The cost of remediating a ransomware attack is always significant, so it is worth spending time to make sure you have defences in place to prevent an attack, and to limit data loss if those defences are breached.
What is Ransomware?
Ransomware is malicious software that, once executed, blocks access to the contents of files (typically documents and data files) by encrypting them. To regain access to your documents, the attacker demands a sum of money, a “ransom”, in exchange for a key and software that you can use to decrypt your data. Paying is no guarantee: the decryptor may never arrive, or may not work.
Some of the ransoms demanded have exceeded $250,000. An outlay of that size can put an SME out of business, and that is exactly what has happened to some SMEs that have suffered a ransomware attack.
Ransomware is delivered in one of two ways: by automated bot software written specifically to drop ransomware onto a system, or by an attacker who gains remote access to a computer and then runs the ransomware on it directly. The latter “remote control” attack has become more prevalent in recent times and is particularly dangerous, because an attacker with remote access to the target network can tailor the attack to that network: for example, they can look for backups (both local and off-site) and delete or encrypt them so that they are useless for recovery.
Prevent the attack
From a purely technical standpoint, ransomware is just another kind of malware: a malicious program that has been allowed to run on your systems with enough privileges to cause damage. That damage, the encryption of your files, is what sets ransomware apart from other malware.
Ransomware attackers get a foothold in a network in a small number of ways: phishing for credentials, running other malware that gives them remote access to a computer on the network, or connecting to remote-access services (such as RDP) that have been left reachable from the Internet through unsecured ports.
Steps that you can take to prevent an attack:
- User education.
  - Nobody wants to be the person responsible for their computer being the source of a ransomware attack.
  - Ensure that your staff are alert to the fact that attackers frequently send e-mails with malicious attachments or links to malicious software. If your staff don’t recognise the threat, then you are relying on your anti-virus software to identify and quarantine it.
  - We have written a separate article about e-mail threats:
- Apply security updates to software promptly.
  - Security updates address known vulnerabilities, so don’t give attackers a “free kick” at your network by leaving those vulnerabilities unpatched. This is particularly pertinent for servers that host services reachable from the Internet.
- Implement a multi-layered anti-virus approach.
  - No single anti-virus product is infallible all of the time, so it is prudent to implement a layered approach.
  - Each product should have a small “footprint” (i.e. use minimal resources so as not to affect computer performance).
  - Look for strong ransomware protection (detection of a process encrypting files in bulk, not just signature matching) in at least one of the products deployed.
- E-mail screening
  - Many malware attacks are attempted via e-mail, so consider implementing an e-mail gateway that screens all e-mail and filters or quarantines malicious or suspicious messages.
  - Effective e-mail screening identifies many hostile e-mails before they reach your staff’s Inbox, reducing the extent to which you rely on staff vigilance to recognise a threat.
  - We can provide e-mail screening for $4ex per mailbox, per month. No installation or other charges.
  - The screening combines automatic rules with manual review: messages assessed as ‘suspicious’, but not definitely malicious, are flagged for review by a competent person. While not infallible, in practice this approach has proven to be effective.
- Use role-based access control and apply least-privilege rules to those roles.
  - This means that you give users only the privileges they need (and no more) to perform a task.
  - For example, users on a desktop or laptop should normally be logged on with an account that has only ‘user-level’ privileges, enough to run applications. By default they then cannot install software, and so cannot inadvertently install malware either. When a user needs to install a new application, they are prompted to authenticate with a separate set of credentials that carries the higher privileges needed to install or update applications.
  - Bear in mind that ransomware running as an ordinary user can still encrypt everything that user can write to (their documents, mapped network drives, shared folders), so least privilege limits the damage rather than preventing it.
- Enforce strong authentication rules, including two-factor authentication (2FA), especially for e-mail and any form of remote access.
- Password management:
  - Choose passwords that would be difficult for others to guess, and then don’t change them on a fixed schedule. A strong password is long first and foremost; a mix of upper- and lower-case letters, numbers and symbols helps, but length matters more than the character mix.
  - If users choose strong passwords, then so long as they are not compromised there is no need to change them. This approach works best when used with a password manager.
  - Use a password manager like LastPass or RoboForm to simplify the management and administration of passwords. Both LastPass and RoboForm have a free product offering which is quite capable.
  - Use a different password for every account/profile. That way, if a password is compromised only one account, profile or service is affected, not all of them.
  - Don’t share your passwords with anyone.
- Use a SIEM (security information and event management) solution to collect logs from across your network and alert on suspicious activity, such as a burst of file renames on a file server or a run of failed logons against a remote-access service.
- Lock down externally accessible services (such as RDP) where they are not necessary, and enforce secure access restrictions (a VPN or gateway with 2FA, and restriction to known source addresses) for services that must remain accessible externally.
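As an added example of the kind of rule a SIEM can run, the Python below (written for this page, not code from the original article or from any product it mentions) parses a constructed file-audit log and raises an alert when one user on one host renames many files to a single new extension within a short window, or creates a file that looks like a ransom note. The log format, host names, user names, paths, the 60-second window and the threshold of 20 renames are all assumptions made for the example; tune them to your own audit source.

```python
"""Ransomware-style activity detection over file-audit events (added example)."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail, one event per line:
#   "<ISO timestamp> <host> <user> <action> <path>[ -> <new path>]"
# The hosts, users and paths are made up for this example.
_BASE = datetime(2024, 3, 4, 9, 40, 0)
_lines = [
    "2024-03-04T09:15:02 WS-07 alice MODIFY C:/Users/alice/Documents/budget.xlsx",
    "2024-03-04T09:15:09 WS-07 alice CREATE C:/Users/alice/Documents/notes.docx",
    "2024-03-04T09:16:30 WS-07 alice RENAME C:/Users/alice/Documents/draft.docx -> C:/Users/alice/Documents/final.docx",
]
# bob's session renames 25 files on the shared drive to one new extension within 25 seconds,
# then drops a ransom note: the pattern a file-encrypting payload leaves behind.
for _i in range(25):
    _ts = (_BASE + timedelta(seconds=_i)).strftime("%Y-%m-%dT%H:%M:%S")
    _lines.append(f"{_ts} WS-12 bob RENAME //FS01/Shared/Q1/doc{_i}.docx -> //FS01/Shared/Q1/doc{_i}.docx.locked")
_lines.append("2024-03-04T09:40:31 WS-12 bob CREATE //FS01/Shared/Q1/HOW_TO_RECOVER_FILES.txt")
SAMPLE_LOG = "\n".join(_lines)

_EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")
# Ransom notes are usually a text/HTML file whose name tells the victim how to pay.
_RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|readme).*\.(txt|html?)$", re.IGNORECASE)


def parse_event(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, action, rest = m.groups()
    src, _, dst = rest.partition(" -> ")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "path": src, "new_path": dst or None}


def gained_extension(old_path, new_path):
    """Extension a file acquired in a rename (e.g. '.locked'), or None if it kept its extension."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else None


def detect(log_text, window=timedelta(seconds=60), threshold=20):
    """Return alerts for (a) at least `threshold` renames to one new extension by one user on one
    host inside `window`, fired once per (host, user, extension), and (b) ransom-note creation."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (host, user, ext) -> rename timestamps still inside the window
    fired = set()
    alerts = []
    for ev in events:
        if ev["action"] == "RENAME" and ev["new_path"]:
            ext = gained_extension(ev["path"], ev["new_path"])
            if ext is None:
                continue
            key = (ev["host"], ev["user"], ext)
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"rule": "mass-rename", "host": ev["host"], "user": ev["user"],
                               "ext": ext, "count": len(q), "ts": ev["ts"].isoformat()})
        elif ev["action"] == "CREATE" and _RANSOM_NOTE_RE.search(os.path.basename(ev["path"])):
            alerts.append({"rule": "ransom-note", "host": ev["host"], "user": ev["user"],
                           "path": ev["path"], "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the mass-rename rule fires on bob’s 20th rename (at 09:40:19, well before the run finishes) and the note rule fires on the ransom note; alice’s ordinary rename of one document to another name of the same type does not count. The ransom-note pattern is deliberately loose (“readme” alone will match legitimate files), so in production it belongs as a corroborating signal next to the rename burst rather than as an alert on its own.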
Backups – your last line of defence
Backups are an essential last line of defence against a multitude of problems, not only ransomware. At the end of the day, computer hardware can be replaced, but your critical data is unique to your business and will be either irreplaceable or, at the very least, difficult to recreate.
Backing up your data is a key part of the defence against ransomware and other malware. However, if ransomware wipes out or encrypts your backups as well, this defence is rendered useless, so at least one copy must be kept where an attacker on your network cannot reach it, and restores must be tested before you need them.
We have written a separate article about protecting your backups from ransomware.
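An added example, not part of this article or the separate one it refers to: a small Python tool that records a SHA-256 manifest of a backup set and later verifies it, reporting files that changed, vanished or appeared, and flagging changed files whose contents now look random (the signature of encryption). The directory layout, file names and the 7.5 bits-per-byte entropy threshold are assumptions made for the demonstration.

```python
"""Backup manifest and tamper check (added example)."""
import hashlib
import json
import math
import random
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for encrypted (or compressed) data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_of(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest, entropy_limit=7.5, sample_bytes=1 << 16):
    """Compare the files now under root with the manifest.

    Files are reported as ok, modified (hash differs), missing, or unexpected (not in the manifest).
    A modified or unexpected file whose first `sample_bytes` look random is also listed under
    suspect_encrypted. Untouched files are never judged on entropy alone, so compressed archives
    that were part of the original backup set do not raise false alarms."""
    root = Path(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspect_encrypted": []}
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, p in sorted(present.items()):
        expected = manifest.get(rel)
        if expected and sha256_of(p) == expected["sha256"]:
            report["ok"].append(rel)
            continue
        report["modified" if expected else "unexpected"].append(rel)
        with open(p, "rb") as f:
            if shannon_entropy(f.read(sample_bytes)) > entropy_limit:
                report["suspect_encrypted"].append(rel)
    report["missing"] = sorted(set(manifest) - set(present))
    return report


def demo():
    """Build a manifest over a constructed backup set, tamper with it the way ransomware would,
    and re-verify. Returns (report_before, report_after)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2024-01-02,120.50\n" * 200)
        (root / "staff.txt").write_text("Alice, Bob, Carol\n" * 50)
        (root / "notes.md").write_text("Quarterly planning notes.\n" * 40)
        manifest = build_manifest(root)
        # The manifest must live somewhere an attacker who reached the backup cannot alter it
        # (with the off-site copy, or offline); here it is only serialised to show the format.
        manifest = json.loads(json.dumps(manifest))
        before = verify_backup(root, manifest)
        # Simulated ransomware: overwrite one file with random bytes (what encryption looks like),
        # rename another to a new extension, and drop a ransom note.
        rng = random.Random(7)
        (root / "finance" / "ledger.csv").write_bytes(bytes(rng.randrange(256) for _ in range(8192)))
        (root / "staff.txt").rename(root / "staff.txt.locked")
        (root / "HOW_TO_RECOVER.txt").write_text("Pay us to get your files back.\n")
        after = verify_backup(root, manifest)
        return before, after


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it and the second report lists the overwritten ledger as both modified and suspect_encrypted, the renamed file as missing under its old name and unexpected under its new one, and the ransom note as unexpected but not encrypted. The check is only as good as the manifest’s own safety: an attacker who can rewrite your backups can rewrite a manifest stored beside them, which is why the hashes belong with the copy they cannot reach.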
disaster-recovery.com.au is part of the ZEN group. An earlier version of this article first appeared at
https://www.zen.net.au/how-to-prevent-a-ransomware-attack/