In the past year, ransomware has frequently made the headlines, with Locky, the most prevalent strain, hitting 90,000 victims a day, according to security software firm Webroot.
Whilst ransomware has been around for some time, its popularity and use appears to be spreading at a record pace, as cyber-criminals now actively use ransomware to hold businesses, institutions and even individuals hostage. According to a survey of senior level staff at 165 varying organisations, conducted by Osterman Research, almost one out of every two participants indicated their organisation had suffered at least one ransomware attack in the past 12 months.
Ransomware is a form of malware that encrypts data and holds it for ransom until users pay hackers a demanded fee, and as data serves as the lifeblood of business, the threat of ransomware is now challenging the safety of this data.
A resurgence of old and new variants of viruses have been making appearances, in particular CryptoLocker and Locky, the latter demanding between 0.5 and 1 Bitcoin (around £500) to unlock files. Unfortunately, it seems that despite the security defences organisations have in place, the ransomware landscape is evolving and growing in sophistication to evade these defences.
With ransomware attacks now a daily occurrence, it is essential that businesses protect themselves to ensure they maintain normal operations and avoid a costly breach of information. Whilst many businesses will manage their own IT systems, others rely on outsourced IT support. For MSPs ransomware has become a burgeoning threat to their clients, and in the event of an attack, the MSP is ultimately the one who will be held responsible.
If you're an MSP, it's highly likely that despite warnings to clients about unsafe links and phishing emails, they will have been infected by some form of ransomware in the last year. According to Datto which surveyed more than 1,100 managed service providers (MSPs), 77 percent of respondents reported that ransomware made it through their clients' email/spam filters.
Ransomware requires a multi-pronged approach and this involves a systematic management process. The key focus is to avoid infection altogether, but being able to recover in the event of an attack is equally crucial. Once infected with ransomware, there is little that can be done except for retrieving the data from a well maintained backup system, so it's imperative that organisations – and their MSPs – put the necessary procedures in place to avoid a potential attack.
Below are seven steps to protect against ransomware:
Mail protection service
Whether you are an MSP, IT helpdesk or a member of the IT/security team within an organisation, the first action should be to set inbound emails to be scanned for known threats. You should also block any attachment types that could pose a threat. Ransomware can masquerade as any type of file. You will want to avoid opening suspicious files and setup MX records to your mail protection service only.
Web filtering service
Web filtering should be offered through a proven security-as-a-service (SecaaS) gateway and include:
URL protection to block connections to phishing and other malicious sites and prevent infections and credential/login compromises.
Antivirus to reduce the risk of malware infections or the need for time-consuming clean-up.
Advanced threat protection to provide protection from zero-day threats and highly evasive malware through a combination of next-generation Cloud Sandbox Array technology and big data analytics.
The next key step is to configure the Firewall Appliance. Ensure that you allow inbound mail and web traffic from the mail and web filtering servers only. Avoid allowing external attempts to send mails or traffic using telnet (SMTP). Lastly, enable IDS or IPS modules. They can detect and prevent the communication attempts that the malware uses to create the public and private encryption keys required to encrypt the data.
It should go without saying, but always keep antivirus protection up-to-date. Update your antivirus product and its signatures regularly. If you are not already doing so, run system scans on a daily basis. This is best performed out of working hours to avoid load on the end-user system. It is highly recommended that you have in place an alerting system that will notify you of antivirus clients that are not up to date so you can immediately resolve the problem.
It is crucial to back up your data to minimise the potential impact of a ransomware infection. This is your only guaranteed recourse if an attack does penetrate one of your or your customers' networks. Ideally this should include a disaster recovery capability to enable quick recovery times. If you are going for a standard backup solution, select important and useful data, such as: Drive C / D and backup the system state including:
– System registry – a database every Windows operating system needs to keep track of information about users, hardware, and software.
– COM + database – is an extension of Component Object Model (COM), a building block approach for developing application programs.– Certificate Services - a trusted entity that issues electronic documents that verify a digital entity's identity on the internet.
– Active directory - a database that keeps track of user accounts and passwords within an organisation in one protected location.
– SysVol - is a folder which resides on each and every domain controller within the domain.
– IIS metabase – This is a plaintext, XML data store that contains most IIS configuration information.
Use archiving capabilities to gain retention for more than 30 days – you can hold a snapshot of a specific backup session for an unlimited amount of time.
Operating system / domain environment
Keeping the operating system and domain environment secure is a key strategy against ransomware infection. Patch and update your system. Using an automated patch management system is recommended.
Disable Remote Desktop Protocol (RDP) - the protocol which provides a user with a graphical interface to connect to another computer over a network connection - where the RDP isn't required. The malware can also spread via RDP ports that have been left open.
Limit end-user access to mapped drives. The ransomware will recognise available workstations in the network and will infect them instantly. Restricting the user permissions for the share or the underlying file system of a mapped drive will provide limits to what the threat has the ability to encrypt.
Lastly, educating users about the proper handling of unknown or suspicious files is crucial. This is probably already part of your IT security and access policy but it may be worth considering a communication or training remediation in the light of new threats.
With monetary motivation, the onslaught of these attacks will likely continue to gain momentum and businesses should be prepared for the increasing probability that they will be subjected to a ransomware attack. Ransomware is a lucrative business for cyber-criminals, so ensuring you have the right security measures in place to thwart attacks will certainly help to prevent losing business critical data.
MSPs can deliver services around everything from email provision, to backup and business recovery, remote monitoring and management (RMM), professional services automation (PSA) and business analytics, which in turn, means they should have all the necessary tools to manage organisations' web security headaches and tackle ransomware before it tackles them.
Contributed by Gil Pekelman, CEO, Atera