We hope you’re here to learn how to protect yourself from ransomware, not that you already have ransomware, and now need to remove it. This article is meant to help you with ransomware protection and prevention, not removal! However, if you are past that stage, please contact us, and we’ll see if we can help you remove it and recover your data.
But assuming you’re serious about not getting ransomware in the first place, we want you to know, this is the business we’re in. We are in the protecting businesses business, and we reluctantly do some work in the repairing or recovering businesses business.
Now the bad news – we can’t protect every business, and every business that wants protection will not follow all the steps.
1. Update your software
Most of the recent strains of ransomware were thwarted in businesses and organizations that were fully up to date with their updates. If you are in the habit of not updating your software as soon as updates become available, you're at additional risk from ransomware. Every vendor, from Adobe to Apple to Microsoft and more, is updating its software as bugs are found. Some of these bugs allow 'remote code execution'; combined with a privilege escalation (or with no escalation needed at all, if your users log in as local administrators), that gives malware authors a quick exploit. They write code for it and push it out via the web to websites near and far, embedding their malicious code in legitimate sites and programs, and they play a numbers game.
One of the worst things to come out of the WannaCry outbreak was to learn that a fix was already available for this ransomware threat before the attack. Microsoft had released a patch for the WannaCry vulnerability eight weeks before the outbreak. Those that were infected were those that had not applied the update.
In other words, if people had simply run their security updates, their machines would not have been infected.
People get complacent and are not vigilant about updating their machines – that’s a huge risk and window of opportunity for ransomware to get in!
2. Install quality antivirus software
In addition to keeping your machines up-to-date with the latest security enhancements, antivirus software can prevent malware from infecting your computer.
Of course, with antivirus software, the same principles apply: Make sure to keep the antivirus app and signatures up-to-date as well, so it blocks the latest emerging malware strains.
It’s our opinion that with antivirus, you get what you pay for. We believe in a few different companies, and there are two different approaches to protecting machines, which fall into two different camps – whitelist and blacklist.
Whitelist antivirus only allows known good programs to run, and blocks all others until they are known to be good – these are products like PC Matic and PC Matic Pro.
Blacklist antivirus uses multiple technologies to detect malicious programs, by signature or by behavior, and then blocks the program from running or being downloaded. These are your more traditional antivirus products like ESET, Bitdefender, Kaspersky, etc.
We can help you determine whether whitelist or blacklist antivirus is best for you, and help you select the right product for your protection.
3. Be wary of suspicious emails and pop-ups – educate your users
Please tell us that you don’t just click on links in emails – right?
Even a security professional can occasionally get caught by a clever phishing email that makes it into their inbox. Protection starts with solid spam filtering technology, which will block many of these malicious emails. Some emails will get through though, so it's important to educate yourself and your staff about how to spot bad emails, because if you click on that one link, the page you end up on might be a phishing page or one that executes malicious code. At best there is no code lurking to run, but in the worst-case scenario you can watch your machine spring into life with ransomware.
Let us help you with spam filtering and end-user education, up to and including periodic testing of your employees and cyber-education lunches and seminars. We can even arrange online cyber-education courses, which can be mandated for anyone who clicks on a 'bad' test email we send them.
4. Create backups of your data
You need your data, and possibly your machines (desktops, laptops and servers), to be backed up. You need to know how long you can be down if that machine suffers a hardware failure or the disk is encrypted. Assume it is vaporized: how soon does that computer need to be recovered?
A backup isn’t just for ransomware protection, it’s multi-purpose protection against hardware loss, damage and other catastrophic failures.
Not every backup is created equal – and a local backup to a local spare hard drive is NOT protection from ransomware, because some ransomware strains will trash your still-connected backup!
In a best case scenario, you might be able to recover a lost file, but in the worst-case scenario, do you need to spin up a copy of that server on a virtualized machine? If so, we have solutions that can do that.
We recommend that you have both local and off-site backups, and putting your important files into a connected drive such as OneDrive or Dropbox is NOT an off-site backup. If it is always connected, like an external hard drive or a synced cloud drive, then the ransomware can encrypt it too. An infected backup is not a backup!
If you don’t have a clean backup as your last line of defense, then a ransomware infection can destroy your data with no chance of recovery – we can help you ensure that doesn’t happen to you!
5. Create a security plan for your business
Even smaller businesses need to be aware of the implications of something infecting one of their machines or, worse, their entire network. Depending on where in the world you are, you might have mandatory reporting. For instance, if you run a business in Canada, you must report a ransomware infection to law enforcement.
If you're a business that is subject to government oversight or compliance, say you're in healthcare or finance, or even just processing credit cards, you have different reporting requirements. Your state may have mandatory reporting. We recommend that you know what your procedures are BEFORE you become a victim, because not knowing now could cost you a higher fine later if you miss a reporting step.
We can help you with a basic security plan, all the way up to a detailed step-by-step plan tailored for your business.
What to do if already infected
Disconnect the infected computer – NOW!! If you have network shares, start scanning those files to find out how many might already be encrypted.
Do you have processes running as admin users on that machine? If so, you might have a rapidly spreading infection in your organization.
We recommend that you disconnect data-stores and start checking EVERY machine for infections while simultaneously starting remediation procedures on the machine that is known to be infected.
Trust nothing until you have verified it fully.
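The "how many files on the share are already encrypted" triage step above can be rough-counted with an entropy scan: ransomware output is near-random, so its byte entropy sits close to 8 bits per byte, while documents sit far lower. This is an added example, not the article's or any vendor's tool; the 7.9 threshold, the list of exempt compressed formats and the sample files are assumptions, and every hit still needs a human look.

```python
"""Triage helper: count files on a share that look encrypted.

Ransomware output is near-random, so byte entropy approaches 8 bits/byte. Formats
compressed by design are also high-entropy, so they are exempted by extension to
limit false positives. Hits are leads for a human, not proof."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.9   # bits per byte; assumed cut-off, plain text sits near 4-5
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file head is near-random and the extension does not explain it."""
    if path.suffix.lower() in COMPRESSED_EXTS:
        return False
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # Tiny files cannot be judged reliably, so they are skipped.
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_share(root: Path) -> list[Path]:
    """Walk a share (mount it read-only first) and return files that look encrypted."""
    return sorted(p for p in root.rglob("*") if p.is_file() and looks_encrypted(p))


def build_sample_share() -> Path:
    """Constructed sample data: a normal document, a photo, and one encrypted file."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "budget.txt").write_bytes(b"Q3 budget: staff 120000, hosting 4500\n" * 400)
    (root / "photo.jpg").write_bytes(os.urandom(16384))          # high entropy, but expected
    (root / "budget.xlsx.locked").write_bytes(os.urandom(16384))  # stands in for ransomware output
    return root


if __name__ == "__main__":
    hits = scan_share(build_sample_share())
    print(f"{len(hits)} file(s) look encrypted:", ", ".join(h.name for h in hits))
```

Run it against a read-only mount of each share and compare counts over time; a rising number of hits tells you the encryption is still spreading and the share must stay disconnected.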
If you're in Canada, you need to report this ransomware infection to law enforcement. Oh yes you do. It's the law. If you're in the USA, are you in an industry with compliance requirements? Did you prepare that security plan? Start working it like you rehearsed…