Avoiding Ransomware as part of IT Security.
Ransomware is a type of malware (malicious software) that criminals use to extort money. It holds data to ransom by encrypting it or by locking users out of their devices. Most ransomware attacks can be traced back to poor security practices by employees (opening a malicious attachment, or granting access to a scammer posing as support) or to insecurely configured networks, for example remote access left open to the internet or systems that have not been patched.
Here are a few dos and don'ts for preventing ransomware and for recovering from it.
- Never pay the ransom. It only encourages and funds the criminals who attacked you, and even if you pay there is no guarantee that you will receive a working decryption key or regain access to your files; the attackers may simply demand more money and you may never get your data back. A working, tested backup is the only reliable route back to your data.
- Do not give out personal information, passwords or remote access to your PC or laptop in response to an email, unsolicited phone call, text message or instant message. Phishers try to trick employees into installing malware, or gather intelligence for later attacks, by claiming to be from your IT department or your broadband provider. Notify your IT department as soon as possible if you or your co-workers have been targeted by scammers: it prepares the IT team for a possible attack and lets them block the sender addresses, IP addresses and phone numbers involved.
- Always use reputable, properly licensed and maintained antivirus software and a firewall. Keep both up to date and make sure the firewall is configured correctly. Most business-class firewalls block all inbound traffic by default, so you have to open specific ports deliberately to let software or outside users reach systems inside your network. Never expose remote access services such as RDP directly to the internet on their default ports; put them behind a VPN instead. Use NAT (Network Address Translation) so that internal machines are not directly addressable, but treat it as a convenience rather than a control: restrict every inbound rule to the specific external IP addresses that genuinely need it. If you are using your broadband provider's router as your firewall, check its settings, capabilities and firmware to ensure it is actually providing the protection you need.
- Do employ content scanning and filtering on your mail servers. Inbound email should be scanned for known threats and phishing before it reaches your network, and the filter should block attachment types that could pose a threat: executables and scripts (.exe, .js, .vbs, .hta and similar) and Office documents that can carry macros, which means the macro-enabled formats (.docm, .xlsm, .pptm) and the legacy binary formats (.doc, .xls, .ppt). Password-protected archives deserve the same treatment, because the scanner cannot look inside them. When releasing mail from quarantine, be very careful that it is a genuine email with a genuine attachment. If in doubt, leave it.
- Make sure that all systems and software are kept up to date with security patches. Exploit kits hosted on compromised websites are commonly used to spread malware, and they target known vulnerabilities in browsers, plug-ins and other common software, so regular patching is necessary to help prevent infection. Ensure that your operating systems and line-of-business software are current and still within the manufacturer's support period, so that vulnerabilities continue to be fixed.
- If travelling, alert your IT department beforehand, especially if you are going to use a public internet service. Where possible, connect through a company VPN, which protects your traffic on public networks. Be aware that you may not be able to reach your company's systems from a public network or from an IP address other than your usual home or office one.
- Make sure your backups are working and test restores regularly. It's no good backing up your data every night if you don't know how to get it back or how long a restore will take. Prefer an offsite backup service to USB drives. If you do back up to local devices, disconnect them from the server as soon as the backup has completed, because ransomware will encrypt every drive that is connected to and writable from the infected machine, backups included. Although most ransomware disables or deletes Volume Shadow Copies, make sure the feature is on and working: some basic ransomware does not touch it, and it can be a quick way of getting data back if only a small amount has been encrypted. The attempt to delete shadow copies (typically with vssadmin or wmic) is also a strong signal to your antivirus or monitoring that something is amiss, which can prompt it to block the offending process and stop the attack.
- Don't rely on mapped drives to limit exposure. Most ransomware originates on a user's PC and encrypts everything the logged-in account can write to: local drives, mapped drives and any network share it can enumerate, so replacing drive letters with shortcuts to UNC paths does not by itself stop it spreading to the server. What limits the damage is least privilege: give each user write access only to the folders their role needs, keep archive and backup shares read-only or invisible to ordinary accounts, and never map a drive to the root of a file server.
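The mail-filtering advice above can be made concrete. The following is an added example, not code from the original article or from any mail product: an attachment policy check that decides allow, quarantine or block from both the file name and the content. The extension lists, the verdict names and the sample attachments (built in memory and labelled as constructed) are this example's own assumptions. It looks inside Office Open XML containers for a vbaProject.bin, so a .docm renamed to .docx is still caught, treats legacy binary Office files as unscannable-by-name, and descends one level into zip archives.

```python
"""Attachment policy check for an inbound mail filter (added example, not a product's code)."""
import io
import zipfile

# File types that are executable or script content in their own right.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "ps1", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "msi", "jar", "lnk", "iso", "img",
}
# Macro-enabled Office Open XML formats; the VBA project is stored as vbaProject.bin.
MACRO_OOXML = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# Legacy binary (OLE) formats can hold macros but the extension alone cannot tell.
LEGACY_OFFICE = {"doc", "dot", "xls", "xlt", "xla", "ppt", "pot"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def _extensions(name):
    """All suffixes, lower-cased: 'statement.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def _zip_has_vba_project(data):
    """True if a zip container (which is what .docx/.xlsm files are) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename, data, depth=0):
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    if last in BLOCKED_EXTENSIONS:
        return "block", f"executable or script type .{last}"
    # Check content, not just the name: a .docm renamed to .docx still carries its macros.
    if last in MACRO_OOXML or (data.startswith(ZIP_MAGIC) and _zip_has_vba_project(data)):
        return "block", "Office document contains a VBA macro project"
    if last in LEGACY_OFFICE or data.startswith(OLE_MAGIC):
        return "quarantine", "legacy binary Office format; macros cannot be ruled out"
    if last == "zip" and data.startswith(ZIP_MAGIC):
        if depth >= 1:
            return "quarantine", "nested archive"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    verdict, reason = assess_attachment(info.filename, zf.read(info), depth + 1)
                    if verdict != "allow":
                        return verdict, f"{info.filename} inside archive: {reason}"
        except zipfile.BadZipFile:
            return "quarantine", "corrupt or unreadable archive"
        except RuntimeError:
            # zipfile raises RuntimeError for encrypted entries read without a password.
            return "quarantine", "password-protected archive cannot be scanned"
        return "allow", "archive contents permitted"
    return "allow", f".{last or 'none'} permitted"


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


_MACRO_DOC = _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                        "word/vbaProject.bin": b"\x00" * 32})
# Constructed sample attachments; none of these are real files from a real mailbox.
SAMPLES = {
    "invoice.docm": _MACRO_DOC,
    "invoice_renamed.docx": _MACRO_DOC,  # same content, innocent-looking extension
    "report.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "statement.pdf.exe": b"MZ\x90\x00",
    "timesheet.xls": OLE_MAGIC + b"\x00" * 24,
    "photos.zip": _make_zip({"holiday.jpg": b"\xff\xd8\xff\xe0",
                             "view_photos.js": b"new ActiveXObject('WScript.Shell')"}),
    "notes.txt": b"minutes of the meeting",
}


def assess_all(samples=SAMPLES):
    """Verdict per sample filename."""
    return {name: assess_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24} {assess_attachment(name, data)}")
```

The quarantine verdict is deliberate for legacy .doc/.xls files and for archives that cannot be opened: a gateway that cannot prove an attachment is safe should hold it for a human rather than silently deliver it, which is exactly the release-from-quarantine decision the list item warns about.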
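The point above about shadow-copy deletion being a signal is worth showing as detection logic. This is an added example, not the article's or any vendor's rule set: it runs a handful of command-line patterns for recovery tampering (vssadmin, wmic, bcdedit, wbadmin and the PowerShell WMI equivalent) over process-creation events, decoding PowerShell -EncodedCommand payloads first so the obfuscated form is caught too, and raises the severity when the parent process is an Office application. The pipe-separated log format, the rule names and the sample events are constructed for this example and do not come from a real system.

```python
"""Flag shadow-copy and recovery tampering in process-creation logs (added example)."""
import base64
import binascii
import re

# Rule name, severity, regex applied to the normalized command line.
RULES = [
    ("vssadmin_delete_shadows", "high", r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    ("vssadmin_shrink_shadowstorage", "high", r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage.*/maxsize="),
    ("wmic_shadowcopy_delete", "high", r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("powershell_shadowcopy_delete", "high",
     r"win32_shadowcopy.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))"),
    ("bcdedit_disable_recovery", "medium",
     r"bcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin_delete_backups", "medium", r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)"),
]
COMPILED = [(name, sev, re.compile(pattern)) for name, sev, pattern in RULES]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts the abbreviations).
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def normalize(cmdline):
    """Collapse whitespace, append any decoded -EncodedCommand payload (UTF-16LE base64), lower-case."""
    text = " ".join(cmdline.split())
    for token in ENCODED_ARG.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-16-le", "ignore")
        except (binascii.Error, ValueError):
            continue
        text += " " + " ".join(decoded.split())
    return text.lower()


def parse_line(line):
    """Constructed pipe-separated format: time|host|user|parent image|image|command line."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}


def evaluate(event):
    """Return an alert dict for a matching event, or None."""
    norm = normalize(event["cmdline"])
    hits = [(name, sev) for name, sev, rx in COMPILED if rx.search(norm)]
    if not hits:
        return None
    severity = "high" if any(sev == "high" for _, sev in hits) else "medium"
    # A document reader spawning recovery tampering is the classic macro-to-ransomware chain.
    if event["parent"].rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        severity = "critical"
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "rules": [name for name, _ in hits], "severity": severity}


def scan(lines):
    """Alerts for every matching event, in log order."""
    return [alert for alert in (evaluate(parse_line(l)) for l in lines if l.strip()) if alert]


_ENCODED = base64.b64encode(
    "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject".encode("utf-16-le")).decode()
# Constructed sample events, not taken from any real system.
SAMPLE_LOG = [
    "2024-03-04T09:12:01|FS01|CORP\\svc_backup|C:\\Windows\\System32\\services.exe"
    "|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2024-03-04T09:13:44|PC-ACCOUNTS|CORP\\jsmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "2024-03-04T09:13:45|PC-ACCOUNTS|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2024-03-04T09:13:46|PC-ACCOUNTS|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "2024-03-04T09:13:47|PC-ACCOUNTS|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc " + _ENCODED,
    "2024-03-04T09:20:10|FS01|CORP\\admin|C:\\Windows\\explorer.exe"
    "|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The benign `vssadmin list shadows` run by the backup service and the `wmic os get caption` query produce no alert, while the four tampering commands from the accounts PC do, with the one spawned under WINWORD.EXE rated highest. In a real deployment the same logic would sit on Sysmon or EDR process-creation telemetry rather than this constructed format.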
Ransomware can affect businesses of all sizes and types. We have seen attacks on individuals, small businesses and large corporates. Unfortunately, because a lot of attacks are user-instigated (i.e. a user opening an email attachment, releasing an email from quarantine or allowing access to their PC from an unsolicited source), sometimes all the protection in the world won't stop an attack. Because of this it is important to educate employees about cyber security and to make them aware of the dangers and what to look out for. With our colleagues at ProofPoint we can offer online IT Security Awareness training for your employees, which includes simulated phishing attacks so they can recognise how plausible they can seem.
If you are unlucky enough to be affected by ransomware, the first thing to do is to isolate the affected server and/or PC: pull the network cable or disable the network adapter, and if you cannot do that quickly, power it off. Either stops the encryption spreading. Disconnecting is preferable where possible, because powering off destroys what is in memory, which an incident responder may need in order to understand what ran.
Most of the time the infection will have originated on a PC rather than on the server itself, so check the C: drives of the PCs on your network for encrypted files and ransom notes, as this will generally show you where it started. Disconnect that machine from the network until it has been cleaned (or, preferably, rebuilt) and confirmed clear of infection.
It's best to restart the server in Safe Mode, disconnected from the network, so you can check for any unknown services, scheduled tasks or applications that the infection may have installed.
Once you are sure the machine is clean you can reboot normally and start restoring your data from backup.
If your server has been correctly configured (users do not have administrative rights on it and its system drive is not shared), and the infection originated on a PC rather than on the server itself, only the data should be affected, not the server operating system.
To determine the source of an infection, a good place to check is the individual user folders (home drives or redirected profile folders) that are created when you set up client accounts. Each should be accessible only to its own user, so if one of them contains encrypted data this will usually confirm which user account was compromised.
If your entire server has been affected, including the C: drive, it is likely that the server itself was targeted, which is far more serious. This is usually caused by someone gaining access to the server from outside your network, so check your firewall rules and remote access configuration before reinstating it. Change the server administrator passwords along with those of your firewall and any remote access software, and check for accounts or remote access tools the attacker may have added.
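The two steps above that locate where the infection started (checking individual PCs and checking the per-user folders on the server) can be scripted. The following is an added example, not a tool from the article: it walks a Users root, counts files that look encrypted (a known document extension with an unknown one appended, and near-random content measured by Shannon entropy) plus ransom notes per user folder, and names the account whose files were touched earliest as the likely origin. The extension list, the ransom-note pattern, the entropy threshold and the three-user sample tree (built in a temporary directory and labelled as constructed) are this example's own assumptions; ransomware that renames files completely would need a different heuristic.

```python
"""Triage which user folder the encryption started in (added example, not the page's own tool)."""
import math
import os
import random
import re
import tempfile
import time
from collections import defaultdict

# Document types users normally hold; a stray extension appended to one of these is suspicious.
KNOWN_DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
# Ransom notes are usually text/HTML with 'readme', 'how to', 'decrypt' or 'recover' in the name.
RANSOM_NOTE = re.compile(r"(readme|how[_ -]?to|decrypt|restore|recover).*\.(txt|html?|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, plain documents well below


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path):
    """Known document type with an unknown extension appended, and high-entropy content."""
    stem, ext = os.path.splitext(path)
    _, inner = os.path.splitext(stem)
    if ext.lower() in KNOWN_DOC_EXT or inner.lower() not in KNOWN_DOC_EXT:
        return False
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(4096)) > ENTROPY_THRESHOLD


def triage(users_root):
    """Per user folder: encrypted-file count, ransom-note count, earliest encrypted-file mtime."""
    report = {}
    for user in sorted(os.listdir(users_root)):
        folder = os.path.join(users_root, user)
        if not os.path.isdir(folder):
            continue
        encrypted, notes, first = 0, 0, None
        for dirpath, _, files in os.walk(folder):
            for name in files:
                path = os.path.join(dirpath, name)
                if RANSOM_NOTE.search(name):
                    notes += 1
                elif looks_encrypted(path):
                    encrypted += 1
                    mtime = os.path.getmtime(path)
                    first = mtime if first is None else min(first, mtime)
        report[user] = {"encrypted": encrypted, "notes": notes, "first_mtime": first}
    return report


def likely_origin(report):
    """The account whose files were encrypted earliest; ties go to the folder with most damage."""
    affected = {u: r for u, r in report.items() if r["encrypted"]}
    if not affected:
        return None
    return min(affected, key=lambda u: (affected[u]["first_mtime"], -affected[u]["encrypted"]))


def build_sample_tree(root):
    """Constructed sample: three home folders; bob's were hit first, carol's half an hour later."""
    rnd = random.Random(7)  # deterministic stand-in for ciphertext
    now = time.time()

    def ciphertext():
        return bytes(rnd.getrandbits(8) for _ in range(4096))

    layout = {
        "alice": [("Documents/budget.xlsx", b"PK\x03\x04" + b"quarterly budget " * 200, now - 7200)],
        "bob": [("Documents/contract.docx.locked", ciphertext(), now - 3600),
                ("Pictures/holiday.jpg.locked", ciphertext(), now - 3590),
                ("Documents/HOW_TO_RECOVER_FILES.txt", b"your files are encrypted", now - 3589)],
        "carol": [("Desktop/notes.txt.locked", ciphertext(), now - 1800)],
    }
    for user, files in layout.items():
        for rel, content, mtime in files:
            path = os.path.join(root, user, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (mtime, mtime))


def run_demo():
    """Build the sample tree in a temp dir, triage it, return (report, likely origin)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        return report, likely_origin(report)


if __name__ == "__main__":
    print(run_demo())
```

Point `triage()` at the server's Users share (or a PC's C:\Users) and read the report together with the file server's access logs: the earliest modification time is only a pointer to where to look, since an attacker who had the server itself may have touched timestamps.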
If you would like help securing your network, ensuring your backups are working and secure or employee security training please contact a member of the team and we’d be pleased to help.