Ransomware – Prevention & Recovery

Ransomware

Ransomware attacks are on the rise.  If you, or someone you know, have been hit, then you know the sinking feeling that comes with having your personal or business data held hostage, and the feeling of helplessness that comes with the realization that you are at the mercy of criminals who are telling you to pay up or lose everything.  Take heart!  In this post, I will explain how you can prevent becoming a victim of ransomware, and I will give you resources you can use to potentially regain access to your system if you happen to get hit.

The old adage “an ounce of prevention is worth a pound of cure” is as true today as it ever was.  Your cyber security program’s focus needs to be heavily weighted toward prevention and preparation.

Prevention

Put effective Perimeter Defenses in place to fend off attacks at the edge of your network instead of fighting that battle on the endpoints on the inside.  This is an essential part of the Defense in Depth model, where we layer defenses like an onion so the most sensitive and important systems, apps, and data are protected by multiple layers.  Your perimeter defenses should include a high-quality firewall that incorporates threat detection for attacks and malware, DBL blocking, and content filtering for web and email traffic.

If your budget permits, include Next Generation features like endpoint-firewall synchronization, and real-time threat feeds that help the firewall stop attacks observed by other customers’ systems.  You are far better off if you can find and stop threats before they enter your network.

Having a Patch Management program is essential.  Vulnerabilities in software are a consistent target for hackers and malware, so making regular patching an essential part of your cyber security program will dramatically reduce the likelihood of an intrusion or breach.  The vast majority of web-based attacks against client software, and a lot of the payloads included in email phishing attacks, take advantage of missing patches.

Security Awareness training for your staff is one of the best investments in security your organization can make.  When you have well-trained employees who know what to look for, and who have a healthy awareness of the threats, the positive impact on security is immense.  By providing regularly scheduled cyber security awareness training for your employees, you empower them to be your eyes and ears, like human firewalls and intrusion detection sensors throughout your organization.

In my 20 years of on-the-job experience as an IT professional and as a Cyber Security engineer and manager, few things have had the kind of major positive impact on overall security posture as implementing and maintaining Superior Endpoint Protection; it is just as critical as your firm’s perimeter defenses.

Year after year we see reports on intrusions and breaches where patient zero is a compromised endpoint that is then used as an initial base of operations for expanding the attacker’s footprint within the victim organization.

Legion Cyberworks partners with Sophos to provide superior protection against all forms of malware, including ransomware and a host of other threats and exploits.  Sophos has a revolutionary security product called Intercept X that incorporates CryptoGuard to prevent ransomware from being able to encrypt your data.  Intercept X also includes protection against a variety of other threats and exploits, such as attacks against Adobe Flash, Java, and others which are common vectors for drive-by attacks online, and Intercept X includes a powerful virus cleaner, Sophos Clean, which completely cleans up all traces of malware, like it never even happened.  Head on over to our Sophos page for more information.  You can sign up for a free trial of Intercept X and be up and running with the absolute best in malware detection and defense in a matter of minutes.

Preparation

Segregation and compartmentalization of systems, data, and personnel go a very long way toward being prepared for an intrusion or breach.  This can literally mean the difference between a minor problem and a business disaster.  When an intrusion or security incident happens, the cyber security team must be able to Identify, Contain, and Eradicate the threat.  Segregation and compartmentalization make the work of containment much easier.

Think about it like this – if the edge of your network resembles an egg where the outer shell is hard (firewalls, IPS, few open ports, WAF, etc.) but your internal network is like the yolk (no segregation or compartmentalization, flat, open, etc.) then all the attacker has to do is compromise an endpoint and he’s going to have access to everything pretty quickly.
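To make the egg-versus-onion point concrete, here is a small blast-radius calculator added for this post (it is not code from Legion Cyberworks or Sophos).  It takes a constructed inventory of hosts and segments, plus a set of segment-to-segment allow rules, and walks outward from one compromised host the way an intruder would pivot, counting what ends up reachable.  The host names, segment names, and policies are all made-up sample data; with no policy (a flat network) every host is reachable from a single laptop, while with the sample segmented policy the same laptop reaches only its neighbors and one file server.

```python
"""
Blast-radius model: how far can an intruder get from one compromised host?
Added example for this post, not code from the original or from any vendor.
Hosts, segments, and policies below are constructed sample data.
"""
from collections import deque

# Constructed inventory: host name -> network segment it lives in
HOSTS = {
    "laptop-01": "users",
    "laptop-02": "users",
    "hr-file-srv": "servers",
    "erp-db": "restricted",
    "dc-01": "restricted",
    "jump-01": "admin",
    "backup-srv": "backup",
}

# A flat network has no internal enforcement at all.
FLAT_POLICY = None

# Segmented policy: (source segment, destination segment) pairs that may
# initiate connections. Note the backup segment *pulls* from servers, so
# nothing on the server or user side can initiate toward backup-srv.
SEGMENTED_POLICY = {
    ("users", "servers"),
    ("admin", "servers"),
    ("admin", "restricted"),
    ("backup", "servers"),
    ("backup", "restricted"),
}


def can_reach(src, dst, policy, hosts=HOSTS):
    """True if `policy` lets a connection initiated at src reach dst."""
    if src == dst:
        return False
    s, d = hosts[src], hosts[dst]
    if policy is None:          # flat network: everything talks to everything
        return True
    # Traffic inside one segment is assumed allowed; across segments it needs a rule.
    return s == d or (s, d) in policy


def blast_radius(start, policy, hosts=HOSTS):
    """Set of hosts an attacker holding `start` can eventually reach,
    pivoting through every host already compromised (breadth-first search)."""
    reached = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for h in hosts:
            if h not in reached and can_reach(cur, h, policy, hosts):
                reached.add(h)
                queue.append(h)
    reached.discard(start)
    return reached


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        r = blast_radius("laptop-01", policy)
        print(f"{name:10s} from laptop-01: {len(r)}/{len(HOSTS) - 1} hosts -> {sorted(r)}")
```

Run it against your own inventory and rules to see which single compromise exposes the most systems; that list is your segmentation to-do list.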

Another essential component of your Preparation plan has to be regular off-site backups.  Disasters happen and we need to be prepared by making sure our business critical data is regularly backed up and stored off-site in a way that prevents it from being corrupted or lost in a disaster.  There are plenty of cases where firms have backups running every day, but they go to an internal network share or to a USB hard drive attached to one or more endpoints or a server, and they get hit by ransomware which not only encrypts the data on the servers and endpoints, but also on the network shares and the USB-attached backup drives.  Backups have to be stored off-host and off-site.

Taking the time to plan ahead for a disaster can mean the difference between chaos when a disaster strikes and having your stuff together and being able to survive through it.  The absolute worst time to start preparing for a disaster is during one.  Take some time to line up key contacts so that you know who to call for cyber security help in the event of a malware attack or an intrusion, develop a relationship with your local FBI Cyber team, and make sure you have an attorney you trust who is well versed in cyber issues, whom you can call for counsel.  You should also create an emergency contact list of key personnel who understand your disaster preparedness plan.  Holding tabletop exercises at least annually is also a great way to make sure everyone on your emergency contact list knows their role, and these exercises can point out holes in the plan which you can fix ahead of time, which is even better!

Recovery

Recovering from a ransomware attack usually involves rebuilding systems and recovering data from clean backups.  There are some exceptions, but for the most part, decrypting your data isn’t going to be an option.  You could consider paying the ransom but that’s going to embolden the hackers and they may not provide you with the decryption key anyway.

Once recovery efforts are underway or completed, it’s a good time to evaluate your Information Security Program and identify gaps that may have contributed to the incident.  Those gaps should be prioritized and addressed in order of importance and risk.