Ransomware is a sophisticated and serious threat to your information system, and it can cost your business a lot. The good news is using the right controls and security approach you can defend against ransomware virus. Many service providers and software companies use scare tactics to drum up business. One of their favourite red flags is ransomware protection, and their solutions almost always incomplete and expensive. Some SMB owners, panicked by a potential ransomware attack, fold and crash their budgets to ward off security threats. Others, with limited resources, put their heads in the sand and pretend that their systems are safe. Both reactions defy logic and are not the way to go.
In this article, we outline a constructive self-help solution that:
is affordable.
Enable you and your staff to get the job done.
Give you peace of mind that your data and network can ward off the most vicious ransomware virus attacks.
Our Approach
In this article, we have delivered a complete solution to protect your system from a ransomware attack. Our multi-layered security solution is the only way to ensure your safety against a sophisticated ransomware attack. The rules of security engagement are clear:
There’s no such thing as 100% secure. Despite all your efforts, assume that a ransomware attack will get through your defenses. Therefore our solution consists of recovery controls in addition to preventative measures.
A multi-layered defence-in-depth approach is compulsory because all security controls fail in one situation or the other. Relying on single security control is ineffective and incomplete.
The four preventive controls in our multi-layered approach to prevent ransomware
Spam Protection – the first line of defence
Spam Emails are the number one source for spreading a ransomware virus. There are two methods of attack used by spammers:
First one – sending an attached malware file in an email message. It’s no longer a popular choice among spammers because most spam protection systems and email providers can scan for malicious code, adequately warning recipients and blocking malicious messages.
The other approach includes a download link in the emailed content. The message is generally a well-disguised ruse to get you to click on the link, downloading the malware into your system. Because the emailed content does not include malware payload most spam protection system failed to recognise it as a threat.
Sophisticated hackers use OneDrive, Dropbox or Google Drive, and the like. They know that most companies see these cloud storage providers as high status and legitimate, allowing traffic in without too much scrutiny. For example, the hacker stores a malware file in Microsoft OneDrive and then shares that file via an OneDrive link in an email. From a deviousness point-of-view, it’s streets ahead of throwing out some random domain name and then hoping for the best.
In summary: Good spam protection reduces your exposure by blocking most of the phishing emails. Make sure that your spam protection is capable of performing SSL inspection and context-aware scanning to identify and block malicious links and domains.
Content Filtering – the 2nd line of defence
Spam protection plays a vital role by blocking most of the malicious emails before they deliver to your end-users. But even the best spam filtering system fails to stop all spams messages. When end users accidentally click on destructive links in a spam email, then content filtering is your next line of defence. Content filtering use blacklists to block known malicious domains and perform a real-time malware scan on each file. It can scan encrypted content using SSL inspection, and utilise behaviour-based detection mechanisms to filter internet traffic.
Antivirus – the 3rd line of defence
Spam protection and content filtering, in combination, stop the majority of the ransomware attacks. However, it’s not perfect. Carefully crafted malware attacks can bypass both spam and content filtering. The malware could also introduce to your network from other means like removable storage devices. Here’s the thing: it only takes one to spiral things out of control. If the ransomware virus reached your network, you have to be ready to counteract it. Antivirus is the next preventative control that you should have installed, configured, and prepared to spring into action.
An effective antivirus must have:
Behaviour-Based scan capabilities, in addition to malware signatures – it’s impossible to have signatures for all malware. A behaviour-based feature is invaluable because it defends against newly released viruses and zero-day threats even when the signatures are not available in its database. It’s especially pertinent when it comes to ransomware popping up new strings frequently. For example, a behaviour base antivirus can detect if a process is trying to encrypt multiple files, hence terminating the process quickly.
Antivirus must have an application control feature – It exerts essential, tighter control over end-user execution rights by restricting the installation of unauthorised software. Application control policies are necessary to stop ransomware from causing damage by:
Blocking unauthorised programs from making changes to system files and processes.
And by restricting the use of an encryption feature to whitelisted applications only. In some situations, there is a genuine need for the encryption process, hence allowing the whitelisted applications and services to use encryption and blocking all others.
We are a big fan of Trend Micro and Sophos Antivirus. These products have a low footprint on the system resources and tick all the boxes when it comes to defending against ransomware. Depending on the size and need of your business, you can choose between different product versions. For example:
Trend Micro Worry-Free For Business is ideal for small business
The Apex-One solution is a step up. It deals with medium and large enterprises as well as virtual desktop environments.
As a large company, on the server-side, you may want to try the Trend Micro Deep Security product.
Speak with our support team to get your no-obligation Antivirus configuration and policy check today. The iVersion ransomware experts go substantially further than others, and we do it without disrupting affordability.
Limiting File Access Rights – the 4th line of defence
Here are some eye-popping facts:
Ransomware malware needs write access to the files and folders for it to encrypt them.
With no write access, there’s no way it can modify the data.
Unaware business operators, SMB in particular, allow all users in their environment to have full access to network shares.
They fail to realise that it increases their exposure because compromised users enable the virus to encrypt a large amount of data.
Therefore, we advise, limiting write access to the network files and folders on a need-to-know basis. It’ll help prevent unauthorised data deletion and changes while containing the damage a ransomware virus can cause. In short, this simple step severely reduces the impact of a viral attack against your network.
Recovery Controls for Ransomware Attack – Plan for the worst to avoid the regrading
We tell all our clients to prepare for the worst while doing everything in their power to achieve the best. So, that said, are you ready to deal with a ransomware disaster?
Windows Shadow Copy – Version Control – the 5th line of defence
Windows Shadow Copy is one of the cheapest controls available to most users, even individuals working from home. There’s no cost associated with it if you have a professional or enterprise version of the Windows operating system. Yet, we see most of the businesses in Australia missing this control. Windows Shadow Copy on the computers and servers volumes makes your recovery effort fast and straightforward.
Microsoft Windows provides the ability to generate file versioning, and you can keep many previous versions of the files and folders.
We recommend at least 15 days of’ retention.
The file and folder versioning provides simple one-click access for end-users to restore the previous version if they accidentally delete or modify the file.
It also helps with the ransomware recovery effort. How? In case of a successful ransomware attack, the virus encrypts files, and the modification generates a new version for each encrypted file. If you have enabled Windows Shadow Copy, simply right-click on the file or folder and restore it to the previous version. Hence, you can undo the ransomware damage with a single click.
Backups – the 6th line of defence
Not having a regular backup is a recipe for disaster.
You should back up your critical data at least once daily because the disks and the storage units all of these are doomed to fail one day.
Backups are also crucial in restoring your data from a ransomware attack without paying the ransom to the attacker.
There are many backup products that you can use to generate an automatic daily backup of your system.
It’s essential to have an onsite and offsite backup. In rare incidents, we have seen the backup storage encrypted by ransomware on the same network. Therefore you must store a regular offsite backup copy in addition to your onsite backup copy. For example, you can store a copy of your backup in the low-cost cloud storage like AWS S3.
Incident Response Plan for Ransomware – the 7th line of defence
Be prepared and know how to act during and after an incident. Your incident response policy and procedures should be clear, and it must include:
Identifying the infection source
Isolating the infected machines
Restoring data
Identifying the Source
You can pinpoint the source of infection using the following:
Identify the endpoint – Most ransomware viruses encrypt the data on the local disk before the virus moves onto network shares.
For Network Share – Identify the last user who made changes to the file and the time stamp by checking infected file properties. Contaminated file properties should provide sufficient information for you to identify the source of the attack.
You can also obtain this information from your file auditing log system if you have one in place.
Isolate the Source
Disconnect both the affected users and the endpoints entirely from your network.
It may be worth temporarily shutting down the file servers that are running network shares during the remediation to avoid further damage. A few minutes, downtime is no big sacrifice while you are assessing and cleaning the malware. It’s far better than allowing a whole array of network-stored files and shares to be infected. It could result in many hours of downtime when you try to restore your data in the aftermath.
Folder size software is used to identify infected and modified files
Restore Data
Be prepared to restore all your critical data. Regularly check your backup system to ensure your backup jobs are running correctly and you can restore files from shadow copies and backups.
Don’t just start restoring data, first assess the damage, make sure the attack is off.
Restore only the damaged files and folders instead of everything. Your first choice for restoring files should be from Windows Shadow copy because it is quicker and more granular. As a last restore backup.
If you want to stay one step ahead of ransomware, use the do-it-yourself list above or call Australia’s leading ransomware consultant. For more information or quick complimentary ransomware, preparation check do not hesitate to contact us on 1800 864 868
