What is Ransomware?
Ransomware is nothing new, but the most recent strains are more vicious than earlier ones and are getting a lot of publicity for how devastating they are to companies. Ransomware prevents users from using their computers by blocking the screen with pop-ups and encrypting a majority of the files on the computer, as well as on any device that can be accessed from that computer.
This is where ransomware gets its name: it demands that you pay a ransom to decrypt your files and remove the malware from your computer. If the amount is not paid, the files will remain encrypted and you will not be able to restore them without reverse engineering the encryption. While some strains of ransomware have been decrypted, relying on that means you are essentially playing whack-a-mole instead of solving the actual problem.
Standing up to Crypto
There are several ways to protect yourself against the usual Cryptolocker or Cryptowall virus. When it comes to fighting back against either, the best offense is a strong defense. We believe in taking a five-step approach that starts with the user and ends with your infrastructure.
Step #1: Informing your users on the best practices
Your users are the main infection point for ransomware, so informing them of the problem and how to avoid falling victim to a spoofed attack is a key part of protecting you and your company. A few quick tips to tell your users:
- Refrain from opening emails from strange or unfamiliar email addresses
- Don’t disable or deactivate your antivirus solution on your computer
- Don’t download software from third-party sites
- If you receive an email from a normal contact with an attachment, verify that the person actually sent it to you
The most common infection happens through an e-mail attachment. While it may seem like an inconvenience to verify that your co-workers actually sent you a specific attachment, it is very important. Ransomware usually arrives in an e-mail with an ordinary-looking subject line. The following are just some of the subjects that have been associated with the virus:
- USPS – Your package is available for pickup ( Parcel 173145820507 )
- USPS – Missed package delivery (“USPS Express Services” <email@example.com>)
- USPS – Missed package delivery
- FW: Invoice <random number>
- ADP payroll: Account Charge Alert
- ACH Notification (“ADP Payroll” <*@adp.com>)
Within the attachment is a .zip file that is normally disguised as a common extension like a .doc or a .pdf, but in reality the .zip contains an .exe, which downloads and runs on that computer. Once the file runs, it communicates back with the hacker who sent it, and your files are then encrypted.
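The disguise described above can be caught by judging an attachment by its content and member names rather than by the name it arrives with. The following Python sketch is an added example, not part of the original article; the extension lists, function names and sample attachments are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Illustrative, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}
ZIP_BASED_DOCS = {".docx", ".xlsx", ".pptx"}  # legitimately zip containers


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Judge one attachment by its content and member names, not by its own name."""
    findings = []
    ext = PurePosixPath(filename.lower()).suffix
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {filename}")
        return {"file": filename, "block": bool(findings), "findings": findings}
    if ext != ".zip" and ext not in ZIP_BASED_DOCS:
        findings.append(f"zip archive named as {ext or '(no extension)'}")
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            suffixes = PurePosixPath(member.lower()).suffixes
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                decoy = len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS
                kind = "decoy-named executable" if decoy else "executable"
                findings.append(f"{kind} in archive: {member}")
    return {"file": filename, "block": bool(findings), "findings": findings}


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; only used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, body in members.items():
            archive.writestr(name, body)
    return buf.getvalue()


# Constructed samples with harmless placeholder bytes.
SAMPLES = {
    "USPS_Label.pdf": build_zip({"USPS_Label.pdf.exe": b"placeholder"}),
    "Invoice.zip": build_zip({"Invoice.doc": b"placeholder"}),
    "report.docx": build_zip({"word/document.xml": b"<w/>"}),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(inspect_attachment(name, data))
```

Only the first sample is blocked: it is a zip that arrives named as a .pdf and carries a member whose real extension is .exe behind a .pdf decoy.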
Step #2: Setting up protection on your desktops
Keeping your users’ devices up to date with the most recent version of antivirus is important for stopping ransomware before it is able to encrypt your files. Ransomware is constantly evolving, and so should your antivirus solution. If your company works with a managed service provider, it is their job to keep all of your users’ workstations on the latest version and to work with you on your current state of protection. It is also important to keep up to date with other updates, such as Windows Update, and to upgrade your operating system when it is no longer supported.
Step #3: Don’t allow .exe files to run from AppData or LocalAppData folders
Modern ransomware such as Cryptolocker operates within the AppData and LocalAppData folders. Working together with your IT staff and managed service provider, you can set up the appropriate rules to prevent illegitimate files from running in those folders. While some programs, such as GoToMeeting and Spotify, run from the same folders, they can be whitelisted so that they continue to work. This type of ruleset can be implemented with a Group Policy so that all computers, even newly added ones, have the same rules.
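Before enforcing such a rule it helps to know which executables already live under those folders, so that legitimate ones can be whitelisted first. The following Python sketch is an added example, not part of the original article; it audits one user profile and sorts each .exe into "allow" or "block". Matching the whitelist by vendor folder name, the profile layout and all file names are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption for this example: the whitelist is keyed on the vendor folder name
# directly under Roaming or Local. A real rule set may key on other attributes.
ALLOWED_VENDOR_DIRS = {"spotify", "gotomeeting"}
APPDATA_SUBDIRS = ("AppData/Roaming", "AppData/Local")


def audit_profile(profile: Path, allowed=ALLOWED_VENDOR_DIRS) -> dict:
    """Sort every .exe under a profile's AppData folders into 'allow' or 'block'."""
    result = {"allow": [], "block": []}
    for sub in APPDATA_SUBDIRS:
        root = profile / sub
        if not root.is_dir():
            continue
        for exe in sorted(root.rglob("*")):
            if not exe.is_file() or exe.suffix.lower() != ".exe":
                continue
            rel = exe.relative_to(root)
            # An .exe directly in Roaming/Local has no vendor folder: always block.
            vendor = rel.parts[0].lower() if len(rel.parts) > 1 else None
            bucket = "allow" if vendor in allowed else "block"
            result[bucket].append(f"{sub}/{rel.as_posix()}")
    return result


def build_sample_profile(base: Path) -> Path:
    """Create a constructed profile tree made of empty placeholder files."""
    profile = base / "Users" / "jdoe"
    for rel in ("AppData/Roaming/Spotify/Spotify.exe",
                "AppData/Local/GoToMeeting/1234/GoToMeeting.exe",
                "AppData/Roaming/Kd93jsk.exe",
                "AppData/Local/Temp/invoice.pdf.exe",
                "AppData/Local/Temp/readme.txt"):
        path = profile / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return profile


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_profile(build_sample_profile(Path(tmp)))
        for bucket, paths in report.items():
            print(bucket, paths)
```

Running the audit across a few representative workstations shows which whitelist entries are needed before the block rule is rolled out through Group Policy.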
Step #4: Set up email security features
With the main infection point being your users’ email, it is important that you address the security features of your email service. With most businesses switching from locally hosted email to Office 365, some vulnerabilities are overlooked. Office 365 by default does not block .exe files, so you have to set that up yourself. If a user ever needs to send or receive an .exe, they can do so by downloading it from a hosted storage solution like Dropbox or simply by sending it over your local network. This protects your users from making a simple mistake and ending up with encrypted files.
Step #5: Back up your data offsite and onsite
Backing up your servers is a keystone of data protection, not only for preventing ransomware but also for setting up a great disaster recovery solution. Many solution providers will try to shoehorn you into their one solution, but a backup solution can be unique to your company.
Offsite backups are key to both a disaster recovery scenario and preventing Cryptolocker infections. Why offsite? Cryptolocker has the ability to infect local drives and network shares that are mapped as a drive on the infected computer. However, the same thing can happen if your offsite backup is not set up correctly.
Choose the right solution
When setting up an offsite/cloud backup solution it is important to keep the following things in mind:
- The ability to choose between cloud-only backup and local and cloud backups
- Encrypting file transit between your local site and your offsite location
- Definable retention policies and archiving
Keep multiple days’ worth of backups
Keeping multiple days of restore points gives you a better chance of restoring to a good state if ransomware is not immediately detected by the user. If you only back up a single day, you may end up restoring to a version of the data that is still infected.
Back up both your servers and your workstations
Many backup solution providers will end up only backing up your physical and virtual servers. It is key to remember that your users hold a majority of the data that your company runs on. Backing up your workstations allows for fast recovery of local user files. With the right solution you should be able to launch a recovery procedure from the same computer that had the infection on site within hours and be back online with the most recent verified backup.
The MSP makes all the difference
Data encryption due to ransomware is not a thing to scoff at. It is a continuously evolving, money-driven virus that thrives on social engineering to infect your users. By taking the necessary preventative steps, you are ensuring that your company does not fall victim to this scenario. While your business should first be concerned with preventing an infection, it is most important to have a plan for the likely situation that some ransomware will make it through your protection. Frequent backups are the key to recovery, while education and creating a secure wall aid in infection prevention.