News of ransomware attacks is everywhere. Online. On the news. In newspapers. On the radio. It’s hitting companies, cities, airports, and even churches! No entity with computers is immune.
Imagine showing up at your church and finding all of your computer systems unusable. Yes – even the computer that is used to show PowerPoint during the sermon and the computer that plays audio. Oh, and all of your accounting data is unusable, too. And the computer that you store your sermons on in Microsoft Word. Does this sound like a nightmare?
What is ransomware?
Basically, ransomware is malicious software that encrypts your computer and/or data, making the files unreadable … unless you pay the attackers’ ransom. If you pay the ransom, they (theoretically) provide you with a key to decrypt the files. I say theoretically because there is no guarantee that the key will work … or even that they will provide it after you pay. And it’s not like you can go to the local Better Business Bureau and report them if they don’t!
Ransomware has been around in some form since the 1980s. (Back then, ransom payments were sent through postal mail.) Ransomware has gotten much more complex and malicious over the years. As there are large sums of money to be made from these ransoms, more attackers have moved into developing this type of software.
How do I get ransomware?
There are different ways that ransomware can infect your computer. One of the most common is through malicious email. The email might have a malicious attachment, such as a PDF or Word document. It also may contain a link to a malicious website.
Another popular infection vector is malvertising. This is where online ads are used to distribute malware with little or no user interaction.
There are many other methods too. Too numerous to name. And once one system gets infected, some variants of ransomware spread across the network. Typically they will search for unpatched systems or try to connect over Remote Desktop to infect other systems.
Yes – ransomware is REALLY bad!
Steps to help prevent ransomware and limit the impact
First, there is no 100% protection from ransomware, but following these steps will help to lower the risk of being infected and limit the impact.
1 ) Maintain backups
Back up your data! And especially back up your important data! Hopefully you already do this, but it is important to have backup copies of data should your systems be compromised by ransomware.
But, backups alone aren’t enough. Consider this scenario: Your PC is infected with ransomware and you have your backups on a USB drive that is connected to that PC. Well, chances are those backups are useless as they’re likely encrypted with the ransomware. That’s why it is recommended that your backups should be protected and stored offline or out-of-band, so they can’t be targeted by attackers. Using cloud services could also help to mitigate ransomware infection, as many retain previous versions of files allowing you to roll back to an unencrypted version. Be sure to test your backups regularly too. You don’t want to learn that they don’t work when you need them most.
There are documented cases of companies going out of business because their systems AND BACKUPS all were infected with ransomware. In this case, all your data is gone. If you have backups of your data, you can at least rebuild.
2 ) Keep systems up-to-date
Make sure that ALL of your organization’s operating systems, applications, and software are updated regularly. Vendors put out patches for a reason and that reason is because there are vulnerabilities that can be attacked. Some variants of ransomware are designed to attack these vulnerabilities and spread to other systems that have similar vulnerabilities. Applying the latest patches will help close these security gaps. Where possible, turn on automatic updates so you’ll receive the latest patches…but also verify that they are being applied.
Don’t forget your router and devices such as tablets and phones. Vendors issue patches for these also.
3 ) Secure your systems
Ensure that your systems are configured with security in mind. Here are some ways:
- Change default passwords on devices.
- Disable un-needed services. Many ransomware variants take advantage of Remote Desktop Protocol (RDP) port 3389 and Server Message Block (SMB) port 445. Consider whether you need to leave these ports open, and consider limiting connections to trusted hosts.
- Run antivirus software with real-time protection and keep it updated.
- Run a firewall such as Windows Firewall on your system.
- Use strong passwords.
- Disable unneeded user accounts.
- Disable guest accounts.
- Lock your PC’s screen when you step away.
- Only download software from secure sources.
- Use email services that provide threat protection filters. While nothing is 100%, this is an additional layer of the security onion.
- Look into services such as Cisco Umbrella: https://umbrella.cisco.com/. Umbrella provides protection for your systems at the DNS-layer.
- Limit user rights on systems. If a user doesn’t need Administrative rights, don’t give them Administrative access. In some cases, malicious software needs Admin rights to spread.
- Physically secure devices that you own or manage so that people can’t just walk up to them and plug devices into them.
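To turn the checklist above into something you can actually run on each Windows PC, here is an added read-only audit script; it is my example, not code from the original post. It assumes a Windows 10/11 or Server 2016+ host with the NetSecurity and SmbShare modules, and $TrustedNet is a placeholder for your own management subnet.

```powershell
# Audit of the "Secure your systems" items on one Windows host. Read-only:
# it reports findings and changes nothing. Run from an elevated PowerShell.
# Assumed: Windows 10/11 or Server 2016+ with NetSecurity and SmbShare modules.
$TrustedNet = '192.168.10.0/24'   # placeholder: your trusted management subnet
$findings = @()

# RDP (TCP 3389): fDenyTSConnections 0 = remote connections allowed, 1 = denied.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty $tsKey).fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled; disable it or restrict inbound 3389 to trusted hosts.'
}

# SMB (TCP 445): SMBv1 is the legacy dialect abused by self-spreading ransomware.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled; disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false.'
}

# Which of the two ports is actually listening right now?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 3389, 445 } |
    ForEach-Object { $findings += "Port $($_.LocalPort) is listening on $($_.LocalAddress)." }

# Windows Firewall must be on for every profile (Domain, Private, Public).
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { $findings += "Windows Firewall is OFF for the $($_.Name) profile." }

# Guest account should be disabled.
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -eq 'Guest' } |
    ForEach-Object { $findings += 'The built-in Guest account is enabled.' }

# Limit user rights: list who holds local Administrators membership.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += "Local Administrators: $($admins -join ', ')"

# Any enabled inbound allow rule for 3389 that is not scoped to the trusted subnet.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -notcontains $TrustedNet } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $findings += "Rule '$($_.DisplayName)' allows RDP from: $remote"
    }

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
$findings | ForEach-Object { Write-Output $_ }
```

A rule whose RemoteAddress shows "Any" is open to the whole network; rescoping it to $TrustedNet is the "limit connections to trusted hosts" step from the list.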
4 ) Security Awareness Training
This is a key to stopping ransomware attacks. Make sure that all users of your systems can spot email attacks such as phishing. Ransomware can initially infect an organization through email, then use other mechanisms to spread.
5 ) Use security settings in your router
Harden your router’s security.
- Change the default password.
- Use strong passwords.
- Use encrypted wifi.
- Upgrade the firmware on it.
- Turn on automatic updates.
- Enable the router firewall.
- Enable the intrusion detection system if it has one.
- Turn off features that you don’t use.
- Separate guest networks from your internal systems. If you put your guests and internal systems on the same network, it is possible that an infection on their system could spread to your internal systems.
6 ) Develop an Incident Response Plan
Unfortunately, you could take all the security steps detailed and still get hit by ransomware. A user could get tricked into opening a malicious file that isn’t detected by antivirus software, and it encrypts the system. You’ll want to develop a response plan to deal with the issue.
Pro tip: One of the first things you want to do when you find out a system is infected with ransomware is to take it off of the network so that it can’t spread and infect other systems.
In closing, I’ve provided quite a few recommendations above. This illustrates the fact that with IT security, you want to layer defenses. Unfortunately, there is no single product or service that you can buy to keep a system safe … so you build a defense-in-depth architecture that makes it harder for attackers to compromise your systems, as they have to defeat many mechanisms and not just 1 or 2.