
Best practices: Preventing and recovering from ransomware attacks

06 Jul 2018

Article by StorageCraft APAC sales head Marina Brook

In May 2017, the WannaCry attack jolted the public into awareness of ransomware’s destructive capabilities.

WannaCry infected over 300,000 Windows computers by encrypting data on the machines and then demanding Bitcoin to unlock the data.

Ransomware is a lucrative endeavour.

There is a good chance that an organisation will have to deal with ransomware at some point if they have not done so already.

Here are best practices for preventing ransomware attacks, plus a few suggestions on how to respond to an attack.

Several factors have led to the rise in ransomware attacks:

Ransomware has moved beyond amateurs to professionals, who are more likely to be aware of security holes that make attacks more successful.

The anonymous nature of Bitcoin has driven investment in the cryptocurrency while making it ideal for making demands on attack victims.

Computers are providing value for longer than ever, but many now lack the latest operating system security updates that can repel attacks.

IT professionals are often reluctant to patch older computers because OS updates usually slow down old systems.

Most ransomware attacks arrive through email, and many employees have not been properly trained to recognise a malicious email attachment.

How to mitigate attacks

The most effective step for an organisation to take to combat ransomware is to perform a regular backup of its most important files.

The most sophisticated attacks encrypt both data files and Windows restore points.

Backing up critical data and ensuring it is easy to recover is the best defence against ransomware attacks.

In addition to performing regular backups, consider the following:

  • Update all software according to a regular maintenance plan. If a workstation or server is too old to update, retire it. The few tasks it can perform do not outweigh the risk it presents to machines on the network.
  • Restrict administrator accounts to only a few people in the organisation and create user (not admin) accounts on each workstation for each employee. End users should not be logged into machines as administrators. The most destructive ransomware is designed to gain access to network areas that are accessible only via administrator accounts.
  • Verify backups. Performing backups is just the first step because these will not be effective unless they work. Be sure they do by verifying backups and testing the data restore process regularly. Occasionally, the backup restores properly but does not include all critical files.
  • Employee training is often overlooked or not regularly updated for new employees. Do not assume the employees are tech-savvy enough to recognise malware sent via email. Regular training takes time and resources, but apart from backup, can have the biggest impact in deterring the spread of ransomware.
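The "verify backups" point above is the one most often skipped: a restore can complete without error yet silently omit or truncate critical files. The following script is an added example (not StorageCraft's code or the article's own) showing one way to catch that: record a SHA-256 manifest of critical files at backup time, then check a test restore against it. The directory names and file contents are constructed purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a test restore against the manifest; report missing and altered files."""
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupted.append(rel)
    return {"missing": missing, "corrupted": corrupted, "ok": not (missing or corrupted)}


def demo() -> dict:
    """Constructed scenario: a restore that 'succeeds' but is incomplete and damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "critical"), Path(tmp, "restored")
        for root in (src, restored):
            (root / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2018-07,1000\n")
        (src / "finance" / "payroll.csv").write_text("alice,5000\n")
        (src / "readme.txt").write_text("ok\n")
        manifest = build_manifest(src)  # taken when the backup was made
        # The restore lacks payroll.csv entirely and has a truncated ledger.csv.
        (restored / "finance" / "ledger.csv").write_text("2018-07,")
        (restored / "readme.txt").write_text("ok\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Run against a real test restore, a non-empty `missing` or `corrupted` list is the signal that the backup cannot be relied on in an incident.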

How to respond to an attack

An organisation suspecting that someone on the network has been a victim of a ransomware attack should perform the following steps:

  • Take a snapshot of the system and then shut it down. A snapshot will attempt to save system memory, which might help in decryption and give further details about the attack. Some professionals recommend the quarantine of any computers known to be infected, but it is safer to shut down all systems to keep the ransomware from spreading.
  • Block remote desktop protocol (RDP) at the network level. Consider blocking all email attachments until the attack’s origin is fully understood.
  • Assess the damage and determine the point of entry. This is where backups come into play. The organisation will need to revert to its backup plan at this point depending on which systems were infected. Pulling a server offline may take more planning. The key here is to have a reliable backup to get the business up and running quickly.
  • What if there is no backup? IT will need to assess the value of the encrypted data and decide if it is worth hiring a security/ransomware expert, or simply paying the ransom. Thieves often increase the ransom the longer they have to wait.

Ransomware attacks are a perfect crime because the cybercriminals ‘win’ even if only one out of a thousand companies decides to pay the ransom.

The anonymity makes it nearly impossible for authorities to track down the perpetrators, so they move on in search of more potential victims.

One thing we know for certain is that attacks will continue and will evolve as companies learn to combat them. 

Defending data is critically important when fighting back from a ransomware attack.
