Not quite a development topic, but with the recent proliferation of ransomware attacks, and having had to help a customer who was a victim of ransomware, I learned a few things that help protect against the disruption this type of attack can cause.
What is ransomware?
Basically, ransomware is a piece of malware that takes some or all of your data hostage and makes financial demands for you to get it back. Typically, this is achieved by encrypting your data with a strong encryption key. The encrypted files are of no use to you without the key to unlock them.
It is a devastating feeling seeing all your software report errors opening files, accounts etc., then realising that it’s all gone. Without adequate protection, that could be the end of your business, or costly even if you did successfully recover the encryption keys from the attackers.
So, what can we do to mitigate against this kind of attack?
Unfortunately, it is not enough just to have anti-virus software installed. My customer had 2 different anti-virus programs installed, one on their mail server and one on each client computer. These were fully up-to-date, yet the ransomware still got in.
Obviously, any anti-virus product you have installed must be kept up-to-date, as best practice dictates, along with selecting your anti-virus products carefully.
A good anti-spam engine will also remove many potentially hazardous emails, but with all these tools there is a trade-off – too strict and you will lose genuine emails, too loose and you will get more spam.
Always make sure you have backups of your data, not just copies on another computer, disk or device on your network. It must be an offsite backup, so that an attack on your network cannot reach your backup as well. The backup should also be frequent – at least daily.
If you use an online backup facility, it must be adequately secured with your own encryption keys, and only accessible by authorised users. It would be ironic to find your backup files also attacked by ransomware.
The backup should also be tested. It is no good having the backup if you cannot recover your data from it. This should be tested periodically.
You should also review what is contained in your backup. If you have moved data to another location, or server, make sure that your backup is updated accordingly.
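The backup advice above (take it, keep it out of reach, test the restore, review what it contains) can be turned into a repeatable check. The following is an added example, not code from the original post: it records a SHA-256 manifest of the live data when the backup job runs, and later compares a restored copy against that manifest, reporting files that are missing, changed, or present in the restore but never in the manifest (for example files that already carried a ransom extension when the backup ran). The directory layout, file contents and the `.locked` extension are constructed for the demo.

```python
"""Added example (not from the original post): build a SHA-256 manifest at
backup time and use it to test that a restore actually brought the data back
intact. All paths and sample files below are constructed for the demo."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    'missing'    - in the manifest, absent from the restore
    'changed'    - present but with a different digest (corrupt or encrypted)
    'unexpected' - in the restore but never in the manifest
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(
            name for name in manifest
            if name in current and current[name] != manifest[name]
        ),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Simulate a backup, then a restore that is incomplete and corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2020-01-01,100\n")
        (live / "notes.txt").write_text("weekly report\n")

        # Taken when the backup job runs; store it with the offsite backup.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(live)))

        # The restore: ledger.csv comes back altered, notes.txt is gone and an
        # encrypted blob with a constructed ransom extension appears instead.
        restored = Path(tmp) / "restored"
        (restored / "accounts").mkdir(parents=True)
        (restored / "accounts" / "ledger.csv").write_text("date,amount\n2020-01-01,999\n")
        (restored / "notes.txt.locked").write_bytes(os.urandom(32))

        return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step as part of the backup job and the verify step as the periodic restore test; a non-empty `missing` or `changed` list is the signal that the backup would not have saved you, and a growing `unexpected` list of odd extensions is worth a look before you need the backup at all.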
Always make sure that users log in with the lowest level of permissions required to do their work. If users always have administrator permissions, all kinds of malware can install themselves without the user knowing, until it is too late.
Linux is often regarded as significantly more secure than Windows systems. This is primarily due to users logging in with unprivileged accounts. Often a user’s home directory does not even have execute permissions, so any downloaded applications must be installed or run with elevated permissions. Windows users should try to mimic this setup as much as possible.
One thing I found surprising was how many network resources were included in this attack, despite only one machine being compromised. As a rule of thumb, users should only have access to the network resources that they need. Any network shares should be restricted to authorised, authenticated users only. The permissions on those shares should also be checked – for example, do all users need write access?
Public folders on all client machines should be disabled if not required.
Staff should be educated to be cautious about any online activity – emails, browsing, social media etc. Attackers are clever. They will try anything to entice you into running their software, and hence compromising your system. Any suspicious activity or emails should be reported to your IT support for checking, BEFORE opening them.
We need to make it difficult for malware to deliver its payload. This can be done by protecting front line services, such as email servers, with adequate anti-malware tools. However, this is not always enough.
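The share review described above ("do all users need write access?") is easy to do by hand for a handful of shares and easy to forget for fifty. As an added example, not code from the original post, the script below audits a Samba `smb.conf` and flags shares that guests can reach or that every authenticated user can write to. A Samba file server is an assumption made for the demo (on a Windows server the same questions are answered by `Get-SmbShare` and `Get-SmbShareAccess`), and the configuration text is constructed.

```python
"""Added example (not from the original post): audit a Samba smb.conf for
shares open to guests or writable by every authenticated user. The config
below is constructed for the demo; a Samba server is an assumption."""
import configparser

# Constructed sample: one well-restricted share and three that deserve a look.
SAMPLE_SMB_CONF = """\
[global]
workgroup = OFFICE
map to guest = Bad User

[accounts]
path = /srv/accounts
valid users = @finance
read only = no

[scans]
; scanner drops PDFs here and anyone can write
path = /srv/scans
guest ok = yes
writable = yes

[public]
path = /srv/public
public = yes
read only = yes

[projects]
path = /srv/projects
read only = no
"""

# Samba section names that are not ordinary file shares.
SPECIAL_SECTIONS = {"global", "printers", "print$"}


def _yes(value) -> bool:
    """Samba accepts yes/true/1 for boolean options; absent means not set."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit_shares(conf_text: str) -> dict:
    """Return {share: [findings]} for shares whose access looks too broad.

    Guest access: 'guest ok' or its synonym 'public'.
    Writable:     'writable'/'writeable' = yes, or 'read only' = no
                  (Samba's default is read only = yes).
    Restricted:   'valid users' or 'write list' narrows who may use it.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for share in parser.sections():
        if share in SPECIAL_SECTIONS:
            continue
        opts = parser[share]
        guest = _yes(opts.get("guest ok")) or _yes(opts.get("public"))
        read_only = opts.get("read only")
        writable = (
            _yes(opts.get("writable"))
            or _yes(opts.get("writeable"))
            or (read_only is not None and not _yes(read_only))
        )
        restricted = bool(opts.get("valid users")) or bool(opts.get("write list"))

        issues = []
        if guest and writable:
            issues.append("guest (unauthenticated) write access")
        elif guest:
            issues.append("guest (unauthenticated) read access")
        elif writable and not restricted:
            issues.append(
                "writable by every authenticated user; set 'valid users' or 'write list'"
            )
        if issues:
            findings[share] = issues
    return findings


if __name__ == "__main__":
    for share, issues in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"[{share}] " + "; ".join(issues))
```

Point it at the real file (`audit_shares(open("/etc/samba/smb.conf").read())`) and treat every finding as a question for the data owner rather than an automatic change: the `scans` share in the sample may genuinely need to be writable by a scanner account, but it does not need to be writable by everyone.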
Restricting access to resources, limiting user permissions and keeping adequate backups are all valuable tools that should all be deployed to protect against all forms of cyber attack.
In the case of my customer, all they lost was 1 day’s work, as the backups had been run the night before the attack.