Ransomware. What is it, and how do I avoid becoming a victim?
If you are worried about ransomware, you should be. Ransomware is a form of malware or viral payload that encrypts the files on your computer and possibly your network file servers too. Once activated the software alerts the user with a message demanding payment of a ransom, usually in the form of Bitcoin, to decrypt your files.
You may have heard of some of the ransomware spoken about in the news, such as Wannacry and Locky. It’s devastating, and if your business is attacked it could bankrupt the company. You must protect yourself in as many ways as you can from getting it, and from it’s effects should the worst happen.
Recently ransomware has been responsible for taking out Travelex Bureau de Change, an unnamed US natural gas pipeline, ISS World facilities management and Redcar and Cleveland Borough Council. Most of those organisations still haven’t recovered from the attack and their systems remain offline at the time of writing this article.
Shouldn’t I just pay the ransom?
No, you shouldn’t pay. There are several reasons why not.
- If you pay you are encouraging and funding the attackers to do more.
- If you pay you have no guarantee that the attackers will unlock your files.
- Even if your files are decrypted, your systems will need to be wiped and re-installed to ensure that the malware is permanently removed.
How do I avoid becoming a victim?
This is another of those occasions where the old adage – dig your well before you become thirsty – holds true. The best defence against ransomware is to be properly prepared for an attack, and that means backup.
You should also make sure you have some good quality anti-virus software installed, something like Norton or McAfee. I also run MalwareBytes.
Not just any backup, although that will help (especially if it’s offline). Standard backup of your files to a series of external drives will certainly protect a single machine on a tight budget. However, if you have several users and servers then you need something more robust and automated. Ideally you want a remote continuous backup, that’s one which is on an inaccessible server and is updated continuously with revision protection. Let me explain what I mean by that.
Continuous backup
Continuous backup with revision protection, rather like Apple’s Time Machine, is a backup system where every time you make a change to your computer’s data it is duplicated to a backup system. That backup system has revision protection, in other words the data you send to it does not overwrite what is backed-up already. Instead it creates a new revision, which is timestamped. This allows you to roll-back to any moment in time since you started backing up using this method.
To make continuous backups quick and efficient only the changed data, or delta, is sent to the backup server. In the best systems this is timestamped and stored separately to the main original file.
Inaccessible server
An inaccessible server is not really inaccessible. But rather, it’s access is only possible over a secure channel used by the backup client. That means that the ransomware malware can’t encrypt the whole backup server. You ideally want your backup client to connect to the backup server using some strong cryptographic method, using a certificate is best. The files are then stored in a filesystem which is not accessible via any other external method.
We run exactly this kind of setup to backup our web servers.
How should I backup my home computer?
By far the easiest and cheapest way is to use three or more external drives, often referred to as “grandfather – father – son”. These form your backup set.
- Number the drives 1-2-3 etc. Often it’s a good idea to pre-allocate the numbers on a calendar.
- Run a full backup of your system to the first drive. Many external hard drives will come with some form of backup software, and that may be good enough.
- Once your backup is completed each day, disconnect the drive and store it away.
- The next day, use the next number, and backup again.
- Repeat from step 2.
Bear in mind that you don’t need to back everything up, you only really need to backup your user profile and any files you have stored outside your user profile. You should always keep an inventory of your software licence keys and logins separate to your main computer and your backup devices. I use a password manager called KeePass to do both tasks.
Once you’ve implemented your backup strategy, you need to test it. You should do a test of your backup at least once a year.
There are a variety of ways you can test your backup. Simplest is to use your backup software’s verify function. But, there is no substitute for doing a real restore test. Pick some files from your manifest as a random sample, and then restore them to a new folder. If you’re using continuous backup then restore the test files from several points in time.
How should I backup my server?
This is going to depend on what your server operating system is. So, for the most popular two, namely Windows and Linux, here are my recommendations.
In both cases I’m going to assume you have a file server and a backup server. Those servers can be in the same data-centre or remote. You can have more than one file server and more than one backup server, but in all cases the principal is the same.
Your remote server should never have drive mapping enabled, or be accessible by any of your desktop or server systems other than via the secure channel used to send the backup files to it. Ideally, you want to have only SSH access to the server for admin users that requires certificate and 2-factor authentication (keep offline copies of your certificates). The idea is that this is your data vault, treat it like you would a bank vault with all your most precious possessions stored in it.
Windows Server
There are other backup software systems available for Windows based servers, they can be very expensive and may not protect you from ransomware. The mechanism I outline below will work, and doesn’t cost anything for the software. However, some corporate IT policies don’t like open-source software solutions, in which case you need to make sure that the key features are still present in the software you choose.
- Install rdiff-backup on your file server and your backup server
- Install an SSH client on your file server and an SSH server on your backup server (if they don’t have one already)
- Create a folder structure on your backup server to store the backed-up files and folders
- Add a dedicated backup user with sufficient read permissions on your file server to access everything you want to backup
- Add a corresponding backup user on your backup server with sufficient write permissions on your backup server to write the backup files to the backup folder on the file system
- Generate a SSH key pair for your backup user so you can connect securely from the file server to the backup server without having to use passwords
- Configure rdiff-backup to backup the files from your file server to your backup server
- Create a simple windows command script or batch file to run the backup
- Test your backup. Login to the remote server and inspect the file structure and data that has been backed up. Check some files at random
- Decide on your backup frequency (hourly, daily etc) and set up an appropriate scheduled job to run your backup script.
- After the first scheduled backup, test your backup again
- Regularly test your backup by performing sample restores from a variety of points in time
Linux Server
For Linux based servers you will need to set up a backup mechanism that will efficiently transfer files from your file server to your backup server. Since you’re already keyed into the open-source world, here is a great open-source solution that will protect your data.
- Install rdiff-backup on your file server and your backup server
- Create a folder structure on your backup server to store the backed-up files and folders
- Add a dedicated backup user with sufficient read permissions on your file server to access everything you want to backup
- Add a corresponding backup user on your backup server with sufficient write permissions on your backup server to write the backup files to the backup folder on the file system
- Generate a SSH key pair for your backup user so you can connect securely from the file server to the backup server without having to use passwords
- Configure rdiff-backup to backup the files from your file server to your backup server
- Create a simple shell script to run the backup
- Test your backup. Login to the remote server and inspect the file structure and data that has been backed up. Check some files at random
- Decide on your backup frequency (hourly, daily etc) and set up an appropriate cron job. Either in the crontab or in the /etc/cron.hourly or /etc/cron.daily folders as a script
- After the first scheduled backup, test your backup again
- Regularly test your backup by performing sample restores from a variety of points in time
Other ways of protecting your systems
In addition to backup, which should be your first priority. You also need to ensure you have the following measures in place.
- Install current, good quality, and regularly updated anti-virus software (such as Symantec Endpoint Security, Norton Security, ClamAV, McAfee Endpoint Protection or McAfee Total Protection)
- Install effective anti-malware desktop protection software (such as Malwarebytes)
- Use a filtered and virus-checked email service (such as Virtco Hosted Email)
- User training is a fundamental component to help prevent malware of all kinds entering your IT ecosystem. Ensure you train your users to spot the dangers.
How can we help?
We can help you develop your ransomware protection and mitigation strategy. We can also help develop your organisational policies and procedures to protect you and your organisation from other cybersecurity threats. if you need help, or want to contact us about how we can work together to protect your business please use our contact us page.
I recommend that you subscribe to our monthly Threat Report. It’s an executive summary of the currently trending threats and links out to our detailed articles such as this one. You can get the report by filling out the form below.
Get Virtco Threat Report
[pt_view id=”1e954a46xk”]