I wrote a blog for my company about two months ago - not so much on preparing or preventing ransomware, but rather recovering from it - based on several personal experiences helping customers where we did not intercept it, but had to help deal with the fallout after the fact. I’d be interested to get some feedback, especially if anyone disagrees or has better suggestions than what I put forth.
Simply be educated & smart and don’t get infected. Also keep offline backups stowed away in case I do get the nasties so I can do a clean install.
All Win 10 machines protected by BitDefender and MalwareBytes Pro.
All machines daily backed up to a password protected share on a Synology by Macrium Reflect.
Only Macrium Reflect has the password.
All user files are stored on Soonr Cloud File Share and Sync. Soonr allows one click restore of entire Folders to a previous point in time.
Separate nightly backup to Amazon S3.
Quarterly offsite backups of all the Macrium Images. They are stored at the Client’s home in a fire proof safe.
Even if the entire Office burnt down, we could restore to new computers using the offsite Macrium Images, Soonr would then update the user files.
Email is Exchange.
If Soonr went down/out of business, we’d restore via Amazon.
If they get through that lot, good luck to them.
If backup is an after the fact consideration and you are interested in how others dealt with fallout… One of our executives with lots of mapped drives encrypted some network file shares. It was first generation crypto stuff so we could restore. We learned that many users STILL fall for some pretty basic traps. It’s like they become curious to the point of compulsion when it comes to bad emails. Initially, we unknowingly shamed the individual in spite of the fact we felt we were delicate. This helped but further diminished our already waning popularity. I really hate going Dr. Phil on you, but the best thing I have seen so far is to ask them to contact you when they get a suspicious email. I do this for my users who take risks for one or two incidents. I praise the heck out of them for the wisdom to send along the email and they become converts. I usually deal with http content in a similar manner. I will also go to their bosses and pass along the good news. Positive reinforcement plus training. Initially, this is not efficient but works well in the long run. The most discouraging aspect of this is that I can’t bill for self esteem management. Further, I am not a big fan of being disingenuous by praising adults who behave like children. On another note, if your operation is unwilling to support solid backup and security solutions, then they are putting you at risk. I’ve worked at a couple of places where I routinely provided CYA based architectural/security analysis to my bosses to make sure I wasn’t the only one holding the bag.
Great write-up (well stated). If I had to make recommendations from a critical-eye perspective, I’d also recommend including (and/or increasing emphasis) for the following:
- Air-gap Backup systems from production systems in a meaningful way (e.g. make sure they’re purposefully inaccessible - if malware can’t reach out and touch data, it can’t affect it directly)
- Failing to plan is planning to fail (likewise, failing to “test” that your plan works, is just as bad)
- Least Privilege Model reigns supreme (speed bumps that slow or contain outbreak progression are very helpful with reducing impact and time to recover)
Personally, I do not keep much information on my computer for this reason. As soon as I make something that needs to be saved I keep it on an external HD. I don’t automatically save anything to my computer and the one time I was a victim of ransomware I was able to find a tutorial online and get it off my computer. Where there is a will there is a way. Worst case scenario I would erase everything from my computer. I would need to download the applications back onto my computer that I had before but that is not an issue compared to paying a ransom to a criminal or them having access to anything important to me. My previous employer had backed up their information to a cloud server daily since they processed a lot of information. When handling sensitive information it is important to keep copies of all data separate from the main source of memory. I read in an article that due to a company not backing up their data and becoming a victim of ransomware they lost all their data, and it was a nightmare for their public relations and the company went out of business. After all, data is the most valuable resource.
I think we need to look at backup strategies from 2 categories, malicious and non-malicious. Non-malicious are easy to deal with. Those are your patches gone bad, hardware failures, user accidentally deletes a file, etc. Malicious attacks need to be protected against with a defense strategy and that needs to be multi-layered. There are multiple scenarios that can play out that can render backups useless. Real-time backups from production to DR will have encrypted files replicating across, so now both datastores are useless. Time-delay attacks are useless unless you have sufficient archive to restore against and then you risk decreasing your RPO until the data is old. Backing up images gives you a great RTO, but if that image is infected, it’s not good. One idea is to break up backups into system images and data. You can restore a system back to a time you believe it is clean and if you don’t think you have that image, stand up a new build and then you can scan data before restoring to make sure it’s clean. There are so many options and so many ways we can protect our data, but we’re always on the defense. Systems can be rebuilt, but data cannot.
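The archive-depth trade-off raised in the post above (a replicated or short-retention backup holds only poisoned copies once encryption has been running for a while), as an added example that is not part of the thread: a small simulator of a tiered daily/weekly/monthly retention policy. It assumes one snapshot per day and that every snapshot taken on or after the infection date already contains encrypted files; the policy parameters are constructed for illustration.

```python
from datetime import date, timedelta


def retained_snapshots(today, daily=7, weekly=4, monthly=3):
    """Dates a tiered retention policy still holds on `today`, assuming one
    snapshot per day: the last `daily` days, the last `weekly` Sunday
    snapshots and the last `monthly` first-of-month snapshots."""
    kept = {today - timedelta(days=i) for i in range(daily)}
    d, sundays, firsts = today, 0, 0
    while sundays < weekly or firsts < monthly:
        if d.weekday() == 6 and sundays < weekly:   # Sunday
            kept.add(d)
            sundays += 1
        if d.day == 1 and firsts < monthly:          # first of month
            kept.add(d)
            firsts += 1
        d -= timedelta(days=1)
    return kept


def latest_clean_restore_point(kept, infection_start):
    """Snapshots taken on or after `infection_start` replicated the encrypted
    files, so only older ones are usable. Return the newest clean snapshot,
    or None if retention has already pruned every clean copy."""
    clean = [s for s in kept if s < infection_start]
    return max(clean) if clean else None


def restore_plan(today_iso, infection_iso, **policy):
    """Return (clean restore point, days of data lost) for a ransomware event
    discovered on `today_iso` whose encryption began on `infection_iso`,
    or None when the policy leaves no clean snapshot to restore from."""
    today = date.fromisoformat(today_iso)
    infection = date.fromisoformat(infection_iso)
    point = latest_clean_restore_point(retained_snapshots(today, **policy), infection)
    if point is None:
        return None
    return point.isoformat(), (today - point).days


if __name__ == "__main__":
    # Constructed scenario: encryption started 12 days before anyone noticed.
    print(restore_plan("2017-03-15", "2017-03-03", daily=7, weekly=0, monthly=0))
    print(restore_plan("2017-03-15", "2017-03-03"))
```

With only seven rolling daily snapshots the 12-day dwell time leaves nothing clean to restore; the tiered policy still has the 1 March snapshot, at the cost of two weeks of data.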
All of the backup plans above are great, however organizations also need to think about the “hit by a bus” scenario, i.e. have backups of the people performing the backups. If only one person knows how to restore everything, and something happens to them, then all the technology is useless.
If the organization is smaller, have an MSP as backup for vacations and emergencies. If it’s medium or large, make sure there are data checks and balances as there are internal attack scenarios from disgruntled employees as well.
Carbon Black Protection is mandatory on all domain computers.