(Following is some material that Slingshot recently wrote up to help guide our customers through securing their IT systems against Ransomware. It’s too good to not share with the world, though, so here ya go. BTW, we pair this with a personalized recommendation — just holler if your organization would like a Slingshot consultation!)
Introduction
CryptoWall, CryptoLocker, and a variety of other names – they’re all Ransomware, one of the newer and most dangerous types of malicious software (Malware) threatening anyone who uses computers. Once a computer is infected, these threats can lock your users out of their computers or encrypt your data irreversibly, including data on your servers.
Once the computers and/or data are compromised, users are told they can pay a “ransom” to recover their system and data access, often for thousands of dollars. Since the culprits are usually overseas and hide behind the Internet, regular law enforcement can do little to help you. This is extortion, and you just don’t want to be there!
Instead, we want to help you stay safe, so we’ve written this document to do two things:
- Outline your options to Avoid, Block, Catch, Limit and Recover From Ransomware.
- Recommend your best options to quickly and thoroughly secure your organization.
Options
Fortunately, there are plenty of ways to avoid paying your way out of Ransomware!
1) Avoid It with User Training:
Some technologies can reduce your risks, but the most important part of the puzzle is training users. Besides Ransomware, training can help you avoid other threats, such as:
- Phishing: Masquerading as a trustworthy entity to acquire sensitive information such as usernames, passwords, and credit card details, and sometimes money.
- Whaling: Phishing that specifically targets organizations’ empowered decision makers. Targeting details are harvested through Internet searches and/or social engineering attempts. Hackers will sometimes register a very similar-looking domain, and then send decision makers email that appears to come from their boss, directing them to transfer money to offshore accounts.
- Pharming: Malware is secretly planted in your computer to hijack your web browser. When you type in the address of a legitimate Web site, you’re redirected to a fake copy of the site without realizing it, where the attackers can harvest your sensitive information.
- Vishing: Phishing by telephone; this relies on social engineering techniques to trick you into providing sensitive information.
Informed users are the first line of defense against Internet security threats! Slingshot can train your staff by several means: easy-to-read advisory documents, “lunch and learn” sessions with a hands-on visual component and Q&A, one-on-one training, or any combination of these.
2) Block It with Perimeter Defense:
The next defense is to block threats at a network level before they reach users (or vice versa). Here are options and recommendations for each network threat:
- Malicious File Filtering – Blocks access to Malware and other known dangerous files.
→ We recommend Cyberoam firewalls paired with an Antivirus Filtering subscription for this.
- Malicious Traffic Filtering – Blocks malicious traffic, such as the connections Ransomware uses to fetch its encryption keys.
→ We recommend Cyberoam firewalls paired with an IPS subscription for this.
- Geo Blocking – Blocks all traffic from countries known for their criminal Internet reputation.
→ We recommend Cyberoam firewalls with Geo Blocking configured.
- Web Filtering – Blocks access to websites classified as dangerous. Many firewalls can do this as a blanket solution, but most folks want something more sophisticated.
→ We recommend WebFilter (a Slingshot Managed Service), which we can also set up with per-user policies to shield you from productivity and legal risks.
- Email Filtering – Blocks spam, dangerous email content, and fraudulent emails. Some email servers can be set up to do some of this, but not very effectively.
→ We recommend MailControl (another Slingshot Managed Service), which we set up and keep tuned, but which gives users easy self-management of their own filtering.
3) Catch It with Endpoint Protection
Should Ransomware or other malware still get past the user and firewall (e.g. by infected flash drive or using a work laptop outside the office network), additional protections are available:
- Antivirus software – Installed software to detect and block malware. Windows 8+ has Defender built in, which is free but basic and offers no central management.
→ We recommend Slingshot’s Managed Antivirus (a Slingshot Managed Service), which uses the top-ranked BitDefender scanning engine and which we set up, manage and monitor.
- CryptoPrevent – A third party software application that installs on each computer and blocks many Ransomware infections. The commercial version costs around $100 for 50 licenses.
- Malwarebytes Anti-Ransomware – New program (still in beta) that detects ransomware behavior and blocks the threads that are trying to encrypt files. Currently available for free.
4) Limit It with Secure Settings
Even with a comprehensive protection plan in place, malware is constantly morphing to get around those measures. If malware gets past the user, firewall, and malware detection, we want to limit its impact as much as possible. There are two good ways to do this:
- Software Restriction Policy (SRP) – A built-in Microsoft feature that can be configured to prevent executable files from running from directories that malware commonly tries to use. Basically, this denies malware the locations it usually launches from.
- Least User Privilege (LUA) – This is just a matter of using Standard User accounts for everyday work (rather than Administrator accounts). If a user account can only make changes in its own areas, Ransomware running as that user has the same limitations. (A best practice anyway, LUA also protects against staff accidentally taking down systems, and against snooping or malicious users tampering with things they shouldn’t.)
- Network Share Security – Similar to LUA and “need to know” thinking, server network shares should have their access set to allow only the level of access that’s needed by each user or user group. This requires some thinking about an organization’s groups and who needs what. (Also a best practice, for the same reasons as LUA above.)
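As an added example (not Slingshot’s code, and not from the original article), here is how the SRP option above looks when applied on a standalone or test machine. SRP rules are stored under the Safer registry key; this script writes the same values that the Group Policy editor (Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies) produces, marks a handful of user-writable folders as “Disallowed” for executables, and switches on SRP’s own log file so blocked launches can be reviewed. The folder list, the log path and the rule description are assumptions chosen for illustration; on a domain, set the equivalent rules through Group Policy instead of editing the registry by hand.

```powershell
# Added example (not Slingshot's code): apply Software Restriction Policy (SRP)
# path rules through the registry, then turn on SRP's evaluation log.
# Assumptions: run as Administrator; Windows PowerShell 3.0 or later; the
# folder list, log path and description below are illustrative choices.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# User-writable folders that malware droppers commonly unpack into. Each rule
# is "Disallowed": nothing may execute from that path. Review before use:
# some legitimate per-user installers also unpack into %AppData% and would
# need an explicit Unrestricted rule under the 262144 (0x40000) level key.
$DisallowedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe',
    '%LocalAppData%\Temp\*\*.exe'
)

function Set-SrpBaseline {
    New-Item -Path $Safer -Force | Out-Null
    # DefaultLevel 0x40000 = Unrestricted: everything runs unless a rule says otherwise
    New-ItemProperty -Path $Safer -Name DefaultLevel -PropertyType DWord -Value 0x40000 -Force | Out-Null
    # TransparentEnabled 1 = enforce for all software files except libraries (DLLs)
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    # PolicyScope 0 = apply to all users, including local administrators
    New-ItemProperty -Path $Safer -Name PolicyScope -PropertyType DWord -Value 0 -Force | Out-Null
    # A LogFileName value makes SRP record every evaluation; useful when a rule
    # blocks something unexpected. The path is a constructed example.
    New-ItemProperty -Path $Safer -Name LogFileName -PropertyType String -Value 'C:\Windows\Temp\srp.log' -Force | Out-Null
}

function Add-SrpDisallowedPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Ransomware hardening (example script)'
    )
    # Level subkey 0 = Disallowed; each path rule lives under Paths\{GUID}
    $guid    = [guid]::NewGuid().ToString('B').ToUpper()
    $ruleKey = "$Safer\0\Paths\$guid"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

function Get-SrpDisallowedPaths {
    # List the Disallowed path rules currently in force (for review or audit)
    $pathsKey = "$Safer\0\Paths"
    if (-not (Test-Path $pathsKey)) { return @() }
    Get-ChildItem $pathsKey | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

Set-SrpBaseline
$existing = @(Get-SrpDisallowedPaths)
foreach ($p in $DisallowedPaths) {
    if ($existing -notcontains $p) { Add-SrpDisallowedPath -Path $p | Out-Null }
}
Get-SrpDisallowedPaths | ForEach-Object { "Disallowed: $_" }
```

To confirm the policy is active, copy a harmless program such as notepad.exe into %AppData% and try to start it from there; it should be refused and the attempt should appear in the log file. Keep the log for a week or two before rolling the rules out widely, since it shows you exactly which legitimate software, if any, the new rules are catching.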
5) Recover From It with Backups
Finally, no matter what you do, bad things can still happen. If worse comes to worst, there are options for data recovery without paying ransom.
→ Any properly configured server should follow the “3-2-1” Backup Rule: 3 backups, on 2 different media, and 1 offsite.
- Volume Shadow Copy / Restore Previous Versions / System Restore – Properly configured Windows servers and workstations “snapshot” a backup of their files several times per day. In most cases, these previous versions can be easily restored over the encrypted versions. Unfortunately, some malware knows how to corrupt the previous file versions too – LUA (above) helps prevent that.
- Nightly Backups – This is the second layer, usually a full-system (“bare metal”) Windows Backup to an external drive or NAS. Should Volume Shadow Copy have trouble, we can still restore files from this.
- Offsite Backups – Finally, in the event of any catastrophe, you want a copy of your data offsite. We recommend CrashPlan or JungleDisk for this.
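The first recovery layer above only works if snapshots are actually being taken, so here is an added example (not Slingshot’s code, and not from the original article) of the check we would schedule on a server: it takes a Volume Shadow Copy snapshot of a volume, lists the snapshots that exist, and fails when there are too few or the newest one is too old, which is the condition that leaves “Restore Previous Versions” with nothing to restore. The volume letter, the 8-hour freshness threshold and the minimum count of 3 are assumptions; the commented wbadmin line shows the nightly “bare metal” backup of the second layer, with a placeholder target drive.

```powershell
# Added example (not Slingshot's code): create a Volume Shadow Copy snapshot,
# list the existing ones, and alert when they are missing or stale.
# Assumptions: run as Administrator on Windows with VSS available; the volume,
# the 8-hour threshold, the minimum count and the E: backup target are
# constructed values for illustration.

function New-VolumeSnapshot {
    param([string]$Volume = 'C:\')
    # Win32_ShadowCopy.Create returns ReturnValue 0 on success plus the new ShadowID;
    # "ClientAccessible" is the context used by the "Previous Versions" feature.
    $result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Shadow copy of $Volume failed with return code $($result.ReturnValue)"
    }
    return $result.ShadowID
}

function Get-VolumeSnapshots {
    param([string]$Volume = 'C:\')
    # VSS names volumes by GUID path (\\?\Volume{...}\), so map the drive letter first
    $driveLetter = $Volume.TrimEnd('\')
    $volumeName  = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$driveLetter'").DeviceID
    Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeName } |
        ForEach-Object {
            [pscustomobject]@{
                ID      = $_.ID
                Created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
                Device  = $_.DeviceObject
            }
        } | Sort-Object Created -Descending
}

function Test-SnapshotFreshness {
    param([string]$Volume = 'C:\', [int]$MaxAgeHours = 8, [int]$MinCount = 3)
    # Too few snapshots, or a newest snapshot older than the threshold, both mean
    # previous versions may not be there when you need them; return $false to alert.
    $snaps = @(Get-VolumeSnapshots -Volume $Volume)
    if ($snaps.Count -lt $MinCount) { return $false }
    return ($snaps[0].Created -gt (Get-Date).AddHours(-$MaxAgeHours))
}

# Second layer: nightly full-system ("bare metal") Windows Backup to an external
# drive. E: is a placeholder for your backup target.
# wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet

New-VolumeSnapshot -Volume 'C:\' | Out-Null
Get-VolumeSnapshots -Volume 'C:\' | Format-Table -AutoSize
if (-not (Test-SnapshotFreshness -Volume 'C:\')) {
    Write-Warning 'Shadow copies are missing or stale: check the VSS storage limit and the snapshot schedule.'
}
```

Run the script from a scheduled task several times a day and route the warning to whatever alerting you already use. Remember that shadow copies live on the same disk as the data they protect, which is exactly why the nightly and offsite layers above still matter: a snapshot helps with encrypted files, but not with a failed drive or a machine that is wiped and rebuilt.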