With cyber-attacks on organisations large and small on the rise, we thought it was time to reflect on a real-life incident we had to deal with, one that proved why it is important to take cyber security and business protection seriously. Five years ago, our office was hit by a ransomware attack that encrypted the files on a shared NAS device one by one, giving each a strange “.block” extension. Here’s what we learned from the experience, the prevention measures you should consider, and some technical considerations to keep in mind.
Immediate Action
One computer on the network was running a malicious script that had been installed on it. We identified the rogue computer by looking at the data traffic on the network. We immediately isolated the affected device by disconnecting both it and the NAS from the network, which stopped any further encryption. Disconnecting rather than powering off also preserves volatile evidence on the machine for later investigation. We then inspected every online machine to check whether any other device was infected.
Initial Investigation and Technical Considerations
Our initial investigation revealed that only files on the NAS were affected. The attack had been initiated by a phishing email with a malicious attachment that one of our employees accidentally opened. Once opened, the ransomware ran on that single device and encrypted every file it could reach from there, namely the network shares mapped on that computer, which in our case meant the NAS. It did not infect other computers on the network: it had no access to them and no credentials with which to connect to them.
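The way we found the rogue machine, by looking at who was generating the traffic to the NAS, can be automated. The following is an added example (not code from the original incident) that attributes renames to the “.block” extension on a share back to the client that made them, using a NAS audit log in a constructed line format; the threshold, the window and the log layout are assumptions, and real NAS or Samba full_audit logs will need their own regular expression.

```python
"""Attribute ransomware renames on a NAS share to the client that made them.

Added example (not the original post's code). It assumes the NAS writes a
per-operation audit log in the constructed format used below:
    <ISO timestamp> <client ip> <user> <op> <path>
    <ISO timestamp> <client ip> <user> rename <old path> -> <new path>
Real NAS or Samba full_audit logs use their own layouts, so adapt LINE_RE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXT = ".block"        # extension the ransomware appended in the incident
THRESHOLD = 5                 # renames to SUSPECT_EXT inside WINDOW -> flag the client
WINDOW = timedelta(seconds=60)

# Constructed sample log (not real data). Alice's workstation is the infected host;
# Bob's rename is ordinary; Carol's single rename is below the threshold; the last line is junk.
SAMPLE_LOG = """\
2019-03-04T09:12:01 10.0.0.23 alice open /volume1/shared/Finance/Q1.xlsx
2019-03-04T09:12:02 10.0.0.23 alice rename /volume1/shared/Finance/Q1.xlsx -> /volume1/shared/Finance/Q1.xlsx.block
2019-03-04T09:12:02 10.0.0.23 alice rename /volume1/shared/Finance/Q2.xlsx -> /volume1/shared/Finance/Q2.xlsx.block
2019-03-04T09:12:03 10.0.0.41 bob open /volume1/shared/HR/policy.docx
2019-03-04T09:12:03 10.0.0.23 alice rename /volume1/shared/Finance/budget.docx -> /volume1/shared/Finance/budget.docx.block
2019-03-04T09:12:04 10.0.0.23 alice rename /volume1/shared/Finance/notes.txt -> /volume1/shared/Finance/notes.txt.block
2019-03-04T09:12:05 10.0.0.41 bob rename /volume1/shared/HR/policy.docx -> /volume1/shared/HR/policy-v2.docx
2019-03-04T09:12:05 10.0.0.23 alice rename /volume1/shared/Finance/plan.pptx -> /volume1/shared/Finance/plan.pptx.block
2019-03-04T09:12:06 10.0.0.23 alice rename /volume1/shared/Finance/old.csv -> /volume1/shared/Finance/old.csv.block
2019-03-04T10:30:00 10.0.0.50 carol rename /volume1/shared/Dev/notes.txt -> /volume1/shared/Dev/notes.txt.block
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<user>\S+) (?P<op>\w+) (?P<rest>.+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    if rec["op"] == "rename":
        old, sep, new = rec["rest"].partition(" -> ")
        if not sep:
            return None                      # rename without a destination: treat as malformed
        rec["old"], rec["new"] = old, new
    else:
        rec["path"] = rec["rest"]
    return rec


def suspect_renames(lines):
    """Yield parsed rename events whose destination newly gained SUSPECT_EXT."""
    for line in lines:
        r = parse_line(line)
        if (r and r["op"] == "rename"
                and r["new"].lower().endswith(SUSPECT_EXT)
                and not r["old"].lower().endswith(SUSPECT_EXT)):
            yield r


def flag_clients(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(ip, user): total suspect renames} for every client that made
    at least `threshold` suspect renames within any `window`-long span."""
    times_by_client = defaultdict(list)
    for r in suspect_renames(lines):
        times_by_client[(r["ip"], r["user"])].append(r["ts"])
    flagged = {}
    for client, times in times_by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = len(times)
                break
    return flagged


def hosts_to_isolate(lines, **kw):
    """Sorted list of client IPs that should be pulled off the network."""
    return sorted({ip for ip, _ in flag_clients(lines, **kw)})


if __name__ == "__main__":
    for (ip, user), n in flag_clients(SAMPLE_LOG.splitlines()).items():
        print(f"isolate {ip} (user {user}): {n} files renamed to {SUSPECT_EXT}")
```

The threshold is what separates a user who deliberately renames one file from a process renaming everything it can see; tune it to the share's normal activity, and treat the user account as well as the IP as compromised, since the ransomware runs with that user's share permissions.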
Data Recovery
For Business Continuity & Disaster Recovery (BCDR) purposes, the NAS was backed up daily to an isolated backup NAS in a separate location. We were able to recover all the data from the backup NAS, which got all users back to work within two hours. Note that with a daily backup, anything changed since the last run is lost, so choose the backup frequency to match how much work you can afford to redo. Recovering from a ransomware attack can still be a time-consuming process, so it is essential to have a solid, tested backup and recovery plan in place.
Prevention Measures
To prevent a recurrence of the attack, we recommend the following prevention measures.
- Regular Backups: Ensure that you have a robust backup system in place, preferably taking daily backups, and store them on a separate device or location that is isolated from the network. In particular, the backup target must not be reachable from user workstations with the same credentials as the live share, otherwise the ransomware simply encrypts the backups too. This will ensure that you can recover your data in case of a ransomware attack.
- Managed Antivirus: Invest in a managed antivirus solution that is updated regularly and can detect and prevent malware and ransomware. Make sure that the antivirus software is configured to scan all incoming emails, files, and downloads, to prevent malicious files from being executed.
- Restricted User Permissions: Limit user permissions to only those required for each job function, reducing the risk of unauthorized access or infection. On the NAS in particular, give each user write access only to the shares they need, so that an infected workstation can encrypt only what its user could write. Consider implementing role-based access control (RBAC), which allows you to define different levels of access based on job roles.
- Zero Trust: Treat no device, user or network segment as trusted by default, and verify every access request. This is explained in our article on Ramping Up the Fight Against Ransomware.
- Employee Training: Educate your employees on the importance of cybersecurity and teach them how to spot and report suspicious activity or phishing attempts. Conduct regular training sessions on safe email practices, such as not opening suspicious attachments or clicking on links in unsolicited emails.
- Network Segmentation: Consider segmenting your network into smaller, isolated subnets to prevent the spread of malware and ransomware in case of an attack.
- Patch Management: Keep your systems up to date with the latest security patches and updates to prevent known vulnerabilities from being exploited.
- Incident Response Plan: Develop an incident response plan that outlines the steps to be taken in case of a ransomware attack. This plan should include steps for identifying the attack, isolating the affected devices, preserving evidence, recovering data from backups, and who to contact at each stage. Rehearse it, including an actual restore from backup, so that the two-hour recovery is not the first time anyone has tried it.
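The backup and recovery advice above has one trap worth guarding against: a daily job that blindly copies the share will, on the morning after an infection, overwrite the last good copy with encrypted files. The following is an added example (not code from the original post or from any NAS vendor) that keeps a manifest of file hashes from the previous run, refuses to back up when the share shows ransomware indicators, and verifies a restore against the known-good manifest. The manifest format, the 20% change threshold and the temporary directories it works on are assumptions for illustration.

```python
"""Guard a daily NAS backup against overwriting good copies with encrypted data,
and verify a restore against the last known-good manifest.

Added example (not the original post's code). It assumes the backup job keeps
a manifest (relative path -> SHA-256) from the previous run, and that the
thresholds below suit the share; both are assumptions to tune.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

SUSPECT_EXT = ".block"      # extension observed in the incident
MAX_CHANGED_RATIO = 0.2     # abort the backup if more than 20% of known files changed or vanished


def build_manifest(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def assess_changes(previous, current, suspect_ext=SUSPECT_EXT,
                   max_changed_ratio=MAX_CHANGED_RATIO):
    """Compare the previous run's manifest with the share as it is now.

    Ransomware shows up as many files vanishing (renamed) or changing at once
    and as new files carrying the suspect extension; either should stop the
    backup so the isolated copy keeps the last good version.
    """
    suspect_new = [p for p in current if p.lower().endswith(suspect_ext) and p not in previous]
    missing = [p for p in previous if p not in current]
    modified = [p for p in previous if p in current and previous[p] != current[p]]
    changed_ratio = (len(missing) + len(modified)) / max(len(previous), 1)
    return {
        "suspect_new_files": len(suspect_new),
        "missing": len(missing),
        "modified": len(modified),
        "changed_ratio": changed_ratio,
        "safe_to_backup": not suspect_new and changed_ratio <= max_changed_ratio,
    }


def verify_restore(manifest, restored_root):
    """Return the relative paths whose restored content is missing or differs."""
    restored = build_manifest(restored_root)
    return sorted(p for p, digest in manifest.items() if restored.get(p) != digest)


def demo():
    """Walk through day 1 (clean backup), day 2 (infection caught) and the restore,
    on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        share, backup, restored = (Path(tmp) / n for n in ("share", "backup", "restored"))
        share.mkdir()
        for i in range(5):
            (share / f"doc{i}.txt").write_text(f"constructed sample document {i}\n")
        good = build_manifest(share)
        shutil.copytree(share, backup)          # day 1: copy to the isolated backup NAS

        for i in range(4):                      # day 2: ransomware encrypts 4 of 5 files in place
            f = share / f"doc{i}.txt"
            f.write_bytes(os.urandom(64))       # stand-in for ciphertext
            f.rename(share / f"doc{i}.txt{SUSPECT_EXT}")
        verdict = assess_changes(good, build_manifest(share))   # backup job must refuse to run

        shutil.copytree(backup, restored)       # recovery: restore from the untouched copy
        return verdict, verify_restore(good, restored)


if __name__ == "__main__":
    verdict, mismatches = demo()
    print("safe to back up:", verdict["safe_to_backup"], verdict)
    print("files differing after restore:", mismatches)
```

The change-ratio check catches ransomware families that do not rename files at all; the extension check catches the ones, like ours, that do. Keep the manifest on the backup side, not on the share, or an attacker with write access to the share can rewrite it along with the data.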
Conclusion
A ransomware attack can be devastating to any business. In the most serious cases, companies either have to risk paying vast sums of money, or lose all encrypted data, and many never recover from it. Taking preventive measures and implementing the technical considerations above goes a long way towards protecting your business. With remote monitoring, managed antivirus and isolated, tested backups, you can greatly reduce both the likelihood and the impact of an attack. Don’t wait until it’s too late: act now to protect your business from ransomware. Remember, prevention is always better than cure.