees as understanding the intended consequences of ransomware attacks: data encryption, data loss and data exfiltration -- and a potentially costly ransom, as well as expensive and time-consuming recovery for the victim.

That said, it can be beneficial to understand the various varieties of ransomware users could encounter -- although they all usually appear under the same guise. The types of ransomware include locker, crypto, scareware, extortionware, wiper malware, double extortion, triple extortion and ransomware as a service.

More importantly, employees should be aware of how attackers infiltrate networks. This way they better understand what to look for and how to prevent it. The top three ransomware attack vectors are as follows:

1. Social engineering and phishing. Attackers use seemingly innocuous emails with malicious links or attachments to trick users into inadvertently downloading malware. Types of social engineering and phishing attacks include smishing, vishing, spear phishing and watering hole attacks.
2. Remote Desktop Protocol (RDP) and credential abuse. Attackers use legitimate credentials -- usually sourced from brute-force or credential-stuffing attacks or purchased off the dark web -- to log into corporate systems, often via RDP, a protocol that enables remote access.
3. Software vulnerabilities. Attackers exploit unpatched or insecure versions of software to gain access to an organization's network.

Ransomware can also infiltrate systems via drive-by download attacks, malvertising, removable media such as USBs and pirated software.

Signs of a ransomware infection

Teach employees to recognize the warning signs of an impending ransomware attack. These could include receiving more phishing emails or getting alerts that someone is attempting to change their passwords.

Some signs of infection are obvious. For example, a pop-up window that informs a user the device is locked speaks for itself. Other signs aren't quite as clear, such as device performance degradation. Unfamiliar files or programs could unexpectedly appear on a device, or their contents could suddenly become inaccessible or their file names scrambled. The appearance of legitimate but previously uninstalled software is another warning sign. Malicious actors often use legitimate programs, including port or network scanners, to assess the best way to further infiltrate a target system.

Advise users to report any suspicious emails, files, programs or device behaviors to management and the IT department.

How to respond to a possible ransomware attack

Instruct employees to disconnect their device(s) from the internet at any suggestion of a possible ransomware attack. This could help prevent the malware from spreading to other devices. Ensure remote employees know that other devices on their home network could also be infected. Likewise, in-office employees should understand that any devices on the corporate network could be compromised.

Advise employees to contact their manager, security team, IT team or other designated incident response team as soon as possible. Encourage them to report any questionable device or system activity, as well as any communication from a purported attacker. Stress that it's always better to be safe than sorry.

While employees are not usually the main target in a ransomware attack, train them what to do if they ever receive a ransom note from a ransomware group. Tell employees to never negotiate or engage in any dialog with the attackers.

Best practices for ransomware prevention

Ransomware prevention is twofold. From an end-user perspective, follow these best practices:

• Be on the lookout for phishing and social engineering scams, including emails, text messages, social media messages and collaboration platform messages. Indications of phishing messages often include typos and poor grammar.
• Always check the sender's email address. Never click links or download files from unknown persons. Likewise, be cautious of texts from unknown phone numbers.
• Beware of malicious URLs. Don't click or copy and paste links from emails. Hovering over a link might help discern if it is legitimate, but some attackers spoof the link hover text as well, so this isn't always reliable.
• Never use removable media, such as a USB, if its source is unknown or if it could have fallen into the wrong hands at any point.
• Frequently save and back up data.
• Keep software and devices on the home network patched and up to date.
• Use strong passwords and multifactor authentication.

From an enterprise perspective, follow these key ransomware prevention best practices:

• Maintain a defense-in-depth security program. This should include antimalware and antivirus software, as well as firewalls, web filtering, email security filtering, application and website allowlisting or denylisting, and other security tools and processes.
• Consider advanced protection technologies. These may include extended detection and response, managed detection and response, user and entity behavior analytics and zero-trust security, among others.
• Patch regularly. Keep all applications, OSes, devices, services, servers and infrastructure patched and up to date.
• Make frequent backups. Frequently back up data to ensure access to it in the event an attacker locks and encrypts it.

And, of course, hold regular employee ransomware awareness trainings. Conducting ransomware tabletop exercises is key for disaster recovery and other IT and security staff. But involving all employees in regular sessions about how to spot and prevent ransomware is one of the best ways to build up the human defenses.

In line with cybersecurity awareness and cyber hygiene best practices, tailor trainings to fit employees, their roles in the organization, their cybersecurity knowledge levels and their learning styles. Ensure trainings are informative and comprehensive, but, importantly, engaging and fun as well.

Performing phishing and ransomware simulations could also be a useful component of a ransomware awareness program so employees can experience an incident -- and practice how to respond -- in a real-world scenario.

To keep employees up to date on ransomware between trainings, consider sending newsletters or emails about the latest ransomware news and any applicable advice.

Ransomware is something every organization today faces. Ensuring employees know what to do when confronted with the threat can significantly lower its impact if -- or rather, when -- an attack occurs.