Definition of ransomware according to Wikipedia: “Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.”
Manage and Report Active Directory, Exchange and Microsoft 365 with ManageEngine ADManager Plus. Download Free Trial!
Computers usually get infected with the links in email emails or messages on social networks. Attacks are usually carried out using a trojan file, which is disguised as a legitimate file, like for example PDF, spreadsheet or text document. Once the file is opened a computer gets infected. WannaCry worm was the first high profile ransomware virus that automatically spread between computers without user interaction. With the popularity of cryptocurrencies, attackers can be paid anonymously, and with the damage, crypto viruses can cause prevalence of such attacks rose exponentially.
Use a reliable product and test backups
You can use a backup product for years. But when the worst happens, and it will. How do you know that you can recover? Have you tried to restore your backups? Maybe once? Testing backups is hard as it takes a lot of time admins don’t have in this fast-paced world. For example, Nakivo Backup and Replication can do this time-consuming process for you automatically. It can test backup restores, and it can send you a screenshot once the backup is restored all in an isolated environment. That way, you know that every day, data from the backup can be recovered.
How does ransomware encrypt backups?
There are many ways ransomware can infect a system. The most popular are email attachments, malicious links, drive-by downloads, RDP exploits, hacked MSP tools, and other means can quickly infect computers protected by anti-virus systems. Once computer is infected, the malware starts encrypting write-accessible devices such as external drives, NAS devices, file shares, NFS shares, and locally installed cloud services.
The starting point to prevent some infection via email and social websites is to use a anti-spam server protecting all the users from spam and the use of a Proxy or NGFW to protect users browsing the internet.
Spreading through the network
Many business use file shares on the servers or NAS devices for backup repository. They are either manually copying file or use a backup program to automate backups to a file server. Most ransomware variants are built to spread as fast as possible to a variety of devices by exploiting several protocols they have not in the past. External drives, Network shares, File servers, they all get encrypted eventually.
Network segmentation is an essential security hygiene. You can prevent or at least slow down the infection if the network is segmented.
Isolate backups credentials
Usually, administrators use the same domain admin credentials for their server access and their backups. So when the infection starts spreading, it can easily encrypt the backup as well. If you use different credentials for the backup and repository, you can prevent ransomware from spreading to the backups.
If you use your NAS as a storage repository like a CIFS file share, malware can quickly spread to all the shares it can access. But, if you use your Synology as a backup appliance rather than a CIFS share, malware does not have access to the data. That way your backup won’t get infected. You can install Nakivo Backup and Replication on most NAS devices and create a low-cost backup appliance. As a low-cost alternative, you can install Nakivo Backup and Replication on a Raspberry PI, and have a low-cost backup appliance.
Copy backups to an external medium and store it offline
You can use external hard drives or Tapes which are moved to a safe place after the backup is completed. For example, they can be moved to a fireproof vault, a bank or company office in another location. By having medium offline, your data will be kept safe in case the worst happens.
Watch out for Cloud storage it may not be safe
Many Cloud Backup services such as Carbonite or Amazon S3 allow users to mount cloud storage as local drives attached to the computer. Some SMBs also use Google Drive and One Drive for the backup. Users can then browse the data just like a regular C or D drive. Malware can easily encrypt data on cloud storage without the user knowing. Once the user needs to restore a backup, it is too late. Using Cloud services that support APIs can increase the security of data stored in the cloud. In addition, if you use Nakivo Backup and Replication, you can backup and replicate data offsite or directly to the AWS Cloud.
Keep up to date with security patches and Anti-virus
Ransomware uses security holes in the operating system to spread in the network fast. Sometimes it is difficult to update the operating system as updates, can break the application that is running on the server. Some administrators instead not patch the OS so that they don’t have to deal with angry users. If you keep your system up to date with security patches, you can prevent malware from spreading. Besides, you should also update Anti-virus clients. Even though admins are entitled to updates, they rather postpone client updates. New versions can improve detection and protection so, having the last version is recommended.
Having a proper backup strategy is now more critical than ever. Some companies went out of business because of ransomware. Even if you have to best anti-virus protection, there is a chance that a new type of ransomware gets into the wild that will hide from anti-virus protection. When that happens, the only right protection is a robust backup solution with a proper backup strategy. Do you know how much time you need to restore all your data? Do you know how much data will be gone from the time your company goes dark? Do you see the value of your data? Where will you recover if ransomware hits you?
Leave a Reply