Two years ago my father called me in a panic. His nearly new HP computer was asking him for money whenever he launched his web browser. The ransomware was so aggressive that it had locked down access to all his files and folders. All he could do was launch his web browser. This was followed by a full-screen warning with instructions on how to pay the ransom. Luckily, he was meticulous in backing up his documents, because I had to wipe his drive and reinstall Windows.
This week, I want to take a look at specific ways IT and MSPs can help reduce the number of ransomware attacks on the networks they manage. End-users still need to use common sense when visiting risky websites. But there are specific ways in which you can configure your network that will go a long way towards reducing attacks.
ransomware: a type of malicious software designed to block access to a computer system until a sum of money is paid.
Ransomware has grown in popularity over the past decade, but its origins trace back to Russia. By 2013, security vendors such as McAfee had collected over 250,000 samples of known ransomware. For the experienced IT professional, ransomware is annoying, but can usually be removed. As instances of ransomware have increased in number and aggressiveness, they are causing major headaches for IT departments.
The FBI estimated that one piece of ransomware called CryptoLocker has extracted $3 million since security experts discovered it in 2013. A more recent example called CryptoWall has taken in over $18 million since hackers unleashed it on the public. Given the success of this ransomware, others are sure to follow.
Perform Regular Backups
I know backups are not specifically related to your network, but it’s always a great place to start. My father was in the habit of performing a weekly backup, and that backup saved his hide. MSPs can make sure backup protocols and procedures are followed and implemented properly. Here are a few things to check:
- What data is IT responsible for backing up?
- Can employees quickly restore their data?
- What data are employees on the hook to back up?
A few years ago, I learned the hard way that only my Microsoft Exchange mailbox and archives were being backed up by IT. When my laptop was stolen at an event, I lost a lot of work that I’d saved to My Documents assuming someone else was backing it up for me. I learned my lesson, and began saving documents to Dropbox instead and performing my own backups with an external drive.
Take the time to train new employees on the company’s backup policy, and reinforce it regularly with seasoned employees.
Ransomware often finds access to the network through the Remote Desktop Protocol (RDP). RDP is built into Windows PCs and allows other machines to access your desktop remotely. While this comes in handy if you need remote support, it’s one more hole thieves use to gain access to your network. It’s unlikely that every machine in the building needs RDP enabled, so disable the protocol on all machines that don’t need it.
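One way to act on the RDP advice above across a set of machines, as an added example that is not part of the original article. It assumes PowerShell remoting is enabled on the targets; the host names and the `$RdpAllowed`, `$Computers` and `$Enforce` variables are constructed placeholders.

```powershell
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets and this runs
# with administrative rights. Host names below are constructed placeholders.
$RdpAllowed = @('HELPDESK-01', 'JUMPBOX-01')              # machines that genuinely need RDP
$Computers  = @('HELPDESK-01', 'FRONTDESK-02', 'ACCT-03') # machines to audit
$Enforce    = $false                                      # $false = report only, change nothing

$report = foreach ($computer in $Computers) {
    $allowed = $RdpAllowed -contains $computer
    try {
        Invoke-Command -ComputerName $computer -ErrorAction Stop `
            -ArgumentList $allowed, $Enforce -ScriptBlock {
            param($Allowed, $Enforce)
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
            # fDenyTSConnections = 0 means the machine accepts RDP connections.
            $enabled = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections -eq 0
            $action = 'none'
            if ($enabled -and -not $Allowed) {
                $action = 'would disable'
                if ($Enforce) {
                    Set-ItemProperty -Path $key -Name fDenyTSConnections -Value 1
                    # The display group name is localized; 'Remote Desktop' is the English name.
                    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
                    $action = 'disabled'
                }
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; RdpEnabled = $enabled
                Allowed  = $Allowed;          Action     = $action
            }
        }
    } catch {
        # Unreachable hosts still appear in the report so they are not silently skipped.
        [pscustomobject]@{
            Computer = $computer; RdpEnabled = $null
            Allowed  = $allowed;  Action     = "unreachable: $($_.Exception.Message)"
        }
    }
}
$report | Select-Object Computer, RdpEnabled, Allowed, Action | Format-Table -AutoSize
```

Run it once with `$Enforce = $false` to review the report, then set it to `$true` to apply the change.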
Whitelisting Keeps Your Network Clean
Traditional anti-virus tools keep a list of known malware and block any known virus signature from gaining access to your network. But with the increase in the number of viruses, keeping your list up-to-date becomes almost impossible. Whitelisting takes a similar approach, but keeps track of only those applications and processes which have been authorized to run. CryptoLocker and CryptoWall are two examples that could have been prevented through the use of application whitelisting.
There are a number of products on the market to assist you when it comes to using whitelists. Smaller companies might consider compiling their own list if the number of applications and processes is manageable. If you’re supporting a larger enterprise, it would be wise to consider whitelisting software. This software comes pre-configured by professionals to combat the latest threats. Weigh the pros and cons before making a decision, and check out the Threat Stack blog for a review of both options. Although I found the article very helpful, keep in mind that Threat Stack sells whitelisting services.
You may want to ask users to exhibit patience while you fine-tune the whitelist. If an employee tries to run a program that’s safe but isn’t on the whitelist, they are going to be greeted with a warning message. Proper training and the ability for employees to easily add a program for whitelist consideration will help reduce this friction.
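A sketch of compiling your own whitelist and fine-tuning it before enforcement, as an added example that is not from the original article. It assumes Windows AppLocker as the whitelisting mechanism (the article names no product), an elevated prompt on a clean reference machine, and a hypothetical output path.

```powershell
# Assumptions: AppLocker is available, the Application Identity service (AppIDSvc)
# is running, and this is a clean reference machine. $PolicyPath is hypothetical.
$PolicyPath = 'C:\Temp\applocker-audit.xml'

# 1. Inventory the executables already installed in trusted locations.
$files = 'C:\Program Files', 'C:\Windows' | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe -ErrorAction SilentlyContinue
}

# 2. Build allow rules: publisher rules for signed files, file-hash rules as the fallback.
[xml]$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in audit mode so programs missing from the list are logged, not blocked.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyPath)

# 4. Apply the policy to the local machine, merging with any existing rules.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 5. During the tuning period, review what would have been blocked (event ID 8003)
#    and decide which of those programs belong on the whitelist.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, Message
```

Once the audit log stays quiet for normal work, switching `EnforcementMode` to `Enabled` turns the logged warnings into actual blocks.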
Deploy a Secure Antivirus Solution
While whitelisting continues to become a popular tool in fighting ransomware, it’s not a replacement for a good AV product. Nor should you abandon other security products you have in place. There’s been a lot of debate on whether antivirus software is still a viable protection option. Generally, antivirus developers need around 90 days to isolate a new virus variant and come up with a patch. In a world where there are hundreds of thousands of ransomware variants emerging per day, AV may be too slow to keep up.
Just like whitelisting, an antivirus solution is a complementary option for dealing with ransomware. Because the bad guys sometimes get around security software, a backup is usually the best way to make sure your data is protected.
Deploy a Solid Firewall on Your Network
IT and MSPs can deploy firewall services on-premise as well as at cloud service providers such as Azure and AWS. Most administrators swear by them. They are also effective in stopping DDoS attacks along with a number of other threats to your network. I’d recommend not just any cheap old firewall, but one built from the ground up to repel ransomware threats.
Firewalls are complex devices. They are only effective if configured properly. MSPs with expertise in this area can provide a valuable service to their clients in helping them understand their firewall options. Most legitimate makers of these devices will loan you one for a month. If you plan to deploy one in the cloud, check with your cloud provider to see if they have partnerships in place that can help you take one for a test drive.
When dealing with ransomware, it’s best to take a multi-pronged approach instead of searching for a silver bullet. Proper training, regular backups, using a quality AV, whitelisting and deploying a firewall will go a long way towards keeping threats at bay. It’s difficult to stay one step ahead of the crooks who develop this aggressive malware. It’s one thing when a virus resets your browser’s homepage. But it’s an entirely different beast when ransomware is holding your pictures or business plans hostage. Following these tips can help you stay ahead of the threats.
What tactics have helped you fight against ransomware on your network?