25 Feb

How To Not Be A Victim Of Ransomware

Ransomware: it’s in the news daily, and the reports are increasingly dire. This escalation is not a figment of your imagination because both the frequency and the severity of ransomware attacks have grown worse, particularly since the onset of the global pandemic. 

Ransomware is malicious program code that gains control over the infected device, encrypts files, and blocks user access to the data or a system until a sum of money, or ransom, is paid. Attacks are now surpassing four thousand per day, with one attack happening every ten to fifteen seconds. Private businesses and government agencies comprise most targets, but the reality is that no one is immune to ransomware attacks. As of this writing, the average ransom demand made to public and private organizations exceeds $230,000. The average cost to mitigate a ransomware attack, including restoring services, lost data and revenue, and security measures, exceeds $730,000 – and that does not include the cost of any ransom paid. It’s little wonder that more than half of small businesses who suffer an attack go out of business within six months – a ransomware attack can be fatal to cash-strapped firms. While ransom demands against private citizens are typically lower (four or low-five figures), they are no less onerous. 

What can be done? The good news is that you are far from helpless when it comes to fending off a ransomware attack. A good two-part strategy will place you and/or your business in an advantageous position to defend yourself and mitigate potential losses. Part one involves hardening your defenses against the attackers, while part two deals with protecting your critical data if your perimeter is breached.

Harden Your Defenses

Here are a few measures you can take to build a more formidable barrier against ransomware infection. This list is by no means complete, and implementing these measures does not guarantee 100% protection, but your odds of staying safe will significantly increase.

Keep Your Systems Updated. Run security updates for your OS and associated software regularly. This is one of the easiest ways to avoid being compromised by a recently discovered exploit. MS Windows users are all too familiar with critical security updates but don’t neglect other software. For example, quite a few MS Office exploits have been identified and patches made available for some time, but many unpatched installations remain.

Install Antivirus Software. Any decent modern product includes protection from ransomware infection vectors. Select and install a product with a strong reputation for ransomware protection and keep it updated to protect against the latest exploits.

Use A File Integrity Monitoring (FIM) Tool. An FIM will take periodic snapshots of your system (not actual backups, just file metadata) and can be configured to notify or warn when various changes are detected. The FIM functions like a “fire alarm” if a malicious program attempts to alter your file system.

Use Email Filters And SPAM Protection. Use the filtering and spam detection that is part of your email system. Established systems like Gmail, Outlook, Exchange, and the like incorporate various tools that will catch and quarantine many threats or flag email messages and attachments as suspicious. Don’t disable these tools, as they can be your first line of defense against a malicious payload.

Disable And Block Unused Ports and Services. Reduce your attack service by turning off system services that you are not using and blocking connections on unused ports (i.e., RDP, HTTP / HTTPS, etc.). This tactic is a bit more technical than other measures and may require some snooping or trial and error, but it’s worth the effort. Alternatively, you can use a firewall – either the one built into your ISP’s router or a separate, dedicated device – to accomplish this. Most modern firewalls incorporate attack mitigation features that can be quite sophisticated and dynamically respond to threats. 

Control Installation And Launch Of Software. The vast majority of ransomware is in the form of a program installed and run on the infected system. If you configure your operating system to disallow the installation or execution of unknown programs, it can prevent infection. There are several ways to do this, but the techniques typically fall under application whitelisting, blacklisting, or installation locking. Windows has built-in features for all three methods, and there are third-party apps for managing these controls. While these techniques are somewhat technical, controlling the software installed or run on a system is a worthwhile security measure that will reap benefits beyond ransomware prevention.

Train Yourself And Your Staff. This may be the most important preventative measure. Most ransomware infections are initiated by someone doing something: clicking a link, visiting a site, downloading and installing a program. Learn to recognize suspicious activity and content. When in doubt, don’t.

Protect Your Data

Organizations much larger than yours, with correspondingly greater IT budgets and resources, are routinely succumbing to ransomware attacks. So if you do all you can, and you suffer a breach anyway, what to do? Paying the ransom is the worst possible scenario. There’s no guarantee that you will regain full access to your data or that the attackers have not installed backdoors or other malicious code on your systems, allowing them to victimize you again at a later date. You need a way to recover from the compromise without giving in to the attackers. Be ready for this unfortunate eventuality, and you’ll survive. Here are the steps to take.

Backup, Backup, Backup. Backup all of your valuable data, at least once per day, more frequently if warranted. It should not be necessary to say that you need to be doing this anyway for many reasons. In this case, establish additional backup policies for being wholly and suddenly locked out of all of your data. What will you need access to first? Which data will cost you the most if you lose all or part of it? Guided by these considerations, set backup policies and frequency to suit.

Keep Offsite Copies Of Backups. It’s perfectly acceptable to push backups to a NAS (network-attached storage), data file system, or some other resource on your local network. However, it’s critical that you also keep duplicate backups on an unattached system. When a ransomware program infects a system, it will seek out all accessible data stores for files to encrypt, and this can include your local storage pool. Backups that have been encrypted by ransomware are just as inaccessible to you as your encrypted data. Store copies of all backups on a non-connected system that cannot be accessed as a directory or file tree. Means of doing this could include tape storage media or cloud-based storage that is specifically for backup and restore operations, as is available from most major backup service providers.

Store Local Backups On Linux or macOS. Use a non-Windows system to store local backups if at all possible. Most ransomware runs on Windows, so provided that your Linux-based backup store does not support Windows-native file access protocols, the ransomware will not be able to do anything to the backup copies. Windows is increasingly incorporating features to “play well” with Linux, so this strategy may require that you take steps to disable that functionality and use rudimentary file transfer tools like sFTP to push backups to the store. However, doing so can mean locally stored backups that are safe from compromise by ransomware.

Plan For A Complete System Restoration. If you are compromised, wiping and reimaging all connected systems is the only way to gain reasonable assurance of completely removing the infection. There are two schools of thought regarding this step. One approach involves taking daily ‘bare metal’ backups that can be used to completely rebuild the protected desktop or server machine, including installed applications, user profiles, and any locally stored data. This type of backup works much like a Windows System Restore Point or Restoration Disk. While this method provides the fastest recovery, it leaves open the possibility of low-level malicious code surviving the restoration process. The second school of thought is to do a low-level reformatting of all drives, perform a fresh installation of the operating system, and rebuild the environment by reinstalling all applications, recreating user profiles, restoring data backups, and so forth. This method is much more time- and labor-intensive, but it provides the greatest assurance that the rebuilt system is thoroughly “clean.” If you decide to use bare-metal restoration images, the same rules apply as with your data: store offsite copies to protect them against cryptolockers.