
Best practices: Preventing and recovering from ransomware attacks

06 Jul 18

Article by StorageCraft APAC sales head Marina Brook

In May 2017, the WannaCry attack jolted the public into awareness of ransomware’s destructive capabilities.

WannaCry spread to over 300,000 Windows computers, encrypting the data on each infected machine and then demanding Bitcoin to unlock it.

Ransomware is a lucrative endeavour.

There is a good chance that an organisation will have to deal with ransomware at some point if they have not done so already.

Here are best practices for preventing ransomware attacks, plus a few suggestions on how to respond to an attack.

Several factors have led to the rise in ransomware attacks:

Ransomware has moved beyond amateurs to professionals, who know which unpatched security holes make an attack succeed.

The pseudonymous nature of Bitcoin has driven investment in the cryptocurrency while making it ideal for collecting payments from attack victims without revealing who is behind the demand.

Computers stay in service for longer than ever, but many now lack the operating system security updates that would repel attacks.

IT professionals are often reluctant to patch older computers because they fear that OS updates will slow down or break old systems.

Most ransomware attacks arrive through email, and many employees have not been properly trained to recognise a malicious email attachment.

How to mitigate attacks

The most effective step for an organisation to take to combat ransomware is to perform a regular backup of its most important files.

The most sophisticated attacks encrypt data files and also delete or encrypt Windows restore points and shadow copies, so a recovery point that lives on the infected machine cannot be relied on; the backup has to be kept somewhere the malware cannot reach.

Backing up critical data and ensuring it is easy to recover is the best defence against ransomware attacks.

In addition to performing regular backups, consider the following:

  • Update all software according to a regular maintenance plan. If a workstation or server is too old to update, retire it. The few tasks it can perform do not outweigh the risk it presents to machines on the network.
  • Restrict administrator accounts to only a few people in the organisation and create standard user (not admin) accounts on each workstation for each employee. End users should not be logged into machines as administrators. The most destructive ransomware uses the privileges of whoever is logged in, and an administrator session lets it reach shares and systems on the network that a standard user cannot.
  • Verify backups. Performing backups is just the first step; a backup that has never been restored is an assumption, not a safeguard. Verify backups and test the data restore process regularly. Occasionally the backup restores without error but does not include all critical files, which only a restore test against a list of critical files will reveal.
  • Employee training is often overlooked or not regularly updated for new employees. Do not assume the employees are tech-savvy enough to recognise malware sent via email. Regular training takes time and resources, but apart from backup, can have the biggest impact in deterring the spread of ransomware.
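The restore test described in the "Verify backups" point above, as an added example that is not part of the original article or StorageCraft's tooling. It records a SHA-256 manifest of the files the organisation has declared critical, restores the backup to a scratch location (never over production), and reports any critical file that is missing or that does not match byte for byte. The directory layout, file names and the narrowly scoped "backup job" are constructed for the demonstration; in practice the manifest would be built from the real critical-file list and the restore would come from the real backup product.

```python
"""Check that a restored backup contains every critical file, byte for byte.

Added example. The backup and restore are simulated with directory copies so
the script runs offline; replace them with the real backup/restore job.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, critical):
    """Map each critical relative path to its SHA-256 before the backup runs."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in critical}


def verify_restore(manifest, restored_root):
    """Return (missing, corrupted). Two empty lists mean the restore is good."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        p = os.path.join(restored_root, rel)
        if not os.path.isfile(p):
            missing.append(rel)
        elif sha256_of(p) != digest:
            corrupted.append(rel)
    return missing, corrupted


def demo():
    """Constructed scenario: the backup job was scoped to finance/ only, so a
    critical HR file never reaches the restore, and the ledger is truncated
    during the restore. Both faults are invisible to a job that just 'succeeds'."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "fileserver")
        os.makedirs(os.path.join(src, "finance"))
        os.makedirs(os.path.join(src, "hr"))
        with open(os.path.join(src, "finance", "ledger.xlsx"), "wb") as f:
            f.write(b"ledger contents for the quarter")
        with open(os.path.join(src, "hr", "payroll.csv"), "wb") as f:
            f.write(b"employee,amount\nalice,100\n")

        # The organisation's list of files it cannot afford to lose (assumed).
        critical = ["finance/ledger.xlsx", "hr/payroll.csv"]
        manifest = build_manifest(src, critical)

        # "Backup": only finance/ was included in the job's scope.
        backup = os.path.join(work, "backup")
        shutil.copytree(os.path.join(src, "finance"), os.path.join(backup, "finance"))

        # "Restore" to a scratch location, then simulate a partial write.
        restored = os.path.join(work, "restore-test")
        shutil.copytree(backup, restored)
        with open(os.path.join(restored, "finance", "ledger.xlsx"), "wb") as f:
            f.write(b"ledger contents")

        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    missing, corrupted = demo()
    print("missing from restore:", missing)
    print("restored but changed:", corrupted)
```

Run the check after every backup cycle and treat a non-empty result as a failed backup, not a warning: the whole point of the test is to find out before an incident that the job is not protecting what matters.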

How to respond to an attack

An organisation suspecting that someone on the network has been a victim of a ransomware attack should perform the following steps:

  • Take a snapshot of the system and then shut it down. A snapshot will attempt to save system memory, which might help with decryption and gives further details about the attack. Some professionals recommend only quarantining the computers known to be infected, but it is safer to shut down all systems to keep the ransomware from spreading.
  • Block remote desktop protocol (RDP) at the network level. Consider blocking all email attachments until the attack’s origin is fully understood.
  • Assess the damage and determine the point of entry. This is where backups come into play. The organisation will need to revert to its backup plan at this point depending on which systems were infected. Pulling a server offline may take more planning. The key here is to have a reliable backup to get the business up and running quickly.
  • What if there is no backup? IT will need to assess the value of the encrypted data and decide whether it is worth hiring a security/ransomware expert, or simply paying the ransom. Bear in mind that paying does not guarantee a working decryptor, and thieves often increase the ransom the longer they have to wait.
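One way to carry out the "assess the damage" step above, as an added example that is not part of the original article: a script that walks a share, flags files whose content looks encrypted, and reports the earliest modification time among them, which approximates when encryption began and which files were hit first. Encrypted output is close to uniformly random, so the test here is Shannon entropy above an assumed threshold of 7.5 bits per byte; files that are legitimately compressed (zip-based Office documents, gzip, JPEG, PNG) are skipped by magic bytes because they would otherwise be false positives. The threshold, the magic list and the directory contents are all assumptions constructed for the demonstration.

```python
"""Scope a ransomware incident: which files look encrypted, and since when.

Added example, not from the article. Thresholds and magic-byte list are
assumptions; tune them against known-good files on your own file shares.
"""
import math
import os
import tempfile
import time
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; random or encrypted data sits near 8.0
MIN_SIZE = 256            # very small files give noisy entropy estimates
# Legitimately compressed formats also have high entropy; skip them by signature.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG")


def shannon_entropy(data):
    """Bits of entropy per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True if the first 64 KiB is high-entropy and not a known compressed format."""
    with open(path, "rb") as f:
        head = f.read(65536)
    if len(head) < MIN_SIZE or head.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def scope_incident(root):
    """Return (suspect paths ordered by mtime, earliest mtime or None)."""
    suspects = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if looks_encrypted(p):
                suspects.append((os.path.getmtime(p), os.path.relpath(p, root)))
    suspects.sort()
    first = suspects[0][0] if suspects else None
    return [rel for _, rel in suspects], first


def demo():
    """Constructed share: one plaintext report, one zip-based document, and
    two files overwritten with random bytes a minute apart."""
    work = tempfile.mkdtemp()
    t0 = 1500000000.0  # arbitrary fixed timestamp so results are repeatable
    try:
        os.makedirs(os.path.join(work, "finance"))
        os.makedirs(os.path.join(work, "hr"))
        files = {
            "finance/report.txt": (b"quarterly numbers\n" * 100, t0 + 3600),
            "finance/deck.pptx": (b"PK\x03\x04" + os.urandom(4096), t0 + 3600),
            "hr/payroll.csv.locked": (os.urandom(4096), t0),
            "finance/ledger.xlsx.locked": (os.urandom(4096), t0 + 60),
        }
        for rel, (content, mtime) in files.items():
            p = os.path.join(work, rel)
            with open(p, "wb") as f:
                f.write(content)
            os.utime(p, (mtime, mtime))
        return scope_incident(work)
    finally:
        import shutil
        shutil.rmtree(work)


if __name__ == "__main__":
    suspects, first = demo()
    print("files that look encrypted (earliest first):", suspects)
    if first is not None:
        print("encryption appears to have started:", time.ctime(first))
```

The earliest timestamp and its path point at the machine or user to examine for the point of entry; combine the list with the backup manifest to decide which systems must be restored rather than cleaned.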

Ransomware attacks are a perfect crime because the cybercriminals ‘win’ even if only one out of a thousand companies decides to pay the ransom.

The anonymity makes it nearly impossible for authorities to track down the perpetrators, so they move on in search of more potential victims.

One thing we know for certain is that attacks will continue and will evolve as companies learn to combat them. 

Protecting the data, and being able to restore it, is what decides how well an organisation recovers from a ransomware attack.
