You’ve seen the headlines of how businesses were harmed by ransomware. Ransomware depends on encryption; there is a public key and a private key. Unless you have the private key, you can’t readily get your data back. Any time you hear someone say that they went to a site such as nomoreransom.org and got their data back, it was because some organization was able to obtain the private key and post it there. You can’t always depend on that situation.
You can take steps to avoid ransomware, including ensuring that you look carefully at emails that include links, educating your users to recognize questionable email messages, staying current on software updates, and not exposing port 3389 (remote desktop) directly on the web.
If all that fails and you fall victim to ransomware, there is a guaranteed way to recover from it: having a good backup. It is the best way to recover from a ransomware attack. Recently, the Maersk company recovered from a devastating ransomware attack, but not with a backup. They had none. Amazingly, they were able to recover their domain using a single domain controller that was not connected to the internet at the time of the ransomware infection. Maersk got lucky.
Maersk’s backup strategy was trust in synchronization. Enterprises often don’t back up domain controllers, but merely put another online and synchronize it in the network. The “backup” in their eyes is another copy of Active Directory in another location. They never anticipate that their entire domain would be infected to the extent that they needed a backup.
As we move from traditional domain controllers and on-premises computers to cloud services and situations where data is synchronized across systems, take the time to review how you do backups and change your solutions accordingly.
Backup steps for cloud environments that rely on synchronization and distributed files
- Ensure you have versioning. Cloud services often rely on synchronization. If you are a victim of a ransomware attack, you need to be able to roll back to a prior version. Versioning may not be on by default and may not be set up to keep the number of versions you will need.
- Ensure you know how to disable the synchronization client. In the case of SharePoint, you want to temporarily stop the synchronizations if someone hasn’t yet caught the new changes.
- Review options for third-party backup solutions for cloud platforms. The vendor that provides you with a cloud service may not back up your files as often as you would like, or the recovery process may require opening support tickets and waiting for their technicians to perform the steps to recover the files. Most cloud solutions also have third-party vendors that sell cloud-based backups. This gives you additional options to recover.
Backup steps for on-premises systems
- Ensure that your backup solution uses a different user account than the logged-in user. Most ransomware attacks come in through a user, and whatever that user has access to is encrypted. Often the first step in determining who accidentally infected the network is to find any encrypted file, right-click on it and look at the properties of the file. The owner of the file will be the person that infected the network. This will help you understand the impact on the network and whether it is widespread or limited.
- Ensure you have multiple methodologies to back up files. These days you can add an Azure backup to nearly any platform (even Windows 7) by downloading KB3015072 on Windows 7.1 and Windows 8.1. You then go to the Azure portal, set up an account, set up a password to properly secure the data in the Azure portal and back up the data online.
Azure backup can back up virtual machines as well as physical machines. To set up an Azure backup, sign up for a trial and follow the step-by-step instructions.
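The "right-click, Properties, Owner" check from the first on-premises step above, scaled up to a whole share so you can see how widespread the damage is. This is an added example, not code from the article: it assumes the responder supplies the share path, the time window and, optionally, the extension the ransomware appended, and it reads the same owner field the Properties dialog shows.

```powershell
# Added example (not from the article): tally who owns the recently written
# files under a share, the scaled-up form of "Properties > Owner" on one file.
# Assumptions: $Path, $Since and $SuspectExtension are supplied by the responder;
# the account running the ransomware is the one that owns the files it wrote.
param(
    [Parameter(Mandatory)] [string] $Path,          # e.g. \\fileserver\dept (placeholder)
    [datetime] $Since = (Get-Date).AddHours(-24),   # window in which encryption happened
    [string[]] $SuspectExtension = @()              # e.g. '.locked' (constructed placeholder)
)

# Files touched inside the window are where the encryption shows up.
$files = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since }

# Narrow to the appended extension if the responder knows it.
if ($SuspectExtension.Count -gt 0) {
    $files = $files | Where-Object { $SuspectExtension -contains $_.Extension.ToLower() }
}

# Owner comes from the security descriptor; an access-denied file is recorded, not fatal.
$rows = foreach ($f in $files) {
    try   { $owner = (Get-Acl -LiteralPath $f.FullName).Owner }
    catch { $owner = '<access denied>' }
    [pscustomobject]@{
        Owner     = $owner
        Directory = $f.DirectoryName
        Written   = $f.LastWriteTime
    }
}

# One row per owner: file count, folder spread, first and last write time.
# One owner with many files across many folders is the "one user's access got
# encrypted" pattern the article describes; several owners mean a wider foothold.
$rows | Group-Object Owner | ForEach-Object {
    [pscustomobject]@{
        Owner   = $_.Name
        Files   = $_.Count
        Folders = ($_.Group.Directory | Sort-Object -Unique).Count
        First   = ($_.Group.Written | Measure-Object -Minimum).Minimum
        Last    = ($_.Group.Written | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Files -Descending | Format-Table -AutoSize
```

Run it from an account that can read the share but is not the suspected user, so the scan itself does not add to the encrypted-file count.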
Use the headlines of ransomware to force a reevaluation of your backup methodologies and processes. Don’t be the business that has no other option than to pay the ransom. Have a backup. It sounds so simple and yet it’s overlooked by so many.