Ransomware, like Cryptolocker, Wannacry, CryptoWall, and others have not only cost organizations around the world billions of dollars, they have severely eroded user confidence in their IT team(s) and service provider(s). For the first time in history, there exists a threat which even the most robust protections seem to have no power to stop – unless, of course, you are protected by Amerihub.
When ransomware strikes, often via an email attachment or by visiting a corrupted website, it can be utterly catastrophic. Faster than many would believe, every single file which the “infected” user has writeable access to is encrypted and becomes unusable.
Once this happens a rather predictable cycle almost always begins:
- IT runs a virus scan
- This fails because ransomware isn’t a traditional “virus” and because, even if AntiVirus software detects and “cleans” the infected files, it cannot decrypt the encrypted files. To make matters worse AntiVirus may remove the “ransom” letter, which represents the only possible last resort (paying the ransom) when all other attempts fail.
- IT tries to restore files from Shadow Copies/Previous Versions
- This fails because most Ransomware overwrites Shadow Copies by default
- IT attempts to restore files from backup
- This often fails because many organizations store backup files on media accessible from the “infected” server (i.e external hard disks or NAS devices). When Ransomware strikes it will often chew through every attached filesystem which is writable by the compromised account. In such a scenario, disk-based backups generally become unusable.
- Even when an organization has remote backups (not reachable by Ransomware) the backups are usually incomplete and are untested. Most IT people are not trained in how to properly setup, manage, and to repeatedly test backups.
- IT lies to the stakeholders and users
- An IT person in a Ransomware situation will often lie to the business owner or users because they don’t want to admit that the protections and backups they put into place don’t work. Of course these lies inevitably come to light, eroding user and stakeholder confidence even more than data loss will.
- The ransom gets paid
- After all else fails, from antivirus, to backup restoration, and any other odd tricks IT tries to use to restore data, the end result is usually that the ransom gets paid. Even Police departments and government agencies have paid the ransom after exhausting every other possible avenue.
- Note: A significant number of ransom payment never result in data restoration. Often instructions are provided to send “money” to an anonymous Bitcoin address, after which the attackers are never heard from again.
How to protect yourself
Ransomware mitigation happens BEFORE an attack occurs, not afterward. Be VERY wary of any company telling you that they can decrypt your files for a fee. They almost certainly can’t (unless they pay the ransom) and they are almost certainly are lying. If anyone contacts you offering decryption services they are either taking you for a ride or they are simply charging you more than the ransom amount, so they can pay the ransom on your behalf (keeping a profit for themselves).
- Eliminate everyday use of accounts with admin permissions to computers, laptops, and servers. Even Sysadmins should only use accounts with admin rights for short periods of time, and only for specific purposes. If you are unsure of when admin accounts should be used, are unsure of how to validate admin account use, or if you are unsure of how to lock admin permissions down, email us.
- If an admin account becomes compromised by Ransomware the ENTIRE SYSTEM is at risk. Every server, every computer, every NAS device, could be encrypted and held ransom.
- Limit the write permissions of your users to ONLY the folders and files they need to work with.
- Just because you need to be able to read the contents of a folder doesn’t mean that you need to be able to write to the folder. In fact, most of the time, users have no need to write to a given directory at all. By limiting the scope of what a user can write or delete, you limit the impact of any infection which may occur within their user session. If you are unsure of how to identify what users need write vs read permissions to, or if you are unsure of how to implement these protections email us.
- Implement secure and robust offsite backups with a provider you can trust.
- Backup EVERYTHING you THINK you may need. Once data is lost, it’s too late to go back to tweak your backup plan. If you don’t know for sure what needs to be backed up to ensure that your ENTIRE system can be restored in the event of an attack or system failure call us. If you don’t have a trusted backup service provider, or if you are unsatisfied with the one you currently have, email us.
- Don’t just backup your server.
- Unless you are 100% certain (and this is rare) that your VIP users (Executives, department-heads, designers, engineers, physicians, etc.) are storing EVERYTHING on a server or cloud-service, you need to backup their computers. Period.
Don’t let this happen to you and your organization. Amerihub has proven systems and procedures in place for guarding against and recovering from Ransomware. Even if you have your own IT team and believe that you’ve “got it”, don’t hesitate to email info@amerihub.com to make sure you’re on the right track with a system protection provider who understands IT operations intimately (because we help to set the standard year after year).
