
Beazley’s 360º approach to protection

A ransomware incident is one of the most disruptive and costly attacks your organisation can suffer. Ransomware is on the rise and is showing no signs of slowing down. Beazley’s claims and breach response services teams are on the front lines and have the knowledge and expertise to help you protect your organisation against these attacks. Along with our forensics service providers Lodestone and KPMG, we have developed a ransomware best practices guide to help you prevent these incidents from occurring.

Ransomware scenario

1. Initial compromise of your environment
• A criminal group targets your organisation with a phishing campaign.
• Malware is successfully delivered to one of your unsuspecting users via a malicious attachment or web link in an email.

2. Malware is installed
• The user opens the attachment and malware is unknowingly installed on the user’s PC.
• Unbeknownst to the user, and to your security and IT teams, the attackers now have a foothold in your environment.
• Using this foothold, the hackers explore your network (still undetected) looking for vulnerable systems and sensitive data. This includes other users’ PCs but also servers supporting critical applications and file stores.

3. Ransomware is deployed
• The criminal group has achieved the access they need and are ready to spring their trap.
• They deploy a strain of ransomware which spreads across your network, encrypting indiscriminately.
• The attackers have now encrypted a material portion of your estate; parts of your business are completely disrupted while other parts are partially disrupted.

4. Extortion
• The attackers demand £x million for the decryption key.
• The attack also becomes public knowledge, which causes reputational damage.
• The regulator also wants to understand if there has been a mishandling of customer sensitive data – there is a risk of a significant fine.

Protecting your organisation against ransomware

Minimum protection
• Deploy and maintain a well configured and centrally managed End-Point Protection (EPP) solution: A robust EPP/anti-virus solution is a basic component of any security program.
• Email tagging: Tag emails from external senders to alert employees of emails originating from outside the organisation.
• Email content and delivery: Enforce strict Sender Policy Framework (SPF) checks for all inbound email messages, verifying the validity of sending organisations. Filter all inbound messages for malicious content including executables, macro-enabled documents and links to malicious sites.
• Office 365 add-ons and configuration: Enable two-factor authentication (2FA) on Office 365 and use Office 365 Advanced Threat Protection.
• Macros: Disable macros from automatically running. Ideally disable them from running at all if your business does not need them.
• Patching: Conduct regular vulnerability scans and rapidly patch critical vulnerabilities across endpoints and servers – especially externally facing systems.
• Remote access: Do not expose Remote Desktop Protocol (RDP) directly to the Internet. Use Remote Desktop Gateway (RDG) or secure RDP behind a multi-factor authentication-enabled VPN.
• Application permissions: Only permit applications trusted by your organisation to run on devices.
• Back up key systems and databases: Ensure regular back-ups which are verified and stored safely offline.
• Educate your users: Most attacks rely on users making mistakes; train your users to identify phishing emails with malicious links or attachments. Regular phishing exercises are a great way to do this.
• Firewalls: Use network and host-based firewalls with well considered rule-sets; for example, disallow inbound connections by default.

Stronger protection
• Establish a secure baseline configuration: Malware relies on finding gaps to exploit. A baseline configuration for servers, end-points and network devices that conforms to technical standards such as Center for Internet Security (CIS) benchmarks can help plug those gaps.
• Filter web browsing traffic: Web filtering solutions will help prevent users from accessing malicious websites.
• Use of protective DNS: Helps deny access to known malicious domains on the Internet.
• Manage access effectively: Ransomware doesn’t have to go viral in your organisation. Put in place appropriate measures for general user and system access across the organisation: privileged access for critical assets (servers, end-points, applications, databases, etc.) and enforce multi-factor authentication (MFA) where appropriate (remote access/VPN, externally facing applications, etc.).
• Regular testing of back-ups: Reduces downtime and data loss in the event of restoring from back-ups after a ransomware attack.
• Encrypted back-ups: Prevents use of back-up data by bad actors.
• Disconnect back-ups from the organisation’s network: Prevents back-ups from being accessed and encrypted by ransomware in case of a successful attack on an organisation’s main network.
• Network segregation: Control access and/or traffic flow within the network environment. A well-configured rule set will ensure that only the required traffic can flow from one segment to another. Furthermore, segregate end of life/support systems/software as a priority.
• Media usage controls: Put in place controls on the insertion and/or use of media which does not carry appropriate authentication/media identifiers.
• Well-defined and rehearsed incident response process: Helps mitigate losses and rapidly restore business operations after a ransomware attack.

Best protection
• End-point detection and response (EDR) tools: EDR solutions monitor servers, laptops, desktops and managed mobile devices for signs of malicious or unusual user behaviour/activity. These tools also enable near immediate response by trained security experts. When effectively deployed and monitored, EDR tools are one of the best defences against ransomware and other malware attacks.
• Intelligent email evaluation: Automatically detonate and evaluate inbound attachments in a sandbox environment to determine if they are malicious prior to user delivery.
• Centralised log monitoring: Centralised collection and monitoring of logs, ideally using a Security Information and Event Management (SIEM) system, identifies threats which breach your internal defences.
• Subscription to external threat intelligence services: Provides access to external services that can provide details of developing attacker tactics, techniques and procedures. They also provide access to databases of known bad websites, mail attachments, etc.
• Separately stored, unique back-up credentials: Prevents bad actors from accessing and encrypting back-up data.
• Web isolation: Use of a web-isolation and containment technology to create a secure Internet browsing experience for your users.

Lodestone: Leaders in cyber defence, our experts provide clients with the information and processes needed to address cyber threats across the spectrum, from strategic readiness through breach response. For more information contact [email protected]

KPMG: KPMG offers a wide range of services to help organisations defend against and respond to ransomware attacks. To discuss how they can help please contact: Matthew Martindale – Partner, Cyber Security, [email protected]
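To make the "strict SPF checks" item concrete, here is an added example (not from Beazley, Lodestone or KPMG) of how an inbound mail gateway evaluates a sending IP against a domain's SPF record and turns the result into an accept/quarantine/reject decision. The SPF records and domains are constructed for illustration, and the evaluator is deliberately simplified to ip4/ip6/all mechanisms (include, a and mx need DNS lookups and are omitted); the point is the difference between a strict policy (-all, hard fail) and a lenient one (~all, soft fail) and how a strict gateway treats each.

```python
import ipaddress

# Constructed SPF records for illustration only (not any real domain's policy).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",  # strict: hard fail
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",                      # lenient: soft fail
}

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Simplified SPF evaluation (ip4/ip6/all only) of sender_ip against record.
    Returns pass, fail, softfail, neutral, none or permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                   # 'all' matches everything; ends evaluation
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record: treat as error, not pass
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # other mechanisms (include/a/mx/...) need DNS; skipped in this simplified model
    return "neutral"                        # no mechanism matched and no 'all' term


def inbound_decision(mail_from_domain: str, sender_ip: str, strict: bool = True) -> str:
    """Gateway policy: pass -> accept, fail -> reject; in strict mode anything
    that is not a clear pass (softfail/none/neutral/permerror) is quarantined."""
    record = SPF_RECORDS.get(mail_from_domain)
    result = evaluate_spf(record, sender_ip) if record else "none"
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"
    return "quarantine" if strict else "accept"
```

The strict gateway rejects mail that hard-fails SPF and quarantines mail from domains with no or only a soft-fail policy, which is where most spoofed phishing from "lookalike" senders would otherwise slip through.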

The descriptions contained in this communication are for broker preliminary informational purposes only. Coverages can be underwritten by Beazley syndicates at Lloyd’s or Beazley Insurance dac or Lloyd’s Insurance Company (“Lloyd’s Brussels”) and will vary depending on individual country law requirements and may be unavailable in some countries. The exact coverage afforded by the products described in this communication are subject to and governed by the terms and conditions of each policy issued. For more information, visit www.beazley.com Lodestone is a wholly owned subsidiary of Beazley plc. and does not provide insurance services. Beazley does not share insured-specific information with Lodestone. Information you provide to Lodestone and any engagement findings are shared only between your organisation and Lodestone. BZCER034_UK_09/20