Focusing on risk and recovery: a ransomware preparation checklist
- Published: Friday, 19 June 2020 09:07
Recent weeks have seen new high-profile ransomware attacks hitting the headlines, adding to the difficulties for companies already working hard to manage COVID-19 issues. Charles Burger provides six tips to help reduce ransomware risks.
Despite the current disruption to the working lives of many people, it remains business as usual for the cyber criminals behind the millions of ransomware attacks taking place every year. Ransomware, one of the most notorious forms of digital crime, encrypts the files on every system it can reach, usually spreading across the network first, and then demands payment for the decryption key. Paying does not undo the encryption that has already taken place.
Part of the challenge is that too many organizations are underprepared when a ransomware attack hits. Many learn the hard way that having conventional backups does not mean data can be recovered and business continuity safeguarded: backups that can be reached and written from the compromised network (mounted shares, backup servers accessible with the same credentials) are routinely encrypted or deleted along with the production data.
Instead, some organizations decide that paying the ransom is the quickest way to restore encrypted systems, even though it does nothing to guarantee recovery. Others, who decline to pay the ransom, attempt to recover their systems, only to damage valuable files in the process. Even the most determined and committed organizations face a potentially long and expensive period of recovery when refusing to pay a ransom.
Ultimately, because recovery after the fact is so costly and uncertain, preparing for a ransomware attack is by far the most effective way of reducing both the chance of becoming a victim and the damage done if an attack succeeds. Following the steps on this checklist can help tip the balance of power against potential attackers:
- Education. Users should be instructed not to visit unapproved websites and not to click on links within emails unless they are specifically expecting the message and have no other way to reach the site (a password reset email, for example); otherwise they should get to the site by typing the address they already know. The best way to illustrate the risk is a live demonstration showing users that the text of a link and the address it actually opens are independent, so a link that reads like the company portal can point to a lookalike domain.
- Patch and update. It is vital to keep the software and firmware on all networked devices completely up to date. This must be a comprehensive process, covering local and remote devices alike: switches, servers, workstations and personally owned (BYOD) devices. Working exploits now routinely appear within days of a patch being released, because attackers reverse-engineer the fix to locate the flaw, so the window of relative safety between patch release and active exploitation keeps getting shorter.
- Enable firewalls. Turn on host firewalls as well as the network firewall, and apply their firmware and signature updates as soon as they are available. Note that some of the newest firewalls can block traffic associated with known ransomware families, though the jury is still out on their real-world effectiveness.
- Control access privileges. Make sure that users, and especially systems administrators, run with the least privilege possible while still being able to stay productive: administrators should use a separate, unprivileged account for email and browsing and elevate only for administrative tasks. Although useful, this is not foolproof, as malware has proven very adept at escalating to root or admin privilege levels, but it does limit how much an initial infection can encrypt and how easily it spreads.
- Disable Remote Desktop Protocol (RDP). RDP exposed to the internet is used by cyber criminals to gain access in many attacks, typically with stolen or brute-forced credentials, so it should be disabled unless it is used in carefully controlled maintenance procedures. Where it is genuinely needed, never expose port 3389 directly to the internet: reach it only through a VPN or jump host protected by multi-factor authentication, require Network Level Authentication, and restrict which accounts may log on remotely.
- Create an immutable copy of vital data. As a last line of defense, your data and backups should be stored in an immutable, write-once form so that encryption or deletion cannot affect either your active data or your backups. It is a common misconception that backups will always be available; recent events have proven otherwise. Only a hardened storage solution engineered to resist attempts at corruption or deletion, even by an attacker holding administrator credentials, can reliably keep your data safe from ransomware, and that assurance should be confirmed with regular test restores rather than assumed.
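The live demonstration the Education item calls for can be scripted. The following is an added example written for this page, not code from the article or from Nexsan: it parses the anchors in an HTML e-mail body, compares the host a user reads in the link text with the host the href actually resolves to, and catches the user@host trick as well as lookalike domains. The sample message, the URL-like-text heuristic (`URLISH`) and the exact-host comparison are assumptions made for the demo.

```python
"""Show users that a link's visible text and its real destination are independent.

Added example for the Education item above; it is not code from the article or
from Nexsan. The sample e-mail body below is constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one honest link, one whose text is the real portal
# but whose href is a lookalike domain, one plain-text link, and one that hides
# the real host behind a user@ prefix.
SAMPLE_EMAIL = """
<p>Your password expires today. Reset it at
<a href="https://portal.example.com/reset">https://portal.example.com/reset</a>.</p>
<p>Or use <a href="http://portal-example.com.evil.test/reset">https://portal.example.com/reset</a>.</p>
<p>See the <a href="https://docs.example.com/help">help pages</a> for details.</p>
<p>Secure login: <a href="https://docs.example.com@evil.test/login">https://docs.example.com</a></p>
"""

# Visible text a user would read as an address: optional scheme, a dotted host,
# optional path. Text with spaces ("help pages") is not URL-like. Heuristic only.
URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/:?#]\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Return the lowercase host a browser would actually connect to.

    urlsplit().hostname drops the scheme, any user@ prefix and the port, which is
    exactly the trick 'https://docs.example.com@evil.test/' relies on: the browser
    goes to evil.test and treats 'docs.example.com' as a username.
    """
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def check_links(html):
    """Return (href, text, verdict) per link: 'ok', 'MISMATCH: ...', or a note
    that the text is not an address and the target must be checked by hovering."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.links:
        if not URLISH.match(text):
            verdict = "text is not a URL; hover to see the real target"
        else:
            shown, real = real_host(text), real_host(href)
            # Exact host comparison on purpose: a lookalike such as
            # portal-example.com.evil.test must not pass as portal.example.com.
            verdict = "ok" if shown == real else f"MISMATCH: shows {shown}, goes to {real}"
        results.append((href, text, verdict))
    return results


if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:<72} text={text!r} href={href!r}")
```

Run against a real message export, the output is the same thing a user sees when hovering a link, laid out side by side, which is what makes the demonstration stick. The `MISMATCH` verdict is the teaching point; the "hover to see the real target" verdict shows why descriptive link text ("help pages") cannot be judged from the text alone.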
These hardened storage solutions can be critical to effective recovery. A recent example is that of a large and well-known hospital with a meticulously careful IT department, which suffered a massive ransomware attack that encrypted all of its patients’ radiology studies. However, in this case, the hospital’s downtime was only a matter of minutes because it had previously deployed a hardened active archive solution from which it could quickly and completely restore all data.
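Immutability protects the copy; it does not by itself tell you whether the copy you are about to restore from is still the one you made. The following is an added example written for this page, not code from the article or from Nexsan's Assureon: it records a digest manifest when the backup set is written, then checks a copy against it and flags changed or new files whose contents look encrypted, the situation an organization discovers when its "available" backups were reachable from the infected network. The manifest format (one `sha256  relative/path` line per file, as `sha256sum` writes it), the entropy threshold and the sample backup set are assumptions; the sample files and the simulated attack are constructed in a temporary directory.

```python
"""Verify a backup copy against a manifest taken when it was written, and flag
files whose contents now look encrypted.

Added example for the immutable-copy item and the restore story above; not code
from the article or from Nexsan. The sha256sum-style manifest format and the
entropy threshold are assumptions; the backup set is constructed for the demo.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Random or properly encrypted bytes score close to 8 bits per byte; documents
# and text stay well below this. Threshold is an assumption, not a standard.
ENCRYPTED_ENTROPY_THRESHOLD = 7.5


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _relative_files(root):
    """All files under root as sorted POSIX-style relative paths."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def write_manifest(root, manifest):
    """Record the digest of every file in the backup set, sha256sum style."""
    lines = [f"{sha256_of(root / rel)}  {rel}" for rel in _relative_files(root)]
    manifest.write_text("\n".join(lines) + "\n")


def verify(root, manifest):
    """Compare the backup set under root with the manifest taken at backup time.

    Returns files that still match, changed, missing, newly appeared, and the
    subset of changed/new files whose content looks encrypted (ransomware
    output), so that a restore is not trusted blindly.
    """
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, _, rel = line.partition("  ")
        expected[rel] = digest
    report = {"ok": [], "modified": [], "missing": [], "extra": [], "likely_encrypted": []}
    for rel, digest in expected.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_of(path) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["extra"] = [rel for rel in _relative_files(root) if rel not in expected]
    for rel in report["modified"] + report["extra"]:
        if shannon_entropy((root / rel).read_bytes()) > ENCRYPTED_ENTROPY_THRESHOLD:
            report["likely_encrypted"].append(rel)
    return report


def demo():
    """Build a constructed backup set, then simulate ransomware reaching it."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "backup"
    (root / "radiology").mkdir(parents=True)
    (root / "radiology" / "study-001.txt").write_text("patient study 001\n" * 200)
    (root / "radiology" / "study-002.txt").write_text("patient study 002\n" * 200)
    (root / "notes.txt").write_text("ward notes\n" * 50)
    manifest = tmp / "manifest.sha256"  # kept outside the backup tree
    write_manifest(root, manifest)

    # Simulated attack on a writable backup: one study encrypted in place, one
    # renamed and encrypted, a ransom note dropped. os.urandom stands in for
    # ciphertext, which is just as incompressible.
    (root / "radiology" / "study-001.txt").write_bytes(os.urandom(4096))
    (root / "radiology" / "study-002.txt").rename(root / "radiology" / "study-002.txt.locked")
    (root / "radiology" / "study-002.txt.locked").write_bytes(os.urandom(4096))
    (root / "HOW_TO_DECRYPT.txt").write_text("your files are encrypted, pay to recover\n")
    return verify(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:>17}: {files}")
```

The manifest must live somewhere the attacker cannot rewrite, ideally on the same write-once storage as the backup or signed and kept offline; a manifest stored next to a writable backup can be regenerated by the same malware that encrypted the files. The entropy check is a heuristic for triage, not proof: compressed archives and already-encrypted data score high legitimately, which is why the digest comparison, not the entropy, decides whether a file has changed.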
And that underlines the point: preparation is everything. Certainly, it’s critical in helping to avoid an attack. However, it is just as important for dealing with the aftermath of a successful infiltration. Being well prepared is the key to avoiding the worst effects of ransomware. Organizations that make a firm commitment to protecting their systems and data to stay ahead of this growing cybercrime trend will always be better placed to quickly move on from an attack with minimal disruption to business operations or cost.
Charles Burger is the Global Director of Assureon Solutions at Nexsan, a StorCentric Company. For over nine years he’s served as the architect for customers within the strictly regulated financial, medical, law enforcement, state/local and federal government markets. Nexsan channel partners and end customers value and depend upon his wealth of knowledge and hands-on expertise in enterprise storage and regulations compliance, especially those with ECM applications that are core to successful medical systems like PACS and patient history. Prior to Nexsan, Burger held senior sales and systems integrator positions with Sterling Computers; Sun Microsystems, where he designed, sold and integrated commercial and federal systems (SunFed); and Procom Technology. He holds a B.A. from the University of Wisconsin-Madison where he majored in Political Science and minored in Criminal Law and History.