If you work anywhere near any technology, you have undoubtedly heard the term “ransomware.” However, it’s important that anyone who works with technology (that’s a big way of saying “uses a computer at work”) understands what ransomware is and how to protect your organization against it. In this article, we will define ransomware, and offer up some clear instruction on how to prevent ransomware from entering your network. And, because no solution can be 100% effective all the time, we will explain how to protect your data in case ransomware does make it onto your network.
Ransomware is a computer virus that criminal hackers use to extort your organization. In a typical scenario, the hacker will breach the network, and then plant the ransomware virus on the network. The virus is built to find and encrypt certain data on the network, so that the rightful owner of the data (your organization) can no longer access the data. At that point, the hackers would seek a ransom in order to free the data. Quite often, the organization simply has no choice but to pay the ransom in order to get their data back.
There are ways to prevent a ransom virus from being placed on your network, and there are steps that can be taken to mitigate any damage if a ransom virus is installed on your network. Organizations should invest in both prevention and protection.
Here are four methods of preventing ransomware from infecting your network and data: antivirus, anti-malware, file screens, and software prevention policies.
- Antivirus – organizations must run antivirus on all points of entry into your organization: email, servers, PCs, gateways, etc. Every device that touches the network must have antivirus, including employees’ personal devices if your organization allows them. However, antivirus alone is not enough.
- Anti-malware – Organizations need anti-malware (if it’s not included in the antivirus package), heuristics, and behavior detection. It takes time to updated antivirus definition, but heuristics can detect anomalistic behavior.
- File screens – Installing file screens allows an organization to block common ransomware file extensions. This method requires that file screen software and rules are up to date with the latest software virus extensions.
- Policies – software prevention policies can stop unrecognized .exe files from executing on your network. It’s not just the file, but the execution of the file that causes the ransomware to do its damage.
We highly recommend testing all internal applications to be whitelisted to run on your network before you run certain software. This recommendation means that all software that runs on the network must be approved by network administrators, and not regular users. Do not give your users management or admin rights to install software on the network.
Preventing the installation of ransomware is incredibly important because ransomware can also be “ransom-scam” software, which holds your data until you pay, and then deletes it anyway. Unfortunately, it’s impossible to tell the difference between ransom and ransom-scam viruses.
Here are two questions every organization needs to ask: What is your current antivirus software? Do regular users have admin rights on your network?
Plan for the best, but prepare for the worst should be the mantra behind preventing and protecting your data against ransomware. Every organization should work to prevent viruses, but the hackers are typically one step ahead of the good guys, so we must also protect our data on the chance that a virus gets through our preventive measures. There are two major methodologies when it comes to protection of your network and data: firewalls and backups.
- Firewalls – At the very least, you should deploy a firewall between your network and the internet. A firewall is considered baseline business data protection. Though every vendor addresses firewalls differently, every firewall will come equipped with either Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). IDS only detects when an unauthorized user has accessed your network, and sends alerts to the appropriate personnel. IPS is built to prevent unauthorized users from successfully accessing the network. Again, every vendor implements these technologies differently, but every organization must have a firewall.
- Backups – Backup your data in a combination of ways: local, off site, and cloud. A local backup is good because it can be immediately implemented. However, a local backup is no good if it’s on the same network as the ransomware. Even so, a local backup should be a one-time full backup plus regular incremental backups. It is up to your network administrator how often the incremental backups take place. That frequency is also very much dependent upon the amount and velocity of your data. How much does your data change in a minute, an hour, a day? That amount of change will determine how often incremental backups are necessary.
An offsite backup is usually necessary for legal or regulatory purposes. While an offsite backup may help in an emergency, the very fact that the data is offsite means that it takes some time to get it there and get it back. Therefore, the data in an offsite backup is typically not up to date, and would be a last resort in restoring data that is being ransomed.
Cloud backups are now the most effective means of backing up data. However, even cloud based backups and storage are not the complete solution. In an emergency, the organization may not have access to the network, which connects to the internet, which is where the backup is located.
We recommend a combination of local, offsite, and cloud data backups as protection against loss of data due to ransomware. The appropriate combination of these tools will be determined by the amount of data your organization generates, how often it needs to be backed up or replicated, and how fast it needs to be restored.
Prevention is the best medicine for ransomware; however, no organization can make itself completely immune. Therefore, prevention and protection together is the recommended methodology.