Best Practices for Preventing and Recovering from a Ransomware Attack

AUGUST 27TH, 2018

Ransomware has been around for a while now, but it was not until the WannaCry attack in May 2017 that the public was made aware of their destructive capabilities. WannaCry infected over 300,000 Windows computers by encrypting data on the machines and then demanding Bitcoin to unlock the data.

inline

Ransomware a lucrative endeavor and there is no sign of it slowing down. There is a good chance you will have to deal with ransomware at some point if you have not already. In this article, we discuss some best practices for preventing ransomware attacks along with a few suggestions on how to respond to an attack on your data.

Factors in the Rise of Ransomware

Several factors have led to the dramatic rise in ransomware attacks:

  • Ransomware has moved beyond the amateurs to the professionals who are more likely to be aware of security holes making attacks more successful.
  • The anonymous nature of Bitcoin has driven investment in the cryptocurrency while making it the ideal currency to demand from victims of attacks.
  • Computers are providing value for longer than ever, but that means many lack the latest security updates to operating system updates that can repel attacks. IT would rather do about anything than patch older computers because OS updates often slow down old systems.
  • Most ransomware attacks come through email, and many employees have not been properly trained to recognize a malicious email attachment.

How to Mitigate Attacks

inline

The most effective step you can take to combat ransomware is to perform a regular backup of your most important files. The most sophisticated attacks not only encrypt data files, but also Windows restore points. Backing up your critical data and making it easy to recover is your best defense against ransomware attacks. If you do not have a current backup plan, a product like ShadowProtect may be a good fit for your needs. In addition, performing regular backups, you should also consider:

  • Update all software according to a regular maintenance plan. If a workstation or server is too old to update, retire it. The few tasks it can perform do not outweigh the risk it presents to the machines on your network.
  • Restrict administrator accounts to only a few people in your organization and create user (not admin) accounts on each workstation for each employee. End-users should not be logged into machines as administrator. The most destructive ransomware is designed to gain access to areas of a network only accessible via administrator accounts.
  • Verify backups. Performing backups is only the first step because they will not do you any good unless they work. The only way to make sure is to verify backups by testing your data restore process. You may find the backup restores properly but did not include all critical files.
  • Employee training is often overlooked or not regularly updated for new employees. Do not assume employees are tech-savvy enough to recognize malware sent over email. Regular training takes time and resources, but outside of backup, can have the biggest impact in deterring the spread of ransomware.

How to Respond to an Attack

If you suspect anyone on your network has been a victim of a ransomware attack, perform the following steps:

  • Take a snapshot of your system and then shut it down. A snapshot will attempt to save your system memory which might the help in decryption and gives further details about the attack. Some professionals recommend you quarantine any computers you know to be infected, but you are safer to shut down all of them to keep the ransomware from spreading.
  • Block RDP at the network level. You might consider blocking all email attachments until you fully understand from where the attack originated.
  • Assess the damage and determine the point of entry. This is where your backups come into play. You will need to revert to your backup plan at this point depending on which systems were infected. Pulling a server offline may take more planning. The key here is that you have a backup you can rely on to get you up and running quickly.
  • What if you do not have a backup? You will have to access the value of the encrypted data and decide if it is worth hiring a security/ransomware expert or simply paying the ransom. Thieves often increase the ransom the longer you wait.

Ransom attacks are the perfect crime because the thieves “win” even if only one out of a thousand companies decide to pay the ransom. The anonymity makes it nearly impossible for the authorities to track down the perpetrators, so they move on in search of more potential victims. One thing we know for certain is that the attacks will continue and will evolve as companies learn to combat them. Defending your data is important when fighting back from a ransomware attack. Learn how StorageCraft can help keep your data safe in the midst of a disaster.