For Windows users, tips on fighting ransomware attacks
This word is a constant reminder of the fear that computer users feel, particularly when you consider the daily news headlines about the companies affected. This makes us wonder what happens to businesses and users alike.
There are many things you can do to help yourself and your business.
Be careful about what you click
Ransomware is most often spread by an individual clicking on an inappropriate link or email. An attacker may attempt to gain remote access via brute force or harvest credentials. This is often the case in a business setting. Once they are inside, they can disable backups or wait for the right time to attack.
Ransomware is not a new phenomenon. Its history dates back to 1989. The lure was a floppy disc that contained a virus. It demanded money to retrieve the computer information. More recently, it was used against Colonial Pipeline, a gas delivery pipeline company on the East Coast. That attack led to a run on gas, closed gas stations, angry drivers, and bad publicity (and a reported payout in the millions of dollars) for the pipeline company. This was a true-life example of ransomware’s destructive effects on businesses.
Backups, backups, and backups
I moderate a Facebook group about security and ransomware. We often recommend that users ask us if they have a backup when they are trying to recover from ransomware attacks. This means that the backup must be regularly updated and kept on an external hard disk that is not accessible from your computer. Your attacker can also access your backup media if you have the right to do so. You should always rotate your backup media and keep a copy offline that is not connected to your computer.
You should also check if your backup software includes an anti-ransomware function that prevents anyone from accessing the drive except the backup processes.
There is no magical fix to undo ransomware, though nomoreransom.org keeps track of known attacks; if an encryption key has been released to the public by the attackers or some authority has taken over a command-and-control server — and thus gained access to the encryption tools — the decryption tool will be stored on that site.
If you are a bit more adventuresome, you could consider adding a tool such as Racine, which will prevent ransomware from deleting all shadow copies using vssadmin. It is compatible with Windows 7 and higher. It intercepts the request, kills the invoking process, and then deletes all shadow copies using vssadmin. An attacker may stealthily delete backups or stop the backup process.
You must keep track of whether or not your backups succeed. My backup software has alerts that I set up so that I am notified about both successes and mistakes affecting my infrastructure. It is important to keep track of when backups are completed.
Another trick you can use to try to fend off attackers is to install the Russian keyboard on your system. Although the Darkside ransomware didn’t specifically check for it, Russian-based malware will often check for it and warn you to avoid Russian-based systems. (You don’t have to use the keyboard, and you’ll end up with “EN” on your system tray. It might trick attackers into letting you pass them by.
Another security tool that scared away attackers during a recent attack was Sysmon. This free Microsoft tool enhances Windows machine security event logs. When attackers using the Solarwinds vulnerability reviewed what firms they wanted to attack, if Sysmon, Procmon, Procexp, or Autoruns were installed on systems, the attackers would not go after the firm because they didn’t want to be detected. Sysmon is a great tool to improve log files, especially for small businesses.
What you can do
Don’t allow attackers to make you another ransomware victim. Here are some things you can do to reduce the chance of an attack.
- To ensure that at least one copy is always offline, make sure to regularly back up your data.
- Make sure your browsers are up-to-date and that they run independently from the operating system.
- You can ensure that your email is well-filtered by your ISP (if they provide it) or using Gmail and Outlook.com.
- Consider adding Duo Authentication as two-factor authentication for remote access if you use the remote desktop protocol in a small business. Remote access doesn’t require you to share a password with the outside world.
While they won’t guarantee your safety from ransomware attacks, these should make it less likely that you will be attacked.