Ransomware: 4 Ways to Protect and Recover

WHEN YOUR BUSINESS DEPENDS ON ACCESS TO DATA - FAST RECOVERY IS A PRIORITY

As cyber security pundits warned, the number of ransomware incidents is on the rise in 2017. Unfortunately, ransomware schemes have become an easy source of revenue for cyber criminals, which has resulted in a growing number of attacks every year. When an attack occurs, unprotected organizations can lose access to critical electronic files, putting their entire business at risk. To restore access, organizations are faced with the decision to pay the ransom – with the hope that the files are actually released – or attempt an ad hoc recovery, with no guarantee that current data can be reliably reproduced. To maintain access to your critical data, consider these four best practices to protect and recover from ransomware attacks with confidence.

4 WAYS TO PROTECT AND RECOVER FROM RANSOMWARE ATTACKS

Implementing a multi-layer security strategy – including anti-malware, personal firewall, hard disk and file encryption, DLP and more – is critical to protecting against growing cybersecurity threats. However, even with all of these endpoint protection solutions, there's still a modest chance of breach. According to the Gartner Magic Quadrant for Endpoint Protection Platforms [1], "When 44% of reference customers for EPP (Endpoint Protection Platforms) solutions have been successfully compromised, it is clear that the industry is failing in its primary goal: blocking malicious infections."

To protect even the most data-intensive business environments from ransomware, consider the following best practices:

"Ransomware use grew by 167 times year over year and was the payload of choice for malicious email campaigns and exploit kits."

SonicWall GRID Threat Network, 2016

ONE: HAVE AN EFFECTIVE INFORMATION SECURITY PROGRAM

If your organization is new to information security, or you have only a partially implemented information security capability, consider taking the following steps outlined in Table 1 to put an effective security program in place.

STEPS | ACTIONS

Know where critical data is stored
  Maintain awareness of data location
    • Data center
    • Remote facilities
    • Cloud
    • Service Provider
  Inventory systems
    • Know which systems handle critical data: store, process and transmit
    • Understand the data flow
    • Determine which systems present the highest risk to your operations
  Assess risk
    • Include electronic records, physical media, and the availability of key systems, services, or devices

Monitor effectiveness
  Prepare for the evolving threat landscape
    • Proactively evaluate the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies
    • Apply corrective actions, remediation, and lessons learned
  Educate users
    • Make sure employees are educated on what to do when they receive emails from unknown senders with suspicious attachments or links (see Appendix for recommended steps)

Table 1: Components of an effective security program

Simple to Use Policy and Workflow Automation

Reduce IT admin burden with a library of basic tasks, customization capabilities and automated workflows such as auto retention and defensible deletion based on content attributes. You have real-time visibility into all running jobs and events with customized alerting and reporting, as well as out-of-the-box reports.

Ransomware: Defending Against 5 Major Types

When you know the type of ransomware attack that you are under, the initial response can significantly limit the damage that’s inflicted.

TWO: PROTECT DATA WITH TECHNOLOGY BEST PRACTICES

With the growing number of threats, coupled with the evolving sophistication of attacks, businesses need to clearly understand the cost tradeoffs of investing in cybersecurity and employee education against the loss of access to critical data and the resulting impact on the business.

Network security is a good first line of defense in guarding against ransomware attacks. And by implementing effective technology best practices, organizations can further protect their data and IT infrastructure. Table 2 outlines key technology strategies to help eliminate the potential for infection by ransomware attacks.

STEPS | ACTIONS

Detect and prevent
  Employ a multi-faceted security solution
    • Keep systems and software updated with relevant patches
    • Protect against file-based threats (traditional AV), download protection, browser protection, heuristic technologies, firewall and a community sourced file reputation scoring system
  Use external CERT groups (computer emergency response teams)
    • Often identify a problem before the virus software companies
    • Can make recommendations on immediate steps for manual filtering (software companies may require hours or days to release a patch)

Identify and stop infection
  Define a comprehensive prevention policy
    • Includes endpoint and network policies and protection products, such as antivirus, antispyware, and firewall-type products
    • Limits execution of unapproved programs on workstations
    • Limits the write capabilities of end users so that, even if they download and run a ransomware application, it is unable to encrypt files beyond the user's specific files
    • Include electronic records, physical media, and the availability of critical systems, services, or devices
  Keep a "Gold" image of systems and configurations
    • A fundamental element of data management policies
    • Easily clone an infected system from the master
  Maintain a comprehensive backup strategy
    • Backups are the fastest way to regain access to your critical files
    • Take volume level snapshots more often (every 15 minutes) and store them for a longer period of time.
    • Remove the impacted system from the network to remove the threat.
    • Restore any impacted files from a known-good backup

Monitor effectiveness
  Prepare for the evolving threat landscape
    • Proactively evaluate the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies
    • Apply corrective actions, remediation, and lessons learned
  Educate users
    • Make sure employees are educated on what to do when they receive emails from unknown senders with suspicious attachments or links (see Appendix for recommended steps)

Table 2: Technology best practices

Services to Protect You Even More


To establish the comprehensive safeguards to protect from ransomware attacks with complete confidence, consider the support of Commvault services. We are experts in addressing the security layers you need to protect your environment from vulnerabilities. Working closely with your backup, recovery, archive and cloud teams, our technology consultants will help you develop a practical, modern design for your IT environment that is both efficient and secure.

THREE: EMPLOY EFFECTIVE BACKUP STRATEGIES

Recognize that a ransomware event is almost always a progressive hack. It works over time: it can run in the background for a week or more and learn the behavior of your backup routines. As such, it is important to maintain a persistent copy of the data in other locations as part of your disaster recovery procedures.

Those who rely only on snapshots as backup are at a higher risk. When the snapshot or other instance is replicated, the corruption follows the replication, so the copy is corrupted along with the source. Having a preserved version of the data from prior recovery points in protected locations is the ticket.

STEPS | ACTIONS
Employ backup or DR processes
  • Directly call out a backup copy rather than versions stored on the same system.
  • Have external backup copies of the data beyond simple snapshots that are maintained on the source system.

Table 3: Data protection best practices

Using a cloud library is another alternative for a good external collection. Since the cloud backup is not visible to the local administrator operating system account, it would require additional sophistication to gain access to your cloud user credentials. And while no one loves tape in the day of “disk only,” it may prove to be a better alternative for some businesses, as the online nature of disk is what exposes the persistent risk.
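
The reasoning in this section (an attack that runs for a week or more, replicas that carry the corruption with them, and the need for an external copy with older recovery points) can be turned into a check on a backup inventory. The Python below is an added example, not part of the original whitepaper or of any Commvault product; the `BackupCopy` fields, the 7-day dwell window and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: ransomware may run unnoticed for "a week or more", so at least one
# independent copy must retain a recovery point older than this window.
DWELL_WINDOW = timedelta(days=7)

@dataclass
class BackupCopy:
    name: str
    location: str          # "source", "remote", "cloud" or "tape" (hypothetical labels)
    follows_source: bool   # True for replicas/mirrors, which copy corruption too
    recovery_points: list  # datetimes of the retained recovery points

    def independent(self):
        # Only copies off the source system that are not live replicas count.
        return self.location != "source" and not self.follows_source

def audit(copies, now, dwell=DWELL_WINDOW):
    """Return a list of findings; an empty list means the plan passes."""
    indep = [c for c in copies if c.independent()]
    if not indep:
        return ["no independent copy: every copy is on the source or replicates it"]
    if not any(p <= now - dwell for c in indep for p in c.recovery_points):
        return ["no independent recovery point older than the dwell window"]
    return []

def latest_clean_point(copies, infected_since):
    """Newest recovery point on an independent copy taken before the infection began."""
    candidates = [(p, c.name) for c in copies if c.independent()
                  for p in c.recovery_points if p < infected_since]
    return max(candidates, default=None)

# Constructed sample inventory (not real data).
NOW = datetime(2017, 6, 15, 12, 0)
SNAP_ONLY = [
    # 24 hours of 15-minute snapshots kept on the source array
    BackupCopy("array-snapshots", "source", False,
               [NOW - timedelta(minutes=15 * i) for i in range(1, 97)]),
    BackupCopy("dr-replica", "remote", True, [NOW - timedelta(minutes=5)]),
]
WITH_CLOUD = SNAP_ONLY + [
    BackupCopy("cloud-library", "cloud", False,
               [NOW - timedelta(days=d) for d in range(1, 31)]),
]

if __name__ == "__main__":
    for plan in (SNAP_ONLY, WITH_CLOUD):
        print(audit(plan, NOW), latest_clean_point(plan, NOW - timedelta(days=9)))
```
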

FOUR: EDUCATE EMPLOYEES TO SECURE THE ENDPOINT

Finally, educating everyone who touches your data on good security habits is essential to keeping businesses secure – remind them to use common sense. As described by the Internet Security Threat Report [2], educate your users on the best practices outlined in Table 4.

STEPS | ACTIONS
Train users to practice security best practices
  • Do not open attachments unless they are expected and are from a known and trusted source.
  • Do not execute software that is downloaded from the Internet (if such actions are permitted) unless from a trusted source or the download has been scanned for malware.
  • Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends.
  • Employ safe social media conduct. Hot topics are prime bait for scams; not all links lead to real login pages.
  • Encourage employees to raise the alarm if they see anything suspicious.
  • If Windows users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (indicative of fake antivirus infections), they need to close or quit the browser using Alt-F4, CTRL+W or the task manager, and then notify the helpdesk.

Table 4


  1. Gartner, Magic Quadrant for Endpoint Protection Platforms, February 1, 2016
  2. Symantec, “Internet Security Threat Report,” Volume 21, April 2016

A complete recovery solution that covers applications, servers and end user machines is the only way to minimize business disruption when a ransomware attack occurs in your organization. Read more at commvault.com/ransomware.