How to Protect Against Ransomware
Recent well-publicized ransomware attacks have heightened awareness of, and trepidation about, malware intrusions. Hospitals, utilities, transportation services, businesses and others have been locked out of the files they need to stay up and running. Ransomware is a form of malware that effectively holds a user’s data hostage until a “ransom” fee is paid. The malware will typically encrypt the files on your system (encryptors), leaving them inaccessible until they are decrypted with the decryption key. Cyber criminals can also restrict system access and lock you out of the computer (lockers), or they might bundle your files into a password-protected zip folder; there are also ransomware versions that threaten to publish personal information stolen from a victim’s computer (leakware). Because of the proliferation of these programs devised by bad actors, we regularly hear from IT professionals who ask for advice on “how to block ransomware.”
How to avoid ransomware
The first line of defense in attack protection is to warn and educate your co-workers about potentially malicious downloads. Alert them to the fact that attachments from unknown senders, unexpected emailed faxes, suspicious download requests, etc., should not be clicked on or downloaded. Software installations should be vetted by IT and not left to the rest of the staff.
Cyber criminals also use social engineering as a means of infecting systems. Be alert for click bait. It’s been reported that 97% of phishing emails are triggers for ransomware downloads. They encourage downloads of malware attachments or urge victims to click on a spoofed website link that then delivers the malicious program that stealthily attacks computers. Some companies actually send out simulated phishing attacks to test their employees’ resolve in resisting the temptation to click.
Watering hole attacks are also used by cyber crooks to spread ransomware. They track the browsing habits of prospective victims and then infect the most visited websites with their malware. Social networking attacks spread through social sites by hijacking linked accounts and installing their programs using social click bait. Teach co-workers to be skeptical of the emails they receive, the offers they see, the websites they go to and the downloads they are asked to perform.
With relentless attacks and virtually unlimited variants, you simply cannot fully protect against ransomware. There are some “ransomware blocker” anti-malware options that may catch some of the invasions, but the fact is that with 4,000 attacks daily (according to the FBI) and predictions that the number of ransomware attacks will increase by 25% in 2017 (Trend Micro), there is no surefire way to block ransomware. Additionally, ransomware authors are coding their programs to avoid malware detection. Ultimately, if you want ransomware protection, your best bet is to safeguard your data by performing regular backups.
Once you are hit with ransomware, the ideal way to avoid the consequences is to have a secure and tested backup and recovery plan. Outsmart the attackers and limit your exposure with a viable backup that you can use for disaster recovery. Having these reinforcements means that when ransomware infiltrates your system you can turn to your backup to recover the encrypted files.
However, your backup cannot protect you against invasions unless you can confirm that it can actually be used for disaster recovery. Regularly test your backups for ransomware and other issues that could impact a successful recovery. It’s critical to make certain your files, settings, applications and structured data are available for instant and successful disaster recovery.
Some vendors are beginning to automate backup testing and verification. Such automation is designed to ensure that your backup data can restore your system as planned. More advanced solutions can even incorporate security testing as part of the process, automating checks for traces of ransomware in the backed-up data. A successful recovery needs to be free of ransomware.
IT pros need to keep in mind that a ransomware infiltration may be a gradual attack. Ransomware may lie dormant on your network for days and even weeks. Over that period the malware stealthily encrypts your files. Even with backups, the time span between infection and detection may create blocks of data that are no longer accessible. However, if you can detect the attack as it occurs, you can immediately spin up from your backup files, allowing you to safely and securely restore your system with minimal data loss. Part of your protection plan should include ransomware detection at the device, network, storage and backup levels. If that seems like a lot, it is. However, given that ransomware can attack all of those areas, it is critical to ensure you can detect its presence wherever it could strike.
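The backup-level detection described in the last two paragraphs compares successive backups and looks for the signs of encryption in progress: an unusually large share of changed files, files that should never change being modified, and changed files whose contents now look like random bytes. The following is an added illustration written for this page, not Unitrends' or any vendor's code; the file tree, the "protected files" list, the thresholds and the two sample snapshots are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data: two backup snapshots of the same small file tree,
# each mapping a path to the file's contents. These are not real backups.
BASELINE = {
    "docs/report.txt": b"Quarterly report: revenue up 4%, costs flat.\n" * 20,
    "docs/notes.txt": b"Meeting notes, action items, owners.\n" * 15,
    "etc/hosts": b"127.0.0.1 localhost\n",
    "bin/service": b"\x7fELF" + b"\x00" * 60,
}

# Assumed list of files that should not change between backups (system
# binaries, static configuration); a real deployment would build this from
# a baseline inventory rather than hard-code it.
PROTECTED = {"etc/hosts", "bin/service"}


def random_looking_bytes(length: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy filler used only to build test data that
    has the byte distribution of encrypted output (no cipher is involved)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed
    data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compare_snapshots(baseline, current, max_changed_ratio=0.5,
                      entropy_threshold=7.0, protected=PROTECTED):
    """Compare two backup snapshots and report the three indicators:
    too many changed files, protected files changing, and changed files
    whose contents now look encrypted."""
    changed = [p for p in current if p in baseline and current[p] != baseline[p]]
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed_ratio = len(changed) / len(baseline) if baseline else 0.0
    high_entropy = sorted(p for p in changed
                          if shannon_entropy(current[p]) >= entropy_threshold)
    protected_changed = sorted(p for p in changed + removed if p in protected)
    suspicious = (changed_ratio > max_changed_ratio
                  or bool(high_entropy) or bool(protected_changed))
    return {
        "changed_ratio": round(changed_ratio, 2),
        "added": added,
        "removed": removed,
        "high_entropy": high_entropy,
        "protected_changed": protected_changed,
        "suspicious": suspicious,
    }


def benign_snapshot():
    """Constructed 'next day' snapshot: one document edited normally."""
    snap = dict(BASELINE)
    snap["docs/notes.txt"] = BASELINE["docs/notes.txt"] + b"Follow up with finance.\n"
    return snap


def encrypted_snapshot():
    """Constructed snapshot in which the documents were replaced by
    random-looking bytes and a protected binary was altered."""
    snap = dict(BASELINE)
    for path in ("docs/report.txt", "docs/notes.txt"):
        snap[path] = random_looking_bytes(len(BASELINE[path]), seed=path.encode())
    snap["bin/service"] = b"\x7fELF" + b"\x01" * 60
    return snap


if __name__ == "__main__":
    for label, snap in (("benign", benign_snapshot()),
                        ("encrypted", encrypted_snapshot())):
        print(label, compare_snapshots(BASELINE, snap))
```

The entropy check is what separates a bulk edit (a rebuild, a mass rename) from encryption: edited text stays around 4 to 5 bits per byte, while ciphertext approaches 8. Already-compressed formats (zip, jpeg, video) also score high, so in practice the threshold is applied per file type or combined with the changed-file ratio rather than used alone.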
Comply with IT Best Practices
Being mindful of IT best practices seems like an obvious protection point in the effort to defend against ransomware. Here is a reminder of some of those procedures.
Deploy software updates
The global WannaCry attack in May 2017 was based on a vulnerability found in Microsoft’s Windows platform. This version of the cyber attack could have been prevented if users had simply installed the Microsoft patch that had been made available to close this exposure. Software updates are vital for system security. The updates are often fixes for security vulnerabilities that attackers could otherwise exploit. Not updating can leave your system open to viruses, malware and other types of attacks. Ultimately, regularly installing software updates and performing system backups are important steps in protecting against ransomware.
The 3-2-1 Rule
Implement the industry best practice of the 3-2-1 Rule. IT pros should make 3 backup copies of the data, using 2 different media, with 1 copy being offsite. Some industry professionals talk about keeping an additional backup offline, using tape or rotational media. This can be helpful as well, but it will slow recovery times. Recovery times must be considered in the strategy. If your business cannot afford to be down, then a recovery process that violates your recovery service level agreement (SLA) could be more harmful than paying the ransom.
Many organizations lack clear recovery SLAs. These objectives tell you, at a site, system or application level, how much data you are willing to lose in an outage (RPO – Recovery Point Objective) and how much downtime you are willing to accept (RTO – Recovery Time Objective). While most prefer zero downtime and zero data loss, the budget does not typically allow an organization to achieve those objectives. Therefore, you should be honest about what your budget and solution can handle, test to benchmark your results, and quickly close gaps with updated solutions as needed. You may even find cost-saving opportunities if less critical data happens to be protected with SLAs that are far stricter than necessary, since over-protecting that data can significantly increase storage and licensing costs. So it is worth the effort to define this plan so that your company does not pay the price later, after an outage or an attack.
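The two paragraphs above describe a check that is easy to put into a script: does the set of backup copies satisfy 3-2-1, and do the newest copy's age and the fastest usable restore actually fit the RPO and RTO that were agreed? The following is an added example written for this page, not any vendor's tool; the `BackupCopy` fields, the sample estate and the objectives are constructed assumptions, and the offline tape copy is deliberately excluded from the RTO calculation because, as the text notes, offline media slows recovery.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed description of one backup copy; field names are assumptions
# for this example, not any product's schema.
@dataclass
class BackupCopy:
    name: str
    media: str            # e.g. "disk", "cloud", "tape"
    offsite: bool
    online: bool          # False for tape or rotated media that must be fetched first
    last_success: datetime
    restore_minutes: int  # measured time for a full recovery from this copy


def check_3_2_1(copies):
    """Return the 3-2-1 shortfalls: fewer than 3 copies, fewer than 2 media
    types, or no offsite copy. An empty list means the rule is met."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        gaps.append("all copies on one media type, need 2")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    return gaps


def evaluate_sla(copies, rpo, rto, now):
    """Compare what the backups can deliver with the stated objectives.
    Achievable RPO is the age of the newest successful copy; achievable RTO
    is the fastest restore among online copies (offline media excluded)."""
    newest = max(c.last_success for c in copies)
    achievable_rpo = now - newest
    online = [c for c in copies if c.online]
    achievable_rto = (timedelta(minutes=min(c.restore_minutes for c in online))
                      if online else None)
    gaps = check_3_2_1(copies)
    if achievable_rpo > rpo:
        gaps.append(f"RPO missed: newest copy is {achievable_rpo} old, objective {rpo}")
    if achievable_rto is None or achievable_rto > rto:
        gaps.append(f"RTO missed: fastest online restore is {achievable_rto}, objective {rto}")
    return {
        "achievable_rpo": achievable_rpo,
        "achievable_rto": achievable_rto,
        "gaps": gaps,
        "compliant": not gaps,
    }


# Constructed sample estate: local disk, a cloud replica and a weekly offline tape.
NOW = datetime(2017, 6, 1, 12, 0)
SAMPLE_PLAN = [
    BackupCopy("local-disk", "disk", offsite=False, online=True,
               last_success=NOW - timedelta(hours=1), restore_minutes=30),
    BackupCopy("cloud-replica", "cloud", offsite=True, online=True,
               last_success=NOW - timedelta(hours=6), restore_minutes=240),
    BackupCopy("weekly-tape", "tape", offsite=True, online=False,
               last_success=NOW - timedelta(days=5), restore_minutes=1440),
]

if __name__ == "__main__":
    print(evaluate_sla(SAMPLE_PLAN, rpo=timedelta(hours=4), rto=timedelta(hours=2), now=NOW))
```

Running the sample estate against a 4-hour RPO and 2-hour RTO reports it compliant; dropping to the tape copy alone, or tightening the RTO below the measured disk restore, produces the gap list that the text suggests you should close with an updated solution or a renegotiated objective.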
“Unitrends had the most advanced ransomware solution, as it looks for behavior patterns within the backed up data. It looks for things like too many changed files, system files changing that shouldn’t change, and other things. If it notices things like that, it notifies the appropriate people, allowing them to directly address the problem.”
– W. Curtis Preston (a.k.a. “Mr. Backup”), StorageSwiss.com – The Home of Storage Switzerland
“We did have an incident involving ransomware that affected several of our systems. And utilizing our Unitrends data protection infrastructure we were able to respond, contain, and eliminate the infection, and recover in a matter of minutes! With our old data protection solution this would have taken days.”
– John Little, Gila Regional Medical Center