Author: B.Henry 12/24/2021
Language: Plain Text
Here's a document I put together for IT professionals on how to prevent and hopefully avoid ransomware attacks.
Ransomware is a lucrative tactic for cybercriminals. No business is immune from the threat of ransomware. It can be a frightening and challenging situation to manage. Once malware infects a machine, it attacks specific files or even your entire hard drive, network, and locks you out of your own data. Once this happens the software will demand a ransom requesting that you pay an amount of money to get your data back.
There is no foolproof way of protecting yourself from ransomware, if someone is persistent enough eventually, they will find a weakness. It could be an old outdated system, a simple click in a malicious email or navigating to a website that is not so friendly. In most cases the average recovery time is around 21 days when dealing with ransomware, this is of course dependent on the size of your company.
The best way to stop ransomware is to be proactive by preventing attacks from happening in the first place. In this doc, we will discuss how to prevent ransomware and recover from an attack.
How to avoid & prevent ransomware
Although ransomware often travels through email, it has also been known to take advantage of backdoors or vulnerabilities commonly found in outdated systems and software.
Here are some ways you can avoid falling victim to ransomware and get locked out of your own data.
Backups are one of your most important lifelines against ransomware if you do not want to pay them anything to get your data back.
You should backup your servers and desktops daily to a local backup device and or the cloud. You should not stop there; it is also a good practice to store backups on a weekly or monthly basis that cannot be accessed from any computer and keep these backups for at least one year or more. EX: A tape drive or a USB drive then just disconnect it from the computer.
Note: Remember that ransomware and hackers can spend months scanning and running around your network searching for all your weaknesses so they can hit you where it hurts.
I also recommend using current backup programs. For example, BackupAssist for servers can scan backups for ransomware and send notifications if any is found. Backups can also be encrypted to protect your data. EaseUS Backup & Recovery Software works well for desktops.
Your second line of defense is your hardware firewall, you should always make sure this is updated with the most recent firmware and subscription. This will protect you from outside threats.
Enable intrusion prevention services, gateway antivirus, and antispam services.
Enable the content filtering system of your firewall this will allow you to limit the sites and apps your employees can access.
If your firewall support Geo-IP filtering you can filter traffic coming from other countries also you can prevent your employees from accessing websites and services in blocked countries.
Windows offers a function called Group Policy that allows you to define how a group of users can use your system. Users should not be allowed to install software without IT present, change system configurations, modify user permissions for folders and applications.
Always install antivirus software on all servers and desktops, also make sure the subscriptions for these programs are kept up to date. When it comes to purchasing an antivirus program remember to do your research. Sometimes the cheapest antivirus software is not necessarily the best, remember you get what you pay for.
After you install an antivirus software it is a good idea to lockout the antivirus interface with a password if available, so security services cannot be disabled.
You should run scheduled antivirus and malware scans on every server and desktop on a weekly and monthly basis. The weekly scans can be a quick scan, but I do recommend at least once a month scanning the entire system.
Any device that is connected to your network should be updated to protect against any vulnerabilities.
When you purchase a new printer, Wi-Fi access point, managed network switch, or security camera, they always come with default usernames and passwords you should change these as soon as you set them up also check periodically if there are new firmware updates that need to be installed.
Don’t forget if you have automation systems you should perform the same tasks on these systems as well.
Note: Wi-Fi access point passwords should be changed frequently. I change them every three to six months.
Your employees are one of your biggest assets, but they can also be one of the biggest vulnerabilities when it comes to ransomware. The number one thing I recommend is training your employees on what to lookout for when it comes to malicious emails, websites, programs, and social engineering scams.
This can be a monthly email on cyber threats and social engineering scams. It is also a good idea to have your employees attend training on cyber threats and social engineering scams.
Employees should never leave their computers unlocked when they are not using them also passwords should never be kept on sticky notes underneath keyboards or anywhere that is easily accessible.
Note: The more informed your employees are about cyber security threats the more protected your company will be.
In many operating systems, the most common method to authenticate a user's identity is to use a secret passphrase or password. A secure network environment requires all users to use strong passwords, which have at least twelve characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack.
Note: These policies can be configured in windows servers Active Directory/Group Policies.
Enforce password history
Enforce password history this determines the number of unique new passwords that must be associated with a user account before an old password can be reused. Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. A good setting here is between 3 and 5 passwords before a user can reuse an old password.
Maximum password age
Maximum password age determines the period (in days) that a password can be used before the system requires the user to change it. I recommend changing passwords every 90 days.
Note: This should apply to any service or program that you use.
Minimum password length
Minimum password length determines the least number of characters that can make up a password for a user account. Your password length should be set to a minimum of 12 characters.
Password must meet complexity requirements
Passwords must meet complexity requirements this determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements.
Password must be at least 12 characters in length.
Password must include at least one upper case letter.
Password must include at least one number.
Password must include at least one special character.
Password must not include any part of the username.
Note: Password policies should also apply to administrator passwords, they should be changed frequently and be overly complex.
If you receive an email with the attachments and the file extension is one of the following .exe, .vbs, or .scr, even from a “trusted” source, do not open it. Contact your IT department and inform them that you have received an attachment that contains an executable file. you should also be wary of zip files because they can contain executables.
These are executable files that are most likely not from the source you think it is from. Chances are the executables are ransomware or a virus. Likewise, be especially vigilant with links supposedly sent by “friends,” who may have their addresses spoofed. When sent a link, be sure the sender is someone you know and trust before clicking on it. Otherwise, it may be a link to a webpage that may download ransomware onto your machine.
Note: A good practice if you receive a zip file in an email is to scan it with your antivirus software before you open/extract it. You can do this by right clicking on the zip file and clicking scan with the antivirus software you have installed on your system.
By allowing users to see file extensions such as a .exe, .vbs, or .scr you can then train your employees on what extensions are unsafe.
Start filtering out and rejecting incoming mail with executable attachments. Also, set up your mail server to reject addresses of known spammers and malware.
Most email mail servers have addons you can buy that scan for viruses and spam. This is one of the easiest ways of preventing ransomware and social engineering scams.
I know that updates can be annoying and take time out of your day they can even create problems, however they are especially important and should be installed.
Malware often takes advantage of security loopholes and bugs within operating systems or software. Therefore, it is essential to install the latest updates/patches on your servers, desktops, and network devices.
Windows releases updates/patches for their operating systems and software monthly, I recommend installing these immediately also check monthly if any other devices need to be updated.
Note: You should also install updates/patches for any third-party software, drivers, and system BIOS when they are available.
There are many types of web plug-ins that hackers use to infect your computers. Two of the most common are Java and Flash. These programs are standard on a lot of sites and may be easy to attack. As a result, it is important to update them regularly to ensure they do not get infected by viruses.
Limit the data an attacker can access with network segmentation security. With dynamic control access, you help ensure that your entire network security is not compromised in a single attack.
Types of network segmentation
Network engineers segment a network either physically or virtually. Let us compare the two segmentation methods:
To physically segment a network, each subnet needs to have its wiring, connection, and a type of firewall. Physical segmentation offers reliable protection, but it can be hard to apply on a large system.
This is the more common and affordable method of dividing a network. Different segments share the same firewalls, while switches manage the virtual local area network (VLAN).
What to do if your company is infected with ransomware
Note: If you decide to pay the ransom check with your local state and federal government on any law’s against paying. There is a one in five chance you will not get your data back, according to TechNewsWorld.
Ransomware is a threat that is not going away any time soon, it can invade and lock you out of just about every system on your network. Remember that one of the most important things you can do is to be proactive, don’t become a victim of ransomware.
I hope the information I have provided in this document is helpful.
Thank you for your time.
Note: Some information in this document is from Microsoft docs and other online sources.