sbradley
Contributing Writer

For Windows users, tips on fighting ransomware attacks

opinion
May 17, 2021 | 5 mins
Microsoft | Security | Small and Medium Business

The ransomware attack that shut down a major pipeline in the US offers some lessons for Windows users looking to keep themselves safe.

[Image: ransomware attack. Credit: Andrey Popov / Getty Images]

Ransomware.

It’s one word that strikes fear in the minds of many a computer user, especially given the near daily headlines about companies affected. It makes us wonder why this keeps happening to users and businesses, large and small.

But there’s plenty you can do to protect yourself or your business.

Be wary of what you click on

Most of the time, ransomware that affects an individual happens after someone clicks on something they shouldn’t — maybe a phishing-related email or a web page that installs malicious files. In a business setting, the attacks often come from an attacker going after open remote access protocol, either using brute force or harvested credentials. Once inside the network, they can disable backups and lie in wait until the best time to attack.

Ransomware is not new. Its history dates back to 1989. Back then, the lure was a floppy disk that installed a virus, which on the third day asked for money to get the computer information back. More recently, it was used against Colonial Pipeline, a gas delivery pipeline company on the East Coast. That attack led to a run on gas, closed gas stations, angry drivers, and bad publicity (and a reported payout in the millions of dollars) for the pipeline company. It was a real-world example of what ransomware can do to businesses.

Backups, backups, backups

I co-moderate a Facebook group on the topic of security and ransomware. Often, when a user comes to us to ask how to recover from a ransomware attack, our only recommendation is to ask whether they have a good backup. By that, I mean one that is run on a regular basis and stored on an external hard drive that is “air gapped” from your computer. If you can access the drive your backup is stored on, so can your attacker. So make sure that you rotate backup media and always have a copy that is offline and not connected to your system.

It’s also good to investigate whether your backup software has an anti-ransomware feature that ensures the drive can’t be accessed by anyone other than the backup processes.

There is no magical fix to undo ransomware, though nomoreransom.org keeps track of known attacks; if an encryption key has been released to the public by the attackers or some authority has taken over a command-and-control server — and thus gained access to the encryption tools — the decryption tool will be stored on that site.

Tricking attackers

If you are a bit more adventuresome, you could consider adding a tool such as Raccine, which will prevent ransomware from deleting all shadow copies using vssadmin. It runs on Windows 7 or higher, intercepts the request, and kills the invoking process. Silently deleting backups and stopping the backup process is often the first sign that an attacker is going after your systems.

Always make sure you keep track of the success or failure of the backup process. I personally set up alerts with my backup software so I’m notified of both successes and failures involving my key infrastructure. Keeping track of the completion of backups is a key way to track the health of your systems.

Another trick you can use to try to fend off attackers is to install the Russian keyboard on your system. While the Darkside ransomware did not specifically check for it, Russian-based malware often will check to see where it’s being installed and avoid Russian-based systems. (You don’t have to use the keyboard, and you’ll end up with “EN” on your system tray. But it might just trick attackers into passing you by.)

Another security tool that scared away attackers during a recent attack was Sysmon. This is a free tool from Microsoft that enhances the security event logs on Windows machines. When attackers using the SolarWinds vulnerability reviewed what firms they wanted to attack, if Sysmon, Procmon, Procexp, or Autoruns were installed on systems, the attackers would not go after the firm because they didn’t want to be detected. Especially for small businesses, I recommend the use of Sysmon to enhance log files on your system.
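The two ideas above fit together: Sysmon records every process start (Event ID 1) with its command line and parent, and the shadow-copy deletion that Raccine blocks is exactly the behaviour worth alerting on in those logs. The script below is an added example, not code from the article, Raccine or Microsoft; the Sysmon records are constructed with made-up paths and times, the "|"-joined field format is a simplification of a real export, and the BackupTool allowlist entry is a placeholder for your own backup agent.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, rendered as
# "Field: value" pairs joined with "|". Real exports carry more fields;
# every path, user and timestamp here is invented for this example.
SAMPLE_EVENTS = [
    "UtcTime: 2021-05-17 13:01:02|Image: C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine: vssadmin.exe  Delete Shadows /All /Quiet"
    "|ParentImage: C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
    "UtcTime: 2021-05-17 13:01:05|Image: C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine: wmic shadowcopy delete"
    "|ParentImage: C:\\Windows\\System32\\cmd.exe",
    "UtcTime: 2021-05-17 02:00:00|Image: C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine: vssadmin list shadows"
    "|ParentImage: C:\\Program Files\\BackupTool\\agent.exe",
    "UtcTime: 2021-05-17 02:00:30|Image: C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine: VSSADMIN Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"
    "|ParentImage: C:\\Program Files\\BackupTool\\agent.exe",
]

# Case-insensitive patterns for destroying or shrinking shadow copies (the
# behaviour the text describes Raccine intercepting, plus the equivalent
# wmic form). \s+ tolerates the doubled spaces scripts often leave behind.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Parent processes allowed to manage shadow storage. Placeholder: take the
# real path from your backup vendor's documentation.
TRUSTED_PARENTS = {r"c:\program files\backuptool\agent.exe"}

def parse_event(line: str) -> Dict[str, str]:
    """Split one rendered Sysmon record into a {field: value} dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")  # only the first ": " separates
        fields[key.strip()] = value.strip()
    return fields

def find_shadow_copy_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Return events whose command line deletes or shrinks shadow copies and
    whose parent is not an allowlisted backup process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if not any(p.search(cmd) for p in SHADOW_TAMPER_PATTERNS):
            continue
        if ev.get("ParentImage", "").lower() in TRUSTED_PARENTS:
            continue  # routine maintenance by the backup agent
        findings.append({"time": ev["UtcTime"], "parent": ev["ParentImage"], "cmd": cmd})
    return findings

if __name__ == "__main__":
    for f in find_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[ALERT] {f['time']} {f['parent']} ran: {f['cmd']}")
```

Only the two events launched from a temp-folder executable and from cmd.exe are reported; the backup agent's `list` and `resize` calls pass, which is the allowlisting you will need in practice so that legitimate backup software is not flagged.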

What you can do

Bottom line, don’t make it easy for attackers to turn you into another ransomware statistic. Here’s what you can do to lessen the chances of an attack:

  • Make sure you do good backups on a regular basis and have multiple external hard drives that you rotate to ensure at least one copy of your files is offline at all times.
  • Keep your browsers up to date and ensure that they update independently of the operating system.
  • Ensure your email has good filtering, either from your ISP (if it provides your email) or by using Gmail or Outlook.com.
  • Consider adding Duo Authentication as two-factor authentication for remote access if you use remote desktop protocol in a small business. And don’t allow merely a password between you and the outside world when it comes to remote access.

These may not ensure you’re completely safe from ransomware, but they should at least make it less likely you’ll be hit.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.