Part 1 - Prevention is the best medicine.
We've all heard of someone being hit by a ransomware attack at this point. But how does ransomware work? Where does it come from? How can we as a community reduce the frequency of these types of attacks? And what are the best first lines of defense against it? We explore this and a few other things in this two-part blog post about ransomware attacks.
How Does Ransomware Work?
Ransomware works when a malicious piece of software gets installed on your computer, encrypts all your data, and presents you with a screen to pay the hackers (usually with cryptocurrency, such as bitcoin) to decrypt your files. This software can get on your system in a variety of ways:
- You open a malicious software attachment.
- You browse to a malicious website and authorize a piece of malicious code to run.
- Someone or something else on your network has been exploited and is transmitting the malicious software to other machines.
- You've accidentally acquired and run this malicious software on your computer some other way.
Where Does Ransomware Come From?
Regardless of how you've acquired it, this type of software is some of the "best" malicious software ever written for computers. Since the hackers and bad actors have a direct profit motivation from the attack, they are willing to expend both financial and labor resources to execute it on your network and make sure it works well. In fact, a whole industry has been born where more sophisticated hackers develop these software packages and sell them as a service to lesser-skilled bad actors who execute them for profit. The original developers get a cut of the revenue.
How Can We Reduce Ransomware in the World?
The best way to stop any criminal activity is to make sure it doesn't pay anymore. For business owners that means making sure you have the proper safeguards in place so you can handle the threat without paying the ransom. The less often people actually pay the ransom (in other words, the less often the crime actually works), the less of a threat it will be worldwide, because it will become less profitable.
Safeguards You Must Have:
- A solid backup, restoration, disaster recovery, and business continuity system and plan in place.
- Make sure your users don't save important data to their local computer.
- Endpoint protection including anti-virus and anti-malware software on each device.
- Network protection including an advanced firewall and network segmentation for larger networks.
- Good network account security practices.
- Don't allow users to be network or local administrators of their systems.
- Train your staff what to watch out for online.
- Deploy Internet monitoring and filtering.
If you don't have any of these safeguards in place or aren't sure, ask your IT person or service provider for details. And if they don't have good answers, be on the alert. If you're in Los Angeles, give us a call and we would be happy to review your environment for you.
When Backups Alone Aren't Enough
The number one safeguard listed above that you need is a solid backup, restoration, disaster recovery, and business continuity plan. One of the things we learned the hard way at Be Structured is that just having a really good copy of the company's data isn't enough. Ransomware never strikes at a convenient time, and the backup, restoration, business continuity, and disaster recovery systems have to be ready to respond with enough performance to meet the organizational needs.
- Backup System Architecture: First off, you know you need all your systems backed up. That's a given, right? But what you might not think about is how often you need backups. For instance, critical database systems might need snapshots every hour... or even every 15 minutes depending on the business need. So just nightly backups don't cut it anymore for some systems. Make sure your systems are architected to provide granular file-based recovery as well as image-based full system recovery. Both types of recovery are critical these days for ransomware and other malware attacks. Additionally, there are horror stories out there about backups being hit by the same ransomware as their primary systems. Make sure you have sufficient offline backup systems and consider protecting systems with disparate operating systems (i.e. protect Windows with Linux and vice versa). Generally a malicious program will only be written for one operating system and thus wouldn't affect both at the same time. Our preferred backup partner, Unitrends, gives us the ability to architect all these things and more!
- Performance Considerations: Something very few backup systems consider these days is backup system performance. We know we can grab a full backup overnight or over a weekend and do incremental updates during the day; however, what if you need all that data back fast? How fast is good enough for your business? If you need your systems back online in a matter of a couple of hours, you could need to invest tens of thousands of dollars in high-performance backup systems and networking gear. And if you don't want to make the investment and can settle for a full day's downtime, make sure you have a contingency plan for your business to operate without those systems for the day while they are being restored.
- Planning The Response: If you've architected your systems to be able to restore the environment in a couple of hours and made the investment, then you know what to do. But for most businesses that have a solid backup plan in place but not the performance to restore quickly, you're left with some difficult choices. Do we restore only critical files right now, losing a few hours of work, and deal with larger restorations going forward? Or do we shut down the whole office for 8 hours while we do a complete restoration? Do we risk data integrity with partial restores, or even possibly restoring the original malware/ransomware? Or do we build new systems and restore the data to a clean slate? The more awareness of these issues you have, and the more of these decisions you make ahead of time, the better your response will be if that fateful day does come.
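The three points above boil down to questions you can actually check against your backup catalog before an incident: is each system backed up as often as the business needs (its RPO), could a full restore finish within the downtime the business can tolerate (its RTO) at your restore throughput, and does an offline copy exist that the same ransomware couldn't reach? The script below is an added example written for this post, not code from Be Structured or Unitrends; the system names, sizes and the 1 Gbps restore throughput are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SystemBackup:
    name: str
    rpo: timedelta          # longest acceptable gap between backups
    rto: timedelta          # longest acceptable time to restore the system
    last_success: datetime  # when the last backup job completed
    data_gb: float          # size of a full image restore, in GB
    offline_copy: bool      # a copy not reachable from the production network


def restore_time(data_gb: float, throughput_mbps: float) -> timedelta:
    # GB -> megabits (1 GB = 1000 MB = 8000 Mb), divided by link speed in Mb/s
    return timedelta(seconds=data_gb * 8000 / throughput_mbps)


def assess(systems, now: datetime, throughput_mbps: float) -> dict:
    """Return {system name: [findings]} for every system in the catalog."""
    findings = {}
    for s in systems:
        issues = []
        if now - s.last_success > s.rpo:
            issues.append("RPO_MISSED")          # backups not frequent enough
        if restore_time(s.data_gb, throughput_mbps) > s.rto:
            issues.append("RTO_UNACHIEVABLE")    # plan for downtime or faster gear
        if not s.offline_copy:
            issues.append("NO_OFFLINE_COPY")     # ransomware could hit the backup too
        findings[s.name] = issues
    return findings


# Constructed sample catalog (hypothetical systems, not real data).
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
CATALOG = [
    SystemBackup("sql-prod", timedelta(minutes=15), timedelta(hours=2),
                 NOW - timedelta(minutes=40), 2000.0, True),
    SystemBackup("file-server", timedelta(hours=24), timedelta(hours=8),
                 NOW - timedelta(hours=6), 1500.0, False),
    SystemBackup("hr-app", timedelta(hours=1), timedelta(hours=4),
                 NOW - timedelta(minutes=20), 300.0, True),
]

if __name__ == "__main__":
    for name, issues in assess(CATALOG, NOW, throughput_mbps=1000).items():
        print(f"{name}: {', '.join(issues) or 'OK'}")
```

Running it prints "sql-prod: RPO_MISSED, RTO_UNACHIEVABLE" (a 2 TB image over 1 Gbps takes about 4.4 hours, well past a 2-hour RTO), "file-server: NO_OFFLINE_COPY" and "hr-app: OK", which is exactly the kind of list you want to have worked through before the fateful day.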
Stay Tuned for Part 2:
Stay tuned for my second part on responding when ransomware hits in the worst-case scenario... you can't restore everything, or can't restore it fast enough. Also, know that the above planning goes a long way in making sure your backup policies are in absolutely tip-top shape too.