Ransomware is everywhere — that insidious threat that encrypts your precious documents and other files and holds them hostage until you pay a substantial sum to an anonymous third party. Fortunately, there are measures you can take to reduce the likelihood of an attack. Here are three tweaks you can make to mitigate this threat.
Get a better grasp on your inbound e-mail messages
What most administrators do not fully appreciate is that ransomware arrives almost exclusively through phishing messages. The catch is that the e-mail messages themselves carry no malware payload; instead, they link to a site that offers a seemingly innocuous download (a shipping delivery confirmation from the likes of UPS or FedEx, an invoice from a vendor that you ostensibly should begin processing, and so on). This means your e-mail hygiene solution will not catch the ransomware, because it is never actually embedded in the e-mail. The infection happens when a naïve user clicks the link, then downloads and executes the payload.
The solution here? Ask your e-mail hygiene provider to enable their URL scanning protection—this is sometimes called ClickProtect or URLScan. It replaces links in inbound e-mail messages with a link to the hygiene provider’s portal, and once that edited link is clicked, the hygiene provider can examine the target destination and decide whether it is potentially malicious or not. If it is, the hygiene provider can display a big warning saying “Don’t Proceed,” and that may be just enough to convince your users they’ve been fooled.
Have good, consistent backups and test restoration regularly
The best way to beat ransomware creators at their game is to remove the need to pay the ransom, and the only way you can do that is to have in your back pocket the ability to get back to a “last known good” state on your own and go from there. The only way you can get to this point is to make regular backups.
- Use Shadow Copies on your Windows Servers, take multiple snapshots per day, and test your restores constantly, both on a fixed schedule and unannounced. Take some of your backups offsite, and make sure that backup drives not currently in use are disconnected from your servers entirely, so they are never exposed to a future strain of malware that is smart enough to delete volume shadow copy entries from your backup medium.
- Contrary to what you might think, you do not need any additional significant investment to get going on a regular backup scheme.
- If your budget is tight, buy three USB hard drives from Costco and use the built-in Windows Server Backup service to get going. For Linux, there are several suitable open source backup packages that will work with USB mounted drives. Whatever you do, you need to start with this, and you can do so for no more than $250.
Look at application whitelisting
Realistically, your only chance of reliably preventing a ransomware infestation is application whitelisting. With this approach, you tell your operating system which binaries it may run, and the operating system prevents everything else from running, including legitimate programs that you have not yet approved. The whitelist is built from the checksums (file hashes) and digital signatures of your executable files, so there is manual labor involved both in deploying the whitelisting solution in the first place and in keeping it up to date.
For example, patches and updates to previously approved programs produce new hashes and signatures, and so must themselves be whitelisted before they will run. This sort of administrative burden is enough to make any busy IT pro blush, but in this day and age it is the only way to truly prevent this (and any other) type of malware attack.
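To show how that hash-versus-signature maintenance burden plays out in practice, here is an added example (not from the article) that builds a whitelist with the built-in AppLocker cmdlets on Windows Server, starts in audit mode, and tests a hypothetical vendor update against it; the policy path and the vendor executable are assumptions.

```powershell
# Added example: AppLocker whitelist built from hashes and publisher signatures.
# Assumes an elevated PowerShell session on a Windows Server with AppLocker;
# C:\Policies and the vendor executable path are hypothetical.
Import-Module AppLocker
$policyPath = 'C:\Policies\AppLocker-baseline.xml'

# 1. Inventory the binaries you intend to approve. Windows itself must be
#    included, otherwise enforcement will block the OS's own executables.
#    Each record carries the file hash and, for signed files, the publisher.
$approved = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Turn the inventory into rules. Publisher rules are tried first, because a
#    signed update from the same vendor keeps matching after a patch; unsigned
#    files fall back to hash rules, which must be regenerated after every update.
$policy = New-AppLockerPolicy -FileInformation $approved `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' -Optimize

# 3. Start in audit mode so nothing is blocked yet. Review the events under
#    Applications and Services Logs > Microsoft > Windows > AppLocker before enforcing.
$policy.RuleCollections | ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
$policy.ToXml() | Out-File -FilePath $policyPath -Encoding utf8

# 4. AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Before rolling out a vendor patch, test the new binary against the policy.
#    A signed update covered by a publisher rule reports Allowed; an unsigned
#    update covered only by a hash rule reports Denied until its hash is added.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Program Files\Vendor\app-2.1.exe' -User Everyone

# 6. Once the audit log shows only expected denials, switch to enforcement.
$policy.RuleCollections | ForEach-Object { $_.EnforcementMode = 'Enabled' }
$policy.ToXml() | Out-File -FilePath $policyPath -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $policyPath
```

DLL rules are deliberately left out here; AppLocker keeps that collection off by default because it multiplies the inventory and the update churn, so enable it only after the executable baseline is stable.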