Ransomware

In case you lived under a rock the past few years: ransomware or cryptolockers are a form of digital extortion. A malicious program runs on your computer, searches for any and all data files it can find and encrypts them. Anywhere on the network where you have access, the program performs its evil function. Entire organizations can be paralyzed when ransomware runs rampant. The extortionists promise to decrypt your data, if you pay them in some cryptocurrency. Is that really the only course of action? What can you do to stop ransomware and how do you recover from an attack?

Should you pay?

Many victims of ransomware decide to pay the ransom to get access to their data again. Often, the attackers will release decryption software after the ransom is paid. While I understand why some organizations decide to pay, there are several objections:

  • You make ransomware attacks profitable, encouraging this type of crime.
  • There is no guarantee the attackers will stick to their end of the bargain.
  • The decryption software might not work.
  • The attackers may ask for more money before releasing your files.
  • You risk being targeted again when word gets out you paid.

Paying isn’t ideal but if you’re not prepared for this kind of attack it might be the best bet for your organization.

Be prepared for ransomware!

Unfortunately, cyber attacks are a part of life. Sooner or later every organization becomes a target so it’s better to prepare. There are several things that you should do to thwart ransomware attacks.

1. Create awareness

Awareness is key in stopping many cyber attacks
( Photo by Fernando Arcos from Pexels )

One of the best ways to prevent ransomware from becoming a problem, is to make sure users understand the dangers of opening unexpected attachments or clicking on every link they see. Train users to recognize suspicious emails and attachments.

Train users how to react if they notice something suspicious on the system. Encourage them to report incidents, make it clear how they can report incidents and most of all: don’t assign blame when someone creates an incident See incidents as ways to learn and improve your information security.

2. Restrict your users

Trust is good but control is better when it comes to information security. Give your users the permissions and the software they need to do their jobs but nothing more. We call this the principle of least privilege. If a user workstation becomes infected with a virus or ransomware, it runs with the same privileges as the user. The less access the user has, the less access the malware has.

3. Patch

Several large scale ransomware attacks used vulnerabilities in the Microsoft Windows operating system. The most notorious of these are WannaCry and Petya. Running up to date versions of software is always a good idea and this is also true when dealing with ransomware.

4. Detect

Antivirus software isn’t always effective at detecting new ransomware but it does help prevent older types. Scan for potential malware in email attachments, software downloads or on removable media. Larger organizations can afford so called next-gen protection from vendors like SentinelOne but for most small businesses this kind of protection is out of reach.

Cloud platforms don’t always offer ransomware protection to their users. Nextcloud is one of those that does, even for users who run their software for free. Nextcloud offers detection of suspicious files and users can easily restore files affected by ransomware as well. You might like these other Nextcloud articles too.

You do have backups, don’t you?
( Photo by panumas nikhomkhai from Pexels)

Backups

If all else fails and ransomware does manage to infiltrate your systems and wreak havoc, all is not lost. Good backups will save the day. What do I mean by good backups?

  • Tested
    A backup is only good if you have verified that it works and that files can be restored successfully.
  • Offline
    Backups should be kept separate from your production systems and should not be accessible, accept during backup or restore operations.
  • Restricted
    Limit the number of users who have access rights to the backup. Don’t use these user accounts for regular work.
  • Remote
    Backups should be kept offsite for added security.

Disaster recovery

A ransomware outbreak should be part of any organization’s disaster recovery plan. In the plan, you document how to act during and after the outbreak, who is responsible for doing what and how you intend to recover. Also include contact details for any third parties that you need to restore your systems to working condition.

Do you have tips or advice on surviving a ransomware outbreak? Were you a victim of one? How did you recover from the outbreak? Feel free to leave your tips below!