Dealing with Ransomware attacks is a bit like Russian Roulette, in the end paying the Ransom might be the last option you have for recovering your locked data.
Taking action prior to an attack to prevent or limit its effects is the prudent approach.
In response to the growth of ransomware, the security industry has created a plethora of tools to prevent and recover from ransomware. Almost none of them are bulletproof.
One option, of course, is don’t connect your computer to a network or the internet.
Because none of the feasible solutions are 100% reliable, users should use multiple rings of defense against these threats.
This article proposes some of the actions that users should be undertaken:
1. Backup, Backup, Backup – First, middle and last this is your final solution!
In the end, if you suffer an attack, there are three things you can do:
- Restore from your backup,
- Pay the Ransom and pray you get a correct decryption key as it probably won’t work,
- Delete your encrypted files and start from scratch.
Your backup solution needs to have multiple backup locations and storage types. Ideally it will include an offline/disconnected storage location within the solution.
Cloud storage products like Google-Drive are not a solution, for this type of event. If your local files are encrypted, then your Google-Drive files will be as well.
2. Education
Discussion and education is important in learning to recognise emails that are Phishing emails.
Some areas for discussion include:
- Refrain from opening attachments that look suspicious,
- Think twice before Clicking on that link,
- Know whether you should be expecting an email from your banking institution, e-commerce, the ATO or my.gov .au etc. If you don’t, don’t open it.
- Refrain from reading mail, browsing the internet or running applications on your server.
3. Review and Update your Anti-Spam options
Ransomware requires that an executable be initiated on your workstation.
Altering your spam settings to block suspect attachments such as .exe, .vbs or .scr files can prevent you from infecting your system.
Enable scanning of compressed and archive files to reduce the chance of threats from reaching your system.
4. Keep your systems patched and AntiVirus signatures up to date.
Keeping your systems up to date can prevent an attack and prevent it spreading.
But for a business, having the update processes in place is not enough, knowing that your systems are up to date is just as important.
5. In the event that you suspect that you have been infected, immediately disconnect your system from the network and power it off.
In the early stages of an attack, this can save other systems from being infected and may prevent the encryption phase from affecting your whole system.
6. Keep your Windows Firewall turned on and properly configured at all times.
Most desktops don’t need to be accessed from remote systems. If the firewall is enabled, it prevents your system from being accessed by another system.
7. Make sure you disable file sharing.
If you don’t have access to it, it can’t be encrypted.
Only give access to shared areas on you system that you need to share.
8. Enable Advanced firewall and Webfiltering devices on the perimeter of your Network
Consider implementing one of the many Advanced Firewall and WebFiltering solutions that can block the Ransomware software to provide an additional line of defence.
9. Scripting, Powershell and Autoplay
Consider disabling windows scripting, powershell and autoplay. All of these can be used as an attack method.
10. Microsoft Offices has features that can be exploited.
- Disable macros and Active X.
- Block external content from being accessed from within the applications
11. Remote services, BlueTooth and Infrared ports
Consider disabling these services, there are exploits that use them.
12. Consider disabling the Volume Shadow Copy Administrator (vssadmin.exe)
If it is disabled on a computer at the time of the attack, ransomware will fail to use it for obliterating the shadow volume snapshots. This means you can use VSS to restore the blatantly encrypted files afterwards.
13. Prevent executables from running in download locations.
The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp and Windows\SysWow.
Define Software Restriction Policies that keep executable files from running when they are in these specific locations in the system.
14. Block known-malicious IP addresses.
Ransomware must communicate with command servers and TOR routers (https://www.torproject.org/). Therefore, blocking those may impede the critical malicious processes from getting through. There are a number of DNS blocking solutions available to compliment, firewalls and Anti-Virus/Anti-Spam solutions to provide another layer of security.
15. Review your Remote Access Policy
Ransomware can infect systems across your local network. This means that any system on your network can potentially infect any other system.
Review all systems that access your network, especially those that connect via VPN or remote access or are owned by someone else and make sure they follow the above TODO list as well.
16. Review your Disaster Recovery Position
Many companies have DR solutions in place. These solutions provide an offsite replica of the live systems.
However, some do not provide historical recovery points which means in the case of a replicated environment the damaged files will be replicated to the DR system.
In Conclusion
Ransomware is definitely today’s number one cyber threat due to the damage it causes and its ability to propagate. Whether you are a large company or a single user, on a Windows, Linux or Apple device, you are at risk!
Ignoring the issue and trusting that you will be able to decrypt files after an attack is no longer a viable business solution and will probably result in your most important files being unrecoverable.That is why the above counter measures are a must.
The key recommendation, though, is the one about backups – offline or in the cloud. In this scenario, the recovery consists of removing the ransom Trojan and transferring data from the backup storage.
Currently, dealing with the consequences of ransomware isn’t very promising from the file decryption perspective. That is why thwarting the virus attack and having a recovery process that takes ransomware out of the equation can save you a pretty penny and guarantee peace of mind.
Pegasus Technology Assistance
In response to the ransomware threat, Pegasus Technology has developed a Ransomware Technology Review for Office Managers and Business Owners to provide an actionable tasklist tailored to your systems and peace of mind.
Pegasus Technology can provide consulting services to assist you in the implementation of the above tasks.