The topic of ransomware is top of mind among both information technology (IT) professionals and business leaders lately and is behind a lot of sleepless nights spent worrying about the issue. It leaves all of us asking, “What are we doing to protect ourselves from ransomware and how do we recovery quickly from an attack of ransomware?”
There are many techniques for protecting ourselves that are useful, but limited:
- User education and safe browsing practices. Do not open unsolicited attachments or download files from untrusted websites.
- Keep applications and operating systems up-to-date. Make sure the latest security updates are being applied to all devices and applications.
- Utilize IP segmentation. Separate networks and only allow traffic to cross networks if absolutely necessary.
- Backup critical files regularly. Use either traditional image-based backups or storage snapshots and keep multiple snapshots.
The first three tips are all proactive, intended to prevent the attack from happening. The fourth is reactive and, in the event you are infected, it is the only way to get your files back without paying the ransom. The problem with traditional backups is the recovery time. It can take a lot of time to recover from a traditional backup and your business is held hostage until you can recover all of your data.
There are options that can be taken to shorten recovery time and get your business back online faster. One option is to use read-only snapshots. A read-only snapshot prevents updates from being made to the snapshot while it writes to the current version ensuring the integrity of the snapshot. A ransomware attack could corrupt the current version of the data, but can be prevented from writing to the snapshot version. Reverting to the snapshot version after detecting the attack can allow for a quick restore to a clean copy of the data. However, since some ransomware is becoming sophisticated enough to remove or make writable read-only snapshots, storing a secondary copy is always recommended.
The challenge you now face is in protecting your secondary snapshots. It pays to view this from the perspective of ransomware, which is looking for network shares to discovery files that it can encrypt. One way to protect your backups from being encrypted is to use a Server Message Block (SMB) file share, which operates as an application-layer network protocol mainly for providing access to shared files. Changing the Remote Desktop Protocol (RDP) ports and any other incoming ports on that server to non-standard ports, or simply blocking incoming connections to the ports that run SMB, will successfully block the ransomware from attacking the snapshots and compromising your backups.
Your backups also need to be isolated from network operator accounts that are exposed to ransomware. This is relatively easy to do. By giving administrators read-only permissions to backup targets and giving your backup software service account write access to the shares, you can mitigate ransomware attacks. By doing so, even if ransomware takes control, it doesn’t have access to the service account and can’t affect your backup files.
One last step to increase the resiliency of your backups is to perform them often – the more often, the better. The best method is to run backups more frequently and also make a copy of the backup files (to your read-only backup target) as frequently as possible, and there are many solutions that can do just that.
To learn more information on RSM’s consulting services and managed services offerings, please visit our website. You can also contact RSM’s technology and management consulting professionals at 800.274.3978 or email us.