Preparing To Survive a Ransomware Attack

If there is one IT problem that keeps me awake at night, it is the ransomware attack. They are indiscriminate, and hugely destructive. They operate largely in a highly mechanised and automatic way – and are so prevalent within the IT landscape that you are generally lucky not to find yourself targeted by one.

The principle of a ransomware attack is based on taking your data and putting it beyond use. It does this by using encryption – essentially the data is “scrambled” and can only be unscrambled by using a key that ransomware author (i.e. the hacker) has. The hacker will offer to sell you this decryption key for a price, usually around £300 to £1,300.

When ransomware attacks your computer, it will look for a combination of any document files locally stored on that computer, and then look for any other computers on your local network that it can find. As such, it’s not uncommon to find that when one computer on a network gets attacked, any other computers – such as colleagues’ computers or servers on the network – also get attacked. The computer itself will often keep working, as after all the hackers need to make sure you can log-in and see the ransom message and be able to access the web so that you can communicate with them.

For SMEs, there is another issue in that virtually all SMEs will use cloud-based sync utilities such as OneDrive, Dropbox, iCloud, or Google Drive. If these are configured so that you have a folder on your computer to access these shared drives, the ransomware will infect these files too. The infected files will then spread out to other computers within the set, which means it’s entirely possible to end up destroying customers, suppliers, or other partners data if you are linked into them via OneDrive, Dropbox, etc.

How you get attacked

The most common “vectors” for ransomware attacks are malicious email attachment and links, which is why it is critically important to practice good “email hygiene” within your business and train staff to be vary wary of emails that come from sources that they do not know.

As well as this email hygiene point, the next position is that generally speaking it comes down to the three golden rules of cybersecurity: keep your computer and software updated and patched, keep your antivirus running, and make sure you have strong passwords. The updates and patching make it harder for ransomware to exploit bugs and other holes on your computer to gain a foothold, the antivirus will (hopefully) stop any ransomware from running, and strong passwords make it harder for the ransomware to either get into or propagate within your network.

How to prepare

There is only one real defence against ransomware, which is to make sure that you have backups. Realistically, the only way to recover from a ransomware attack is to wipe any affected computer and restore data from a recent backup.

Backups is a larger topic, and you can find out more with our [Simple Guide to Backups for SMEs].

Broadly speaking, SMEs should be – and admittedly usually do – keep the master copy of any files that they have in the cloud. Our strong recommendation for this is to use SharePoint as part of Office 365 Business, or Google Drive as part of G Suite. These are preferable to Dropbox, iCloud, and others because you can back-up the whole cloud – the so-called “cloud-to-cloud” backup. If you as a business keep all your data in the cloud, and then backup this cloud data on a daily cycle or better, you become virtually impervious to ransomware attacks. Any computer or computers that you lose to such an attack can be wiped, and your data easily restored.

If you do not store your master data in the cloud, it becomes essential that the any computer where master data is stored is backed up using “device-to-cloud” backup. This is an arrangement where the computer is backed up to the cloud every night, and again if that computer gets put beyond use it can be wiped, and the backup restored.

The reason why both cloud-to-cloud backup and device-to-cloud backup work is that they store “point-in-time” versions of data. As such, if you get hit by malware on a Thursday but don’t notice for a week, you can go back to the Wednesday and you’ve only lost a week’s data.

Failing that, some SMEs will backup to external drives. These are problematic, as a) it requires a great deal of discipline to remember to undertake the physical steps required to make these backups, and b) they often don’t account for this “point in time” issue. People who do this sort of manual backup can often find their backup drives also get ruined by malware, either because they were installed on an affected computer at the time, or because they didn’t notice the damage and overwrite good data with ruined data.

Conclusion

It is possible to recover a computer from a malware attack, in terms of removing the malware and getting the applications running again. Some people will actually pay the ransom and have some luck in recovering their data in that way – although for practical and philosophical reasons this is not something that we recommend.

As stated above, the best way to prepare and defend yourself against a ransomware attack is a) maintain good quality backups, b) practice good email hygiene (throughout the business), and c) keep your computer updated and patched, your antivirus running, and use strong passwords in combination with a password managed like LastPass.