Protection against ransomware

Not quite a development topic, but with the recent proliferation of Ransomware attacks, and having to help a customer who has been a victim of Ransomware, I learned a few things to help protect against the disruption that this type of attack can cause.

What is ransomware?

Basically, ransomware is a piece of malware that will steal some or all of your data, and make financial demands for you to get it back. Typically, this is achieved by encrypting your data with a strong encryption key. The encrypted files are of no use to you without the key to unlock them.

This kind of attack is commonly propagated through email. The customer I had to help had received an email containing a small piece of JavaScript. This JavaScript then downloaded the ransomware, which executed its payload (encrypting the files) and then deleted itself. In this case, not only files on the compromised computer were affected, but also files on network drives, and even the Public folders on all computers attached to the network.

It is a devastating feeling seeing all your software report errors opening files, accounts etc., and then realising that it is all gone. Without adequate protection, that could be the end of your business, or costly even if you did successfully recover the encryption keys from the attackers.

So, what can we do to mitigate against this kind of attack?

Anti-virus

Unfortunately, it is not enough just to have anti-virus software installed. My customer had 2 different anti-virus programs installed, one on their mail server and one on each client computer. These were fully up to date, yet the ransomware still got in.

Obviously, any anti-virus product you have installed must be kept up to date, as best practice dictates, and you should select your anti-virus products carefully.

A good anti-spam engine will also remove many potentially hazardous emails, but with all these tools there is a trade-off: too strict and you will lose genuine emails; too loose and you will get more spam.

Backups

Always make sure you have backups of your data, not just copies on another computer, disk or device on your network. It must be an offsite backup, so that any attack on your network cannot reach your backup as well. The backup should also be frequent: at least daily.

If you use an online backup facility, it must be adequately secured with your own encryption keys and be accessible only to authorised users. It would be ironic to find your backup files also attacked by ransomware.

The backup should also be tested. It is no good having a backup if you cannot recover your data from it, so restores should be tested periodically.

You should also review what is contained in your backup. If you have moved data to another location or server, make sure that your backup is updated accordingly.

Permissions

Always make sure that users log in with the lowest level of permissions required to do their work. If users always have administrator permissions, all kinds of malware can install itself without the user knowing, until it is too late.

Linux is often regarded as significantly more secure than Windows systems. This is primarily due to users logging in with unprivileged accounts. Often a user's home directory does not even have execute permissions, so any downloaded applications must be installed or run with elevated permissions. Windows users should try to mimic this setup as much as possible.

Network resources

One thing I found surprising was how many network resources were included in this attack, despite only one machine being compromised. As a rule of thumb, users should only have access to the network resources that they need. Any network shares should be restricted to authorised, authenticated users only. The permissions on those shares should also be checked: for example, do all users need write access?

Public folders on all client machines should be disabled if not required.
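The share check described above, as an added example that is not part of the original post: this PowerShell audits the user-facing SMB shares on a Windows machine and reports every share where a broad group (Everyone, Users, Authenticated Users, Domain Users) has been granted Change or Full access. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt; the function name and the hint about the "Users" share are mine.

```powershell
# Added example, not from the original post: audit SMB shares for broad write access.
# Assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt.

# Groups that effectively mean "anyone on the network". Names are compared without
# the domain/machine prefix so 'BUILTIN\Users' and 'NT AUTHORITY\Authenticated Users' match.
$BroadGroups = @('Everyone', 'Users', 'Authenticated Users', 'Domain Users')

function Get-BroadWriteShareAccess {
    param(
        # Defaults to the local machine; pass a server name to audit a file server remotely.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Skip administrative shares (C$, ADMIN$, IPC$); they are not user-facing.
    $shares = Get-SmbShare -CimSession $ComputerName | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name -CimSession $ComputerName)) {
            $group   = ($ace.AccountName -split '\\')[-1]
            $isBroad = $BroadGroups -contains $group
            $isWrite = $ace.AccessRight -in @('Change', 'Full')

            # Only report grants; an explicit Deny for a broad group is not a problem.
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $isWrite) {
                [pscustomobject]@{
                    Computer = $ComputerName
                    Share    = $share.Name
                    Path     = $share.Path
                    Account  = $ace.AccountName
                    Access   = $ace.AccessRight
                    # Assumption: a share named 'Users' pointing at C:\Users is typically how
                    # Windows exposes the Public folder when Public folder sharing is turned on.
                    Note     = $(if ($share.Name -eq 'Users') { 'Public folder sharing?' } else { '' })
                }
            }
        }
    }
}

# Usage: list findings for the local machine; pipe to Export-Csv to keep a record for review.
Get-BroadWriteShareAccess | Format-Table -AutoSize
```

Any share that appears in the output is one that a single compromised user account could write to, which is exactly how the attack described above reached files beyond the infected machine.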

Staff

Staff should be educated to be cautious about any online activity: emails, browsing, social media etc. Attackers are clever. They will try anything to entice you into running their software and hence compromising your system. Any suspicious activity or emails should be reported to your IT support for checking BEFORE opening them.

Conclusion

We need to make it difficult for malware to deliver its payload. This can be done by protecting front-line services, such as email servers, with adequate anti-malware tools. However, this is not always enough.

Restricting access to resources, limiting user permissions and keeping adequate backups are all valuable measures that should be deployed to protect against all forms of cyber attack.

In the case of my customer, all they lost was 1 day's work, as the backups had been run the night before the attack.


Raspberry Pi 3 model B

The new Raspberry Pi 3 Model B is now available to buy. With on-board 802.11 b/g/n wireless and Bluetooth 4.1, this Pi offers great possibilities for business and education. The high-performance 1.2GHz quad-core 64-bit ARM Cortex-A53 with 1GB RAM is 10 times more powerful than the original Raspberry Pi.

The Raspberry Pi boots from a Micro SD card which is perfect for a Linux installation such as Raspbian, or a custom Linux system built using Yocto and Qt for Device Creation.

Measuring just 85mm x 56mm x 17mm, this could be the perfect complement to many business projects, with the addition of a Linux installation and Qt application.

Watch this space for evaluations, comparisons with other boards and sample projects over the coming weeks.