In 2013, our client's file servers, which were set up across multiple sites, were infected with ransomware. All 12 file servers, running Windows Server 2008, were infected with the ransomware "Cryptolocker".
The ransomware spread like wildfire and encrypted all of our working files overnight. It was very destructive and we lost all our working files and photos. The disaster recovery process was painful, as we spent many weeks re-formatting all the servers. There was no backup process in place, and we had to restore all operational files from bits and pieces: email attachments and files that had been saved on users' desktops.
Fast forward to 2017: we have learnt our lesson, and below are the preventive measures we now take against ransomware.
Backup, Backup and Backup Everything
We purchased backup software and scheduled backups to an external drive or network-attached storage (NAS) on a daily, weekly and monthly basis.
Entrust Network recommends BackupAssist as the preferred backup software for SME businesses.
We also subscribed to a cloud backup service and scheduled weekly backups to the cloud.
Automated Windows Update on Servers and User Computers
Previously we did not schedule Windows updates; we only updated users' computers and servers when manpower and time were available.
After the incident, we set up Windows Server Update Services (WSUS) to distribute updates to client computers in the Active Directory (AD) environment.
For workgroup setups, we set Windows to update automatically and educate users to follow the on-screen instructions for Windows Update and to reboot their computers when required.
We requested budget from management to purchase a Fortinet firewall (or Cisco ASA firewall) to replace the basic router as the gateway. The firewall reduces cyber threats by regulating and controlling incoming and outgoing traffic for the network.
Segment the Company Wireless Network
We welcome guests, vendors and clients to our office for meetings. Visitors always request internet access for their presentations and discussions. To protect the network and minimize the risk from visitors' notebooks and devices, we purchased and set up a wireless access point on a separate VLAN. Ransomware, viruses or trojans on an infected visitor notebook cannot then spread to the local LAN.
The guest Wi-Fi must be set up on a separate VLAN or DMZ network.
Antivirus and anti-malware software do not effectively prevent the infection and spread of ransomware.
We recommend installing CryptoPrevent on all computers.
CryptoPrevent is a security tool that writes 200+ group policy object rules into the registry to prevent executables in specific locations from running. It can be used to lock down any Windows OS against crypto ransomware, which encrypts personal files and then offers decryption for a paid ransom. The rules block executables (*.exe, *.com, *.scr and *.pif) and files with fake executable extensions from running in locations such as %AppData%, %LocalAppData%, %userprofile%, %programdata%, the Recycle Bin and the Startup folder.
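The rules described above are Software Restriction Policy (SRP) path rules, which Windows stores under the "Safer" registry key. The following audit script is an added example, not CryptoPrevent's or Entrust Network's own code: it lists the Disallowed path rules present on a machine and reports which of the locations named above are not covered, so an administrator can verify the lockdown actually took effect. It assumes the machine-wide policy location under HKLM and the `$Recycle.Bin` folder name used by Windows Vista and later.

```powershell
# Added audit script, not CryptoPrevent's or Entrust Network's own code.
# Reads the Software Restriction Policy (SRP) path rules stored under the Safer
# registry key and reports which of the locations named in the post still lack
# a "Disallowed" rule. Assumes the machine-wide policy location (HKLM); run from
# an elevated PowerShell prompt on the computer being checked.

$srpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowedRules = Join-Path $srpBase '0\Paths'   # security level 0 = Disallowed

# Locations to verify. The Startup folder lives under %AppData%, so that prefix
# covers it; the Recycle Bin is matched by its folder name (assumed: $Recycle.Bin).
$watched = @('%AppData%', '%LocalAppData%', '%UserProfile%', '%ProgramData%', '$Recycle.Bin')

function Get-SrpDisallowedPathRules {
    if (-not (Test-Path $disallowedRules)) { return @() }
    Get-ChildItem -Path $disallowedRules | ForEach-Object {
        # Read ItemData unexpanded so "%AppData%" is not turned into a concrete
        # path, which would defeat the token comparison below.
        $raw = $_.GetValue('ItemData', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        [pscustomobject]@{ Path = [string]$raw; Description = [string]$_.GetValue('Description', '') }
    }
}

function Test-SrpCoverage {
    param([string[]]$Locations, [object[]]$Rules)
    foreach ($loc in $Locations) {
        # A rule covers a location when its path contains that token,
        # e.g. "%AppData%\*.exe" covers %AppData%. -like is case-insensitive.
        $hits = @($Rules | Where-Object { $_.Path -like "*$loc*" })
        [pscustomobject]@{
            Location = $loc
            Covered  = $hits.Count -gt 0
            Rules    = ($hits | ForEach-Object { $_.Path }) -join '; '
        }
    }
}

if (-not (Test-Path $srpBase)) {
    Write-Warning 'No SRP policy under HKLM: path rules are not being enforced.'
} else {
    $policy = Get-ItemProperty -Path $srpBase
    # TransparentEnabled: 0 = SRP off, 1 = all software except DLLs, 2 = all software
    "SRP enforcement (TransparentEnabled): $($policy.TransparentEnabled)"
    # The post names .com, .scr and .pif; confirm they are designated file types
    $missing = @('COM', 'SCR', 'PIF') | Where-Object { @($policy.ExecutableTypes) -notcontains $_ }
    if ($missing) { Write-Warning "Not in the designated file types list: $($missing -join ', ')" }
}

Test-SrpCoverage -Locations $watched -Rules (Get-SrpDisallowedPathRules) | Format-Table -AutoSize
```

A location reported as not covered means a program dropped there can still run; re-apply the CryptoPrevent rules or add the missing SRP path rule through Group Policy and run the script again.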
We make an ongoing effort, including email reminders, to educate users on the risks of the internet and to be cautious about opening any email attachment, phishing scam or unknown file downloaded from the internet.
These preventive measures are recommended for SME businesses with a limited IT budget and resources.