

How to prevent a Ransomware attack

By Vaughan

The cost of remediating a ransomware attack will always be significant, therefore it is worth spending time to ensure that you have the defences in place to prevent an attack or to mitigate data loss in the event that your defences are breached.

What is Ransomware?

Ransomware is a piece of malicious software that, once executed, blocks access to the contents of files (typically documents and data files) by encrypting them. In order to regain access to your documents, a sum of money must be paid to the attacker – a “ransom”. If you pay the ransom, then you receive a key and software that you can use to decrypt your data.

Some of the ransoms that have been demanded have been over 100K. That kind of outlay can put an SME out of business, and that is exactly what has happened to some SMEs that have suffered a ransomware attack.

The ransomware attack is carried out either by automated bot software written specifically to inject ransomware into a system, or by an attacker gaining remote access to a computer and then executing the ransomware directly on that system. The latter “remote control” type of attack has become more prevalent in recent times and is particularly dangerous: an attacker with remote access to the target computer can perform a “custom” attack based on the attributes of the particular network they are attacking. For example, they can attempt to identify backups (both local and off-site) and seek to delete or encrypt those backups, rendering them useless.

Prevent the attack

From a purely technical standpoint, ransomware is just another kind of malware, a malicious program that has been allowed to run on your systems with sufficient privileges to cause damage. That damage, the encryption of your files, is what differentiates ransomware from other malware.

There are a small number of ways that ransomware attackers can get a foothold in your network: phishing for credentials, running other malware to gain remote access to a computer on your network, or being allowed remote access to your network through unsecured ports.

Steps that you can take to prevent an attack:

  • User education.
    • Nobody wants to be the person responsible for allowing their computer to be the source of a ransomware attack.
    • Ensure that your staff are alert to the fact that attackers frequently send e-mails with malicious attachments or links to malicious software. If your staff don’t recognise the threat, then you’re relying on your anti-virus software to identify and quarantine the threat.
    • We have written a separate article about e-mail threats.
  • Apply security updates to software promptly.
    • Security updates are addressing known vulnerabilities, so don’t give attackers a “free kick” at your network by not addressing these vulnerabilities. This is particularly pertinent for servers that host services that are publicly accessible on the Internet.
  • Implement a multi-layered anti-virus approach.
    • No single anti-virus product should be considered infallible all the time.
    • Therefore, it is prudent to implement a layered approach.
    • Each product should have a small “footprint” (i.e. use minimal resources so as not to affect computer performance).
    • Look for strong Ransomware protection in at least one of the products deployed.
  • E-mail screening
    • Many malware attacks are attempted via e-mail, therefore consider implementing an e-mail gateway that can screen all e-mail and filter / quarantine malicious or potentially suspicious e-mail.
    • Effective e-mail screening can identify many hostile e-mails before they reach the Inbox of your staff – thus reducing the risk that you need to rely on the vigilance of staff to recognise a threat.
    • We can provide e-mail screening for $4 ex per mailbox, per month. No installation or other charges.
      • The e-mail screening combines automatic rules with manual review: messages that are assessed to be ‘suspicious’, but not definitely malicious, are flagged for review by a competent person. So, while not guaranteed to be infallible, in practice this approach has proven to be effective.
  • Use role-based authentication and apply least-privilege rules to these roles
    • What this means is that you only provide users with the privileges that they need (and no more) to perform a task.
    • For example, users on a desktop or laptop should normally only be logged on with an account that has ‘user-level’ privileges so that they can run applications. This means that by default they cannot install software (and they also cannot inadvertently install malware). When a user needs to install a new application, they will be prompted to authenticate with a different set of credentials that has the higher privileges needed to install or update applications.
  • Enforce strong authentication rules, including using two-factor authentication (2FA).
  • Password management:
    • Choose passwords that would be difficult for others to guess; there is then no need to change them on a fixed schedule. A strong password should contain a mix of upper- and lower-case letters, numbers and symbols.
    • If users choose strong passwords, then so long as they’re not compromised there is no need to change them. This approach works best when used with a password manager.
    • Use a password manager like LastPass or RoboForm to simplify the management and administration of passwords. Both LastPass and RoboForm have a free product offering which is quite capable.
    • Use a different password for every account/profile – that way if a password is compromised only one account / profile / service is affected – not all.
    • Don’t share your passwords with anyone.
  • Use a SIEM (security information and event management) solution to keep up with developments on your network.
  • Lock down externally accessible services (such as RDP) where they are not necessary and enforce secure access restrictions for services that are accessible externally where they are necessary.
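The last two points, a SIEM to keep up with what is happening on the network and locking down externally accessible services such as RDP, come together in detection logic like the following. This is an added example, not code from the original article: a small SIEM-style rule run over constructed Windows logon records (event id 4625 is a failed logon, 4624 a successful one, logon type 10 is RDP) that flags any source making many failed RDP logons in a short window, and notes whether a successful logon from that source followed. The record layout, the sample lines and the threshold are assumptions chosen for the example.

```python
# Added example (not from the original article): a small SIEM-style detection that
# flags sources making many failed RDP logons, and whether a success followed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp, Windows Security event id
# (4625 = failed logon, 4624 = successful logon), logon type (10 = RemoteInteractive,
# i.e. RDP), account name, source IP. These are made-up records, not real log data.
SAMPLE_EVENTS = """\
2023-05-01T02:14:01 4625 10 admin 203.0.113.7
2023-05-01T02:14:03 4625 10 admin 203.0.113.7
2023-05-01T02:14:05 4625 10 administrator 203.0.113.7
2023-05-01T02:14:08 4625 10 backup 203.0.113.7
2023-05-01T02:14:10 4625 10 admin 203.0.113.7
2023-05-01T02:14:15 4624 10 admin 203.0.113.7
2023-05-01T08:30:00 4624 2 alice 10.0.0.21
2023-05-01T08:31:00 4625 10 bob 10.0.0.22
2023-05-01T08:31:30 4624 10 bob 10.0.0.22
"""


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    account: str
    source: str


def parse_events(text):
    """Parse the whitespace-separated sample format into LogonEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(event_id),
                                 int(logon_type), account, source))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for sources with at least `threshold` failed RDP
    logons inside a sliding `window`. `success_after` records the first account that
    logged on successfully over RDP from that source after the alert fired, which is
    the case that needs immediate attention."""
    recent_failures = defaultdict(list)  # source -> [(when, account), ...] within window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type != 10:  # only RDP logons are of interest here
            continue
        if ev.event_id == 4625:
            bucket = recent_failures[ev.source]
            bucket.append((ev.when, ev.account))
            # Drop failures that have aged out of the window.
            while bucket and ev.when - bucket[0][0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold and ev.source not in alerts:
                alerts[ev.source] = {
                    "failures": len(bucket),
                    "accounts": sorted({acct for _, acct in bucket}),
                    "success_after": None,
                }
        elif ev.event_id == 4624 and ev.source in alerts:
            if alerts[ev.source]["success_after"] is None:
                alerts[ev.source]["success_after"] = ev.account
    return alerts


if __name__ == "__main__":
    for source, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(source, alert)
```

Run against the sample, the rule produces a single alert for 203.0.113.7: five failures across three account names inside the window, followed by a successful logon as admin. A single failed logon from the internal address 10.0.0.22 stays below the threshold. If RDP is not exposed to the Internet at all, as the article recommends, a rule like this should almost never fire from external addresses, which is exactly what makes it useful.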

Backups – your last line of defence

Backups are an essential last line of defence that address a multitude of issues. At the end of the day, computer hardware can be replaced, but your critical data is unique to your business and will be either irreplaceable or, at the very least, difficult to recreate.

Backing up your data is a key part of the defence against ransomware and other malware. However, if your backups are wiped out by ransomware, then this defence is rendered useless.

We have written a separate article about protecting your backups from Ransomware.

If you have further questions or would like a no-obligation review of your existing security arrangements, please don’t hesitate to contact us.

Protecting backups from ransomware is as easy as 3-2-1

By Vaughan

Ransomware attacks will not only encrypt your data and documents, but the attackers will also attempt to locate your backups and encrypt them. If you can prevent this, you can recover from an attack without giving in to blackmail.

Ransomware has been a red-hot problem for some time now. Backing up your data is a key part of the defence against ransomware and other malware. However, if your backups are wiped out by ransomware, this defence is rendered useless.

Ransomware attackers often try to find and delete or encrypt backups, many of which are accessible through compromised accounts. The loss of backups, even just recent backups, makes an attack a much more costly event and limits your ability to resist the attacker. What are practical ways to ensure that this does not happen?

As with most security precautions, there is no 100% guaranteed way to protect your backups. But by following best practices, you can significantly increase your chances of being able to use backups for recovery from the attack with minimal losses of time and business.

Follow the 3-2-1 rule of backup

The 3-2-1 rule of backups:

  • Three copies of the data being backed up are made.
  • Two different storage media are used for the backup.
  • One copy (at least) of the data is kept off site.

The goal of the 3-2-1 rule is to increase the chances that a backup will be available. Keeping a copy remote protects you even in the case of a fire or natural disaster. Plus, a remote copy, properly done, can also be significantly harder for attackers to access – and thus more likely to be preserved in the event of an attack.

One of the most effective ways to implement offline backups is to use removable media and physically “rotate” the backup media regularly. If this simple practice is done regularly and consistently then there will always be a relatively up-to-date copy of the backup media which is not connected to the network at any point in time. And if the backup media is not connected to the network then it is safe in the event of an attack.

However, rotating backup media regularly has its own challenges, as it requires discipline to swap the media day after day, week after week, month after month. The media needs to be rotated all year round to be effective – no exceptions. As a result, many organisations will instead rely on an automated process – where the computer does the work – using cloud backups.

One of the critical characteristics of the off-site backup in the 3-2-1 rule above is that it should be offline. This makes it inaccessible to the attacker. Because the protection comes from being offline, “standard” cloud storage isn’t necessarily appropriate for the off-site copy: if the attacker, through stolen credentials, can obtain enough privileges to delete the cloud storage, the whole point of off-site storage is lost.

The key with the off-site backup is that your cloud backups should remain protected even if the attacker completely compromises your local network.

One possible barrier you could place in the way of attackers attempting to reach your cloud-based backup is to use unique credentials, not from your company network, along with a separate second authentication factor to access and manage the backups. Even if the attacker completely compromises your network, the cloud backups should remain protected. Another approach is to use a “private” cloud storage solution where custom arrangements can be made to maintain an additional copy of the off-site backup which is not directly accessible via remote access.
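The 3-2-1 rule plus the two points made above (the off-site copy must be out of reach of an attacker who controls the network, and rotated media only helps if the rotation is actually kept up) can be turned into a checklist that is run against an inventory of backup copies. The following is an added example, not code from the original article or from ZEN: the `BackupCopy` fields, the two constructed inventories and the seven-day rotation limit are assumptions made for the example.

```python
# Added example (not from the original article): check a backup inventory against
# the 3-2-1 rule and the article's extra requirement that the off-site copy be out of
# reach of an attacker who controls the company network.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str             # storage media type, e.g. "disk", "tape", "cloud"
    offsite: bool          # held away from the primary site
    offline: bool          # not reachable from the production network (rotated media,
                           # or a private copy not exposed to remote access)
    own_credentials: bool  # managed with credentials separate from the company network,
                           # with its own second factor
    last_updated: date     # when this copy last received a backup


def check_321(copies, today, max_offline_age_days=7):
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule needs three")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append("all copies use one media type; the rule needs two")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    elif not any(c.offline or c.own_credentials for c in offsite):
        findings.append("off-site copies are reachable with network credentials; "
                        "an attacker who compromises the network can delete them")
    # Rotated media only helps if the rotation is actually kept up.
    offline = [c for c in copies if c.offline]
    if not offline:
        findings.append("no offline copy; every copy is reachable from the network")
    else:
        newest = max(offline, key=lambda c: c.last_updated)
        age = (today - newest.last_updated).days
        if age > max_offline_age_days:
            findings.append(f"newest offline copy ({newest.name}) is {age} days old; "
                            "media rotation has lapsed")
    return findings


# Constructed inventories. GOOD_SET follows the article's advice; WEAK_SET has a
# cloud copy synced with domain credentials and a rotation set nobody has swapped.
GOOD_SET = (
    BackupCopy("nas-nightly", "disk", offsite=False, offline=False,
               own_credentials=False, last_updated=date(2023, 6, 1)),
    BackupCopy("usb-rotation-set", "disk", offsite=False, offline=True,
               own_credentials=False, last_updated=date(2023, 5, 29)),
    BackupCopy("cloud-vault", "cloud", offsite=True, offline=False,
               own_credentials=True, last_updated=date(2023, 6, 1)),
)
WEAK_SET = (
    BackupCopy("nas-nightly", "disk", offsite=False, offline=False,
               own_credentials=False, last_updated=date(2023, 6, 1)),
    BackupCopy("cloud-sync", "cloud", offsite=True, offline=False,
               own_credentials=False, last_updated=date(2023, 6, 1)),
    BackupCopy("usb-rotation-set", "disk", offsite=False, offline=True,
               own_credentials=False, last_updated=date(2023, 4, 15)),
)

if __name__ == "__main__":
    for label, inventory in (("good", GOOD_SET), ("weak", WEAK_SET)):
        print(label, check_321(inventory, date(2023, 6, 1)) or ["ok"])
```

Both inventories have three copies on two media types with one copy off site, so a naive 3-2-1 count passes both. The checker only separates them on the two points the article stresses: WEAK_SET’s off-site copy is a cloud sync reachable with the same credentials an attacker would steal on the network, and its offline USB set was last rotated 47 days ago, so the “air gap” is protecting stale data.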

What to do next?

If implementing a backup solution that meets the above criteria sounds too difficult; rest assured that ZEN can provide a backup system that complies with the 3-2-1 rule automatically. Contact us for further details.
