Ransomware has been on the front page of the news for a few years, and attacks are getting more frequent and vicious. From Q2 2016 to Q2 2017, an estimated 5 percent of small and medium businesses (SMBs) globally fell victim to ransomware attacks. If that is not scary enough, consider that, according to a Datto MSP survey, ransomware remains on a business’s systems after the first attack 29 percent of the time, which means a second round of encryption is waiting for anyone who restores data without first cleaning the infection. The rate of attacks is increasing, and they are expanding beyond on-premises systems to data in the cloud.
Ransomware-proofing a business has become a major focus of proactive IT professionals as they strike a balance between the need to be connected and the need to protect.
With ever more sophisticated attacks, hardening an IT environment against attacks such as ransomware encompasses these major areas:
• Securing systems
• Performing regular maintenance
• Traffic monitoring
• Raising user awareness.
Systems are secured through regular maintenance and protective measures. Best practices call for information to be properly protected by using up-to-date patching policies, anti-virus software, firewalls and traffic analysis.
An up-to-date anti-virus subscription is estimated to prevent about 50 percent of all attacks. The software should run on every machine that touches the network, including laptops that only connect occasionally. Users sometimes ignore the warning that their anti-virus subscription has expired; an expired subscription means no new signatures are downloaded, so anything released after the expiry date passes through unrecognised. That leaves the machine extremely vulnerable.
In addition, newer infections increasingly use fileless malware, which installs no program of its own and instead abuses tools already present on Windows, such as PowerShell and WMI. Because there is no file on disk for signature-based anti-virus to scan, it is harder to detect; catching it depends on behaviour-based protection and on logging what those built-in tools are asked to do.
Firewalls scan for malicious content, and many actively inspect all data received. In this type of inspection, the firewall compares what a packet claims to be (its protocol and port) with what its content actually looks like, and discards mismatches as malicious. State-of-the-art firewalls also include a technique called “sandboxing,” where a suspicious file is executed in an isolated environment, often cloud-hosted and away from your network, so that its behaviour can be observed before it is allowed through. A smart firewall keeps a lot of malicious content out of your network and greatly reduces the number of attacks that systems have to deal with. Note that inspection only works on traffic the firewall can read: encrypted sessions must be decrypted at the firewall, or they pass through unexamined.
Maintenance and Monitoring
Regular maintenance includes up-to-date patching of all systems. For Windows systems, that means keeping up with the fixes that Microsoft releases on the second Tuesday of each month (“Patch Tuesday”), with out-of-band emergency patches for critical vulnerabilities as soon as they are ready. Patching is not limited to the operating system: browsers, Office, PDF readers and other third-party software are patched on their own schedules and are just as commonly exploited.
The best practice is to install routine patches within a week of release. Waiting a few days reduces the risk of installing a faulty patch that is later pulled back by the vendor.
It is important to distinguish routine patching from emergency patching. Emergency patches released to address a specific vulnerability should be installed immediately. Many malware attacks exploit weaknesses in operating systems and programs. Once a weakness becomes known, the manufacturer usually releases a fix in a patch, but users often do not install it in a timely manner. Attackers count on this delay and release malware that uses the now-public weakness, sometimes within days of the patch appearing.
Malware can be introduced into a network by many means, including email attachments, infected websites or even removable media such as a flash drive. The most common infections, ransomware and key-loggers, have one trait in common: they communicate with a command-and-control server (the “mother ship”) operated by cyber criminals.
Ransomware encrypts a user’s data and demands a ransom, usually payable in hard-to-trace crypto-currency, to restore it. Each incident uses its own encryption key, which is what makes the files unrecoverable without paying. Many families fetch that key from, or report it to, the command-and-control server, so a DNS service that refuses to resolve known malicious domains can stop the infection before it gets going. The caveat: some families embed a public key in the binary and encrypt entirely offline, so DNS filtering is one layer, not a guarantee. It is also valuable as a detection signal, since a workstation that suddenly looks up a blocked domain is a workstation to isolate. Key-loggers are cut off in similar fashion, because the DNS service blocks the lookups they need to send captured data to the criminal’s collection server.
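The blocking described above happens in the resolver; the same blocklist is worth running against the resolver’s query log, because a lookup for a blocked domain identifies the infected machine. The following Python is an added example, not code from the article or from any DNS product: it parses constructed dnsmasq-style log lines against a hypothetical blocklist and returns the clients that tried to reach a blocked zone. The log format, domain names and addresses are all assumptions made for the example.

```python
"""Added example, not code from the article: flag DNS lookups for blocked
domains in a resolver log. The log format, domains and addresses below are
constructed for illustration; the zone names are hypothetical."""
import re

# Constructed blocklist of zones the DNS filter refuses to resolve.
BLOCKLIST = {"evil-c2.example", "payload-drop.test"}

# Constructed dnsmasq-style query log; 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
Jun 12 09:01:02 dnsmasq[1001]: query[A] update.microsoft.com from 192.0.2.10
Jun 12 09:01:05 dnsmasq[1001]: query[A] beacon.evil-c2.example from 192.0.2.23
Jun 12 09:01:07 dnsmasq[1001]: query[AAAA] www.example.org from 192.0.2.10
Jun 12 09:01:09 dnsmasq[1001]: query[A] payload-drop.test from 192.0.2.23
Jun 12 09:01:11 dnsmasq[1001]: query[A] notevil-c2.example from 192.0.2.31
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def parent_zones(name):
    """Yield the name and each of its parent zones, longest first, so that
    beacon.evil-c2.example is matched by a blocklist entry for evil-c2.example."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(name, blocklist=BLOCKLIST):
    """Label-wise match: notevil-c2.example must NOT match evil-c2.example,
    which a naive endswith() check would get wrong."""
    return any(zone in blocklist for zone in parent_zones(name))


def find_blocked_queries(log_text, blocklist=BLOCKLIST):
    """Return (client, queried name) pairs for every lookup the filter would
    have refused; each one is a host to isolate and investigate."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("name"), blocklist):
            hits.append((m.group("client"), m.group("name")))
    return hits


def suspect_clients(log_text, blocklist=BLOCKLIST):
    """Distinct client addresses that tried to reach a blocked zone."""
    return sorted({client for client, _ in find_blocked_queries(log_text, blocklist)})


if __name__ == "__main__":
    for client, name in find_blocked_queries(SAMPLE_LOG):
        print(f"BLOCKED  {client:<12} -> {name}")
    print("isolate:", suspect_clients(SAMPLE_LOG))
```

The label-wise match in is_blocked is the part worth copying: a plain endswith("evil-c2.example") check would flag notevil-c2.example as a false positive, while an exact-string comparison would miss beacon.evil-c2.example.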
User awareness is an important piece of the puzzle. Not everything that comes through email or websites is safe to click on. A common attack is a phishing e-mail. In this email, users are tricked into clicking on a link through an enticing offer. Once the user clicks on this link, malicious content tries to settle in on the computer.
These emails can be convincing (Example: “Click here for free Advertising”) and have the look and feel of a genuine email, but closer inspection can show that it is a fake. Look at the actual sender address, not just the display name: the display name can say anything, while the address after it is what the message actually claims as its origin, and a Reply-To that points to a different domain is another warning sign. If the domain does not look right, it usually is not. Also hover with the mouse over the link before clicking it; a small tooltip with the real link address will pop up. If it is an offer from a well-known vendor, the link will be clearly identifiable as that vendor’s domain. If it shows something different, it is probably bad. When in doubt, don’t click, just delete.
To educate users, many companies run their own phishing campaigns. Users are sent emails that carry some indicators of not being genuine. When a user clicks the link in such an email, they are redirected to educational content that helps them spot the fake the next time around. A small investment in training can have a big ROI by reducing the risk of infection.
The central point of any IT security policy is a solid backup and disaster recovery process. If a ransomware attack succeeds and a good backup exists, the damage is contained. The backup only counts if the ransomware cannot reach it: current strains deliberately look for mapped drives, network shares and cloud sync folders and encrypt those too, so keep at least one copy offline or in storage that the infected user’s credentials cannot overwrite, and test restores regularly. There is a range of backup methods, and the choice is driven by the business’s ability to cope with downtime. Restoring a server can take days or seconds, depending on the method used.
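The two manual checks above, the sender’s real domain and the hover-revealed link target, can be automated for a mail gateway or a help-desk triage script. The Python below is an added example, not code from the article: it parses a constructed phishing message and a constructed clean one (every domain in them is invented) and reports header domains that disagree with the From line, plus links whose visible text names a different domain than their href. The two-label “registered domain” helper is a deliberate simplification, noted in the code.

```python
"""Added example, not code from the article: automate the two checks the
text describes, whether the addresses in the headers agree with each other
and whether a link's visible text matches where it actually points. Both
messages below are constructed, and every domain in them is invented."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing message: display name and visible link text imitate
# acme-shop.example, but the envelope, Reply-To and real href do not.
PHISH_EMAIL = """\
From: "Acme Billing" <billing@acme-shop.example>
Return-Path: <bounce@mail-blast.test>
Reply-To: <support@acme-shop-login.test>
To: victim@corp.example
Subject: Click here for free Advertising
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account needs attention.</p>
<a href="http://acme-shop.example.login-verify.test/acct">https://acme-shop.example/account</a>
<a href="https://acme-shop.example/help">Help center</a>
</body></html>
"""

# Constructed legitimate message used as a control.
CLEAN_EMAIL = """\
From: "Acme Billing" <billing@acme-shop.example>
Return-Path: <billing@acme-shop.example>
To: victim@corp.example
Subject: Your invoice
Content-Type: text/html; charset=utf-8

<html><body><a href="https://acme-shop.example/inv/42">https://acme-shop.example/inv/42</a></body></html>
"""


def registered_domain(host):
    """Last two labels of a host name. Simplification: real code should use the
    public suffix list so that e.g. co.uk is not treated as a registered domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(value):
    """Registered domain of the address in a From/Reply-To/Return-Path header."""
    address = parseaddr(value)[1]
    return registered_domain(address.rpartition("@")[2]) if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering the mouse would show
    next to what the user actually reads."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_message(raw):
    """Return a list of human-readable findings; an empty list means no signal."""
    msg = message_from_string(raw)
    findings = []
    from_dom = header_domain(msg.get("From", ""))
    for hdr in ("Return-Path", "Reply-To"):
        dom = header_domain(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        href_dom = registered_domain(urlparse(href).hostname or "")
        # Only compare when the visible text itself looks like a URL; a label
        # such as "Help center" makes no claim about where it points.
        if text.lower().startswith(("http://", "https://")):
            shown_dom = registered_domain(urlparse(text).hostname or "")
            if shown_dom != href_dom:
                findings.append(f"link text shows {shown_dom} but href goes to {href_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, inspect_message(raw) or "no findings")
```

Treat the output as a signal, not a verdict: legitimate bulk mailers often use a separate Return-Path domain for bounce handling, and a click-tracking redirect can make an honest link’s href differ from its text. The checks are most useful for deciding which messages deserve a closer look before anyone clicks.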
Imagine a transaction-oriented business, such as a retail or ticketing system. Any downtime is visible to potential customers and can result in lost business. In these cases, a business continuity and disaster recovery (BDR) device is often the best strategy. In other scenarios, a simple and inexpensive cloud backup of the user data is often sufficient.
A solid prevention strategy ensures data security, productivity and lessens disruptions to a business, while a well thought out recovery strategy ensures that a business will live to see another day even after a successful cyber attack.
Joerg Laves is founder and president of IT Secure, an IT services firm in Manchester and has worked in the support industry for over 20 years. For more information, call 603-668-7733 or visit itsecureservices.com.