
Protect Against Ransomware

Ransomware is a type of malicious software (aka malware) that locks the victim out of their computer or files, often by encrypting them, until a financial ransom is paid to the attacker. The ransomware typically displays a message letting the victim know that they have been locked out, along with instructions for how to pay the ransom. Attackers may also threaten to publicly release data found on the computer if the ransom is not paid, a tactic known as double extortion. There’s also no guarantee that, once a ransom is paid, the data can be quickly decrypted and restored.

To protect against ransomware, it is important to take a multi-layered approach such as the one below.  For a more detailed technical guide, see the CISA #StopRansomware Guide.


Keep Ransomware From Entering The Environment

The first layer of defense is the outermost perimeter of your environment, whether that be the home, the office, or anywhere on the go.  Here are protections you can put in place at your perimeter.

  • Firewall
    • Configuring firewalls at different layers between you and the Internet to deny remote connections by default is the first wall of protection.  Enabling a host-based firewall, leveraging OIT firewall services on campus, and enabling a firewall at home to block remote connections keeps ransomware off your network and devices. If remote connections are required, only allow VPN access through the firewall rather than opening ports directly to the system whenever possible.
  • Phishing and Risky Links, Attachments, and USB drives
    • Even with a firewall enabled, you can still unwittingly get ransomware into your environment by clicking on risky links, opening risky attachments, or plugging in USB drives from unknown sources. This is often done via phishing, but be on the lookout for these originating from other sources as well.
  • Patching
    • Systems must also be kept up to date to prevent security vulnerabilities such as remote exploits via open firewall ports or internal compromise from clicking on malware. Apply updates to patch your software and operating systems, and replace end-of-life software and devices that no longer get security patches.
  • Remote Access Login
    • Sometimes there is a business need to allow remote access login to your system through your firewall. When doing so, always use strong passwords and change defaults, and enable multi-factor authentication whenever possible. This prevents brute force attacks and weak passwords from being used to gain access and infect your system with ransomware.
  • Inactive Accounts and Services
    • Inactive accounts and unnecessary services still enabled on your systems provide attackers additional ways to infect your system with ransomware that are completely avoidable.  Remove inactive accounts and disable services that are no longer needed.
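The last two items above, remote access accounts and unnecessary services, are the ones that can be checked mechanically. The following is an added example, not part of the original page or any OIT tooling: it takes a constructed list of accounts with their last successful login (as a `lastlog`-style report would give you) and a constructed list of listening network services, and returns the accounts that have been idle longer than a chosen threshold or have never logged in, plus the services that are not on an explicit allowlist. The account names, ports and the 90-day threshold are assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real system). last_login is an ISO-8601
# timestamp, or None for an account that has never logged in.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "last_login": "2024-05-02T09:14:00+00:00"},
    {"name": "bob", "last_login": "2023-11-20T17:42:00+00:00"},
    {"name": "svc-backup", "last_login": None},
    {"name": "contractor7", "last_login": "2023-01-05T08:00:00+00:00"},
]

# Constructed snapshot of listening TCP services, as you would collect from
# `ss -ltnp` or `netstat`. Only the port and owning process are kept.
SAMPLE_LISTENING = [
    {"port": 22, "process": "sshd"},
    {"port": 3389, "process": "xrdp"},
    {"port": 443, "process": "nginx"},
    {"port": 5900, "process": "vncserver"},
]

# Ports this host is actually expected to expose (assumption for the demo).
ALLOWED_PORTS = {22, 443}


def find_inactive_accounts(accounts, now, max_idle_days=90):
    """Return the names of accounts with no login in max_idle_days, or never.

    Never-logged-in accounts are flagged too: they are usually leftovers from
    provisioning and give an attacker a credential nobody is watching.
    """
    cutoff = now - timedelta(days=max_idle_days)
    inactive = []
    for acct in accounts:
        last = acct["last_login"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            inactive.append(acct["name"])
    return inactive


def find_unexpected_services(listening, allowed_ports):
    """Return (port, process) pairs for listeners not on the allowlist.

    Each of these is a service to disable, or to move behind the VPN if there
    is a real business need for it.
    """
    return sorted(
        (svc["port"], svc["process"])
        for svc in listening
        if svc["port"] not in allowed_ports
    )


def audit(now=None):
    """Run both checks over the constructed sample data and return the findings."""
    if now is None:
        now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for repeatability
    return {
        "inactive_accounts": find_inactive_accounts(SAMPLE_ACCOUNTS, now),
        "unexpected_services": find_unexpected_services(SAMPLE_LISTENING, ALLOWED_PORTS),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(f"{kind}: {findings}")
```

Feeding it real data means replacing the two constructed lists with the output of your account directory and a listening-socket snapshot; the point of keeping the allowlist explicit is that anything not on it needs a justification, not the other way round.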


Limit The Impact Of Ransomware Once In The Environment

The next layer of defense is how to limit the impact or the “blast radius” of ransomware if it is able to enter your environment.

  • Anti-Malware
    • Having anti-malware software installed on your system can sometimes block ransomware from running even after it gets downloaded, or at least detect it and limit the damage. For University-owned systems, having EDR software installed can also help UC detect and respond to ransomware quickly.
  • Don’t Use “Administrator”-type Account
    • Don’t log in and use an account with privileged access to the system, such as the “administrator” or “root” level accounts, for normal daily operation. Doing so increases the risk that any malware introduced using that account can take full ownership of the system and destroy the integrity of everything on it.


When All Else Fails

The last layer of defense, but important to have in place before you need it, is being prepared with a good response and recovery plan.


  • Backup
    • If your system gets infected with ransomware, the only safe way to recover back to normal operations is to completely reformat the system, fix the issue that allowed the ransomware infection, and restore your data from a clean backup. It is best to keep multiple backup copies, versioned and in different formats, ideally with one being offline or immutable so that ransomware can’t corrupt it too, and to keep any backups containing sensitive data encrypted. Test your backups before you need them.
  • Inventory
    • You can’t back up or protect data if you don’t know where it is. Take inventory of all your devices, systems, and data to ensure you know what to back up and how to restore it when you need to recover from a ransomware incident.
  • Report Incident Quickly
    • When ransomware infection happens, timing is everything. To stop the spread and limit the exposure, it is critical to immediately report the incident to OIT Security and follow the instructions provided. Campus leadership should also be familiar with our complete incident response process.
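The Backup item above says to keep an offline or immutable copy and to test backups before you need them. One part of that test can be automated: record a SHA-256 digest of every file when the backup is taken, keep that manifest with the offline copy, and compare the backup against it before trusting a restore. The code below is an added example, not part of the original page or any OIT tool; it builds a small constructed backup in a temporary directory, captures a manifest, then simulates the kind of damage ransomware does (a file overwritten in place, an extra note dropped) and shows the check reporting exactly which files changed. File names and contents are made up for the demonstration; a real restore drill still has to follow.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file's path (relative to the backup root) to its SHA-256 digest.

    Store the result next to the offline/immutable copy: a manifest that
    lives only on the live system can be altered along with the data.
    """
    root = Path(backup_dir)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir, manifest):
    """Compare a backup copy against the manifest captured when it was made.

    Returns a dict of sorted path lists: files whose contents changed,
    files that have disappeared, and files that were not there originally.
    An empty result in all three means the copy still matches.
    """
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: clean backup, then simulated ransomware damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "thesis.txt").write_text("chapter one\n")
        (root / "notes.txt").write_text("remember to test backups\n")

        manifest = build_manifest(root)        # taken when the backup was made
        clean = verify_backup(root, manifest)  # should report nothing

        # Simulate the damage: one file "encrypted" in place, a ransom note added.
        (root / "docs" / "thesis.txt").write_bytes(b"\x00\x00not your data any more")
        (root / "README_RESTORE.txt").write_text("constructed ransom note\n")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("after simulated damage:", after)
```

Run this before a restore and before rotating an old backup out, not only after an incident. Because the check reads every byte, it also surfaces silent corruption (failing disks, interrupted copies) that has nothing to do with ransomware but would hurt just as much on the day you need the restore.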