Best practices: Preventing and recovering from ransomware attacks
In May 2017, the WannaCry attack jolted the public into awareness of ransomware's destructive capabilities.
WannaCry infected over 300,000 Windows computers by encrypting data on the machines and then demanding Bitcoin to unlock the data.
Ransomware is a lucrative endeavour.
There is a good chance that an organisation will have to deal with ransomware at some point if they have not done so already.
Here are best practices for preventing ransomware attacks, plus a few suggestions on how to respond to an attack.
Several factors have led to the rise in ransomware attacks:
Ransomware has moved beyond amateurs to professionals, who are more likely to be aware of security holes that make attacks more successful. The anonymous nature of Bitcoin has driven investment in the cryptocurrency while making it ideal for making demands on attack victims. Computers are providing value for longer than ever, but many now lack the latest security updates to operating system updates that can repel attacks.
IT professionals are often reluctant to patch older computers because OS updates usually slow down old systems. Most ransomware attacks arrive through email, and many employees have not been properly trained to recognise a malicious email attachment.
How to mitigate attacks
The most effective step for an organisation to take to combat ransomware is to perform a regular backup of its most important files.
The most sophisticated attacks encrypt both data files and Windows restore points.
Backing up critical data and ensuring it is easy to recover is the best defence against ransomware attacks.
In addition to performing regular backups, consider the following:
- Update all software according to a regular maintenance plan. If a workstation or server is too old to update, retire it. The few tasks it can perform do not outweigh the risk it presents to machines on the network.
- Restrict administrator accounts to only a few people in the organisation and create user (not admin) accounts on each workstation for each employee. End users should not be logged into machines as administrators. The most destructive ransomware is designed to gain access to network areas that are accessible only via administrator accounts.
- Verify backups. Performing backups is just the first step because these will not be effective unless they work. Be sure they do by verifying backups and testing the data restore process regularly. Occasionally, the backup restores properly but does not include all critical files.
- Employee training is often overlooked or not regularly updated for new employees. Do not assume the employees are tech-savvy enough to recognise malware sent via email. Regular training takes time and resources, but apart from backup, can have the biggest impact in deterring the spread of ransomware.
How to respond to an attack
An organisation suspecting that someone on the network has been a victim of a ransomware attack should perform the following steps:
- Take a snapshot of the system and then shut it down. A snapshot will attempt to save system memory, which might the help in decryption and gives further details about the attack. Some professionals recommend the quarantine of any computers known to be infected, but it is safer to shut down all systems to keep the ransomware from spreading.
- Block remote desktop protocol (RDP) at the network level. Consider blocking all email attachments until the attack's origin is fully understood.
- Assess the damage and determine the point of entry. This is where backups come into play. The organisation will need to revert to its backup plan at this point depending on which systems were infected. Pulling a server offline may take more planning. The key here is to have a reliable backup to get the business up and running quickly.
- What if there is no backup? IT will need to assess the value of the encrypted data and decide if it is worth hiring a security/ransomware expert, or simply paying the ransom. Thieves often increase the ransom the longer they have to wait.
Ransomware attacks are a perfect crime because the cybercriminals 'win' even if only one out of a thousand companies decides to pay the ransom.
The anonymity makes it nearly impossible for authorities to track down the perpetrators, so they move on in search of more potential victims.
One thing we know for certain is that attacks will continue and will evolve as companies learn to combat them.
Defending data is critically important when fighting back from a ransomware attack.