We were recently reminded that ransomware is still an active threat for organizations. Of course, avoiding a ransomware attack is the best place to be. But what should you do in the event your organization does get attacked? Here are some recommendations for dealing with a ransomware attack. Hint: do these things BEFORE you’re in the middle of an attack, especially backup and restore!
Set Up and Test Backup and Restore
First and most importantly, back up your content! Back everything up to a secure drive. Make sure you test the restore capability and you’re comfortable that it works. Make sure you can make and restore incremental backups.
We see many customers that store organization-wide content on one server and use mapped drives to store each user’s content on another server. If you have this arrangement, we suggest incorporating a public cloud service to store your backup and restore content. For instance, if you are an Office 365 subscriber, we recommend enabling OneDrive for Business to manage user content. OneDrive for Business now allows for incremental restore of content. (You’ll want to check out this update on that topic.) This makes restoring a user’s files simple to accomplish. You can store the organization-wide content in SharePoint Online or in Azure. If you work with Amazon Web Services, you have access to similar backup and restore options as well.
Lock Down Your Backup
Second, make sure the backup and restore location is locked down. Public cloud services can help here, as they actively work to ensure their servers are secure from ransomware and other malware. But you also want to manage according to the principle of “least privilege.” This means you want to limit what users can do with content that isn’t their own. For instance, you would want to restrict one user from accessing or deleting another user’s content.
Clean Up Your Active Directory
Third, scrub your Active Directory of accounts that are no longer needed or no longer in use. Compromised access credentials are still the primary way that ransomware gets into an organization. Look for AD accounts that were set up for some temporary purpose and remove any that you find. If you have accounts that are not subject to a password change policy (you DO have such a policy, yes?), then take some action.
- Make them subject to the password change policy
- Delete the account
- Examine the password and make sure it’s hard to guess
While you’re in Active Directory, take a look at accounts with administrative privileges. See if you can reduce the number of accounts that have access to multiple functions or areas of the network.
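The three Active Directory checks above (unused accounts, accounts exempt from the password change policy, and accounts with broad administrative rights) can be gathered in one report. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and a 90-day inactivity threshold, and it only reports so that each finding can be reviewed before anything is changed.

```powershell
# Added example: report-only audit for the AD hygiene steps described above.
# Assumes the RSAT ActiveDirectory module and a domain-joined, read-capable account.
Import-Module ActiveDirectory

# Assumed threshold: no logon in 90 days counts as "no longer in use".
$InactiveDays = 90
$Since = (Get-Date).AddDays(-$InactiveDays)

# 1. Enabled accounts that have never logged on, or not within the window.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates with a
#    lag of up to 14 days, so treat it as approximate.
$Stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, WhenCreated |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Since } |
    Select-Object SamAccountName, WhenCreated, LastLogonDate

# 2. Enabled accounts that are exempt from the password change policy.
$NeverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 3. User members (including nested group membership) of the built-in privileged groups.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Admins = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
}

# Accounts holding more than one privileged role are the first candidates for reduction.
$MultiRole = $Admins | Group-Object SamAccountName | Where-Object Count -gt 1 |
    Select-Object Name, Count

"== Enabled accounts inactive for $InactiveDays+ days =="; $Stale        | Format-Table -AutoSize
"== Enabled accounts with PasswordNeverExpires ==";        $NeverExpires | Format-Table -AutoSize
"== Privileged group membership ==";                       $Admins       | Format-Table -AutoSize
"== Accounts in more than one privileged group ==";        $MultiRole    | Format-Table -AutoSize
```

Run it from a workstation with RSAT installed and review each list with the account owner before disabling or deleting anything; service accounts often show up under check 2 and need a documented exception or a managed service account instead.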
Revisit Multi-Factor Authentication
Last, and by no means least, revisit multi-factor authentication. Having MFA in place greatly reduces your exposure to attack because it vastly reduces the success of brute-force credential hacking. At a minimum, make sure that administrative accounts are using MFA. There are many options for providing a second factor of authentication.
- Text message
- Voice call with PIN
- Authenticator app for your smartphone
- Windows Hello for organizations using Windows 10 devices
The Best Offense is a Good Defense
Ransomware attacks are never fun. Follow these steps and you will avoid many attacks, and be in a position to recover from ransomware that does manage to get through to your content.