
Best practices for preventing and recovering from a ransomware attack

(Image credit: Datto)

Today’s cyber-criminals are smarter than ever, and the most advanced attacks are probably still to come. With an estimated global cost of around $6 trillion (£4.24 trillion) per year attributed to cybercrime, there can be no denying that digital crime is just as lucrative for criminals as it is destructive to businesses.

Perhaps the most memorable cyber-attack in recent history was in May 2017, when the WannaCry attack jolted the public into awareness of just how destructive ransomware can be. WannaCry infected over 300,000 Windows computers by encrypting data on the machines and then demanding Bitcoin to unlock the data. It was a particularly destructive attack as it struck a number of high-profile systems, including many in the NHS.

Unfortunately, the WannaCry attack is just one example out of a plethora of attacks that have occurred over recent years. Research shows that 40 per cent of mid to large UK businesses suffered an average of five ransomware attacks in the past year, costing them individually £329,976 per annum. Meanwhile, a report by McAfee showed that ransomware issues grew 56 per cent in 2017, and another study by Trend Micro named ransomware as its number one cyber-threat for 2018. With this in mind, it’s fair to assume that most organisations, if they haven’t already, will have to deal with ransomware at some stage. And given that approximately 90 per cent of businesses that lose data are forced to close within two years, being unprepared for a ransomware attack is not a risk that businesses can afford to take.

There are several factors contributing to the dramatic rise we’re seeing in ransomware attacks:

  • Ransomware has now moved beyond the amateurs to the professionals who are more likely to be aware of security holes, making attacks more successful. We are also seeing a rise in highly targeted attacks that are more sophisticated and therefore, more dangerous.
  • The anonymous nature of Bitcoin has driven investment in the cryptocurrency, making it an ideal currency for attackers making demands on attack victims.
  • Computers are providing value for longer than ever, but that means many lack the latest operating system security updates that can repel attacks. IT professionals are often reluctant to patch older computers because OS updates often slow down old systems, but it is vital that they are kept up to date with the most recent security software.
  • Most ransomware attacks arrive through email, and many employees have not been properly trained to recognise a malicious email attachment. While training employees to be more vigilant for attacks can be time consuming and expensive, it is one of the most effective ways that organisations can defend themselves against ransomware attacks.

There’s no doubt about it; cybercrime is an omnipresent threat that isn’t going away. But there is a lot that companies can do to prepare. Taking steps to understand and outsmart the new technologies that criminals are employing to steal data and money is key, particularly given the often-irreparable reputational damage that faces those businesses that suffer breaches.

Outlined below are the best practices that businesses should consider implementing to safeguard against attacks, including a few suggestions on how to respond to an attack on your data should it occur.

How to mitigate attacks

The most effective step that an organisation can take to combat ransomware is to perform a regular backup of the most important files. The most sophisticated attacks aim to encrypt both data files and Windows restore points, so this should be top of mind when installing a backup system.

The rise in the amount of data being accumulated and stored is placing pressure on backup systems. As well as being unprepared for the future, many organisations are struggling with the day-to-day management of data backup and protection. Indeed, research shows that nearly 50 per cent of IT decision makers (ITDMs) are struggling with data growth and believe it is only going to get worse, and 51 per cent of ITDMs are not confident that their IT infrastructures can perform instant data recovery in the event of a failure. It’s clear there is a problem, and an urgent demand for appropriate backup and recovery strategies and systems.

Backing up critical data and making it easy to recover is one of the best lines of defence that a business can take against ransomware attacks.  For organisations without a current disaster recovery plan, a quality backup and restore solution should be considered as a matter of urgency. In addition to performing regular backups, businesses should consider the following:

  • Update all software according to a regular maintenance plan. If a workstation or server is too old to update, retire it. The few tasks that it can perform do not outweigh the risk it presents to the other machines on the network.
  • Restrict administrator accounts to only a few people in the organisation and create user (not admin) accounts on each workstation, for each employee. End users should not be logged into machines as administrators as the most destructive ransomware is designed to gain access to network areas that are only accessible via administrator accounts.
  • Verify backups and replicate backups offsite. Performing backups is just the first step because, of course, these will not be effective unless they are proven to work. The only way to make sure is to verify backups by testing the data restore process. Occasionally the backup restores properly but does not include all critical files, so this should be checked frequently. Adding an offsite backup strategy, including processes for restoring data and leveraging off-site cloud services, adds a necessary layer of security to your organisation’s information and mitigates ransomware attacks.
  • Employee training is often overlooked or not regularly updated for new employees. Do not assume that employees are tech-savvy enough to recognise malware that has been sent over email. Regular training takes time and valuable resources, but alongside backup, it is one of the main factors that can have the biggest impact in deterring the spread of ransomware through an organisation.
  • Antivirus endpoint protection with updated signatures, endpoint sandboxing, and next-gen antivirus
  • Network sandboxing, next-generation firewalls, and email security to block phishing attacks
  • Next-generation scale-out storage with Continuous Data Protection feature, taking immutable snapshots automatically
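The "verify backups" point above is the one most often skipped: a restore job can finish without error and still be missing a critical file or carry a stale copy. The following is an added example, not code from the article or from StorageCraft, of a restore test that catches both cases. It assumes (hypothetically) that critical files are listed in a manifest of relative path to SHA-256 recorded at backup time, and that a backup is a directory tree (or an archive already extracted to one); the sample files and the deliberately broken backup are constructed inline.

```python
"""
Restore test for a backup: restore into a scratch directory, then confirm that
every critical file named in the manifest is present with unchanged content.
Added illustration; the manifest format and directory layout are assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path, critical: List[str]) -> Dict[str, str]:
    """Record the hash of each critical file at backup time (assumed format)."""
    return {rel: sha256_of(source / rel) for rel in critical}


def restore(backup: Path, target: Path) -> None:
    """Simulated restore: copy the backup tree into the scratch target."""
    shutil.copytree(backup, target, dirs_exist_ok=True)


def verify_restore(restored: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the restored tree against the manifest.
    Returns the critical files that are missing and those whose content differs."""
    report: Dict[str, List[str]] = {"missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["corrupt"].append(rel)
    return report


def run_restore_test(backup: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Full test cycle: restore to a throwaway location, verify, clean up."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        restore(backup, target)
        return verify_restore(target, manifest)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: the backup job copied one file correctly, kept an
    old version of a second, and missed a third entirely."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        for d in (source, backup):
            (d / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2018,Q1,100\n")
        (source / "finance" / "payroll.csv").write_text("alice,1000\n")
        (source / "readme.txt").write_text("ok\n")
        critical = ["finance/ledger.csv", "finance/payroll.csv", "readme.txt"]
        manifest = build_manifest(source, critical)

        # Simulated backup defects (constructed): stale payroll, readme dropped.
        shutil.copy(source / "finance" / "ledger.csv", backup / "finance" / "ledger.csv")
        (backup / "finance" / "payroll.csv").write_text("alice,900\n")
        return run_restore_test(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

A test like this belongs on a schedule, not in the incident playbook: the report it returns is empty only when every critical file came back byte-for-byte, which is the evidence the article says a backup needs before it can be trusted.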

How to respond to an attack

If an organisation suspects that someone on the network has been a victim of a ransomware attack, it should perform the following steps:

  • Take a snapshot of the system and then shut it down. A snapshot will attempt to save system memory, which might help with decryption and provide further details about the attack. Some professionals recommend quarantining any computers known to be infected, but it is safer to shut down all of them to keep the ransomware from spreading.
  • Block remote desktop protocol (RDP) at the network level. Consider blocking all email attachments until the origin of the attack is fully understood.
  • Assess the damage and determine the point of entry. This is where your backups come into play.

Depending on which systems were infected, this is when the organisation will need to revert to its backup plan. Pulling an entire server offline may take more planning. The key here is to have a reliable and well-tested backup to get the business up and running quickly with minimal repercussions.

What if there is no backup system in place?

If an organisation is struck by a ransomware attack but it does not have a backup system in place, it will need to take a slightly different approach. The IT team will need to assess the value of the data that has been encrypted and make a decision as to whether it is worth hiring a security or ransomware expert to try to recover the data. If the answer is no, they might be tempted to pay the ransom, which is not a good idea. Even if the ransom were paid, there is no guarantee of receiving the decryption keys, and thieves often increase the ransom the longer they have to wait for it to be paid.

Companies that have fallen victim to ransomware and lost data due to a lack of appropriate security measures and/or backup must re-assess their overall data protection policies and take the relevant prevention measures.

Ransomware attacks are the perfect crime because the cyber-criminals often ‘win’, and the anonymity makes it nearly impossible for authorities to track down the perpetrators, so instead of being intercepted and stopped, they move on in search of more potential victims.

One thing we know for certain is that the attacks will continue and will evolve as companies learn to combat them. Businesses can no longer afford to sit back and hope that they will be the lucky ones to avoid attack. Data is a highly sought-after asset, and its safeguarding must be of the utmost importance to businesses that wish to succeed in an increasingly threatening cyber landscape.

Florian Malecki, International Product Marketing Sr. Director, StorageCraft