How to protect yourself and your startup from ransomware?
Patrick Coomans
Global Product Owner Cybersecurity at KIWA Vinçotte | Industrial Automation and Control Systems (IACS) ICS OT IEC/ISA 62443 IT IOT NIS2 ISO27001 CYFUN | Private Pilot | Security Cleared
Ransomware is back in the news. In fact, it hasn’t been away, but we’ve again noticed a few very high-profile ransomware attacks recently that have gotten a fair amount of press. Let’s hope this increased focus will also wake up some people who may have turned a blind eye to cyber resilience in the past.
- Hackers Cripple Travelex Airport Currency Exchanges, Seeking $6 Million Ransom
- Ransomware shuts down production at Flemish multinational Picanol
- That Pulse Secure VPN you're using to protect your data? Better get it patched – or it's going to be ransomware time
The good news is that a few basic steps make a big difference in protecting against ransomware. The bad news is that ransomware itself is evolving rapidly, and it is getting better at finding and exploiting vulnerabilities.
Protection against ransomware doesn’t have to be expensive. The real cost is in the disciplined behavior that you (and your family members and co-workers) have to adopt: one of backing up files regularly, being cautious, updating software, etc. Cybersecurity awareness has to become part of how you work and live.
As people keep asking me questions about real cybersecurity basics, I’ve decided to write down a list of 12 easy and relatively cheap steps you can take. I’ve listed 7 very basic steps YOU can take to protect yourself against losing all your data through a ransomware infection, and 5 more steps that are a little more advanced and more applicable to home offices, SMEs and startups. This is my personal list for basic cyber hygiene and is far from complete, as a complete list would lead me too far.
1. Back up your data.
Make sure you have multiple versions of your data, and store them separately. Don’t leave your backup connected to your network: when ransomware strikes, it will also lock your backup files if it can get access to them. If you store files in online services like Dropbox, OneDrive, Google Drive, etc., do not rely blindly on the backup/restore functionality offered by your cloud provider. Personally, I have a few USB hard drives that I keep in a locker at the bank, with all my personal files on them. For your personal files ordinary hard drives will do, but for any kind of sensitive or company data I would definitely advise secure devices that come with their own protection and encryption, such as diskAshur PRO or Kingston IronKey. For the backups themselves, you could simply write a script that copies changed data to a storage device, or alternatively use dedicated backup software that you buy or that is included with Windows or macOS.
Note: if you’re an employee at a company, please make sure you don’t go against company policies if you back up data yourself.
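As an added illustration of the “script that copies changed data to a storage device” idea (this is example code written for this article, not a script from the author), the Python below copies only files whose content hash changed since the previous run into a new, timestamped snapshot directory on the backup drive. Because earlier snapshots are never overwritten, a file that ransomware has encrypted shows up as a “changed” file in a new snapshot while the last good copy survives in the older one. The `demo()` function builds a constructed folder in a temporary directory and simulates exactly that; the paths and file names in it are made up for the demo. The drive must be physically disconnected after the run, which no script can do for you.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Manifest kept on the backup drive: maps relative path -> SHA-256 of the last copied content.
MANIFEST_NAME = "backup-manifest.json"


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source: Path, dest_root: Path, stamp: str = "") -> dict:
    """Copy every file under `source` that is new or changed since the previous run
    into a fresh snapshot directory `dest_root/<stamp>`.

    Earlier snapshots are never modified, so an encrypted file lands in a new
    snapshot and the previous clean copy stays intact. Returns a summary dict.
    """
    if not dest_root.is_dir():
        # Typical failure mode: the USB drive is not plugged in. Refuse to run
        # rather than silently "backing up" to the local disk.
        raise FileNotFoundError(f"backup target {dest_root} is not available")
    manifest_path = dest_root / MANIFEST_NAME
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot = dest_root / stamp
    copied, unchanged = [], 0
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        digest = file_digest(path)
        if manifest.get(rel) == digest:
            unchanged += 1  # identical content already on the drive
            continue
        target = snapshot / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 also preserves timestamps
        manifest[rel] = digest
        copied.append(rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return {"snapshot": str(snapshot), "copied": copied, "unchanged": unchanged}


def demo() -> dict:
    """Constructed scenario: two files, a first backup, then one file is
    overwritten with 'ciphertext' and a second backup runs."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-backup-demo-"))
    source, drive = root / "documents", root / "usb-drive"  # hypothetical locations
    (source / "projects").mkdir(parents=True)
    drive.mkdir()
    (source / "projects" / "plan.txt").write_text("Q1 roadmap")
    (source / "notes.txt").write_text("call the bank on Monday")

    first = run_backup(source, drive, "snapshot-1")

    # Simulate ransomware replacing a file's content with ciphertext.
    (source / "notes.txt").write_text("ENCRYPTED-BY-RANSOMWARE")
    second = run_backup(source, drive, "snapshot-2")

    return {
        "first": first,
        "second": second,
        "old_copy": (drive / "snapshot-1" / "notes.txt").read_text(),
        "new_copy": (drive / "snapshot-2" / "notes.txt").read_text(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the two run summaries: the second run copies only `notes.txt`, and `snapshot-1/notes.txt` still holds the original text. The design choice worth noting is that the manifest only tells the script what to skip; it never causes an old snapshot to be deleted, so recovery means picking the newest snapshot from before the infection.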
2. Install decent endpoint protection
Endpoint protection software is software that runs on your Windows, Apple or Linux machine and provides anti-virus, privacy, personal firewall and anti-ransomware protection. Do not rely solely on free tools or on functionality offered by your operating system. Note: I have personally never relied on Microsoft Defender, including its ransomware protection features. If Microsoft had been that outstanding, we wouldn’t have had 99% of all current malware anyhow. But that’s my personal opinion and built-in skepticism for everything Microsoft. Personally, I’ve been a keen user of Bitdefender, but there are many other vendors out there who offer excellent protection at a very modest cost. I’ve also installed Bitdefender on all mobile devices we have at home (iPads, phones, etc.) and made sure that even the kids have it installed and working.
3. Install browser and e-mail security plugins
Does installing endpoint protection keep you out of trouble? The answer is NO. Nowadays we use lots of software that uses encryption. And while encryption is the cornerstone of trust on the internet, it comes with an important disadvantage: encrypted data cannot easily be scanned for malware. This is why you also have to install agents in your client software, such as your e-mail client and your browser. Personally, I’ve enabled the Bitdefender plugins in my client software, and additionally I’ve installed the Malwarebytes plug-ins for Firefox and Chrome. They give me an additional level of safety and trust while surfing the web and reading e-mails.
4. Take a security awareness training (and your family members and co-workers too)
Since most ransomware infections happen through phishing, make sure you get acquainted with this topic. If you search for “what is phishing” on YouTube, you will find plenty of videos explaining the basics in under 5 minutes. For cyber-criminals the essential part of their attempt to attack you is convincing you to open an attachment or click on a website link. They might even try to build a little trust with you beforehand, for example by first engaging you in a conversation on a platform like LinkedIn. Over the past few years, phishing techniques have become better and more sophisticated, and very often it will be hard or even impossible to tell the difference between a real e-mail and a phishing e-mail. The advice is: better safe than sorry. When in doubt: don’t open it. When I receive an e-mail from the bank telling me that I have an important message waiting for me, I just close the e-mail, then go to my bank’s website the way I usually do and check for messages. I hardly ever click links, unless I expect one from a source I trust. The most common way to lure you into clicking a link is by pretending to be a well-known service, such as UPS, Fedex, Office365, … and asking you to click somewhere, and maybe even asking you to log in in order to steal your credentials. Even if you don’t provide your credentials, the harm may already have been done, as the malicious payload might already have been installed on your computer. Just don’t click links in mails, messages, etc. unless you know what you’re doing.
5. Use an enterprise-grade e-mail service that offers advanced threat protection.
If you use a free mail system that nobody has ever heard of, that’s really asking for trouble. Personally, I use Office 365, even at home, and I’ve enabled their Advanced Threat Protection option (it was included in the price of my subscription, but somehow comes disabled by default). I configured this ATP service to change the subject line to “potential SPAM:” if the spam score of a received e-mail is even a tiny bit higher than average. I also installed a Bitdefender plugin in my Outlook client. And I configured the ATP component to block e-mails that contain plain IP addresses or any active content, like macros or scripts.
6. Always keep all your software and firmware up-to-date.
Enable automatic updates whenever possible. Don’t forget that you have much more software than just your endpoint operating system (Windows, Mac, …). Also regularly update your Office, Adobe, browser, VPN client, Citrix client, anti-virus, hard-disk encryption software, IoT and mobile devices, … to make sure you’re not using software with known vulnerabilities. The same goes for the firmware of the devices you use every day, such as your network-attached printers, storage, your WiFi wireless access point, etc.
Note: Don’t forget that auto-update sometimes requires a device reboot, so people who always put their computer into sleep mode and never reboot could unknowingly be using out-of-date software.
7. Practice good password hygiene.
Use sufficiently long passwords, preferably passwords generated by a password manager like Keeper, LastPass or Dashlane. Use different passwords for different services. Never re-use or recycle old passwords. Change your passwords from time to time. And whenever possible, enable multi-factor authentication. It is also wise to sign up with https://haveibeenpwned.com, an online service that will notify you if it finds your user ID and password in a data breach or compromise somewhere on the Internet.
And here are 5 more steps for net admins of home offices, Small and Medium Enterprises, and startups:
8. Segment your network
In a home network or SME network, you will often be asked by your visitors if they can access the Internet using your WiFi network. It is essential that you segment off a separate network for your visitors and IoT devices; never allow visitors on your own network as you don’t know if these devices are up-to-date or maybe even already infected and continuously probing for targets to infect. Personally, at home, I’ve bought a Wireless Access Router with built-in firewall and segmentation capability, and created three segments: 1) a dedicated visitor network that is not allowed access to our personal computers and NAS devices; 2) a dedicated network segment for all our IoT devices and 3) a dedicated network segment for our own computers and NAS devices.
9. Block access to known malicious servers/services
When you click a malicious link, your computer will try to contact a server on the Internet, either to download a malicious payload or for command and control purposes. Fortunately, security companies, police forces and governments are very quick nowadays in adding the IP addresses of such malicious servers to global blacklists. Your wireless access point should be able to block all access to servers that are on well-known blacklists. At home, our wireless access point has a Trend Micro component that does just that. Additionally, I’ve replaced the DNS server provided by my Internet provider with the free DNS service of Quad9. When a client tries to connect to a server, it will most often use DNS to resolve a hostname (like www.microsoft.com) into an IP address (like 194.1.2.3). When your client tries to resolve the name of a malicious server into an IP address, Quad9 simply will NOT resolve that name. All you have to do is replace the IP addresses of the DNS servers in your Advanced Network Preferences with 9.9.9.9. You may want to get some help from a knowledgeable IT person for this simple but very effective step. Especially if your IT environment uses a DNS setup known as “split DNS”, you may need to configure those settings at another level.
10. Enable DKIM, SPF and DMARC on your e-mail domain
A step that might be a bit more complicated relates to the configuration of your e-mail domain and software. It is only applicable to people or businesses owning their own e-mail domain: enable DKIM, SPF and DMARC in your e-mail domain setup. DomainKeys Identified Mail (DKIM) is an authentication process that can help protect both senders and recipients from forged and phishing e-mail. Add DKIM signatures to your domains so recipients know that e-mail messages actually came from users in your organization and weren't modified after they were sent. In Office 365 you can enable DKIM in the Exchange Admin Console: protection, DKIM. A Sender Policy Framework (SPF) record indicates which mail servers are authorized to send mail for a domain. Receiving mail servers perform a check: “Is this e-mail coming from an authorized mail server?” Turn on Domain-based Message Authentication, Reporting, and Conformance (DMARC) by adding a DMARC policy to your domain's DNS records. The policy is in the form of a DNS TXT record, and defines how your domain handles suspicious e-mails.
DKIM, SPF and DMARC are features that come included with most decent enterprise-grade e-mail solutions, such as Google or Microsoft. They are however usually disabled by default.
11. Less is better
The less you store, allow, run, the better. Don’t stash data that you don’t need anymore, delete it or keep it off-line for audit purpose (check privacy legislation for keeping PII).
Disable or block what you don’t need. If you still have a WEB, FTP or SMBv1 service running on a computer but it isn’t used, just turn it off. Uninstall software you never use.
The same goes for data access: implement a least-privilege policy. Disable “admin” access and rather implement selective policies where people (and user accounts) only get the access rights they need in order to do their job.
12. Be prepared, plan for compromise
Develop a plan-of-action in case your network is attacked, such as being hit by ransomware. Don’t forget to check legal requirements in your region with regards to formal notification of official instances. Make sure you safeguard this plan somewhere accessible, even when the complete computer network is inaccessible, or internet access is blocked. Best is to print it out and keep it somewhere within reach. I keep mine next to my Network Attached Storage devices. It is a good idea to establish an emergency service contract with a cybersecurity provider. This is also called a Cybersecurity Retainer. This will guarantee you that your cybersecurity provider will start helping you within a given timeframe. It is also a good idea to also sign up for a Cybersecurity Insurance, as this will probably provide some coverage of the costs involved in removing the infection and recovering data, if possible.
WHAT TO DO WHEN YOU NOTICE THAT YOU’VE BEEN HIT WITH RANSOMWARE?
So, what if it’s too late?
- As soon as you suspect that your computer is hit with ransomwhere, disconnect the device from the network (Wi-Fi, wired, even Bluetooth…).
- I would also immediately disconnect your Network Attached Storage, detach USB storage, etc. Should your backup device be still connected to the network (I hope not), disconnect it immediately.
- If you’re operating in a computer network that you don’t manage, immediately notify the helpdesk. If you can, use the phone to do so. Don’t be ashamed, this can happen to anyone.
- If you use Cloud storage, immediately use a non-infected device to go to the admin console and break the logged-in connections of your users, making sure that infected computers cannot start replicating encrypted, locked or otherwise damaged files to the cloud storage.
- It is very well possible that the malicious software also installed custom forms, rules or macros in your Office environment that are hard to spot. Microsoft wrote an article about it.
- Execute your plan-of-action. This means involving a professional cybersecurity expert ASAP. And in some cases maybe also notifying and involving authorities.