Ransomware Education: Tips, Tools & Tricks for the IT Manager
In a 2017 survey of more than 1,700 managed-service providers (MSPs), 86 percent said their clients had recently suffered a ransomware attack, and 99 percent predicted that attacks would worsen over the next two years. Now more than ever, it’s critical that IT managers have the fundamental ransomware education they need to fend off attacks.
In this article, we’ve compiled the most essential tips, technologies and protocols for lowering your risk of a disruptive infection.
1) Train employees what to look for. Most ransomware infections still begin with a person: somebody opens a spam email, clicks a bad link or opens a malicious attachment. Phishing emails can be very convincing, especially to an untrained eye, so train those eyes. Run an ongoing ransomware education program that teaches staff how to spot malicious emails, how to report them to IT, and how to practice safe Internet usage.
2) Use good anti-malware software. Obvious, right? But it’s worth repeating: strong anti-malware/antivirus protection across the organization is a first line of defense against ransomware and other cyberattacks. That said, there’s no guarantee the software will stop an infection: 94 percent of surveyed IT professionals said their clients were running antivirus software when they were successfully attacked. Compare options carefully, and prefer products that detect ransomware behavior (a process rapidly rewriting large numbers of files, for example) rather than only matching signatures of known strains, because new strains appear faster than signatures can be written.
3) Implement strong spam filters. Good spam filtering stops the vast majority of ransomware emails before they reach an inbox. You can filter at several points: the mail server, the email client, a firewall or gateway appliance, or add-on software. Filtering at the gateway, before mail reaches users, is preferable because it doesn’t depend on every endpoint being configured correctly.
4) Authenticate inbound emails. The more filtering, the better. The FBI’s Cyber Task Forces recommend authenticating inbound email with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to weed out bad messages and prevent email spoofing. SPF lets a domain publish which servers may send mail for it, DKIM lets the sending server sign each message, and DMARC ties both to the From: address users actually see and tells receivers what to do (nothing, quarantine or reject) when a message fails. Publish these records for your own domains as well, so attackers can’t spoof your company to your customers or to your own staff.
5) Filter executable files. Beyond suspected spam, scan inbound and outbound email for executable attachments. Exceptions for a few specific accounts are fine, but most users never need to send or receive executables by email. Filter on content, not just on file name: attackers rename .exe files, wrap them in .zip archives (often password-protected), or use script formats such as .js, .vbs and .hta and macro-enabled Office documents that Windows will happily run. A mail gateway that cannot inspect an attachment should quarantine it rather than pass it through.
6) Block known malicious IPs. Traffic from an IP address known for distributing malware or hosting command-and-control servers should be blocked at the perimeter. Configure your firewall to deny all access to and from those addresses; many firewalls update their blocklists automatically from threat-intelligence feeds, or you can add entries manually. Outbound blocking matters too: ransomware frequently fetches its payload or reports to attacker infrastructure after the initial click.
7) Patch and update constantly. The May 2017 WannaCry outbreak showed that thousands of companies were running embarrassingly out-of-date operating systems. WannaCry spread through a known vulnerability in Windows SMBv1 that Microsoft had patched two months earlier (MS17-010); machines with automatic Windows updates enabled were protected. But it’s not just operating systems. IT managers should patch all software and firmware used by the business as soon as updates become available, prioritizing anything exposed to the Internet or to email. A centralized patch management system helps streamline and automate patching across the organization, and lets you verify that a patch actually landed rather than assuming it did.
8) Set account privileges and access controls. Ransomware runs with the privileges of the user who launched it: it encrypts what that account can write on the local machine, then reaches out to every mapped drive and network share the account can write to. You can limit that spread by restricting account privileges. If the user can’t write to a folder, neither can ransomware running as that user. Apply the principle of least privilege: give each user access only to the data their job requires, make it read-only where possible, and restrict administrative access to the few who need it, using separate admin accounts that are never used for email or browsing.
9) Disable macro scripts in files sent via email. One bad attachment can take down the whole business. Phishing emails often carry Word documents, PDFs and spreadsheets labeled as “invoices,” “receipts” and other names that look authentic to staff, and the document itself is usually harmless until a macro or embedded script runs. Use Group Policy to block macros in Office files that arrived from the Internet, so staff can open such a document without ever seeing an “Enable Content” button. Attachment previewers, which render files without running active content like scripts and macros, let staff check the contents and authenticity of a suspicious attachment without fully opening it. Email clients like Outlook have preview options built in, and third-party previewers are also available.
10) Use software restriction policies and controls. IT managers should control which programs can run on local computers and how they are executed. Software Restriction Policies (SRP) on Windows, or their successor AppLocker, let you enforce an allowlist of approved software and deny everything else from executing. If you need looser restrictions, take a more granular approach. For example, the FBI recommends setting controls that “prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.” Roll rules out in audit mode first, so you can see what would have been blocked before you turn on enforcement.
11) Disable Windows Remote Desktop Protocol (RDP). Don’t need it? Disable it. In November 2017, businesses saw a flood of ransomware attacks that used RDP to break into machines one at a time and then lay the groundwork for an infection. Part of the problem was weak RDP passwords, which tools like NLBrute guessed easily. Stronger passwords are a start, but the better answer is to disable RDP on every machine and enable it only temporarily when remote access is needed. Where RDP must stay on, never expose it directly to the Internet: put it behind a VPN, restrict source addresses at the firewall, require Network Level Authentication, enforce account lockout after a few failed logons, and watch the logs for bursts of failed logons.
12) Categorize and separate data. This matters most for larger organizations with sprawling networks across multiple locations. Beyond the user access controls above, think strategically about how and where data is stored and accessed, and by whom. As the FBI Cyber Task Force advises, categorize data by organizational value and implement “physical and logical separation of networks and data for different organizational units.” If someone in your San Francisco marketing office unwittingly opens a ransomware-infected attachment, why should that touch the critical data your accounting team uses in New York? Segment the network and the storage so that an infection in one unit can’t reach the others’ data.
13) Back up your data. Backups don’t prevent an infection, but they are arguably the most critical item on this list, because they decide whether an attack is a bad day or the end of the business. If an attack succeeds, your only option is usually to restore from a backup taken before the infection. Two caveats: ransomware deliberately goes after any backups it can reach, so keep at least one copy offline, immutable, or on storage that user and server accounts cannot write to; and a backup you have never restored is not a backup, so test restores regularly and time them.
14) Consider backup technologies with built-in ransomware protection. Datto’s backup appliances include ransomware detection as an extra line of defense. The appliance looks for the footprint ransomware leaves in each backup (for example, large amounts of file content suddenly overwritten with random-looking, high-entropy data). When it detects one, administrators are notified immediately so they can roll back to the last clean recovery point and minimize the disruption. Detection in the backup layer doesn’t stop the infection on the endpoints, but it shortens the time between encryption and recovery, and it tells you which recovery point is clean.
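Items 4 and 5 are usually bought as features of a mail gateway, but the logic is worth seeing. The following is an added example written for this article, not code from the FBI, Invenio IT or any mail product. It parses an inbound message, checks DMARC alignment from the Authentication-Results header that the receiving mail server is assumed to have added (per RFC 8601), and looks for executable attachments by file signature rather than file name, descending into zip archives. The two sample messages are constructed, the organisational-domain shortcut (last two labels; a real gateway uses the Public Suffix List) is an approximation, and the DMARC policy is passed in as a parameter instead of being looked up in DNS.

```python
"""Inbound-mail triage: DMARC alignment check plus content-based executable
attachment detection. Added example for items 4 and 5; not code from the FBI,
Invenio IT or any mail product. Assumes the receiving MTA already recorded SPF/DKIM
verdicts in an Authentication-Results header (RFC 8601), relaxed alignment, and an
organisational domain approximated as the last two labels (real gateways use the
Public Suffix List)."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File signatures that identify executable content regardless of extension.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE (exe/dll/scr)", b"#!": "script with shebang"}
# Names Windows will execute directly or that carry macros/scripts.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                         ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".docm", ".xlsm"}

def org_domain(name: str) -> str:
    """Approximate organisational domain (assumption: last two labels)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dmarc_aligned(msg: EmailMessage) -> bool:
    """True if the From: domain aligns with a passing SPF or DKIM identity."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_dom = org_domain(match.group(1)) if match else ""
    auth = msg.get("Authentication-Results", "")
    spf = re.findall(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth)
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth)
    return bool(from_dom) and any(org_domain(d) == from_dom for d in spf + dkim)

def inspect_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return (name, reason) findings for one attachment, descending into zips."""
    findings = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append((name, f"extension {ext}"))
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append((name, f"magic bytes: {desc}"))
    if data.startswith(b"PK\x03\x04") and depth < 3:  # zip container, bounded nesting
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    try:
                        findings.extend(inspect_blob(member, zf.read(info), depth + 1))
                    except RuntimeError:  # password-protected member: cannot inspect
                        findings.append((member, "encrypted archive member"))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt zip container"))
    return findings

def triage(raw: bytes, dmarc_policy: str = "quarantine") -> dict:
    """Decide deliver/quarantine/reject for one raw message; dmarc_policy stands in
    for the p= value a gateway would look up in the sender's _dmarc TXT record."""
    msg = message_from_bytes(raw, policy=policy.default)
    aligned = dmarc_aligned(msg)
    execs = []
    for part in msg.iter_attachments():
        execs.extend(inspect_blob(part.get_filename() or "<unnamed>",
                                  part.get_payload(decode=True) or b""))
    if execs:
        verdict = "quarantine"
    elif not aligned and dmarc_policy in ("quarantine", "reject"):
        verdict = dmarc_policy
    else:
        verdict = "deliver"
    return {"dmarc_aligned": aligned, "executables": execs, "verdict": verdict}

def _sample(from_addr: str, auth: str, filename: str, payload: bytes) -> bytes:
    # Constructed test message, not a real capture.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "ap@acme-corp.example", "Invoice"
    msg["Authentication-Results"] = auth  # in production, written by your own MTA
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

LEGIT = _sample(
    "billing@acme-corp.example",
    "mx.acme-corp.example; spf=pass smtp.mailfrom=billing@acme-corp.example; "
    "dkim=pass (2048-bit key) header.d=acme-corp.example header.b=k3yS1g",
    "invoice.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n")
# Spoofed From:, SPF passing only for the attacker's bounce domain, PE renamed to .pdf in a zip.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 64)
PHISH = _sample(
    '"Acme Billing" <billing@acme-corp.example>',
    "mx.acme-corp.example; spf=pass smtp.mailfrom=bounce@mail-delivery.example; dkim=none",
    "invoice.zip", _buf.getvalue())

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, triage(raw))
```

The phishing sample passes SPF, because SPF only checks the envelope sender, which the attacker controls; it still fails because DMARC alignment compares the From: header your users see against the domain that actually passed. Its attachment is flagged although it is named invoice.pdf, because the check reads the first bytes of the file. A password-protected archive is reported as uninspectable rather than clean, which is the right default. A production gateway should also cap how much it is willing to inflate from an archive, since the sizes recorded in a zip directory can be lied about.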
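What looking for a ransomware footprint (item 14) amounts to, as an added example; this is not Datto’s detection logic or any product’s code. It compares two backup snapshots, here in-memory dictionaries of path to content constructed for the example, and counts files rewritten from ordinary to high-entropy content, files that vanished and reappeared with an extra extension, and new files with ransom-note-like names. The entropy and churn thresholds and the note-name hints are illustrative assumptions, not tuned values.

```python
"""Ransomware-footprint heuristic between two backup snapshots.
Added example for item 14; not Datto's or any vendor's detection logic.
Assumptions: a snapshot is a dict of path -> file bytes (constructed in memory
below, not read from a volume); 'looks encrypted' means Shannon entropy near
8 bits/byte; thresholds and ransom-note name hints are illustrative."""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits/byte; compressed media also lives up here, which
                          # is why the check is on *changes* between snapshots
CHURN_THRESHOLD = 0.30    # fraction of the tree turned to ciphertext in one run
NOTE_HINTS = ("decrypt", "restore", "readme", "recover", "how_to")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyse_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots and flag a mass-encryption footprint.
    Signals: same path rewritten from low to high entropy; original gone and a
    high-entropy file whose name extends it appeared (report.docx ->
    report.docx.locked); new low-entropy files with ransom-note-like names."""
    deleted = [p for p in before if p not in after]
    in_place = renamed = 0
    notes, new_exts = [], Counter()
    for path, data in after.items():
        old = before.get(path)
        if old is not None:
            if data != old and shannon_entropy(old) < ENTROPY_THRESHOLD <= shannon_entropy(data):
                in_place += 1
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            if any(path.startswith(gone) for gone in deleted):
                renamed += 1
                new_exts[_ext(path)] += 1
        elif any(hint in path.lower() for hint in NOTE_HINTS):
            notes.append(path)
    encrypted = in_place + renamed
    churn = encrypted / max(len(before), 1)
    return {
        "encrypted_in_place": in_place,
        "encrypted_renamed": renamed,
        "ransom_notes": notes,
        "churn": round(churn, 2),
        "dominant_new_extension": new_exts.most_common(1)[0][0] if new_exts else None,
        "alert": churn >= CHURN_THRESHOLD or (bool(notes) and encrypted > 0),
    }

# --- constructed sample snapshots (not real backup data) ---
_rng = random.Random(2024)

def _text(label: str) -> bytes:
    return "\n".join(f"{label} line {i}: quarterly figures and notes" for i in range(40)).encode()

def _noise(n: int = 2048) -> bytes:
    """Stand-in for ciphertext or compressed media: uniformly random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

DOCS = ["finance/q1-report.docx", "finance/q2-report.docx", "finance/budget.xlsx",
        "hr/handbook.docx", "hr/contracts.docx", "sales/pipeline.xlsx",
        "sales/pricing.docx", "ops/runbook.docx"]
SNAPSHOT_BEFORE = {p: _text(p) for p in DOCS}
SNAPSHOT_BEFORE["marketing/holiday.jpg"] = _noise()  # legitimately high entropy
SNAPSHOT_BEFORE["marketing/logo.png"] = _noise()

# A normal day: one document edited, one added.
SNAPSHOT_NORMAL = dict(SNAPSHOT_BEFORE)
SNAPSHOT_NORMAL["ops/runbook.docx"] = _text("ops/runbook.docx v2")
SNAPSHOT_NORMAL["finance/q3-report.docx"] = _text("finance/q3-report.docx")

# Ransomware ran: seven documents replaced by .locked blobs, a note dropped,
# the runbook edited legitimately in the same window, media untouched.
SNAPSHOT_ATTACKED = dict(SNAPSHOT_BEFORE)
for _p in DOCS[:7]:
    del SNAPSHOT_ATTACKED[_p]
    SNAPSHOT_ATTACKED[_p + ".locked"] = _noise()
SNAPSHOT_ATTACKED["ops/runbook.docx"] = _text("ops/runbook.docx v2")
SNAPSHOT_ATTACKED["finance/README_DECRYPT.txt"] = b"Your files are encrypted. Pay to restore them.\n"

if __name__ == "__main__":
    print("normal:  ", analyse_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_NORMAL))
    print("attacked:", analyse_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_ATTACKED))
```

Compressed media already sits near 8 bits per byte, which is why the heuristic looks at changes between snapshots rather than at absolute entropy: the untouched .jpg and .png in the sample never count, and neither does the legitimately edited runbook. A backup appliance would run this over each new snapshot and alert when churn crosses the threshold, which also tells the administrator that the previous recovery point is the clean one.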
If you’ve been infected with ransomware, there are still steps you can take to limit the impact. Here’s how to contain the infection and regain control before things turn catastrophic.
1) Isolate the infected machine. Take the infected computer off the network immediately (pull the cable, disable Wi-Fi) to stop the infection spreading to other machines. Some companies now include this step in their employee ransomware education: if ransomware becomes evident on a user’s computer, they are told to disconnect the network cable themselves, at once, and then call IT. Not a bad idea. Prefer disconnecting over powering off where you can: volatile memory can hold evidence, and occasionally the encryption key, that a responder can use.
2) Isolate or shut down unaffected or partially infected devices. When in doubt, shut it all down. A network-wide shutdown will significantly disrupt operations, but it can drastically shorten the overall length of the disruption. Powering down machines that haven’t yet been fully encrypted buys time to contain the damage and recover data before things get worse. Particularly on large networks, you need to know where the infection has spread before you restore from backup; otherwise the restored data can be encrypted all over again by a machine you missed.
3) Delete registry values and files. With affected machines isolated, identify the registry keys and values, scheduled tasks and startup entries the malware created or modified so that it relaunches at logon, and remove them so the program cannot execute again. Be clear about what this achieves: it stops the ransomware from running, it does not decrypt anything, and it is easy to miss a persistence entry. For anything beyond a single well-understood machine, wiping and reimaging from a known-good build is safer than cleaning.
4) Give the FBI a call. Yes, really. For reporting purposes alone, businesses are strongly advised to contact the authorities (ideally your local FBI field office) about every ransomware attack, even one you have already resolved. The FBI also stresses that law enforcement may have tools to unlock encrypted data, or keys recovered in earlier investigations, that are unavailable to most organizations. Keep a copy of the ransom note and a sample of an encrypted file; both help identify the strain.
REMOVAL & RECOVERY
1) Restore a backup from before the infection occurred. Once you’ve identified exactly where and when the infection started, it’s time to get your data back. Choose a clean recovery point from before the attack, bearing in mind that the attacker may have been inside the network for days before the encryption began, so the last recovery point before encryption isn’t necessarily clean. Restore onto machines that have been wiped or rebuilt, scan the restored data, and only then reconnect them. Restoring data onto a still-infected machine just gets it encrypted again.
2) Change all passwords. As an added safety measure, all account and system passwords should be changed at least once during the mitigation and recovery process, if feasible. The FBI’s experts advise: “Change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.” Start with administrative and service accounts and any credentials that were stored or typed on the infected machines, and make the changes from a machine you know is clean.
Ransomware education + the right tech = total business continuity
Don’t let ransomware disrupt your business. Contact Invenio IT today for more information on deploying today’s best data backup and disaster recovery solutions. Call our business continuity experts at (646) 395-1170, email [email protected], or request a free demo.