
Mitigating the Risk of a Ransomware Attack

Xantrion’s cybersecurity program takes a risk based approach to preventing, detecting and recovering from a potential ransomware attack. We provide multilayered protections which consider the various methods criminals might use to penetrate a client’s network and protect against each of these attack vectors.  We monitor client systems so that, should compromise occur, it can be quickly detected and shut down. Even if these measures fail, clients should never have to pay a ransom as we employ robust backup and recovery systems.

Here are some of the common risk factors we consider and the protections we employ:

1. Prevention
1.1 Client System Compromise

An attack typically begins with criminals attempting to gain a foothold on a target network by sending an employee an e-mail message that phishes for credentials, carries a malware attachment, or links to a website hosting malware. We protect against compromise of the client system by:

  • Filtering mail to block phishing messages and deeply scanning any e-mail attachments to ensure they are safe.
  • Educating employees and testing them with simulated phishing messages so they recognize, and don’t fall for, these attacks.
  • Filtering web access to block known malware / ransomware sites.
  • Patching systems so they are not vulnerable to known exploits.
  • Ensuring that all employees use multi-factor authentication so that, even if they fall for a credential phishing attack, the criminal will not be able to use their compromised credentials to gain access.
  • Protecting computers using SentinelOne enhanced endpoint protection.
    • SentinelOne uses AI to determine whether a program should be allowed to run. This approach identifies malware even if signatures have not been developed. SentinelOne goes beyond examination of file-based executables to include memory-only malware, macros in documents, browser-based drive-bys, scripts and credential-scraping threats.
    • SentinelOne’s AI engine monitors software behavior to identify malware-like actions, block the software and isolate potentially infected systems from the network in real time.
    • Post-execution, the software provides detailed forensic logs which automate remediation and update the detection engine.


1.2 Brute Force Credential Compromise

Criminals will look for publicly accessible login portals and attempt to guess passwords against them using a combination of brute-force techniques. Attacks can occur against web-based mail, CRM systems or exposed remote access servers. Several protections are used against this type of attack.

  • We require that all user accounts use multi-factor authentication. This mitigates nearly all such attacks.
  • We ensure basic password hygiene for all accounts, e.g. password complexity, a requirement for periodic change, and lockout after a limited number of bad attempts.
  • Log analytics allow us to identify and mitigate suspicious behavior, e.g. access attempted from two locations far enough apart that the user could not legitimately have initiated both attempts.*
  • Remote access is secured by using SSL gateways.
  • User accounts, particularly those with administrative privileges or in use as service accounts, are automatically monitored for the presence of common names, for example “administrator”, “scanner” or “backupadmin”. These accounts are made less vulnerable by renaming them, reducing their privileges, or applying stronger password policies.
  • Accounts are periodically audited for the presence of weak passwords.*
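As an added illustration (not Xantrion’s own tooling) of the log analytic described above, the following Python checks each user’s consecutive sign-ins for an implied travel speed no traveller could achieve. The sample events, their coordinates and the 900 km/h threshold are constructed assumptions.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (user, UTC timestamp, latitude, longitude).
# Coordinates roughly match Oakland CA, Kyiv UA and Chicago IL.
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:00Z", 37.80, -122.27),
    ("alice", "2024-03-01T09:40:00Z", 50.45, 30.52),   # Kyiv, 40 minutes later
    ("bob",   "2024-03-01T08:00:00Z", 37.80, -122.27),
    ("bob",   "2024-03-01T15:30:00Z", 41.88, -87.63),  # Chicago, 7.5 hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive sign-ins by one user that would require travelling faster
    than max_speed_kmh (an assumed airliner-speed threshold).
    Returns a list of (user, distance_km, hours_between, implied_kmh)."""
    parsed = [
        (user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), lat, lon)
        for user, ts, lat, lon in events
    ]
    parsed.sort(key=lambda e: (e[0], e[1]))  # group by user, then chronological

    alerts = []
    previous = {}  # user -> (time, lat, lon) of the last sign-in seen
    for user, when, lat, lon in parsed:
        if user in previous:
            p_when, p_lat, p_lon = previous[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600.0
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0  # simultaneous sign-ins from two places
            if speed > max_speed_kmh:
                alerts.append((user, round(km), round(hours, 2), speed))
        previous[user] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for user, km, hours, kmh in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {user}: {km} km in {hours} h (~{kmh:.0f} km/h)")
```

Real sign-in logs carry an IP address rather than coordinates, so a geolocation lookup would sit in front of this check; VPN egress points and shared proxies are the usual source of false positives.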


1.3 Compromise of the MSP

Criminals are increasingly exploiting weaknesses in the security of an MSP to compromise several organizations at once.  This is what happened in Texas.  There are several things we do to protect against this.

  • Xantrion’s systems are protected in all the ways we use to protect client systems.
  • We ensure that our documentation and remote management systems are routinely updated with the latest security patches.
  • We require single sign-on and multi-factor authentication for access to all systems which contain sensitive data, or which have access to client systems.
  • We don’t list client names on our website. This hinders the potential effort of a criminal to exploit the MSP supporting an organization they want to target.
  • All firm administrators use separate accounts for day-to-day use (e-mail) and for network administration.
  • We undergo a rigorous annual third-party penetration test. This is far more than a simple scan of external ports. For example, we provide the penetration testing firm with a working username and password, simulating a scenario where criminals execute a successful phishing attack. Even under such circumstances the testers have been unable to penetrate our systems.
  • We undergo an annual audit of our security program against the SSAE 16 SOC 2 standard. This audit reviews our security program to ensure that it is comprehensive and tests to ensure that all aspects of the program are followed in practice.


2. Breach Detection and Mitigation

Early detection of a breach can help to limit damage and speed recovery. To this end:

  • We analyze user behavior for anomalies. This helps detect if an attacker gains foothold and attempts to laterally move around the network.*
  • We monitor security logs and respond to alerts which may indicate an early stage of an attack.*
  • All systems, including computers and network devices, are regularly scanned for known vulnerabilities. The vulnerability scanning system employed is independent of the Windows patching engine. Patches are applied as needed to protect against exploits. Closing off known exploits hinders the ability of an attacker to expand their access from any potential initial point of compromise.*
  • If a computer is compromised, a criminal’s next step is often to attempt an escalation of privilege attack to create a new privileged account (e.g. domain admin).  Xantrion monitors the membership of all groups with administrative privileges so that we are notified of any change in membership and can respond to mitigate the threat.
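An added example (not Xantrion’s monitoring system) of the group-membership check described in the last bullet: it diffs two constructed snapshots of privileged group membership and ranks the changes so that additions to the most sensitive groups surface first. The snapshot contents and the Tier-0 group list are assumptions.

```python
# Constructed snapshots of privileged group membership: {group: set of members}.
# In practice these would be collected from the directory on a schedule.
BASELINE = {
    "Domain Admins": {"DOMAIN\\admin.alice", "DOMAIN\\admin.bob"},
    "Backup Operators": {"DOMAIN\\svc-backup"},
    "Remote Desktop Users": {"DOMAIN\\carol", "DOMAIN\\dave"},
}
CURRENT = {
    "Domain Admins": {"DOMAIN\\admin.alice", "DOMAIN\\admin.bob", "DOMAIN\\svc-scanner"},
    "Backup Operators": set(),
    "Remote Desktop Users": {"DOMAIN\\carol", "DOMAIN\\dave"},
}

# Assumed tiering: changes to these groups warrant immediate response.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def diff_privileged_groups(baseline, current):
    """Compare two membership snapshots and return a list of change records
    ({group, member, change, severity}), highest severity first."""
    changes = []
    for group in sorted(set(baseline) | set(current)):
        before = baseline.get(group, set())
        after = current.get(group, set())
        severity = "high" if group in TIER0_GROUPS else "medium"
        for member in sorted(after - before):
            changes.append({"group": group, "member": member, "change": "added", "severity": severity})
        for member in sorted(before - after):
            changes.append({"group": group, "member": member, "change": "removed", "severity": severity})
    # Stable sort: high-severity records first, then by group name.
    changes.sort(key=lambda c: (c["severity"] != "high", c["group"]))
    return changes


if __name__ == "__main__":
    for change in diff_privileged_groups(BASELINE, CURRENT):
        print(f"[{change['severity'].upper()}] {change['member']} {change['change']} {change['group']}")
```

Emptying a group such as Backup Operators is reported as well, since removals can indicate an attacker covering tracks or breaking backups rather than a routine clean-up.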

3. Recovery

Should a client be compromised we ensure that we can fully recover without needing to pay a ransom.

  • We protect all servers using image-based backups which can be restored should the primary systems be compromised.
  • Backups are monitored daily to ensure they are successful. Once a quarter there is a manual audit to ensure that all systems that should be protected are in the backup schedule.
  • All backups are moved off-site to our data center daily. These “air-gapped” backups are not susceptible to deletion or encryption even in the event of full client compromise.

* These elements are not included in our Managed Security Essentials program but are included in our full Managed Security Program.