Ransomware Protection and Importance of Backups

HOW TO PROTECT YOURSELF FROM RANSOMWARE

Protecting yourself from ransomware falls into two main buckets, first is steps to take to avoid getting infected, second is being prepared to recover should you be so unlucky to get infected despite defensive measures. In this article I will touch on defensive measures while deferring detailed coverage on that to a separate article. The focus of this article will be how to set yourself up so that you can recover from infection.

RANSOMWARE DEFENSES

Most ransomware infection these days occurs via email attachments or links in email. Defense against that is twofold

  • Ensure you have a high-quality antivirus/anti-malware software on all computers
    • Ensure it is kept up to date, updates are often daily
    • Ensure it is configured correctly
  • Educate yourself and your users on how to avoid falling for phishing emails
    • Don’t open attachments or click on links in emails that are unexpected, or you aren’t absolutely 100% sure are authentic.
    • Look for other articles from us in the future with more details on this.

If you need help with these steps reach out to a trusted advisor, someone you trust to take good care of your computers and ensure their safety.

RANSOMWARE RECOVERY PREPARATION aka Importance of backups

The best way to prepare to recover from a ransomware event is to ensure you have a solid backup in place. How you do your backups makes a big difference in recoverability.

While backing up to an external hard drive or network share is great for things like failed hard drive or accidental deletion it is useless when it comes to ransomware events or other malicious events as that will get encrypted/deleted along with your local hard drive.

For smaller organizations and individuals, leveraging Microsoft OneDrive built in ransomware protection is often sufficient. Follow this link for more details on how this works.

For larger organizations, they are going to need some additional backup processes, so here are some recommendations for how to set things up for maximum recoverability. Use this guide either for your own setup or when interviewing trusted partners to host your environment to ensure they are thinking about the security of your infrastructure.

  • First step is to select a reliable backup solution that stores the backup off-site and packages the files into archives that are completely separate from files that are being backed up. Additionally, ability to encrypt the backups, is an important security consideration.
  • Storing the backups at a location other than the files being backed up is more important to disaster recovery than ransomware recovery. Since you are going through the effort to back up your files, it makes sense to consider all hazards, not just one. If you store the backup in the same location as the files being backed up, and something happens to that location such as fire, earthquake, tsunami, etc., you’ve lost both the original and the backup. When selecting storage location for the backup don’t pick a location in the same town even, pick a different hazard zone where the same event can’t take out both locations. This typically means storing the backup in a different region, for example if your files are stored in the south, store the backup in the north.
  • Make sure to enable strict separation of duties. The account that has access to the backup system, that can restore backups or even just view or make changes to the backups, should not have access to any of the systems being backed up. Anyone with access to make changes to any documents being backed up, should have no access to the backup systems or the location where the backups are being stored. Backup operator should not be able to access any files in each backup, they can see the file names, paths, and other meta data like that but not the content. Restored system should have the exact same permissions as the backed-up system. For smaller organizations balking at needing a separate backup person note that I am talking about the accounts needed, not persons needed. Backup operator can have other duties, they will just have to use a totally separate account when doing their backup duties.
  • Make sure you test your backup. The backup is not useful unless you know for a fact you can restore it. You do not know for a fact that you can restore a backup until you have in fact restored it. This is the most common failure when it comes to backups.
  • Make sure your backup schedule accounts for the frequency your data is changing. In other words, think about how much work you are willing to lose and backup that frequently.
    • If you only backup once a week, you lose one weeks’ worth of changes if you need to restore a backup. Nightly backups are very common, as that means you only loose few hours’ worth of changes and getting through an entire backup set in a night is typically feasible for most cases.
    • This is usually restricted to how long it takes to perform each backup cycle.
    • Low-cost systems are typically very slow, and fast backup systems are typically very expensive.
    • So, if you are purchasing your own backup system you have to balance how frequently you want to backup with how much you are able to spend on backup systems.

Recovering from Ransomware infection

The single best step in recovering from any sort of infection is something referred to in the industry as flatten and re-image. This consists of completely erasing the infected hard drive of all data to a point where it is squeaky clean with absolutely zero on it. Then reinstalling the operating system and all applications from original installation media, followed by restoring the backup of the data on that computer.

If it is desired to understand how the infection happened, it is important to simply turn off the computer, unplug it and hand it over to a digital forensic specialist as soon as the infection is discovered. This can be a very costly process and not worth it in many cases. For most best course of action is to go straight to flatten and re-image.