Ransomware Prevention and Recovery Strategies
Posted by Andrew Ogilvie in Security
On Friday 12th May 2017 many organisations around the world, including parts of Britain's NHS, were disrupted by attacks using ransomware called WannaCry.
Ransomware is malicious software that, once it has infected a computer, encrypts its files or otherwise blocks access to them and demands a ransom to restore access.
Typically the malware enters an organisation through employees' PCs, via security flaws in web browsers (or their plugins) or via phishing email attachments. WannaCry was unusual in that it also spread on its own between unpatched Windows machines over SMB, with no user interaction, so patching and network segmentation mattered as much as user awareness.
Such attacks are increasingly common and can severely disrupt an organisation, or put it out of business, if its data is rendered inaccessible. Organisations should review their IT infrastructure and procedures to limit the risk of a successful attack. Here we list some areas of focus that can help prevent a ransomware attack and limit its impact.
Educate Personnel
Conduct training for existing and new employees to raise awareness of the risks of malware and phishing attacks.
Remind employees never to open unsolicited links or attachments. Emails from unknown sources should be treated with suspicion, and staff should know how to report a suspicious message rather than simply deleting it.
Spam filtering
Implement spam filtering on your email server. In addition, authenticating inbound email using Sender Policy Framework (SPF), ideally together with DKIM and DMARC, helps block emails that forge your own or a partner's domain. Note that SPF alone only checks the envelope sender used during the SMTP transaction, so the visible From: address can still be spoofed unless DMARC alignment is enforced as well.
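To show what an SPF check actually decides, here is a simplified evaluator added for this article (it is not code from the original post or from any mail product). It handles only the ip4, ip6 and all mechanisms of an SPF record, and the domain records it consults are a constructed in-memory table standing in for the DNS TXT lookup a real receiver would perform; include, a, mx and other DNS-dependent mechanisms are deliberately skipped so the example runs offline. The domain names and IP addresses are assumptions chosen from documentation ranges.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (assumption, not a real domain's DNS data).
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

# Constructed stand-in for DNS TXT lookups. In production resolve the record with a DNS
# library instead of a dictionary; this table exists only so the example runs offline.
SPF_RECORDS = {
    "example.com": EXAMPLE_SPF,
    "nospf.example": None,  # domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip against a simplified SPF record.

    Only the ip4, ip6 and all mechanisms are evaluated; mechanisms that need DNS
    (include, a, mx, ptr, exists, redirect) are ignored in this offline example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # 'all' matches everything that reached it, so its qualifier is the result
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed term treated as non-matching (a real checker reports permerror)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # any other mechanism would require a DNS lookup and is skipped here
    return "neutral"  # no mechanism matched and the record has no 'all' term


def check_inbound(envelope_from: str, sender_ip: str, records=SPF_RECORDS) -> str:
    """Look up the envelope sender's domain and evaluate the connecting IP against its SPF record.

    Returns 'none' when the domain publishes no record. Note this checks the SMTP
    MAIL FROM domain, not the From: header a user sees in their mail client.
    """
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"
    return evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    # Legitimate mail from an authorised server, then a forgery from an unlisted address.
    print(check_inbound("finance@example.com", "203.0.113.77"))  # pass
    print(check_inbound("finance@example.com", "192.0.2.10"))    # fail
```

A "fail" result is what a spam filter or MTA would act on (reject or quarantine); "softfail" and "neutral" are advisory, which is why a domain that ends its record with "~all" or omits "all" altogether gets little protection from SPF on its own.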
Gateway Scanning
Scan all incoming emails and employees' browser sessions for malware. This can be done with an anti-virus gateway scanner.
Local Anti-Virus
Have local anti-virus and anti-malware programs scan all desktops and servers regularly. Ensure these scanners are updated regularly and ideally automatically.
Patch
Keep systems up to date and apply security patches promptly. Consider implementing a centralised patch management system for operating systems, applications and firmware. Where unsupported operating systems such as Windows XP are still in use, this will mean migrating to a supported Windows version, since unsupported systems no longer receive routine security fixes.
Limit Access Privileges
Once a computer is infected, malware can spread to everything its user's account can write to, including network shares, so it is important that access privileges are limited: users and service accounts should have write access only to the shares and folders they actually need, and nobody should work day to day with administrative rights. A central directory such as Active Directory lets you manage these permissions consistently.
Isolate Internal Networks
Segment your internal network using VLANs, with separate VLANs for different business functions, and restrict traffic between them with firewall rules. A VLAN on its own only separates broadcast domains; without filtering between segments an infection in one department can still reach servers and workstations in another.
Document Viewers
Consider using Office viewer software rather than full Microsoft Office to open email attachments, since a viewer can display a document but cannot run the macros that many phishing attachments rely on.
Penetration Testing
Conduct regular penetration testing of the company's internet-facing servers and network access circuits.
Insurance
Insurers now offer cyber insurance policies, which may be useful for many businesses; however, be clear about what the detailed policy terms require you to comply with (for example, maintained patching and tested backups) for the cover to be active.
Backups
Regular data backups are an absolutely essential requirement for keeping a modern business online, and they are the one control on this list that still works after every preventive measure has failed.
Even short IT disruptions can be expensive, if not fatal.
Offsite Backups
Maintain offsite backups of your key servers and data. This can be done in near real time with software such as Veeam Backup and Replication. Used in conjunction with Veeam Cloud Connect services, it allows rapid backup and restore to and from the cloud, cost-effectively and efficiently.
Verify Backups Regularly
Verify your backups on a regular basis: a backup that has never been restored is not known to work. Testing replicas of virtual machines can be the best way to do this, avoiding
disruption to live production services.
Secure Your Backups
Ensure backups are not permanently connected to the computers or networks they protect. Ransomware runs with the rights of the infected user, so a mapped backup drive or a backup share that user can write to will simply be encrypted along with everything else. Keep at least one copy offline, or on storage that the backed-up systems cannot write to.
Virtualise Servers
Consider running applications as internal 'web apps' inside virtual servers. Virtual servers can be backed up easily and
quickly without disrupting users or the applications running on them, and they are also quicker to
restore. Where a ransomware attack has encrypted data, restoring virtual servers from a clean snapshot will typically be the quickest
and most effective way to get the business back up and running, provided the original infection has been removed first so that the restored servers are not encrypted again.
Access Applications Remotely
Use Remote Desktop Protocol (RDP) sessions to give users limited access to applications, rather than installing apps locally on each PC. Never expose RDP directly to the internet: exposed RDP logins are a common entry point for ransomware operators, so publish it only through a VPN or remote desktop gateway with multi-factor authentication.