Story image

Best practices: Preventing and recovering from ransomware attacks

06 Jul 18

Article by StorageCraft APAC sales head Marina Brook

In May 2017, the WannaCry attack jolted the public into awareness of ransomware’s destructive capabilities.

WannaCry infected over 300,000 Windows computers by encrypting data on the machines and then demanding Bitcoin to unlock the data.

Ransomware is a lucrative endeavour.

There is a good chance that an organisation will have to deal with ransomware at some point if they have not done so already.

Here are best practices for preventing ransomware attacks, plus a few suggestions on how to respond to an attack.

Several factors have led to the rise in ransomware attacks:

Ransomware has moved beyond amateurs to professionals, who are more likely to be aware of security holes that make attacks more successful.

The anonymous nature of Bitcoin has driven investment in the cryptocurrency while making it ideal for making demands on attack victims.

Computers are providing value for longer than ever, but many now lack the latest security updates to operating system updates that can repel attacks.

IT professionals are often reluctant to patch older computers because OS updates usually slow down old systems.

Most ransomware attacks arrive through email, and many employees have not been properly trained to recognise a malicious email attachment.

How to mitigate attacks

The most effective step for an organisation to take to combat ransomware is to perform a regular backup of its most important files.

The most sophisticated attacks encrypt both data files and Windows restore points.

Backing up critical data and ensuring it is easy to recover is the best defence against ransomware attacks.

In addition to performing regular backups, consider the following:

  • Update all software according to a regular maintenance plan. If a workstation or server is too old to update, retire it. The few tasks it can perform do not outweigh the risk it presents to machines on the network.
     
  • Restrict administrator accounts to only a few people in the organisation and create user (not admin) accounts on each workstation for each employee. End users should not be logged into machines as administrators. The most destructive ransomware is designed to gain access to network areas that are accessible only via administrator accounts.
     
  • Verify backups. Performing backups is just the first step because these will not be effective unless they work. Be sure they do by verifying backups and testing the data restore process regularly. Occasionally, the backup restores properly but does not include all critical files.
     
  • Employee training is often overlooked or not regularly updated for new employees. Do not assume the employees are tech-savvy enough to recognise malware sent via email. Regular training takes time and resources, but apart from backup, can have the biggest impact in deterring the spread of ransomware.

How to respond to an attack

An organisation suspecting that someone on the network has been a victim of a ransomware attack should perform the following steps:

  • Take a snapshot of the system and then shut it down. A snapshot will attempt to save system memory, which might the help in decryption and gives further details about the attack. Some professionals recommend the quarantine of any computers known to be infected, but it is safer to shut down all systems to keep the ransomware from spreading.
     
  • Block remote desktop protocol (RDP) at the network level. Consider blocking all email attachments until the attack’s origin is fully understood.
     
  • Assess the damage and determine the point of entry. This is where backups come into play. The organisation will need to revert to its backup plan at this point depending on which systems were infected. Pulling a server offline may take more planning. The key here is to have a reliable backup to get the business up and running quickly.
     
  • What if there is no backup? IT will need to assess the value of the encrypted data and decide if it is worth hiring a security/ransomware expert, or simply paying the ransom. Thieves often increase the ransom the longer they have to wait.

Ransomware attacks are a perfect crime because the cybercriminals ‘win’ even if only one out of a thousand companies decides to pay the ransom.

The anonymity makes it nearly impossible for authorities to track down the perpetrators, so they move on in search of more potential victims.

One thing we know for certain is that attacks will continue and will evolve as companies learn to combat them. 

Defending data is critically important when fighting back from a ransomware attack.

How McAfee aims to curb enterprise data loss
McAfee DLP aims to help safeguard intellectual property and ensure compliance by protecting sensitive data.
HPE promotes 'circular economy' for end-of-use tech
HPE is planning to show businesses worldwide that throwing old tech and assets into landfill is not the best option when it comes to end-of-use disposal.
2018 sees 1,500% increase in coinmining malware - report
This issue will only continue to grow as IoT forms the foundation of connected devices and smart city grids.
CSPs ‘not capable enough’ to meet 5G demands of end-users
A new study from Gartner produced some startling findings, including the lack of readiness of communications service providers (CSPs).
Oracle announces a new set of cloud-native managed services
"Developers should have the flexibility to build and deploy their applications anywhere they choose without the threat of cloud vendor lock-in.”
How AT&T aims to help businesses recover faster from a disaster
"Companies need to be able to recover and continue operations ASAP, without pulling resources from other places to get back up and running."
2019 threat landscape predictions - Proofpoint
Proofpoint researchers have looked ahead at the trends and events likely to shape the threat landscape in the year to come.
How your enterprise backup solution could fail
Even the best-trained employees are prone to error, and unfortunately, sometimes those errors affect enterprise backups.