In light of the recent high-profile ransomware infections at Colonial Pipeline and JBS Foods, I have been asked multiple times for my thoughts on the matter. Despite how it is being portrayed in the media, ransomware infections showcase a lack of disaster recovery rather than vulnerabilities in the network infrastructure. So here is the 10,000 ft overview of what you need in order to avoid the PR nightmare those companies are now living through.
So what can you do to help mitigate a possible ransomware infection? Here are a few bullet items that can help prevent an attack, and help you recover quickly if one gets through.
- Have a Firewall / Internet Security Appliance - Every company should be running some type of subscription-based appliance that provides real-time firewall protection and internet content filtering. If a bad link or site is blocked for content or geo-location, then you can stop many attacks before they even start. For example, if your company doesn't do business in or with Russia, blocking access to all sites hosted in Russia might be a good start.
- Virtualization - If you are running servers on bare metal hardware, you should consider virtualization. It provides maximum portability of your servers should you need to move or restore them during a disaster.
- Backups - Having a backup system in place is similar to having a strategy to make a fire in a survival situation. If you have one system, you have zero. If you have two, you have one… and so on. The more backups you have, the better equipped you will be to return operations to normal. For example, you might have a backup of the virtual server system as a whole, one of the data itself, and one that backs up to the cloud (or perhaps a failover mirrored server in the cloud, should your on-premises systems fail).
- Base images for restoring individual workstations - Since most infections of this type are actually instigated by an employee, it is important for their workstation to have a base image that can be quickly restored. Having spare workstations as part of your disaster recovery solution is even better. The base image can be blasted back onto the machine and the user's backups restored rapidly and efficiently.
- Employee Education - Ensure that your employees understand what phishing emails, fake pop-ups, and other malicious attempts look like. Reinforce the fact that it is better to ask the IT staff if an email or website is real, rather than blindly infect themselves and the entire company. It's better to be safe than sorry.
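As an added illustration of the backup-layering advice above (example code, not from the original post): a small Python check over a constructed backup inventory that flags systems with only one copy, systems missing one of the three tiers (VM-level, data-level, off-site/cloud), and systems whose newest copy is stale. The inventory fields, tier labels and the two-day age limit are assumptions for the example.

```python
"""Backup-redundancy check for a tiered backup strategy.
Added example, not code from the original post. Applies the
"N copies means N-1 usable" rule, requires all three tiers
(VM image, data, off-site), and enforces a maximum age."""
from datetime import datetime, timedelta

# Constructed sample inventory; field names and tier labels are assumptions.
NOW = datetime(2021, 6, 10)
INVENTORY = [
    {"system": "file-server", "tier": "vm-image", "completed": NOW - timedelta(hours=6)},
    {"system": "file-server", "tier": "data", "completed": NOW - timedelta(hours=2)},
    {"system": "file-server", "tier": "offsite", "completed": NOW - timedelta(days=1)},
    {"system": "erp", "tier": "data", "completed": NOW - timedelta(days=9)},
    {"system": "mail", "tier": "vm-image", "completed": NOW - timedelta(hours=12)},
    {"system": "mail", "tier": "vm-image", "completed": NOW - timedelta(days=3)},
]
REQUIRED_TIERS = {"vm-image", "data", "offsite"}
MAX_AGE = timedelta(days=2)  # assumed limit for the newest copy


def usable_copies(copies):
    # "If you have one system, you have zero": only copies beyond the first count.
    return max(len(copies) - 1, 0)


def assess(inventory, now=NOW, max_age=MAX_AGE):
    """Return {system: [findings]}; an empty list means the system passes."""
    by_system = {}
    for copy in inventory:
        by_system.setdefault(copy["system"], []).append(copy)
    report = {}
    for system, copies in by_system.items():
        findings = []
        if usable_copies(copies) == 0:
            findings.append("single copy: effectively no backup")
        missing = REQUIRED_TIERS - {c["tier"] for c in copies}
        if missing:
            findings.append("missing tiers: " + ", ".join(sorted(missing)))
        newest = max(c["completed"] for c in copies)
        if now - newest > max_age:
            findings.append(f"newest copy is {(now - newest).days} days old")
        report[system] = findings
    return report


if __name__ == "__main__":
    for system, findings in assess(INVENTORY).items():
        print(system, "OK" if not findings else "; ".join(findings))
```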
Ransomware attacks have payloads that are almost always activated by an employee. They open a suspicious email, click a malicious link, or hit a hijacked ad on a website that is NSFW. Anti-virus programs installed locally are not enough to stop a ransomware attack. Now is an excellent time to look at your disaster recovery solutions, or to create one if you do not have one. Educate yourself and your employees, and you can recover quickly with little to no effect on your enterprise. And, of course, there is never any reason to send Bitcoin to bad actors. How fast could you get back to “business as usual” in the event of a cyber attack?