In the first two parts of this series, I went over what happens when BitLocker attacks your computer when the computer is unprotected, and what it takes to possibly recover at least partially from the attack. While it is possible that someone who is prepared will not be significantly impacted by a ransomware attack, most of us will not be so lucky. In most cases, a ransomware attack will mean completely restoring the computer to its factory settings and losing most or all of our data. This is clearly not the best option for anyone, so what can we do to make sure that we don’t become a victim in the first place?
The phrase is a little cliche, but it’s the best piece of advice I can provide. It’s easy to say, but what does it mean? Being prepared in this case means that you are assuming that you will be attacked at some point, and you have protections in place to stop the attack early in the attack chain, while also having measures in place to stop the attack at later stages and recover from damage in case the attack can’t be prevented early on. It’s something we advise all of our customers to do at Acronis. Attackers are continually improving their tactics and tools, which means that a solution that is continually updated and implements detection that has a better chance of detecting future attacks is key.
When it comes to ransomware, there are a number of aspects we need to consider. How did the ransomware get on the computer in the first place? How can the ransomware be stopped early? How can the ransomware be stopped before significant damage is caused if the initial attack isn’t stopped? How can we easily recover from an attack if all other methods fail? By asking these questions, we can find a solution that ensures any attacks have little to no impact on our lives.
Just stop it!
The best way to avoid an attack is to stop it before it starts. Most ransomware attacks come from malware installed because of a phishing attack, or a vulnerability in the software we have installed. The solutions here are fairly simple, as we can learn to keep from opening attachments or clicking links in unexpected emails and keep our software updated. Another good practice is to uninstall any software that we stop using. Old software potentially adds vulnerabilities to our computers, even if we don’t run the software anymore.
Of course, a solution to help us avoid some of the malicious servers and websites is available as well. Sometimes a link or file may be convincing enough that even a well-trained individual may be fooled. This is where URL Filtering comes in. A solution that prevents access to malicious URLs will help to keep us from accessing dangerous websites, or having documents download malware behind the scenes.
Stop it early
In the cases where an attacker uses an unknown vulnerability, also known as a zero-day vulnerability, or a new website or server, we can still stop most malware before it can impact our systems. A good, modern, antivirus that utilizes AI and behavioral detection will usually be able to stop even new droppers and trojans, preventing the installation of ransomware early on in the attack chain. By utilizing newer technologies, rather than relying on classical antivirus solutions that just look at the code or the file hash, we can ensure that even new malware is detected and blocked by the solution you implement.
At least stop it
Even with modern antivirus, there may be times when the initial malware isn’t stopped. As I have previously mentioned, attackers are constantly updating how they do things, and sometimes they find novel ways to attack systems that haven’t been considered previously. This type of attack may even be able to bypass behavioral detection or AI analysis. This is where dedicated ransomware protection comes in. There are behaviors exhibited by ransomware that will exist no matter what methods are used. For instance, multiple files being encrypted is a strong indicator of a ransomware attack. A solution that specifically looks at ransomware behaviors, and provides proper protection against ransomware, will create protected duplicates of files as they are accessed, then will stop the ransomware and be able to restore the files from the backups it created. It is important not to rely on Windows shadow copies, as some ransomware will delete these copies to prevent easy access to be able to restore the files.
Reverse total destruction
Even with the best solutions, there is always going to be a worst-case scenario. When the attack starts, executes and completes, a proper solution ensures that all is not lost. It is important to have a backup solution that can scan backups for malware, and protects the backup files from tampering. With a full backup, it can be made simple to restore the system to the last backup prior to the attack. If there have been new changes to files between the last backup and the attack, it is still possible to lose some data, but this will minimize the impact of any lost data and will ensure that any lost data is recent enough that it will be much easier to remember what it was and recreate it.
The key consideration with your backup solution is that the backups must be protected from tampering. A recent addition to the common tactics of ransomware operators is to identify and delete or encrypt backups. Ensuring that the backups are protected against tampering will help to ensure that they are available when it comes time to use them to recover your files.
While it can be overwhelming to think about a ransomware attack, there are ways to make sure you can easily defend against or recover from an attack. Even if you think you are not a target, it is important to have a multi-layered solution that covers attack prevention, malware detection, ransomware protection, and protected backups. With such a solution in place, you can rest easy knowing that if an attack comes, you have a solid security posture, and won’t be significantly impacted by the attack.
Topher Tebow is a cybersecurity researcher, focusing on community collaboration and threat analysis. Topher has been working with malware and other cyberthreats for more than a decade, beginning with web-based malware before moving into endpoint protection. Topher has written technical content for several companies, covering topics from security trends and best practices, to the analysis of malware and vulnerabilities. In addition to being published in industry publications like Cyber Defense Magazine and Security Boulevard, Topher has contributed to articles by several leading publications, and spoken at international cybersecurity events.