March 4, 2021
The Best Ransomware Protection for 2021
Ransomware is a threat to individuals as well as companies. A ransomware attack can destroy important data and cause financial and reputational loss. The number of ransomware attacks across the globe grows each year, and petabytes of data have been lost to them. Nobody wants to be the victim of a ransomware attack, so it is important to know how to protect against one. This blog post covers the best ransomware protection methods to safeguard your data.
The Anti-Ransomware Strategy
The anti-ransomware strategy can be divided into two main stages:
- Preventive measures
- Recovery measures
Preventive measures aim to stop a ransomware infection from happening at all. Preventing an attack is far cheaper than mitigating its consequences. Preventive measures can be deployed without downtime or with minimal downtime and include antivirus software and email protection.
Recovery measures are taken during and after a ransomware attack, especially when the attack causes data loss and interrupts normal operations. Recovery requires more effort and time than prevention because it involves restoring data and workloads. If you are not prepared for disasters and ransomware attacks, recovery may prove too difficult or even impossible.
Consider the tips below that cover both preventive and recovery measures to protect yourself from ransomware.
Use Antivirus Software
Install antivirus on all Windows machines to detect infected files and malicious code injected into process memory, and to block infected content and web pages. This is not to say that macOS users are safe: macOS devices have also been attacked by ransomware, so protect them too.
It is best to use an antivirus that supports behavior-based detection of ransomware and heuristic analysis. If malicious behavior is detected, the antivirus should block the suspicious files and display an alert. Consider using an antivirus that can monitor the common locations where ransomware creates or modifies files.
The following antivirus functionality is important because it provides much better protection than signature-based scanning alone (which only recognizes samples that are already in the vendor's signature database):
- Detection of suspicious processes attempting file encryption
- Protection of selected folders against unauthorized access and file modification
- Real-time protection
- Exploit protection
Update antivirus databases regularly, at least once a day. Ransomware creators usually test a new build against current antivirus products before starting an attack to make sure it is not detected. Hence, it's in your best interest to have the freshest available virus database, but do not rely on signatures alone: a build that was specifically tested against signature scanners is exactly what behavior-based detection is for.
You should also use antivirus for your virtual machines. Some antivirus solutions integrate with vShield and vSphere and provide agentless antivirus security for VMs running on ESXi hosts (if you have a VMware virtual environment). Consider such a solution to reduce the load on ESXi hosts compared with traditional antivirus that must be installed in each VM.
Configure anti-spam and anti-malware filters on email servers. Email is one of the most popular methods used to deliver ransomware: one infected computer is then used to propagate the infection to other computers on the network. Attackers like to send links to malicious websites and attach Word or Excel documents with macros. Properly configured anti-spam and anti-malware filters on email servers prevent users from receiving messages with harmful links or malicious attachments (or at least reduce that probability significantly). Filter definitions should be updated regularly from the databases of trusted vendors.
Depending on your security policy, you can configure anti-malware and anti-ransomware filters to display a warning, quarantine a message or delete it before it reaches a user. Popular cloud and email service providers such as Google (G Suite) and Microsoft (Microsoft 365 Exchange) include spam and malware protection for their customers.
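As an added example (not code from the original post or from NAKIVO), the following Python function implements the attachment check such a filter performs for Office documents. Office Open XML files are ZIP packages, and a macro-enabled one carries a vbaProject.bin part and declares the application/vnd.ms-office.vbaProject content type, so the check still works when a .docm has been renamed to .docx. The (filename, bytes) input format and the verdict names are assumptions, and build_sample_document produces a constructed minimal package for testing rather than a real Word file.

```python
"""Flag email attachments that carry Office macros before they reach users.

Added example, not part of the original post and not NAKIVO's code.
Assumptions: attachments arrive as (filename, bytes) pairs; only Office
Open XML formats are parsed here. Legacy binary formats (.doc/.xls) are
sent for review because inspecting their OLE streams needs a separate
parser (olefile/oletools).
"""
import io
import zipfile

# A macro-enabled OOXML document stores its VBA project as vbaProject.bin
# and declares this content type in [Content_Types].xml.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
OOXML_EXTENSIONS = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
LEGACY_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB header used by .doc/.xls
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "hta", "bat", "cmd", "ps1"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment (assumed verdicts)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "block"
    if data.startswith(LEGACY_OLE_MAGIC):
        return "review"  # legacy .doc/.xls may hide macros in OLE streams
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                content_types = (zf.read("[Content_Types].xml")
                                 if "[Content_Types].xml" in names else b"")
        except zipfile.BadZipFile:
            return "review"
        has_vba = (any(n.lower().endswith("vbaproject.bin") for n in names)
                   or VBA_CONTENT_TYPE in content_types
                   or b"macroEnabled" in content_types)
        if has_vba:
            return "block"   # catches a .docm renamed to .docx as well
        if ext in OOXML_EXTENSIONS:
            return "allow"
        return "review"      # some other ZIP archive: unpack and rescan its members
    return "allow"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for testing (not a real Word file)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                     f'package/2006/content-types">{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake VBA project")
    return buf.getvalue()
```

The check is deliberately content-based rather than extension-based: renaming the file costs the attacker nothing, while removing the VBA part removes the payload. Password-protected ZIP attachments that cannot be opened should be treated as "review" rather than "allow", because a filter that passes what it cannot inspect is exactly what attackers probe for.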
Routers that are configured improperly can be used to start ransomware attacks. Attackers scan the standard ports of widely used services to find which ones are open and then try to initiate an attack through that service; an internet-exposed remote-access service such as RDP is a frequent entry point.
That's why it's important to configure the firewall on your routers to protect against ransomware infiltration. Block access to unused ports, and do not expose management and remote-access services to the internet at all. Changing standard port numbers to custom (unused) ones reduces the noise from opportunistic scans, but it is not a security control on its own: a targeted scan of all 65535 ports finds the service anyway, so combine it with blocking, strong authentication and patching.
Next, configure URL filtering and ad blocking. Advertising networks can be abused to deliver malware; this is known as malvertising. Websites with a bad reputation that are used to distribute malicious content should be blocked with URL filters on the routers that provide internet access to users in your organization. Modern filtering software adds newly discovered malicious sites to its block lists dynamically to keep URL filtering up to date.
Train Your Employees
A single user's device can be the entry point for a company-wide ransomware attack, and human error consistently ranks at the top of ransomware incident statistics. It is important to train employees in your organization so that they understand and recognize ransomware threats and infection methods.
By conducting cybersecurity training for employees, you reduce the malware incidents that stem from human error and inadvertent breaches, and thereby improve ransomware protection at your organization. Tell users not to open suspicious emails, click links in unexpected emails, click ad banners on websites, enable macros when opening documents attached to email messages, run executable files or open other potentially risky content. Provide them with examples of social engineering techniques. Users should use strong passwords and enable two-factor authentication.
If you don't raise employee awareness about ransomware attacks and cybersecurity threats in general but just block everything on your side, users can still bypass that protection. For example, employees can use their USB flash drives to copy information to and from work computers, connect personal laptops to the organization's network, and so on. So strike a balance between a strict security policy with hard restrictions and employee awareness: a policy that is too strict makes working processes hard, interferes with employees' daily work and pushes them toward workarounds.
You should also ensure that employees use strong passwords and follow the password policy. Keep in mind that if complex passwords must be changed too often, users cannot remember them and end up saving them in plain-text files or writing them on sticky notes next to their computers, which creates a risk of password leaks. Current guidance (NIST SP 800-63B) therefore favors long passwords, screening against known breached passwords and multi-factor authentication over forced periodic rotation; change a password when there is reason to believe it has been compromised.
Give users only the permissions they strictly need to do their work, based on the access policy. This means that a regular user must not use domain administrator credentials just to write files to a shared folder used by their department. If part of a user's work is to back up their data, create a separate account and a separate backup repository for that user. The principle of least privilege reduces the risk of unauthorized access and improves ransomware protection: ransomware runs with the permissions of the user it compromised, so it can only encrypt what that user can write. Use a dedicated account to access the backup repository where backups are stored.
Protect Your Network
To protect your network, use network segmentation. Splitting the enterprise network into subnets connected through routers or firewalls that only permit the traffic each segment needs limits the spread of malware if devices in one segment get infected; a workstation segment, for example, should not be able to reach the backup repository or hypervisor management interfaces directly.
Consider using the IEEE 802.1X standard with a supported EAP authentication method for network access control. This way, a valid certificate or valid credentials (depending on the EAP method) are required before a device is allowed onto the network. There are three components in the architecture: the supplicant (client), the authenticator (switch or access point) and the authentication server (typically RADIUS). A RADIUS server and an 802.1X-capable switch are needed to authenticate a device on a wired Ethernet connection; on Wi-Fi, the access point acts as the authenticator (WPA2/WPA3-Enterprise). Note that on Wi-Fi the 802.1X exchange also derives the keys that encrypt the wireless link, whereas on wired Ethernet 802.1X alone only controls access to the port and does not encrypt traffic (that requires MACsec).
Perform network penetration testing if possible. This kind of testing helps you find vulnerabilities that could be used to get into your network and initiate a ransomware attack. Fix the issues found to protect against ransomware.
Install Security Patches
Install security patches for operating systems and the applications installed on computers so that known vulnerabilities cannot be used to initiate ransomware attacks. There are many cases in history when vulnerabilities were used to start ransomware attacks and to spread ransomware across the network as a worm; the 2017 WannaCry outbreak, which spread through an unpatched SMB vulnerability in Windows, is the best-known example. Automatic updates are useful here, and internet-facing systems, hypervisors and the backup server itself should be patched first.
Monitor Your Environment
Monitor your environment to ensure timely detection of ransomware so that an attack can be contained. Suspicious or abnormal processor load and disk activity may indicate that ransomware is active. If fresh backups consume twice as much storage space as usual, something may be wrong. For example, the last recovery point of an incremental backup may contain encrypted data that is completely different from the previous recovery point with correct data; because encrypted data neither deduplicates nor compresses, such an increment is much larger than usual. The last recovery point is not valid in this case, and older points must not be rotated out before you have checked it. Consider configuring a honeypot (trap) as well.
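The size check and the "encrypted data in the last increment" case above, as an added example that is not taken from the original post: it combines a median-based size comparison for the newest increment with an entropy and compressibility test on files sampled from it. The function names, thresholds and the constructed SAMPLE_TEXT and SAMPLE_RANDOM inputs are assumptions; in practice the backup software would supply the increment sizes and the sampled file contents.

```python
"""Detect an incremental backup that has captured ransomware-encrypted data.

Added example, not from the original post and not NAKIVO's code.
Assumptions: the backup software exposes the sizes of previous increments
and lets you read sample files from the latest one; thresholds are
illustrative and the samples below are constructed.
"""
import math
import os
import zlib
from statistics import median

SIZE_RATIO_THRESHOLD = 2.0    # the post's rule of thumb: twice the usual size
ENTROPY_THRESHOLD = 7.5       # bits per byte; ciphertext is close to 8.0
COMPRESSION_THRESHOLD = 0.95  # ciphertext does not compress

# Constructed samples: a repetitive text file vs. random bytes standing in for ciphertext.
SAMPLE_TEXT = b"Quarterly report: revenue up, costs flat. " * 100
SAMPLE_RANDOM = os.urandom(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """High entropy AND incompressible: typical of ciphertext. Already
    compressed media (jpg, zip, video) also scores high, so this is a
    signal to investigate, not proof on its own."""
    if len(data) < 256:
        return False  # too little data for the statistics to mean anything
    ratio = len(zlib.compress(data, 6)) / len(data)
    return shannon_entropy(data) > ENTROPY_THRESHOLD and ratio > COMPRESSION_THRESHOLD


def increment_size_anomaly(previous_sizes, latest_size) -> bool:
    """Flag the newest increment if it is far larger than the usual one.
    The median ignores a single earlier spike such as a legitimate bulk import."""
    if not previous_sizes:
        return False
    return latest_size > SIZE_RATIO_THRESHOLD * median(previous_sizes)


def assess_recovery_point(previous_sizes, latest_size, sampled_files):
    """Combine both signals. sampled_files maps path -> bytes read from the
    newest recovery point. Returns (verdict, fraction_of_samples_encrypted)."""
    suspicious = [p for p, d in sampled_files.items() if looks_encrypted(d)]
    fraction = len(suspicious) / len(sampled_files) if sampled_files else 0.0
    size_flag = increment_size_anomaly(previous_sizes, latest_size)
    if size_flag and fraction > 0.5:
        return "invalid: likely encrypted data, keep older recovery points", fraction
    if size_flag or fraction > 0.5:
        return "suspicious: verify before trusting this recovery point", fraction
    return "ok", fraction
```

Sampling should favor file types that are normally compressible (documents, spreadsheets, source code, logs); a spike in the fraction of such files that now look like ciphertext is hard to explain by anything other than encryption, whereas a folder of photos legitimately scores high every day.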
A honeypot (or trap) is a technique for detecting abnormal activity. It is a set of special decoy files in non-standard locations on a server. If access to or modification of these files is detected, the abnormal activity is reported to the system administrator, because in normal production operation these files would never be touched.
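The honeypot files described above, as an added example that is not part of the original post: plant_canaries writes decoy files whose names sort first in a directory (ransomware typically walks directories in order, so the canaries are hit early), records a SHA-256 baseline, and check_canaries reports any canary that was modified, renamed or deleted. The directory list, file names and the demo's temporary directory are assumptions; the baseline should be stored outside the protected tree, for example on the monitoring host.

```python
"""Plant canary (honeypot) files and detect when something touches them.

Added example, not from the original post and not NAKIVO's code.
Assumptions: the caller supplies the directories to protect; canary
names and sizes are arbitrary; the baseline dict is kept somewhere the
protected hosts cannot modify.
"""
import hashlib
import os
import shutil
import tempfile
import time

# Names chosen to sort before real data so an alphabetical encryption pass hits them first.
CANARY_NAMES = ["!00_do_not_delete.docx", "~$archive_index.xlsx", "00_budget_backup.pdf"]


def _fingerprint(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_canaries(directories, size=4096):
    """Create decoy files and return the baseline {path: sha256}."""
    filler = b"CANARY FILE - DO NOT OPEN. Access to this file is monitored.\n"
    baseline = {}
    for d in directories:
        for name in CANARY_NAMES:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write((filler * (size // len(filler) + 1))[:size])
            baseline[path] = _fingerprint(path)
    return baseline


def check_canaries(baseline):
    """Return [(path, event)] for every canary that no longer matches the baseline."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "deleted or renamed"))   # e.g. file.docx -> file.docx.locked
        elif _fingerprint(path) != digest:
            alerts.append((path, "modified"))             # e.g. encrypted in place
    return alerts


def watch(baseline, interval=5.0, max_checks=None):
    """Poll until a canary changes; returns the alerts (empty if max_checks ran out).
    In production, wire this to isolation of the host and an alert to the on-call admin."""
    checks = 0
    while max_checks is None or checks < max_checks:
        alerts = check_canaries(baseline)
        if alerts:
            return alerts
        checks += 1
        time.sleep(interval)
    return []


def demo():
    """Self-contained run in a temporary directory (constructed scenario):
    plant, verify clean, simulate one in-place encryption and one rename."""
    tmp = tempfile.mkdtemp(prefix="canary_demo_")
    try:
        baseline = plant_canaries([tmp])
        before = check_canaries(baseline)
        with open(os.path.join(tmp, CANARY_NAMES[0]), "wb") as f:
            f.write(os.urandom(4096))                      # "encrypted" in place
        os.rename(os.path.join(tmp, CANARY_NAMES[1]),
                  os.path.join(tmp, CANARY_NAMES[1] + ".locked"))  # renamed by "ransomware"
        after = watch(baseline, interval=0.0, max_checks=1)
        return {"before": before, "after": sorted(after)}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

Polling on a hash baseline catches writes, renames and deletions, which is what ransomware does; it does not catch reads, because most filesystems are mounted with relaxed access-time updates. For read detection and sub-second reaction, hook the same canary paths into inotify or auditd on Linux, or file-access auditing and File Server Resource Manager screening on Windows file servers.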
Perform Data Backups on a Regular Basis
Having a backup is one of the most important steps you can take to ensure that if ransomware does get into your systems, you can still recover with minimal damage. If ransomware manages to corrupt or encrypt your files despite all your preventive measures, recovery from a backup is the most effective way to restore data and workloads. Recovery from backups is also more efficient than using a decryption tool, if you can find one at all. Even if you find a decryption tool for the exact ransomware version, recovery with the tool takes a lot of time, with the bulk of the work done manually, whereas recovery with backup software can be automated.
When it comes to backups, here are some best practices to follow to ensure smooth recovery after a ransomware attack:
- Store backups in a safe place. Protect backups from being accessed and erased by ransomware. Modern ransomware tries to find and encrypt or delete backups in addition to the files in use, so that recovery becomes impossible.
- Don't use the Active Directory administrator account to access backup storage or the backup server. If a domain controller is compromised, the attacker can reach the backups and corrupt them. Don't give the account used to access the backup server to users, and don't share backup storage with regular users. Consider keeping the backup server out of the Active Directory domain altogether.
- Follow the 3-2-1 backup rule: keep at least three copies of data (the production copy and two backups) on two different media, with one of the copies stored offsite. For the best ransomware protection, go one step further and keep an extra copy offline. For example, a backup to a public cloud can count as the offsite copy and a backup to tape as the offline copy.
- Copying a backup to a read-only (write-once) medium is a good way to protect data against modification by ransomware. WORM tape cartridges and optical discs are examples of media that can be used in read-only mode and cannot easily be rewritten. Keeping backup disks and ejected tapes offline prevents them from being encrypted if computers become infected; a tape that is still loaded in a library attached to a compromised backup server can be overwritten.
- Create a backup copy, that is, copy data from one repository to another. For example, one backup repository is located on a Linux server and is accessed via the SMB protocol by Windows machines. The backup copy is created in a second repository on the same Linux machine or on another Linux machine that can be reached only from the Linux backup server (for example, via an NFS export restricted to that server's address), so a compromised Windows client that can see the first repository cannot see the copy.
- Test your backups periodically to make sure they are usable and that you can actually recover the data within the time your business can tolerate.
Have a Response Plan
Prepare an incident response plan in advance so that nobody has to improvise during an attack. The actions can include:
- Disconnect infected computers from the network to stop the encryption from spreading to shares and other machines
- Remove the ransomware with antivirus software and removal tools, or reinstall the system from a known-good image
- Recover data from a backup
If there is no backup, try to find a decryption tool; the No More Ransom project (nomoreransom.org) collects free decryptors released by vendors and law enforcement. The probability of success is not high, unfortunately: decryptors usually exist only for older ransomware families or for ones whose keys have leaked. But whatever you do, don't pay the ransom: each payment funds and incentivizes more attacks, and there is no guarantee that your data will be restored after paying.
Use NAKIVO Backup & Replication
NAKIVO Backup & Replication is the all-in-one data protection solution that can be used to perform backups, recoveries and disaster recovery. Use NAKIVO Backup & Replication to have the best ransomware protection in your environment. The product supports backup of VMware vSphere VMs, Microsoft Hyper-V VMs, Amazon EC2 instances, physical Linux and Windows machines, Oracle databases and Microsoft 365. A wide set of deployment options adds more flexibility to fit your backup policy. You can install the product on Linux, Windows, NAS devices and even on Raspberry Pi.
With NAKIVO Backup & Replication, you can create backup repositories using SMB and NFS shares. You can also create multiple backup repositories located on a Linux or Windows machine where the Director is installed and on remote machines where the Transporter is installed. Last but not least, you can use an Amazon S3 bucket to create a backup repository.
NAKIVO Backup & Replication allows you to deploy multiple Transporters to use more options to transfer data including compression and encryption. Data encryption is supported when transferring data between Transporters.
The backup copy feature in the solution allows you to follow the 3-2-1 backup rule and store multiple copies of data in different places. Backup copies to tape and to clouds such as Microsoft Azure, Amazon S3 and Wasabi are good options to protect against ransomware. Backups on tape cartridges that have been ejected from the library (or written to WORM tape) cannot be deleted by ransomware. If ransomware gets access to your backup storage in Amazon S3, you can restore previous versions of Amazon S3 objects as long as versioning is enabled. S3 Object Lock goes further and prevents object versions from being deleted or overwritten for a retention period, even with the account's own credentials (in compliance mode). A new version of NAKIVO Backup & Replication adds support for the S3 Object Lock functionality and makes backup data stored there immutable.
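The S3 versioning recovery and Object Lock configuration mentioned above, as an added example that uses the boto3 S3 client API directly and is not NAKIVO's implementation: restore_previous_version undoes either an overwrite (by copying the newest non-current version back over the current one) or a deletion (by removing the delete marker), and apply_object_lock sets a default retention through put_bucket_versioning and put_object_lock_configuration. FakeS3 is a constructed in-memory stand-in for those few calls so the logic runs offline; against real AWS you would pass boto3.client("s3") instead. The bucket and key names are assumptions.

```python
"""Restore an S3 backup object from its previous version and configure
S3 Object Lock so that future versions cannot be deleted.

Added example using the real boto3 call names; not NAKIVO's code. FakeS3
is a constructed stand-in so the functions run offline.
"""


def object_lock_configuration(days, mode="COMPLIANCE"):
    # COMPLIANCE: nobody, not even the root user, can shorten the retention.
    # GOVERNANCE: bypassable with s3:BypassGovernanceRetention, a permission
    # a compromised administrator account may well hold.
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def apply_object_lock(s3, bucket, days, mode="COMPLIANCE"):
    """Object Lock requires versioning, so enable both."""
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    cfg = object_lock_configuration(days, mode)
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=cfg)
    return cfg


def restore_previous_version(s3, bucket, key):
    """Undo what ransomware did to one object. If the current version is a
    delete marker, remove the marker so the previous version is current again;
    otherwise copy the newest non-current version over the current one.
    Returns the VersionId whose content is now served."""
    resp = s3.list_object_versions(Bucket=bucket, Prefix=key)
    versions = [v for v in resp.get("Versions", []) if v["Key"] == key]
    markers = [m for m in resp.get("DeleteMarkers", []) if m["Key"] == key]
    latest_marker = next((m for m in markers if m.get("IsLatest")), None)
    if latest_marker is not None:
        s3.delete_object(Bucket=bucket, Key=key, VersionId=latest_marker["VersionId"])
        return max(versions, key=lambda v: v["LastModified"])["VersionId"]
    older = [v for v in versions if not v.get("IsLatest")]
    if not older:
        raise LookupError(f"{key}: no previous version to restore")
    good = max(older, key=lambda v: v["LastModified"])
    s3.copy_object(Bucket=bucket, Key=key,
                   CopySource={"Bucket": bucket, "Key": key, "VersionId": good["VersionId"]})
    return good["VersionId"]


class FakeS3:
    """Constructed in-memory stand-in for the boto3 calls used above."""
    def __init__(self):
        self.objects, self.versioning, self.lock_config, self._clock = {}, {}, {}, 0

    def _tick(self):
        self._clock += 1
        return self._clock

    def put_object(self, Bucket, Key, Body):
        t = self._tick()
        self.objects.setdefault((Bucket, Key), []).append(
            {"Key": Key, "VersionId": f"v{t}", "LastModified": t, "Body": Body, "Marker": False})

    def delete_object(self, Bucket, Key, VersionId=None):
        vs = self.objects[(Bucket, Key)]
        if VersionId is None:  # a plain delete on a versioned bucket only adds a marker
            t = self._tick()
            vs.append({"Key": Key, "VersionId": f"dm{t}", "LastModified": t, "Marker": True})
        else:                  # deleting a specific version (or marker) removes it
            vs[:] = [v for v in vs if v["VersionId"] != VersionId]

    def copy_object(self, Bucket, Key, CopySource):
        src = next(v for v in self.objects[(CopySource["Bucket"], CopySource["Key"])]
                   if v["VersionId"] == CopySource["VersionId"])
        self.put_object(Bucket, Key, src["Body"])

    def list_object_versions(self, Bucket, Prefix=""):
        out = {"Versions": [], "DeleteMarkers": []}
        for (b, k), vs in self.objects.items():
            if b != Bucket or not k.startswith(Prefix):
                continue
            for v in vs:
                entry = {"Key": k, "VersionId": v["VersionId"],
                         "LastModified": v["LastModified"], "IsLatest": v is vs[-1]}
                out["DeleteMarkers" if v["Marker"] else "Versions"].append(entry)
        return out

    def current_body(self, Bucket, Key):  # inspection helper, not a boto3 call
        last = self.objects[(Bucket, Key)][-1]
        return None if last["Marker"] else last["Body"]

    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.versioning[Bucket] = VersioningConfiguration["Status"]

    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        self.lock_config[Bucket] = ObjectLockConfiguration
```

Two caveats for real deployments. Versioning only helps if the attacker cannot call DeleteObject with a VersionId, which is precisely what Object Lock prevents; without it, a compromised key that can write backups can usually also purge versions. And for a long time Object Lock could only be turned on when the bucket was created (ObjectLockEnabledForBucket=True in create_bucket), so check the current AWS documentation before assuming it can be enabled on an existing bucket. If ransomware both overwrote and then deleted an object, removing the delete marker exposes the encrypted version; run the restore a second time to step back to the intact one.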
Download NAKIVO Backup & Replication, configure protection against ransomware, and back up your data.
Ransomware can corrupt data with devastating results. This blog post has explained how to protect against ransomware and avoid data loss. Implement the measures described above for the best ransomware protection. Preventing infection with ransomware protection software is the sound approach, but if your computers do get infected you must be able to recover data, and the most reliable way to protect your data is to back it up regularly. Use NAKIVO Backup & Replication, back up your data, and follow our blog for more useful content on data protection.