Ransomware, the breed of malicious software that takes your computer hostage by encrypting files and demanding a ransom payment to unlock them, continues to be the scourge of computer networks everywhere. In the past month, ransomware attacks were carried out on a massive scale, including attacks on the Colorado Department of Transportation and the City of Atlanta, Georgia, that crippled operations and prevented thousands of employees from working for days.
The groups responsible for creating ransomware are always evolving it to take advantage of any security holes they can find. The current attacks use a strain of ransomware called Samas (or SamSam), and the infections are usually started by either a successful phishing email or a brute-force attack on an open Remote Desktop Protocol (RDP) server. A brute-force attack takes known account usernames, usually gleaned from an email address or website staff directory, and attempts to log into the RDP server with thousands of common passwords until a correct one is found.
There are a number of things you can do to help protect yourself and your business from ransomware. Samas’ particular infection methods can be prevented by:
- Turn off RDP connections from the Internet unless absolutely necessary.
- If RDP is necessary, protect it by using either a VPN or a Remote Desktop Gateway server. Either of those will take the place of the standard RDP connection entry to your network and prevent the most common brute-force attacks.
- Turn on account lockout in Active Directory, so an account that is under a brute-force attack gets automatically blocked before a password is guessed.
- Use complex passwords so brute-force attacks aren’t able to guess them: 10+ characters, using numbers/capitals/special characters, a passphrase (multiple words with spaces), or a combination of both.
- Provide security training and guidelines for anyone who uses a computer on your network.
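To show what the RDP brute-force pattern described above looks like from the defender's side, and why account lockout matters, here is an added detection example (not code from the original post). It runs over constructed sample log lines in a simplified "timestamp,event_id,account,source_ip,logon_type" form, modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RDP); the threshold and window values are assumed policy settings, not values from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp,event_id,account,source_ip,logon_type".
# Windows Security events: 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_LOG = """\
2018-03-20T02:00:01,4625,jsmith,203.0.113.7,10
2018-03-20T02:00:03,4625,jsmith,203.0.113.7,10
2018-03-20T02:00:05,4625,jsmith,203.0.113.7,10
2018-03-20T02:00:07,4625,jsmith,203.0.113.7,10
2018-03-20T02:00:09,4625,jsmith,203.0.113.7,10
2018-03-20T02:00:11,4624,jsmith,203.0.113.7,10
2018-03-20T09:15:00,4625,mlee,10.0.0.12,10
2018-03-20T09:15:30,4624,mlee,10.0.0.12,10
2018-03-20T09:16:00,4625,svc,10.0.0.40,3
"""

LOCKOUT_THRESHOLD = 5           # failures a lockout policy would tolerate (assumed value)
WINDOW = timedelta(minutes=15)  # lockout observation window (assumed value)

def parse(log_text):
    """Parse the constructed CSV-style lines into (time, event_id, account, ip, logon_type)."""
    events = []
    for line in log_text.splitlines():
        ts, eid, account, ip, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, ip, int(ltype)))
    return events

def detect_rdp_bruteforce(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Flag (ip, account) pairs whose RDP failures reach `threshold` inside `window`.
    Returns {(ip, account): success_after_burst}; True means a 4624 for the same pair
    followed the burst, i.e. the guessing worked before lockout could stop it."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, account, ip, ltype in events:
        if ltype != 10 or eid not in (4624, 4625):   # only RDP logon results
            continue
        (failures if eid == 4625 else successes)[(ip, account)].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):     # sliding window over failure timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = any(s > t for s in successes.get(key, []))
                break
    return alerts
```

With the sample data, the jsmith burst from 203.0.113.7 is flagged and the success that follows it is exactly the outcome a lockout threshold of fewer guesses would have prevented; the single mlee failure and the non-RDP svc event are ignored.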
If you find yourself in the grip of a ransomware attack, it is important to do the following:
- Immediately turn off all machines connected to the network. Ransomware is configured to spread itself across a network. Once it takes hold on one system, it will try to get to anything else it can on the network, including servers. Stopping the spread is the first priority.
- Once the spread has been stopped, each machine should be unplugged from the network/disconnected from wifi, turned on and cleared. Any machine with the ransomware on it should be fully wiped and reinstalled before being put back on the network.
- If the infection has hit servers, restore from the previous day’s backup. Some ransomware targets backup files, so be sure your backups are secured against that, and/or are offsite so they aren’t affected by anything that happens on your network.
If there are no viable backups, you may be faced with either making the required payment or losing the locked data permanently. While there are at least a couple of services that may be able to unlock your files (see https://www.nomoreransom.org/), most strains currently in use don’t have known unlocks. While paying the ransom may feel like the only choice, it’s still not guaranteed to get your files back. According to a security threat research group (see https://cyber-edge.com/cdr/), less than 20% of people who paid a ransom were given back access to their files. If you’re already protecting your network and backups against this threat, you won’t have to roll the dice on whether or not you’ll regain your files.