Computers Nationwide is here to help protect your business from cyber criminals and hackers by tracking down and eliminating sources of risk to prevent data theft. Our services help ensure that your business is running at its best. Our team of IT experts implement the most trustworthy and reliable practices to protect your business against cyber threats.
This week’s blog features the article “How To Prevent and Manage a Ransomware Attack” by Herjavec Group.
How Do You Become Infected with Ransomware in the First Place?
There are a few methods that adversaries use to infect computers, such as:
- Fraudulent links in phishing emails and social media posts
- Drive-by downloads, in which users unknowingly visit a compromised website and ransomware is downloaded on their computers without their knowledge
- Exploiting security holes in unpatched software applications
Dealing with an Active Infection
- Disrupt any active infections by removing the infected machine from the network until it can be re-imaged or cleaned. Unplug the network cable or turn the machine off.
- You can pay the ransom. It sometimes works, but this isn’t recommended by Herjavec Group or any law enforcement. Decrypting large infections, especially on network volumes, may be slower than restoring from backups.
- Restore data from back-ups and re-image the infected computers. Re-image the computer from known-good images, to eliminate not only the ransomware but any other malware that may have been downloaded at the same time.
- In some cases, Windows keeps “volume shadow” copies of important files, so a tool like Shadow Explorer may be able to recover some data. However, some newer ransomware variants, like Cryptowall0, encrypt the files in the volume shadow copies as well.
- If you suspect that the malware came via email, it may be useful to try to find the source email and delete it from all mailboxes to prevent reinfections.
- Have an Incident Response team on retainer so they can step in and take control during an active infection.
Preventing Further Ransomware Infections
An infection can be stopped at every stage of the attack. While many of these actions on their own will keep most ransomware from successfully infecting computers, defense in depth is a best practice in cybersecurity, and organizations should implement as many of the following defensive techniques as possible:
- Deploy advanced web and email gateway protection.
- Use web content filtering appliances or firewall features to block categories such as adware, known bad domains (blacklists for C2 servers), and unknown/unclassified domains. There may be a minor business impact, so caution must be exercised, but generally, these are tolerable restrictions.
- Implement advanced endpoint protection that examines traffic for behaviors, rather than file-matching.
- Deploy a Microsoft Group Policy to restrict software’s ability to run from %appdata% and “temp” folders. Malware commonly uses these locations because every user can predictably write to them, and that permission cannot be removed without breaking system functions. However, there are few if any legitimate reasons for software to install into or run from these directories. If the malware can’t run, it can’t do any harm.
- Restrict web browsing and email use by privileged users such as administrators. Have separate accounts for administration and day-to-day computing.
- Minimize the permissions to network file shares. Give the ability to write/modify files only to the users that require it, and only to the necessary locations.
- Implement a policy that no corporate information should be stored on local hard drives, USB drives, or other local storage. Files stored on the network are normally backed up and can be restored with minimal disruption to the business.
- Educate the people using your computers on how to recognize spam and phishing emails.
- Prepare for the worst, and have an Incident Response plan ready. If your organization doesn’t have one currently, we suggest using this 10 Point IR Plan and modifying it to fit your organization’s needs.
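The Group Policy restriction on running software from %appdata% and temp folders, as an added example that is not code from the article or from Herjavec Group: a PowerShell script that writes the equivalent Software Restriction Policy (SRP) path rules into the local policy registry keys. The path patterns and descriptions are this example's own choices; a domain GPO sets the same keys on every machine it applies to.

```powershell
# Added example: local-policy equivalent of the SRP Group Policy setting described above.
# Run from an elevated PowerShell session on the machine being hardened.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$deny = Join-Path $base '0\Paths'   # security level 0 = Disallowed

# Default level stays Unrestricted (0x40000) so only the listed paths are blocked.
# TransparentEnabled 1 = all executables except libraries; PolicyScope 0 = all users.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0       -Type DWord

# User-writable locations that legitimate software rarely needs to execute from
# (this list is the example's assumption; extend it to fit your environment).
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe',
    '%LocalAppData%\Temp\*\*.exe'
)

foreach ($path in $blockedPaths) {
    # Each SRP path rule lives in its own GUID-named subkey under the Disallowed level.
    $ruleKey = Join-Path $deny ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0     -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value "Block execution from $path" -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Verify the rules that were written; each entry should show its ItemData pattern.
Get-ChildItem -Path $deny | ForEach-Object {
    Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, Description
}
```

Pilot the rules on a test group first: any legitimate application that launches from these folders will be blocked, and each block is recorded in the Application event log, which is also a useful detection signal.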